From fiedorow at math.ohio-state.edu Mon Jul 1 00:40:15 1996 From: fiedorow at math.ohio-state.edu (Zbigniew Fiedorowicz) Date: Mon, 1 Jul 1996 15:40:15 +0800 Subject: MacPGP 2.6.3 released Message-ID: -----BEGIN PGP SIGNED MESSAGE----- I have put FatMacPGP2.6.3 v 1.6 on my web page http://www.math.ohio-state.edu/~fiedorow/PGP for distribution in the US and Canada in accordance with ITAR. The distribution is encrypted and you have to read the file README.txt for instructions on how to decrypt it. Here is a description of the main features of FatMacPGP2.6.3 v 1.6 from the README in the distribution: Enclosed is version 1.6 of FatMacPGP 2.6.3. This is a Macintosh port of the international version PGP 2.6.3ia released 04.03.96. The underlying PGP cryptographic code is the same as in the international release, except that it uses the RSAREF1.0 RSA library instead of Philip Zimmermann's MPILIB, in order to conform with US Patents on RSA. Also the legal_kludge switch, which allows interoperability with infringing pre-2.6 versions of PGP, is disabled. FatMacPGP 2.6.3 will run in native mode on a Power Macintosh, and will also run on 68K Macintoshes having a 68020 CPU or better. It will NOT run on Macintoshes with only a 68000 CPU such as Pluses, SE's, Classics or PB100's. It contains all the enhancements and bug fixes of PGP 2.6.3ia such as 1) It allows recipients of a public key message to be read in from a file containing the list of recipients, one per line. (Unlike previous versions of MacPGP it will not crash if the number of recipients exceeds 5 or 7.) 2) When extracting multiple keys into an ascii file, the each key is put separately into its own block, neatly labelled with the key id and user ids. 3) Better support for 8 bit character sets, ie. characters you get by holding down the option key. 4) Userids can be automatically signed with your secret key when creating keys ('pgp -kg') or adding new userids ('pgp -ke'). This is controlled by the AutoSign flag in the Options menu. 5) The misfeature of the initial 2.6.3i release, which didn't allow softwrapped text to be treated as text has been removed. 6) When clearsigning messages, FatMacPGP 2.6.3 will add a "Charset:" headerto the signature block, explaining which character set was used for creating the signature. This will help the recipient of the message to select correct character conversion when verifying the signature. If he/she is using version 2.6.3i, PGP will automatically choose the correct character set, thereby eliminating a lot of "Bad signature" problems. In addition to the above FatMacPGP 2.6.3 has many enhancements and bug fixes relative to previous versions of MacPGP. 1) Unlike MIT MacPGP 2.6.2 contains native Power PC code. Consequently it runs typically about 1.5 to 2 times faster than the MIT version on PPC machines, and even faster for large keyrings or large keys. It also runs typically 10-20% faster on 68K machines. 2) It has a greatly enhanced AppleEvent suite. For instance, unlike the MIT version, it is not necessary to write data to temporary files before passing it to MacPGP for en/de/cryption or signing. FatMacPGP 2.6.3 accepts AppleEvent TEXT parameters up to 32K in size in memory and returns the processed data as a parameter to the reply AppleEvent. (See the accompanying documentation for further details.) 3) It has options for automatic hardwrapping and detabbing of text, which should make electronic transmission of clearsigned messages more reliable and increase interoperability with many DOS and Unix text processing programs. 4) It has an option for stealthifying PGP encrypted files, removing any trace of their provenance. The resulting files can't be distinguished from white noise and can be completely concealed by "stegoing" into graphics and audio files. (There is of course also an option for destealthifying.) 5) It has an option for using SHA1 as the hashing algorithm for PGP signatures, instead of MD5. (Dobbertin has recently made some dramatic progress towards cryptanalyzing MD5. If he is successful, this might call into question the reliability of PGP signatures under certain circumstances.) This is an experimental feature which is not compatible with earlier versions of PGP. (It is not compatible with the proposed standards of PGP 3.0 either. But 3.0 is supposed to be deliberately incompatible with all 2.x versions to avoid the RSA patent issue.) FatMacPGP 2.6.3 is distributed under the same license terms from MIT and RSADSI as the 2.6.2 release, since its functional core is virtually identical. Please read the license agreements prior to using the program. Distribution of this program may be subject to US government export controls. This release is not endorsed by Philip Zimmermann, MIT or anyone else. However full source code for FatMacPGP 2.6.3 is being released together with the executable (although in a separate archive). It is not difficult to verify that the cryptographic core is unchanged from the 2.6.2 version. Also the author is mentioned in Zimmermann's documentation as the primary developer of previous MacPGP versions. A few support files, such as sample AppleScripts and other extensions, to facilitate interaction with the Eudora mailer program and the BBEdit text editor are included. While they are fully functional and hopefully useful, they are primarily intended to serve as illustrations to other developers on how to integrate PGP with other Macintosh programs. Detailed documentation can be found in the document "MacPGP263_AppleEvents" in the Macintosh Documentation folder. Read the included document "Verifying PGP" for instructions on how to verify this copy of MacPGP. Beginners should first take a look at the document "Getting Started with MacPGP". A detailed reference manual to MacPGP entitled "MacPGP263_Manual" is enclosed in the Macintosh Documentation folder and the indispensible "PGP User's Guide" by Philip Zimmermann is in the Documentation folder. Sources for FatMacPGP 2.6.3 will be available shortly. Z. Fiedorowicz -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: mac Comment: MacPGP 2.6.3 iQCVAwUBMdbLNr1LYmqiC9QjAQEl/wP+JXpDvgQ9VgTmXsvjjfFp+zd4v8ZeIMmt 45WcfqqPvSUPVEXv225MyYHMO1zKDkcKej1swBpFZDz5GV1eZJvriqYuNqc4Z0g0 0w9syQ2i6U5AoF6MR8bPs9Apq2Og9dRbFbaNXZ9Ba6bCtPHXyfZS1qQpi06Mkpty Xh39nE3dv4s= =/3Xe -----END PGP SIGNATURE----- From jon at aggroup.com Mon Jul 1 00:45:20 1996 From: jon at aggroup.com (Yanni) Date: Mon, 1 Jul 1996 15:45:20 +0800 Subject: [Fwd: Doubleclick] Message-ID: <9606301649.AA32058@jon.clearink.com> > There's a very obvious way to get their cookie put in your cookies > file without you explicitly going to their site. This is my favorite example... You work at a company. Evil co-worker there says...check out this webpage I just setup. You goto that page, the server gives you a cookie with confidential information. ( 4k can store a lot of data..:) )... Boss comes around and looks at your cookie file, notices confidential information. You get fired, sued, whatever.... > The server can send whatever it wants to you in the Set-Cookie: > header. Read the spec. Yes, but you know the server that sent it. A Set-Cookie header can't set the domain to be other than the domain that the cookie came from. The message that was copied to the list implied that one domain could set a cookie for another domain. That isn't true unless you have access the the persons cookie file. ( as you implied in your response, but which is beyond the scope of the original letter ). Regards, -jon Jon (no h) S. Stevens yanni at clearink.com ClearInk WebMagus http://www.clearink.com/ finger pgp at sparc.clearink.com for pgp pub key We are hiring! Check out... http://www.clearink.com/clearink/home/job.html From vznuri at netcom.com Mon Jul 1 00:45:27 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Mon, 1 Jul 1996 15:45:27 +0800 Subject: The Net and Terrorism In-Reply-To: Message-ID: <199606302244.PAA23220@netcom17.netcom.com> [TCM] >Can anything be done? To stop the likely effects of lots more >surface-to-air missiles, lots more nerve gas available on the black market, >and so on? > >In a word, "no." there are various parts of this essay I agree with, and other parts that I don't. your conclusion that such things are unstoppable is quite tenuous and not backed by evidence. what you fail to note is that law enforcement agencies usually benefit from the same innovations in technology that criminals benefit from. the FBI for example has vastly improved their ability to deal with criminal fingerprints through technology for example. in fact one could argue somewhat that government agencies stand to benefit more from new tehcnology because in some ways they are better organized and better funded than small nefarious cells of terrorists. however, I tend to agree that there is a continual arms race going on here, and that it's not necessarily desirable. the "solution" (TCM would argue against the use of such a word) is not to merely try to have a warfare, siege-like mentality imho, and a continual "trying to stay ahead of the criminals". we do not have regular open terrorism in the streets of the US and I see no reason to think there ever will be as TCM suggests. nevertheless what his essay misses, and many in law enforcement miss, are the root reasons for crime. I'm not going to sound like a liberal here and say criminals are blameless because they have been psychologically abused. its not excusable to react to any situation through crime or terrorism. however they have various gripes that are always seeded in reality. it seems to me no nation-state has ever experimented with trying to take away the root causes of violence and discontent. why? because a policeman holding a gun is so much more visceral and the public responds to this image readily. other "programs" that try to decrease discontent among the budding terrorists of tommorrow are usually ridiculed. it is very difficult to prove that they work or that they are worth the money. terrorists invariably have a patricular pathological psychological profile that sees the world in terms of "martyrs vs. villians" with the villians in the government, and the villians taking away or abusing respectable citizens. the "problem" of terrorism will be solved when we take the view that insanity and violence is *not* a natural aspect of human behavior (as TCM tends to suggest), and that there are specific environmental conditions that breed it. like malaria, if you take away the swamplike breeding grounds, you will largely remove it. such a thing is a radical hypothesis, but one that nonetheless has never really been tested in practice. >FBI Director Louis Freeh and the TLA spooks are already sounding the alarm >about the "Four Horsemen." Sen. Sam Nunn is calling for measures to ensure >that cyberspace is "secured" and that the Net is not used to further >chemical and biological terrorism. the military and spook establishments require threats to survive. I believe they are largely manufacturing a new one that has marginal actual danger content. >I'm not advocating such "terrorism," by the way, merely telling it like it is. ah yes, the standard amusing TCM disclaimer. hmmm, your signature suggests otherwise. >Keep your head down, avoid crowded downtown areas, prepare for moderate >disruptions, and reject arguments that an American Police State will do >anything to stop terrorism. once you lamented about the impractability of Duncan Frissel's suggestions for tax avoidance for regular people and a real society. many of your own suggestions seem to be to fit into the same kind of category of "not viable for regular human beings". >(Remember, terrorism is just warfare carried on by other means, with >apolgies to Von Clausewitz.) disagree. the purpose of warfare has traditionally been to seize something tangible like territory. terrorists are after intangibles-- namely, terror itself, disrupting a "peace process", etc. in warfare, the warfare is directly aimed at obtaining the "thing", like the way Hussein invaded Kuwait. terrorists do not obtain a physical "thing" by bombing some symbol. terrorism is extremely symbolic at the root. however I agree in the use of violence they are identical. Tim McVeigh apparently bombed the OKC Murrah building for a reason: he was pissed off over Waco. in a country in which the populace believes that the government is truly "of, by, or for the people" you won't see this kind of discontent and barbarianism. terrorism is not normal but generally an indication that a nation-state has gone badly off track and neglected some important psychological need of some significant part of its populace. From frantz at netcom.com Mon Jul 1 00:45:40 1996 From: frantz at netcom.com (Bill Frantz) Date: Mon, 1 Jul 1996 15:45:40 +0800 Subject: FTS2000 and Encryption? Message-ID: <199606302228.PAA19168@netcom7.netcom.com> At 1:57 PM 6/30/96 -0400, Mark O. Aldrich wrote: >... The [FTS2000 follow-on contract - WSF] >security policy and RFP materials are on the 'net (I can't get to the web >right now, or I'd post the URL with this message). Please post the URL when you can. >From what I remember, >the RFP does state that all payload data will be encrypted by the >Government using NSA-approved crypto and that the vendors are not to >"worry about" what's in the payloads. All they have to do is carry it >from point a to point b. Given that FTS2000 supports X.25 Packet Assembly Disassembly (PADs), there is a wide field ahead for screwing up such useful features as 8-bit transparent characters and data forwarding (i.e. When does the PAD decide it has a complete packet and actually send it). Try running emacs without good data forwarding control. ------------------------------------------------------------------------- Bill Frantz | The Internet may fairly be | Periwinkle -- Consulting (408)356-8506 | regarded as a never-ending | 16345 Englewood Ave. frantz at netcom.com | worldwide conversation. | Los Gatos, CA 95032, USA From mhw at wittsend.com Mon Jul 1 00:45:46 1996 From: mhw at wittsend.com (Michael H. Warfield) Date: Mon, 1 Jul 1996 15:45:46 +0800 Subject: secure WWW on UNsecure servers In-Reply-To: <199606292310.TAA12274@jekyll.piermont.com> Message-ID: Perry E. Metzger enscribed thusly: > Joseph Sokol-Margolis writes: > > > How might one arrange for these encrypted web pages residing on an > > > (unsecure) server to get decrypted only at the client's machine? > > > This should work as transparently as possible for the user; > > > except possibly for a userid/password query it should look like a > > > normal web browsing session. For now, we can assume that the > > > decrypted web pages contain only HTML and images in .gif format. > > It seems like it could be done by writing a plug-in that passed the > > encrypted page to pgp (or had it internally) and used that to decrypt it. > > The plug-in could store the pass-phrase locally and clear when the user > > disconnected. > The "Right Way" to do what was asked is to use S/HTTP. However, > Netscape, in their wisdom, has not implemented it. Uh... Wait a minute... The only ones to blame for the dearth of S/HTTP systems are Tereasa systems and EIT. While the rest of us have been working on and developing for SSL those guys have stonewalled and sat on it. I know. You ever try browsing for S/HTTP information. Most of the links on their site with any useful information refuse access to anyone other that EIT members. We've had a freely available SSL reference implentation available for ages. AFAIK they STILL don't have a working reference implementation. When they do, you can bet it will be EIT only. They're so hell bent on keeping total control over it that they now strangled it to death. We now have freeware SSLeay and nobody is even interested in screwing S/HTTP. Forget that it's a better idea. The idea was stillborn because the parents strangled it a birth. > Perry Mike -- Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com (The Mad Wizard) | (770) 925-8248 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! From wb8foz at nrk.com Mon Jul 1 00:45:52 1996 From: wb8foz at nrk.com (David Lesher) Date: Mon, 1 Jul 1996 15:45:52 +0800 Subject: FTS2000 and Encryption? In-Reply-To: Message-ID: <199606302206.SAA01870@nrk.com> > I imagine that we'll see contining developments in the STU-III area (the > most popular crypto phone in Government use), as well as new devices > supporting Type I and Type II crypto for use on the FTS2000 nets. I've heard an ISDN STU-III is either out or coming RSN. One bugaboo I recall was that FTS2000 would not let us make a frac T1 off-net connection. Alas, that included the remote diagnostic number of the equip. mfgr ;-{ -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From ericm at lne.com Mon Jul 1 00:46:02 1996 From: ericm at lne.com (Eric Murray) Date: Mon, 1 Jul 1996 15:46:02 +0800 Subject: [Fwd: Doubleclick] In-Reply-To: <9606301243.AA03585@jon.clearink.com> Message-ID: <199606302113.OAA27031@slack.lne.com> Yanni writes: > > > [short-attention-span summary: someone's using Netscape cookies as a > > way to target-market browser users. Since I hate being targeted, I > > came up with a hack "fix" to prevent it, see below] > > Whatever. Whatever? > > > >Date: Wed, 26 Jun 1996 19:42:00 -0700 > > > >From: Scott Wyant Subject: COMMENT: > > > >Cookie dough > > > > > > > >If you're like me, you never went to a site called "doubleclick." > > > >So how did they give you a cookie? After all, the idea of the > > > >cookie, according to the specs published by Netscape, is to make a > > > >more efficient connection between the server the delivers the > > > >cookie and the client machine which receives it. > > > >But we have never connected to "doubleclick." > > Scott must have. Navigator is very picky about where a cookie comes > from and what is put in the domain field of the cookie. I had a cookie in my cookies file from them also, and had not been to their site before. There's a very obvious way to get their cookie put in your cookies file without you explicitly going to their site. I'm sure a smart boy like you could figure it out. [...] > > My own experiments shows that simply removing the cookie file (~/. > > netscape/cookies) works to "fix" this, as long as you don't have > > old netscape config files lying about (then it pops a dialog asking if > > you want to nuke the old config, and uses the old cookies file). > > Netscape (version 3.0b for Linux) doesn't recreate the cookies file. > > Of course this "fix" means that I'm not able to take advantage of > > whatever cookies might offer me, but since I can't control them and > > never see them there's probably not a lot that they do that I'll miss. > > Who cares if you can't control them? They don't contain any > information that you don't already know about! The server can send whatever it wants to you in the Set-Cookie: header. Read the spec. The user can set Netscape to pop up an alert when a cookie is sent, and it says what the cookie is. However there's no standard encoding format so you get stuff like "IAF=zb87" or "X=VGhlIGxhdW5jaCBjb2RlIGlzICdiYW5kZXJzbmF0Y2gnCgAA" which as far as most users are concerned is gibberish, although it could be base64 encoded "The launch code is 'bandersnatch'". Most people will accept whatever they're given, assuming that they can even find the preference for accepting cookies. -- Eric Murray ericm at lne.com ericm at motorcycle.com http://www.lne.com/ericm PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF From warlord at MIT.EDU Mon Jul 1 00:46:10 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Mon, 1 Jul 1996 15:46:10 +0800 Subject: MacPGP 2.6.3 released In-Reply-To: Message-ID: <199607010105.VAA30534@ihtfp.org> > 2) When extracting multiple keys into an ascii file, the each key is > put separately into its own block, neatly labelled with the key id > and user ids. I hope there is a way to put all the keys into a single key block. > 5) It has an option for using SHA1 as the hashing algorithm for PGP > signatures, instead of MD5. (Dobbertin has recently made some > dramatic progress towards cryptanalyzing MD5. If he is successful, > this might call into question the reliability of PGP signatures > under certain circumstances.) This is an experimental feature > which is not compatible with earlier versions of PGP. This is ok... > (It is not compatible with the proposed standards of PGP 3.0 > either. But I think this is a horrible mistable. Besides the fact that there is no "PGP 3.0" (there is "PGPlib", however), why isn't your code compatible with the implementation that we're working on? This can be highly confusing when PGPlib comes out and messages signed with PGPlib can't be verified by your code, and vice-versa. Bad idea, Zig. > But 3.0 is supposed to be deliberately incompatible with > all 2.x versions to avoid the RSA patent issue.) HUH? Where did you get this faulty information? PGPlib (as I said, there is no PGP 3.0) will have full 2.6 support. So, I don't know where you heard this, but I would recommend you verify your information with people close to the project before spreading more FUD around. Enjoy! -derek From markm at voicenet.com Mon Jul 1 00:46:13 1996 From: markm at voicenet.com (Mark M.) Date: Mon, 1 Jul 1996 15:46:13 +0800 Subject: arcfour In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sat, 29 Jun 1996, Steve Reid wrote: > A few questions about RC4... > > I understand that RC4 is like a one-time-pad, in that a key can not be > used more than once. What about adding a different salt to the key for > each encryption? Would that be sufficent, even if the salt (but not the > rest of the key) were known to an attacker? Probably. > > Is there any way to identify and weed out weak keys? Keys starting with the sequence "00 00 FD", and "03 FD FC" are weak. > > Does anyone have any sample data I can use to test an RC4 implementation? > A key and the first few bytes of the stream should be sufficent. There are a few test vectors included in the original alleged-RC4 file available on the usual crypto FTP sites. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xe3bf2169 http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348 "Freedom is the freedom to say that two plus two make four. If that is granted, all else follows." --George Orwell, _1984_ -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMdbm/LZc+sv5siulAQHksQP9GkdqWiJ7s2ST4QF9ZwcFtFxzTk/PJskh ReNuvXEmWFChkP0AVHJq8USFJDL4CuN4GI7d3sQpn+2HjFw+bcklCuH9zJrret2Y mD7boKcYhzvi/abaKY9FF9/BNtC33yahrjhEIxYFx6QNTLGM9KCjBZIG7/sOAQvq aMSYbfVhvz8= =cgR3 -----END PGP SIGNATURE----- From alano at teleport.com Mon Jul 1 00:46:19 1996 From: alano at teleport.com (Alan Olsen) Date: Mon, 1 Jul 1996 15:46:19 +0800 Subject: Cookies anyone? Message-ID: <2.2.32.19960630205357.00af51c8@mail.teleport.com> At 04:34 PM 6/29/96 -0700, vanished at alpha.c2.org wondered what happens if he tosses his cookies: >While rummaging around in my cookie jar, I found this message--along with some >cookies. > >:Netscape HTTP Cookie File >:# http://www.netscape.com/newsref/std/cookie_spec.html >:# This is a generated file! Do not edit. > >Rather than bring down my system by experimenting, I thought I'd ask the list, >"What happens if I delete this file?" and "What happens if I delete (edit) the >cookies?" If you edit the file, Netscape may no longer be able to read the file correctly. (Bookmarks are similar in this respect. Netscape code is pretty picky about things like line termination and the like.) If you toss your cookies, Netscape will probibly bring you more cookies, but they will be different cookies than the last batch. Beware of burned cookies, fortune cookies (espicially ones with "Good Times" written on them), raisin cookies (especially if the raisins move), Brownies under the age of consent, and the cookies from dusty vending machines (Especially the hairy green ones). > >This may have been discussed before, but until now I never checked for cookies. You might also read the cookie recipie at http://www.netscape.com/newsref/std/cookie_spec.html . I hear it was written by a disgruntled Mrs. Fields employee. >Thanks for your consideration of this matter. You are welcome. Have a nice day. --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon "Microsoft -- Nothing but NT promises." From markm at voicenet.com Mon Jul 1 00:46:26 1996 From: markm at voicenet.com (Mark M.) Date: Mon, 1 Jul 1996 15:46:26 +0800 Subject: rsync and md4 In-Reply-To: <199606301849.LAA23313@netcom18.netcom.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sun, 30 Jun 1996, Mike Duvos wrote: > Has MD5 been broken again? Or are you referring to that little > collision problem which is unlikely to affect the security of the > typical real life application? The point isn't whether MD5 can be attacked in a "real life" application, but that there is a flaw in MD5. This means that it is weaker than an algorithm like SHA that has no known cryptanalytical attacks against it. Besides, a hashing algorithm with a 128-bit output can be broken as easily as a 64-bit encryption key. MD5 shouldn't be used for that reason alone. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xe3bf2169 http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348 "Freedom is the freedom to say that two plus two make four. If that is granted, all else follows." --George Orwell, _1984_ -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMdblK7Zc+sv5siulAQHlCgP7BHta126r27mc0Xw9UKy4wnXhzu3AbRBM QauVyh5hHvWKMJ7tXZEyDOtzvGCL3KalHCcXE7cfnybhOS6D+w9K/ZTafY0ASwP+ q6VHT1F3r0b616hL0wfp165X/qTVYKb4urWRU0p+hv9mQ0ET0ZoYpHJz66+7YJ5o AcobTzBNQyk= =oyfI -----END PGP SIGNATURE----- From markm at voicenet.com Mon Jul 1 00:46:31 1996 From: markm at voicenet.com (Mark M.) Date: Mon, 1 Jul 1996 15:46:31 +0800 Subject: Cookies anyone? In-Reply-To: <199606292334.QAA20775@infinity.c2.org> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sat, 29 Jun 1996 vanished at alpha.c2.org wrote: > While rummaging around in my cookie jar, I found this message--along with > some cookies. > > :Netscape HTTP Cookie File > :# http://www.netscape.com/newsref/std/cookie_spec.html > :# This is a generated file! Do not edit. > > Rather than bring down my system by experimenting, I thought I'd ask the list, > "What happens if I delete this file?" and "What happens if I delete > (edit) the cookies?" I know that there were already several replies so I'll just add a little more information. If you are in DOS, you can prevent the cookies file from being written to by making it read-only (attrib +r cookies.txt). Ditto for UNIX. Also, if you have Netscape 3.04b, you can enable a security option that notifies you whenever a server attempts to send you a cookie. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xe3bf2169 http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348 "Freedom is the freedom to say that two plus two make four. If that is granted, all else follows." --George Orwell, _1984_ -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMdbi4bZc+sv5siulAQGybAP9Fs9eo/8/eiWPRrv7Y8u4jVUbwFFAk6/2 MAkNZJ4IgaZpKmb2lLZwmLbYtbE6sZ1W/KE7N5Hgm84M6vhKGI05vRazgGzHxjlX u6s3dgBnc3ojokd61ZgJA/tXRasNEjRKNuH7AiYuqMym+rkrUxFfNQPcpnCDAyh4 MrpmZcQ0ByY= =xFS+ -----END PGP SIGNATURE----- From perry at piermont.com Mon Jul 1 00:46:41 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 1 Jul 1996 15:46:41 +0800 Subject: rsync and md4 In-Reply-To: <199606301849.LAA23313@netcom18.netcom.com> Message-ID: <199606301942.PAA18888@jekyll.piermont.com> Mike Duvos writes: > Perry writes: > > > I'm afraid you are totally wrong here. MD4 has been completely > > broken. I wouldn't trust it for anything. In fact, MD5 is no longer > > trustworthy, either -- it was broken recently. Stick to SHA. > > Has MD5 been broken again? Or are you referring to that little > collision problem which is unlikely to affect the security of the > typical real life application? I'm not refering to the old pseudocollision problem in the compression from over a year back. A couple of months ago a real break was made as I recall. It wasn't perfect but it was enough. From jon at aggroup.com Mon Jul 1 00:46:45 1996 From: jon at aggroup.com (Yanni) Date: Mon, 1 Jul 1996 15:46:45 +0800 Subject: [Fwd: Doubleclick] Message-ID: <9606301243.AA03585@jon.clearink.com> > [short-attention-span summary: someone's using Netscape cookies as a > way to target-market browser users. Since I hate being targeted, I > came up with a hack "fix" to prevent it, see below] Whatever. > > >Date: Wed, 26 Jun 1996 19:42:00 -0700 > > >From: Scott Wyant Subject: COMMENT: > > >Cookie dough > > > > > >If you're like me, you never went to a site called "doubleclick." > > >So how did they give you a cookie? After all, the idea of the > > >cookie, according to the specs published by Netscape, is to make a > > >more efficient connection between the server the delivers the > > >cookie and the client machine which receives it. > > >But we have never connected to "doubleclick." Scott must have. Navigator is very picky about where a cookie comes from and what is put in the domain field of the cookie. Go read about the domain field in the Cookie spec. Then, write a CGI to play with setting/deleting cookies yourself. You will find out that it is actually almost an art to even get a cookie set. > > >Pay special attention to the information at: > > > Maybe this scott wyant guy works for doubleclick? ;) > > >You'll see that the folks at "doubleclick" make the point that > > >this entire transaction (between their server and your machine) > > >is "transparent to the user." In plain English, that means > > >you'll never know what hit you. No sh*t. The cookie spec says that as well. > > >So what's happening is, subscribers to the doubleclick service put > > >a "cookie request" on their home page FOR THE DOUBLECLICK COOKIE. There is no such thing as a "cookie request". It is up to the browser to send the cookie and up to you to parse it out of the HTTP header. There is no way that the browser is going to send the cookie unless the domain and path matches. Go read the Cookie spec. > > >When you hit such a site, it requests the cookie and take a look to > > >see who you are, and any other information in your cookie file. > > >It then sends a request to "doubleclick" with your ID, requesting > > >all available marketing information about you. (They're very coy > > >about where this information comes from, but it seems clear that > > >at least some of it comes from your record of hitting > > >"doubleclick" enabled sites.) You then receive specially > > >targetted marketing banners from the site. In other words, if > > >Helmut Newton and I log on to the same site at the exact same > > >time, I'll see ads for wetsuits and basketballs, and Helmut will > > >see ads for cameras. Whatever. What are you saying doesn't make any sense if you knew what the heck you were talking about. > > >If you log in to a "doubleclick" enabled site, and it sends a > > >request for your "doubleclick" cookie, and you don't have one, why > > >each and every one of those sites will hand you a "doubleclick" > > >cookie. Whatever. > > >Neat, huh? And you can bet they're going to be rolling in the > > >cookie dough. > > >Me, I edit my cookie file each and every time I go to a new > > >site. (Despite the dire warning at the top of the file, you can > > >edit it with no adverse consequences.) Whatever. > > >Oh, and one other thing. If you edit your cookie file BEFORE > > >you connect to "doubleclick," and then jump around at the site, > > >you'll notice that they DON'T hand you a cookie. I probed the > > >site pretty carefully, checking the MagiCookie file, and > > >nothing happened. > > > > > >Until I closed Netscape. The LAST thing the 'doubleclick" site did > > >was.... > > >You guesed it. They handed me a cookie. So much for making > > >the client-server negotiation more efficient. (In fairness, > > >that cookie may have been in memory until I closed Netscape -- I > > >can't tell for sure.) Scott Wyant > > >Spinoza Ltd. No duh. Navigator doesn't fflush() the cookie file until you quit. It keeps it in memory for speed. > My own experiments shows that simply removing the cookie file (~/. > netscape/cookies) works to "fix" this, as long as you don't have > old netscape config files lying about (then it pops a dialog asking if > you want to nuke the old config, and uses the old cookies file). > Netscape (version 3.0b for Linux) doesn't recreate the cookies file. > Of course this "fix" means that I'm not able to take advantage of > whatever cookies might offer me, but since I can't control them and > never see them there's probably not a lot that they do that I'll miss. Who cares if you can't control them? They don't contain any information that you don't already know about! > I think that Netscape should add a configuration to the browser so > that paranoid privacy fanatics like me can disable cookies or better > yet control which ones that we'll accept. Navigator 3.0 has a preference. -jon (who has had more than enough real world experience with cookies) Jon (no h) S. Stevens yanni at clearink.com ClearInk WebMagus http://www.clearink.com/ finger pgp at sparc.clearink.com for pgp pub key We are hiring! Check out... http://www.clearink.com/clearink/home/job.html From frantz at netcom.com Mon Jul 1 00:46:58 1996 From: frantz at netcom.com (Bill Frantz) Date: Mon, 1 Jul 1996 15:46:58 +0800 Subject: The Net and Terrorism Message-ID: <199606301954.MAA20179@netcom7.netcom.com> Thanks Tim for your essay. The only thing I would add is that terrorist attacks on pure information resources (e.g. the banking system) are likely to result in many fewer casualties than terrorist attacks on physical entities (e.g. major cities). Another way of saying it is, email bombs are preferable to snail mail bombs. ------------------------------------------------------------------------- Bill Frantz | The Internet may fairly be | Periwinkle -- Consulting (408)356-8506 | regarded as a never-ending | 16345 Englewood Ave. frantz at netcom.com | worldwide conversation. | Los Gatos, CA 95032, USA From mpd at netcom.com Mon Jul 1 00:47:04 1996 From: mpd at netcom.com (Mike Duvos) Date: Mon, 1 Jul 1996 15:47:04 +0800 Subject: rsync and md4 In-Reply-To: <199606301747.NAA18634@jekyll.piermont.com> Message-ID: <199606301849.LAA23313@netcom18.netcom.com> Perry writes: > I'm afraid you are totally wrong here. MD4 has been completely > broken. I wouldn't trust it for anything. In fact, MD5 is no longer > trustworthy, either -- it was broken recently. Stick to SHA. Has MD5 been broken again? Or are you referring to that little collision problem which is unlikely to affect the security of the typical real life application? From maldrich at grci.com Mon Jul 1 00:47:10 1996 From: maldrich at grci.com (Mark O. Aldrich) Date: Mon, 1 Jul 1996 15:47:10 +0800 Subject: FTS2000 and Encryption? In-Reply-To: <9605288360.AA836007879@mailgate5.kpmg.com> Message-ID: On Fri, 28 Jun 1996 nson at kpmg.com wrote: > I trying to find out if there are any talks, decisions or even standards being > discussed for encryption and FTS2000? The current FTS2000 contains little in the way of protection other than the proprietary standards undertaken by the vendors (mostly OPSEC and PHYSEC), and the "customer" level crypto that's operated above the layers provided by the FTS2000 networks. In the FTS2000 follow-on contract, however, things are going to change. The Govvies are mandating compliance with a security policy (wow - that's an incredible change) and network management traffic has to be protected. Further, overhead and orderwire bytes, etc., will also have to be protected. The Government isn't mandating how, but the bidding vendors are expected to propose solutions. Further, there are going to be some standards for points of demarcation between adjacent networks. The security policy and RFP materials are on the 'net (I can't get to the web right now, or I'd post the URL with this message). From what I remember, the RFP does state that all payload data will be encrypted by the Government using NSA-approved crypto and that the vendors are not to "worry about" what's in the payloads. All they have to do is carry it from point a to point b. I imagine that we'll see contining developments in the STU-III area (the most popular crypto phone in Government use), as well as new devices supporting Type I and Type II crypto for use on the FTS2000 nets. ------------------------------------------------------------------------- |Just as the strength of the Internet is |Mark Aldrich | |chaos, so the strength of our liberty |GRCI INFOSEC Engineering | |depends upon the chaos and cacophony of |maldrich at grci.com | |the unfettered speech the First Amendment|MAldrich at dockmaster.ncsc.mil | |protects - District Judge Stewart Dalzell| | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From maldrich at grci.com Mon Jul 1 00:47:15 1996 From: maldrich at grci.com (Mark O. Aldrich) Date: Mon, 1 Jul 1996 15:47:15 +0800 Subject: crypto and bagpipes [NOISE] In-Reply-To: <199606292214.PAA15653@mail.pacifier.com> Message-ID: On Sat, 29 Jun 1996, jim bell wrote: > At 01:01 PM 6/29/96 -0700, Michael Myers wrote: > >>Perry E. Metzger wrote: > >>| vinnie moscaritolo writes: > >>| > >>>Mr Brooks, the piper, > > (...) > >>| > >>>claims he wasn't playing a musical > >>| > >>>instrument, but practising with a weapon! > >>| > >>> > >>| > >>>The imagination boggles if his claim is successful! > >>| > >>| No one who has heard sustained bagpipe playing can deny the fact that > >>| bagpipes are indeed an instrument of war, with no legitimate place in > >>| peaceful everyday society. > >>| > >>| Perry > > > >Of course...when bagpipes are outlawed... > > Do you mean the FULL-AUTO "Assault Bagpipes," the ones that produce more > than one "toot" per blow? Or the more "responsible" (but still dangerous!) > semi-auto bagpipes, where you have to blow each time you want a toot. I understand that, even now, the Government is testing nuclear powered bagpipes (NPB's), unmanned ariel bagpipes (UAB's), and highly classified inter-continental bagpipe delivery systems (IBDS's). Can this be the end of civilization as we know it? ------------------------------------------------------------------------- |Just as the strength of the Internet is |Mark Aldrich | |chaos, so the strength of our liberty |GRCI INFOSEC Engineering | |depends upon the chaos and cacophony of |maldrich at grci.com | |the unfettered speech the First Amendment|MAldrich at dockmaster.ncsc.mil | |protects - District Judge Stewart Dalzell| | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From perry at piermont.com Mon Jul 1 00:47:22 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 1 Jul 1996 15:47:22 +0800 Subject: rsync and md4 In-Reply-To: <199606300025.UAA04020@darius.cris.com> Message-ID: <199606301747.NAA18634@jekyll.piermont.com> "David F. Ogren" writes: > > MD4 is a hashing algorithm, but it can be used for checksuming. > > > > > > A first guess might be 2^-128 but I know that this sort of thing is > > > rarely that simple. Is md4 that good? > > > > 2^-64. > > Are you sure? MD5 is a 128 bit hash, and the probability of collision with > a specific random piece of data (of any length) should be 2^-128. I could > be wrong, but do you have any explanation of why you think the answer is > 2^-64. Does the phrase "birthday attack" mean anything to you? > > > Why md4? I chose md4 because it seemed to be the fastest of the > > > reputedly strong, publicly available checksum algorithms. Suggestions > > > for alternative algorithms are welcome. > > MD4 is the fastest hash I am aware of. However, there has been some > successful attacks against two rounds of MD4. Although this is not to > suggest that MD4 is insecure, MD5 almost as fast (~1.3 times slower) and > more secure. I'm afraid you are totally wrong here. MD4 has been completely broken. I wouldn't trust it for anything. In fact, MD5 is no longer trustworthy, either -- it was broken recently. Stick to SHA. Perry From ogren at cris.com Mon Jul 1 00:47:27 1996 From: ogren at cris.com (David F. Ogren) Date: Mon, 1 Jul 1996 15:47:27 +0800 Subject: rsync and md4 Message-ID: <199606300025.UAA04020@darius.cris.com> -----BEGIN PGP SIGNED MESSAGE----- > On Sat, 29 Jun 1996, Andrew Tridgell wrote: > > > Now I'd like to calculate some probabilities of failure of the > > algorithm. The fundamental thing I need to know to do the calculation > > is the probability of a random piece of data of length n having the > > same md4 checksum as another given piece of data of the same length. > > MD4 is a hashing algorithm, but it can be used for checksuming. > > > > A first guess might be 2^-128 but I know that this sort of thing is > > rarely that simple. Is md4 that good? > > 2^-64. Are you sure? MD5 is a 128 bit hash, and the probability of collision with a specific random piece of data (of any length) should be 2^-128. I could be wrong, but do you have any explanation of why you think the answer is 2^-64. > > Why md4? I chose md4 because it seemed to be the fastest of the > > reputedly strong, publicly available checksum algorithms. Suggestions > > for alternative algorithms are welcome. MD4 is the fastest hash I am aware of. However, there has been some successful attacks against two rounds of MD4. Although this is not to suggest that MD4 is insecure, MD5 almost as fast (~1.3 times slower) and more secure. David F. Ogren | ogren at concentric.net | "A man without religion is like a fish PGP Key ID: 0xC626E311 | without a bicycle" - ------------------------------|---------------------------------------- Don't know what PGP is? | Need my public key? It's available Send a message to me with the | by server or by sending me a message subject GETPGPINFO | with the subject GETPGPKEY -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMdXI1fBB6nnGJuMRAQFghwP/W0ZzdAYcbsdsCcrA97cwfw4uwug8sJWd bjWD4Z+ski7kE4HN7bj2dRLFGke6EQZ8DiebnLIRPqGCxeyxdzotqcrsdKrgp+eN eMfjp0Y3wVwvrPn2kVI5M0iI9kpX8tvvLh7Kp3OBvHdsBTim4aPPuM8xR2SHLSgv /SYnhEBeYLA= =VPWe -----END PGP SIGNATURE----- From dm at amsterdam.lcs.mit.edu Mon Jul 1 00:49:54 1996 From: dm at amsterdam.lcs.mit.edu (David Mazieres) Date: Mon, 1 Jul 1996 15:49:54 +0800 Subject: anonymous mailing lists Message-ID: <199607010012.UAA04061@amsterdam.lcs.mit.edu> iang at cs.berkeley.edu (Ian Goldberg) wrote: > Yesterday, Dave and I discussed at length a design for a new > remailer network... If you are thinking of revamping the mixmaster protocol, I have a couple of suggestions/requests. One basic philosophy motivating all of these ideas is that I would like to avoid requiring any "centralized control" or consensus about exactly what remailers should exist. This can be achieved by pushing a lot of configuration parameters into the anonymous messages, where the sender has control over them First, D-H (or RSA with short-lived keys) is an extremely good idea. Long-lived encryption keys (like the current mixmaster secret keys) should not be used for secrecy. However, it would also be good if you could avoid any man-in-the middle weaknesses. Specifically, with simple D-H, an active attack could be used to record all anonymous messages from A to B, and weeks later if B is compromised the messages could then be decrypted. Thus, when sending from remailer A to remailer B, B's identity must be proven with B's public key (either through RSA encrypting A's half of the D-H secret key and a challenge with B's key, or by having B sign his half of the D-H secret and a nonce). Moreover, since not every remailer will be known to every other, and since people may want to set up and test new remailers for a while before announcing them to the world, a strong cryptographic hash or MAC of B's public key should be embedded in the remailed-message itself. Thus, A can query B for its public key and verify the public key, then use this public key to know it is talking to the real "next hop". It would also be nice to avoid having every message go through every remailer unless the sender actually want's it to. In particular, a larger remailer network should not have to translate into more traffic for all the remailers, as it would be nice to have as large a network as possible. Thus, if, for instance, remailer A sends messages out every half hour, and A wants to send messages to B, C, and D--why not send the three useful messages to B, C, and D all in the same round, and just send garbage to all the other remailers. Of course, messages should be allowed to have as many next-hops as necessary, so that if you don't want A to know that a message's next hop is B, you can ask it to send the same message to C, F, and G as well as to B. That way, A won't know the real next hop. Now the next question is, when sending garbage to all the other remailers, should "all the other remailers" be defined by A or by the anonymous message itself. Here, A should definitely have some list of remailers it knows about. However, maybe at each hop a message should be able to supply 6-byte (IP address/port number) addresses of other remailers to which garbage should be send. If there appears to be a remailer at the address supplied, and that remailer is not already known to A, perhaps the new remailer should automatically be added to the list of garbage recipients (and then automatically deleted if it stops responding for 24 hours). In the event that A has a real backlog of messages for a particular destination B, it might make sense for A to hand some of those messages off to other remailers instead of just feeding them garbage. That way, even when one remailer is receiving a lot of mail it won't be immediately clear to it's operator which the preceeding hop is. Given all these features, of course, it would be necessary to have variable-length next-hop-descriptors instead of the fixed size and number currently in mixmaster. Is there some reason this can't be done? The total actual length of the 3-DES encrypted portion of the mixmaster message shouldn't be available to any but the last hop. Thus, is there something wrong with padding the message (or even just the 10K header portion of the message if you want to keep the message in two parts) with garbage to be 3-DES decrypted into more garbage at the next hop? Of course the padding should be done in such a way that the final hop does not know how much space the remailing headers originally took up, but this shouldn't be too hard (for instance the padding could go between the headers and the message data). Finally, another very useful feature would be some support for improved response blocks. Right now aliases like alpha.c2.org don't offer very much security because they have to go through Type-1 remailers. However, one could imagine mixmaster extensions to allow it to work for replies as well as anonymous messages. Imagine a nym server with just a 10K mixmaster header as a response block. The server would pad a received message to 10K, prepend the 10K mixmaster header, and send off the message. At each hop of the way, the message would get "decrypted" with some 3-DES key (and possibly a weird IV). However, couldn't the recipient then just "encrypt" the message to recover the plaintext? Of course, this might undesireably weaken the replay prevention, but there's got to be a good solution for response blocks somewhere near what we currently have for mixmaster. David From perry at piermont.com Mon Jul 1 01:35:30 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 1 Jul 1996 16:35:30 +0800 Subject: rsync and md4 In-Reply-To: <199607010408.AAA21171@darius.cris.com> Message-ID: <199607010520.BAA19288@jekyll.piermont.com> "David F. Ogren" writes: > > I'm afraid you are totally wrong here. MD4 has been completely > > broken. I wouldn't trust it for anything. In fact, MD5 is no longer > > trustworthy, either -- it was broken recently. Stick to SHA. > > > > Unless you are aware of some attack that I'm not, this is the most current > information on MD4 and MD5: > > MD4 has had successful attacks on limited rounds. It has _not_ been > completely cracked. Could you please quit spewing inaccurate information? Dobbertin completely cracked MD4 already, and found MD5 collisions in a document circulated on May 2nd that mean it isn't far behind. The comments you are making are dangerous because they encourage people who don't know better to think that hashes which are known unsafe are safe. Please quit posting until you start monitoring the field enough to have accurate sources of information. [...] Forward from sci.crypt on 11 Jun 1996 14:22:03 GMT wrote (Re: "MD5 discussion"): >In view of the continuing discussion about MD5, I want to make a few >comments, which hopefully can help to avoid some misunderstandings >and misinterpretations: >1. In February 1996 my paper "Cryptanalysis of MD4" appeared (Fast >Software Encryption, Cambridge Proceedings, Lecture Notes in Computer >Sciences, vol. 1039, Springer-Verlag, 1996, pp. 71-82). In this >paper, as an example two versions of a contract are given with the >same MD4 hash value. Alf sells his house to Ann, in the first version >the price is $176,495 and in the second it is $276,495. The contracts >have been prepared by Alf. Now if Ann signs the first version with >$176,495 then Alf can altered to price to $276.495 ... In principle >this risk occurs, if you use a hash function for which (senseful) >collisions can be found, whenever you allow another person to have >influence on the contents of a document you are signing. [...] From bobpal at cdt.org Mon Jul 1 01:51:26 1996 From: bobpal at cdt.org (Bob Palacios) Date: Mon, 1 Jul 1996 16:51:26 +0800 Subject: REMINDER: SAFE Forum Cybercast - Monday July 1, 12 noon - 6 pm EDT Message-ID: <31D75EAB.41A7@cdt.org> SECURITY AND FREEDOM THROUGH ENCRYPTION FORUM MONDAY JULY 1, 1996 STANFORD, CA 9:00 am - 3:00 pm PDT / 12:00 noon - 6:00 pm EDT / 1600 - 2000 GMT On July 1, 1996 in the heart of California's Silicon Valley, members of Congress and prominent computer industry leaders and privacy advocates will meet to discuss the need to reform U.S. encryption policy. The SAFE Forum will bring together members of Congress, privacy advocates, cryptographers, and industry leaders for a discussion on the need to reform U.S. encryption policy. If you can't attend the SAFE Forum in person, you can still participate by attending the cybercast of the event. The cybercast will include still photos of the conference, a RealAudio broadcast of the forum, and a telnet chat room for netizens to discuss the event and cryptography issues. Just visit the SAFE Forum web site on Monday for the necessary links: http://www.crypto.com/safe/ (You will need to be a copy of RealAudio installed on your computer. Visit http://www.realaudio.com/ for a FREE copy of Real Audio). The SAFE Forum Cybercast is brought to you with the help and support of: MediaCast (http://www.mediacast.com/) and AudioNet (http://www.audionet.com/) --------------------------------------------------------------------------- Event Information * Location: Kresge Auditorium at Stanford University, Stanford, California * Date: July 1, 1996, 9:00 am - 3:00 pm Program: 9:00 - 9:15 Welcome Rep. Anna Eshoo (D-Ca), co-host Rep. Tom Campbell (R-Ca), co-host Sen. Patrick Leahy (D-Vt) (by satellite) Jerry Berman, Center for Democracy and Technology 9:15 - 10:15 The Need for Locks and Keys on the GII: An Encryption Overview Marc Andreessen, Netscape Communications Lori Fena, Electronic Frontier Foundation Eric Schmidt, Sun Microsystems Craig Mundie, Microsoft Corporation 10:15 - 10:30 Technology Demo: The Need for Locks & Keys -- Packet Sniffing on the Internet (Cylink Corporation) 10:30 - 10:45 Break 10:45 - 11:45 How U.S. Encryption Policy Fails to Meet User Needs Herbert Lin, National Research Council Jim Omura, Cylink Corporation Tim Oren, CompuServe Incorporated Phil Zimmermann, PGP, Inc. Todd Lappin, Wired Magazine -- Introducing "Stories of Real-Life Encryption Users" 11:45 - 1:00 Lunch 1:00 - 1:45 The Cryptographers' Report: "Forty Bits Is Not Enough" Matt Blaze, AT&T Whitfield Diffie, Sun Microsystems Bruce Schneier, Counterpane Systems Eric Thompson, Access Data Tom Parenty, Sybase Technology Demo: The Genie is Out of the Bottle -- A World Wide Web Tour of Good Cryptography Available Outside of the United States 1:45 - 2:45 Addressing Law Enforcement Concerns in a Constitutional Framework Ken Bass, Venabel, Baetjer, Howard and Civiletti Cindy Cohn, McGlashan & Sarrail Michael Froomkin, University of Miami Law School John Gilmore, Electronic Frontier Foundation Grover Norquist, Americans for Tax Reform Nadine Strossen, American Civil Liberties Union Daniel Weitzner, Center for Democracy and Technology 2:45 - 3:00 Conclusion Members of Congress expected to participate include: * Rep. Anna Eshoo (D-CA) * Rep. Tom Campbell (R-CA) * Rep. Zoe Lofgren (D-CA) * Sen. Conrad Burns (R-MT) * Sen. Patrick Leahy (D-VT) (by satellite) --------------------------------------------------------------------------- Sponsors Of The SAFE Forum: America Online American Civil Liberties Union Americans for Tax Reform AT&T Audionet Business Software Alliance Center for Democracy and Technology Center for National Security Studies Commercial Internet eXchange CompuServe Incorporated Computer and Communications Industry Association Computer Professionals for Social Responsibility Cylink Corporation Digital Secured Networks Technology EDS Electronic Frontier Foundation Electronic Messaging Association Electronic Privacy Information Center Information Technology Association of America IEEE - USA ManyMedia MediaCast Media Institute Microsoft Corporation National Association of Manufacturers Netcom Online Communication Services Netscape Communications Corporation Novell, Inc. Oracle Corporation Pacific Telesis Group Pretty Good Privacy, Inc. Prodigy, Inc. Progress and Freedom Foundation Rent-a-Computer Securities Industry Association Software Publishers Association Sun Microsystems, Inc. Sybase, Inc. Voters Telecommunications Watch Wired Magazine --------------------------------------------------------------------------- CORRECTION An earlier Policy Post listed Matt Blaze with Lucent Technologies. That information was incorrect; he is with AT&T Research. --------------------------------------------------------------------------- From perry at piermont.com Mon Jul 1 01:52:47 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 1 Jul 1996 16:52:47 +0800 Subject: MD5 breaks, etc. Message-ID: <199607010408.AAA19179@jekyll.piermont.com> 1) On the question of MD4, it has been demonstrated that one can generate multiple documents with the same hash -- an example was given in a paper a while back of two contracts, identical but for the dollar sum agreed two, with identical MD4 hashes. That demonstrates that MD4 is useless. 2) Hans Dobbertin on May 2nd released a short paper that circulated widely on the net describing collisions in the MD5 compression function. Several people have asked me for references on this. I cannot give you anything -- all I have is postscript of the document, which had not been published in any journal when I last checked. However, the result is widely known. MD5 is *not* something that should be trusted going forward, and I hope the next version of PGP uses SHA-1. Perry From ogren at cris.com Mon Jul 1 02:05:33 1996 From: ogren at cris.com (David F. Ogren) Date: Mon, 1 Jul 1996 17:05:33 +0800 Subject: rsync and md4 Message-ID: <199607010408.AAA21171@darius.cris.com> -----BEGIN PGP SIGNED MESSAGE----- Subject: Re: rsync and md4 To: perry at piermont.com, ogren at cris.com Cc: markm at voicenet.com, Andrew.Tridgell at anu.edu.au, cypherpunks at toad.com > > "David F. Ogren" writes: > > Are you sure? MD5 is a 128 bit hash, and the probability of collision > with > > a specific random piece of data (of any length) should be 2^-128. I > could > > be wrong, but do you have any explanation of why you think the answer > is > > 2^-64. > > Does the phrase "birthday attack" mean anything to you? But this isn't a birthday attack. Its a comparison between one specific file and one randomly chosen one. > > MD4 is the fastest hash I am aware of. However, there has been some > > successful attacks against two rounds of MD4. Although this is not to > > suggest that MD4 is insecure, MD5 almost as fast (~1.3 times slower) > and > > more secure. > > I'm afraid you are totally wrong here. MD4 has been completely > broken. I wouldn't trust it for anything. In fact, MD5 is no longer > trustworthy, either -- it was broken recently. Stick to SHA. > Unless you are aware of some attack that I'm not, this is the most current information on MD4 and MD5: MD4 has had successful attacks on limited rounds. It has _not_ been completely cracked. MD5 has not been broken. A weakness has been shown, but collisions still cannot be developed. So checksums should still be secure. Additionally, in this case we are more concerned with the chance of random collisions than intentional collisions. In fact, I was probably wrong to suggest MD5. It _is_ more secure, but speed is his first priority, not security. SHA1 is a good hash algorithm as far as security goes (I've used it myself), but it's over three times slower than MD4. - -- David F. Ogren | ogren at concentric.net | "A man without religion is like a fish PGP Key ID: 0x6458EB29 | without a bicycle" - ------------------------------|---------------------------------------- Don't know what PGP is? | Need my public key? It's available Send a message to me with the | by server or by sending me a message subject GETPGPINFO | with the subject GETPGPKEY - -- David F. Ogren | ogren at concentric.net | "A man without religion is like a fish PGP Key ID: 0x6458EB29 | without a bicycle" - ------------------------------|---------------------------------------- Don't know what PGP is? | Need my public key? It's available Send a message to me with the | by server or by sending me a message subject GETPGPINFO | with the subject GETPGPKEY -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMddOi+SLhCBkWOspAQHLTgf7BsDpCO2nhxsHYOunVv8abXWgITexhM/Z vmYWaz2Lgu3tBYZHXIG7B2ijTikZ7u8RgMGd9esipjFxOks1bHRQwYbVbWeDUDb3 O0c5TmPPmZt/7PscUEw1D3hhtj8HeGmn9pfu0y/I54OnMIJzbvNMICpMtLLDXJCu PhpUoAfamyRdWl9OYAvZ3LBMLBdGagzCh/jPxCQ9gEBq0aYMkxF1/qlfIMdmegow H/uL+TRgN5roTIKDZPGPZWYbdLbf0NT00avPz5qKaA5BkOpxYgeRKtoBHdYC5krH O2NZGZqb5LRKgxW9+IvCWoUoJQTB6IXP+YDU7p4pbn/Y/QORSHzqGA== =WA0Y -----END PGP SIGNATURE----- From ogren at cris.com Mon Jul 1 02:43:51 1996 From: ogren at cris.com (David F. Ogren) Date: Mon, 1 Jul 1996 17:43:51 +0800 Subject: rsync and md4 Message-ID: <199607010605.CAA24104@darius.cris.com> -----BEGIN PGP SIGNED MESSAGE----- > > "David F. Ogren" writes: > > > I'm afraid you are totally wrong here. MD4 has been completely > > > broken. I wouldn't trust it for anything. In fact, MD5 is no longer > > > trustworthy, either -- it was broken recently. Stick to SHA. > > > > > > > MD4 has had successful attacks on limited rounds. It has _not_ been > > completely cracked. > > Could you please quit spewing inaccurate information? > > Dobbertin completely cracked MD4 already, and found MD5 collisions in > a document circulated on May 2nd that mean it isn't far behind. > > The comments you are making are dangerous because they encourage > people who don't know better to think that hashes which are known > unsafe are safe. Please quit posting until you start monitoring the > field enough to have accurate sources of information. > I stand by my statements. I have followed the current developments regarding MD5 with interest, and am using SHA1 in the program that I am currently authoring because of its MD5's weaknesses. However, MD5 (and MD4) have not been completely cracked. The problems that you bring up have to do with situations where an active attacker develops a slightly different pair of documents with the same hash. Although this is highly undesirable characteristic for a hash function, and shows a weakness in the function that may eventually lead to its being completely cracked, it does not mean that a fraudulent document can be created from an already signed document. This is an old argument and I don't want to get into it here. However, there a lots of people that who still think MD5 can be safely used to a) sign documents that you create yourself, and b) sign documents that you have made cosmetic changes to. Irregardless, this argument is moot. This thread is titled "rsync and md4". It is a discussion about which hash function suits this particular purpose and he is not particularly concerned with resistance to deliberate attack. In this case MD4 will function adequately. - -- David F. Ogren | ogren at concentric.net | "A man without religion is like a fish PGP Key ID: 0x6458EB29 | without a bicycle" - ------------------------------|---------------------------------------- Don't know what PGP is? | Need my public key? It's available Send a message to me with the | by server or by sending me a message subject GETPGPINFO | with the subject GETPGPKEY -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMddp3uSLhCBkWOspAQEI1Qf/VLg6ak6Y/VfbynFhCcA69RZKAQ/C6pCx DMdz3OFitOwQM/csjTPBs7jue/3ArIQ+jevBOjp/NyAoJ4U8+Np4yv7ksmpEjTKq EWq4DcvAB7MgpgJ72A92tO55vQo8AjYPmcZT2LhqeiTg+R6yL437T4gqS0ZSs7Ud 7e1anp7m72shSel6OKsxtfgiyVDlVi6mdtpXlLegWxcZhPaRYaZen3mHJ3JdxCpc EsQupdrNVxBGMuxKeBwlkjCxD1TbqFpHTodh0oapEDScjpzTMmQeHYavmboI+Pys 32jt1PI9JEPIDracYcI3ovkgvR5VmMlKhAPDXcYbr2MWeBbVRDOaJw== =9dqv -----END PGP SIGNATURE----- From remailer at yap.pactitle.com Mon Jul 1 04:39:05 1996 From: remailer at yap.pactitle.com (Yap Remailer) Date: Mon, 1 Jul 1996 19:39:05 +0800 Subject: MacPGP 2.6.3 released In-Reply-To: <199607010105.VAA30534@ihtfp.org> Message-ID: <199607010634.XAA23399@yap.pactitle.com> > From: Derek Atkins > cc: cypherpunks at toad.com > Date: Sun, 30 Jun 1996 21:05:01 EDT > > Besides the fact that there is no "PGP 3.0" (there is "PGPlib", > however)... > > ...PGPlib (as I said, there is no PGP 3.0) will have full 2.6 > support. So, I don't know where you heard this, but I would > recommend you verify your information with people close to the > project before spreading more FUD around. > > Enjoy! Where do I get PGPlib? An Altavista search of PGPlib turned up nothing, and it's not on net-dist.mit.edu, which I thought was the canonical distribution point? Thanks. From perry at piermont.com Mon Jul 1 10:14:24 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 2 Jul 1996 01:14:24 +0800 Subject: rsync and md4 In-Reply-To: <199607010605.CAA24104@darius.cris.com> Message-ID: <199607011320.JAA20895@jekyll.piermont.com> "David F. Ogren" writes: > I stand by my statements. Then you have lost all your reputation with me. If you don't even have the integrity to admit that you are wrong, you are obviously not a reasonable source of information. > However, MD5 (and MD4) have not been completely cracked. The problems that > you bring up have to do with situations where an active attacker develops a > slightly different pair of documents with the same hash. I believe that is "cracked" under most definitions of cryptographic hashes, Mr. Ogren. A cryptographic hash is supposed to be useable in a signature precisely because it is supposed to be computationally infeasable to find two documents with the same hash. Whether both documents are chosen by the attacker or only one is immaterial -- the property as stated is independant of that. As things stand, you can get someone to sign a contract saying "I agree to pay David F. Ogren $100" and turn it into one saying "I agree to pay David F. Ogren $2395.39" or some such. If that isn't "cracked" what would be "cracked"? Yes, it could be worse, but is this not far more than bad enough? > Although this is highly undesirable characteristic for a hash function, and > shows a weakness in the function that may eventually lead to its being > completely cracked, it does not mean that a fraudulent document can be > created from an already signed document. Whatever you like, Mr. Ogren. Perry From perry at piermont.com Mon Jul 1 11:25:19 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 2 Jul 1996 02:25:19 +0800 Subject: rsync and md4 In-Reply-To: <9607011359.AA15838@mordred.sware.com> Message-ID: <199607011419.KAA20986@jekyll.piermont.com> Charles Watt writes: > How typically Perry. Thank you for the compliment. I know that you think my comments are evidence that I am nasty and that you think this is an insult, but my clients seem to think this sort of thing is evidence that I'm uncompromising in trying to maintain the security of their systems. Everyone here knows my reputation. I may have a rough edge to me, but people by now know that my advice is generally right on the money. The fact that I have a reputation pleases me -- it does not disturb me. > Perry, as you are so fond of quoting Dobbertin, let me forward once again to > the list Hans' analysis of the "crack" that he discovered. He explicitly > agrees with Mr. Ogren's analysis. No, he doesn't. Dobbertin's privately circulated document is entitled "Cryptanalysis of MD5", not "Possible weaknesses in MD5". The MD4 results were even more damning. It is true that the attacks aren't general, but they are bad enough that the key property of cryptographic hashes -- that it is computationally infeasable to produce two documents with the same hash (note that the property is NOT that you cannot produce a document with the same hash as a document selected by the opponent), has been broken. Chosen plaintext, in particular, is completely broken. Dobbertin explicitly says that although there is no reason to panic, that MD5 is not to be trusted. I quote from your quote of Dobbertin: 5. My conclusions are: no reason for panic, but in future implementations better move away from MD5. > Yes it is prudent to move away from MD5. But there are still plenty > of uses where it is more than sufficient. Yeah, like if you are looking for a wacky checksum and not a cryptographic hash. Look the point is that Ogren seems to think this is some sort of a minor technicality and that we can safely ignore it most of the time. Thats simply not prudent. Once you find that the key properties of your cryptographic hash have fallen and you have to be exceptionally careful about what you put through the hash lest an attacker somehow influence it, you've lost the game. MD5 is no longer trustworthy. I agree that one needn't run screaming in the streets, but Ogren made it sound as though this wasn't a matter of concern. Thats simply wrong. Saying that leads people to a completely incorrect conclusion. Perry From raph at CS.Berkeley.EDU Mon Jul 1 11:56:20 1996 From: raph at CS.Berkeley.EDU (Raph Levien) Date: Tue, 2 Jul 1996 02:56:20 +0800 Subject: List of reliable remailers Message-ID: <199607011350.GAA27758@kiwi.cs.berkeley.edu> I operate a remailer pinging service which collects detailed information about remailer features and reliability. To use it, just finger remailer-list at kiwi.cs.berkeley.edu There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at: http://www.cs.berkeley.edu/~raph/remailer-list.html This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail. For more information, see: http://www.c2.org/~raph/premail.html For the PGP public keys of the remailers, finger pgpkeys at kiwi.cs.berkeley.edu This is the current info: REMAILER LIST This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu. $remailer{"extropia"} = " cpunk pgp special"; $remailer{"portal"} = " cpunk pgp hash"; $remailer{"alumni"} = " cpunk pgp hash"; $remailer{"c2"} = " eric pgp hash reord"; $remailer{"penet"} = " penet post"; $remailer{"flame"} = " cpunk mix pgp. hash latent cut post reord"; $remailer{"mix"} = " cpunk mix pgp hash latent cut ek ksub reord ?"; $remailer{"replay"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"ecafe"} = " cpunk mix"; $remailer{"amnesia"} = " cpunk mix pgp hash latent cut ksub"; $remailer{'alpha'} = ' alpha pgp'; $remailer{'nymrod'} = ' alpha pgp'; $remailer{"lead"} = " cpunk pgp hash latent cut ek"; $remailer{"treehole"} = " cpunk pgp hash latent cut ek"; $remailer{"nemesis"} = " cpunk pgp hash latent cut"; $remailer{"exon"} = " cpunk pgp hash latent cut ek"; $remailer{"vegas"} = " cpunk pgp hash latent cut"; $remailer{"haystack"} = " cpunk mix pgp hash latent cut ek"; $remailer{"ncognito"} = " mix cpunk pgp hash latent"; $remailer{"lucifer"} = " cpunk mix pgp hash"; $remailer{"jam"} = " cpunk mix pgp hash latent cut ek"; catalyst at netcom.com is _not_ a remailer. lmccarth at ducie.cs.umass.edu is _not_ a remailer. usura at replay.com is _not_ a remailer. Groups of remailers sharing a machine or operator: (c2 alpha) (flame replay) (alumni portal) Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too. Note: The remailer list now includes information for the alpha nymserver. Last update: Mon 1 Jul 96 6:47:34 PDT remailer email address history latency uptime ----------------------------------------------------------------------- flame remailer at flame.alias.net +++++__.-++- 10:04:50 100.00% alumni hal at alumni.caltech.edu #######*+*## 1:13 100.00% ecafe cpunk at remail.ecafe.org ####*#+--##* 14:24 99.98% replay remailer at replay.com *********+** 4:18 99.98% nemesis remailer at meaning.com +**** 23:43 99.98% c2 remail at c2.org ++++++++-+++ 51:58 99.97% portal hfinney at shell.portal.com +#######+*## 1:24 99.95% haystack haystack at holy.cow.net *-+#++++###+ 9:25 99.94% exon remailer at remailer.nl.com ++*******+** 5:49 99.94% lead mix at zifi.genetics.utah.edu ++++++++++++ 39:16 99.94% nymrod nymrod at nym.jpunix.com ** ****#+#-# 12:31 99.92% mix mixmaster at remail.obscura.com __.-_.-.--- 18:42:17 99.88% treehole remailer at mockingbird.alias.net +++ -..+++-+ 5:28:11 99.24% amnesia amnesia at chardos.connix.com ----------- 4:20:06 99.22% penet anon at anon.penet.fi __ _-..... 44:52:17 99.20% extropia remail at miron.vip.best.com --.-------- 5:15:59 97.93% ncognito ncognito at rigel.cyberpass.net -.___.-._ 22:24:17 97.35% alpha alias at alpha.c2.org ******-+++** 38:56 96.99% jam remailer at cypherpunks.ca * 19:19 96.68% lucifer lucifer at dhp.com +++ 56:06 95.20% vegas remailer at vegas.gateway.com #**-#*** 16:52 60.55% History key * # response in less than 5 minutes. * * response in less than 1 hour. * + response in less than 4 hours. * - response in less than 24 hours. * . response in more than 1 day. * _ response came back too late (more than 2 days). cpunk A major class of remailers. Supports Request-Remailing-To: field. eric A variant of the cpunk style. Uses Anon-Send-To: instead. penet The third class of remailers (at least for right now). Uses X-Anon-To: in the header. pgp Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID. hash Supports ## pasting, so anything can be put into the headers of outgoing messages. ksub Remailer always kills subject header, even in non-pgp mode. nsub Remailer always preserves subject header, even in pgp mode. latent Supports Matt Ghio's Latent-Time: option. cut Supports Matt Ghio's Cutmarks: option. post Post to Usenet using Post-To: or Anon-Post-To: header. ek Encrypt responses in reply blocks using Encrypt-Key: header. special Accepts only pgp encrypted messages. mix Can accept messages in Mixmaster format. reord Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself. mon Remailer has been known to monitor contents of private email. filter Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering. Raph Levien From jamesd at echeque.com Mon Jul 1 12:03:35 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Tue, 2 Jul 1996 03:03:35 +0800 Subject: Hardware RNG Message-ID: <199607011504.IAA24410@dns2.noc.best.net> At 06:23 AM 6/30/96 -0700, Timothy C. May wrote: > While radioactive decay is unpredictable (so are a lot of things, by the > way), there are all kinds of biases that reduce the apparent entropy. > Detector "dead time" is a classic one (basically, the detector can't detect > counts during a post-pulse recovery time...probably not a problem at low > count rates, but an example of how subtle things can sneak in). If he has more than eight bits of timing resolution, such biases will have no affect. He is using his non uniformly distributed random number to select a uniformly distributed pseudo random number. Provided that the does not attempt to get more entropy out than he puts in, the result should be a uniformly distributed truly random number. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From maldrich at grci.com Mon Jul 1 12:21:51 1996 From: maldrich at grci.com (Mark O. Aldrich) Date: Tue, 2 Jul 1996 03:21:51 +0800 Subject: FTS2000 Security Info and RFP Message-ID: The URL's for FTS2000 RFP, Security Policy data, and assorted sundries are: http://post.fts2k.gsa.gov/ (the official government stuff) http://204.70.134.242/policy/ (This appears to be an MCI server and I don't know if they know that this stuff is online) Enjoy. ------------------------------------------------------------------------- |Just as the strength of the Internet is |Mark Aldrich | |chaos, so the strength of our liberty |GRCI INFOSEC Engineering | |depends upon the chaos and cacophony of |maldrich at grci.com | |the unfettered speech the First Amendment|MAldrich at dockmaster.ncsc.mil | |protects - District Judge Stewart Dalzell| | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From watt at sware.com Mon Jul 1 12:29:35 1996 From: watt at sware.com (Charles Watt) Date: Tue, 2 Jul 1996 03:29:35 +0800 Subject: rsync and md4 In-Reply-To: <199607011320.JAA20895@jekyll.piermont.com> Message-ID: <9607011359.AA15838@mordred.sware.com> -----BEGIN PRIVACY-ENHANCED MESSAGE----- Proc-Type: 4,MIC-CLEAR Content-Domain: RFC822 Originator-Certificate: MIIBvzCCAWkCEFmOln6ip0w49CuyWr9vDVUwDQYJKoZIhvcNAQECBQAwWTELMAkG A1UEBhMCVVMxGDAWBgNVBAoTD1NlY3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2Vj dXJlV2FyZSBQQ0ExFzAVBgNVBAsTDkVuZ2luZWVyaW5nIENBMB4XDTk1MDUwODIw MjMzNVoXDTk3MDUwNzIwMjMzNVowcDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Nl Y3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2VjdXJlV2FyZSBQQ0ExFzAVBgNVBAsT DkVuZ2luZWVyaW5nIENBMRUwEwYDVQQDEwxDaGFybGVzIFdhdHQwWTAKBgRVCAEB AgICBANLADBIAkEM2ZSp7b6eqDqK5RbPFpd6DGSLjbpHOZU07pUcdgJXiduj9Ytf 1rsmf/adaplQr+X5FeoIdT/bVSv2MUi3gY0eFwIDAQABMA0GCSqGSIb3DQEBAgUA A0EApEjzeBjiSnGImJXgeY1K8HWSufpJ2DpLBF7DYqqIVAX9H7gmfOJhfeGEYVjK aTxjgASxqHhzkx7PkOnL4JrN+Q== MIC-Info: RSA-MD5,RSA, AUgiTVoKIzYpT3U2b5lxqGU6+uLTb+C+hivLsd0PxXH993pdEwRJ3rvJtAPSIacX +G7fosR46YQw+F9wxr955fI= > "David F. Ogren" writes: > > I stand by my statements. > > Then you have lost all your reputation with me. If you don't even have > the integrity to admit that you are wrong, you are obviously not a > reasonable source of information. How typically Perry. > > > However, MD5 (and MD4) have not been completely cracked. The problems that > > you bring up have to do with situations where an active attacker develops a > > slightly different pair of documents with the same hash. > > I believe that is "cracked" under most definitions of cryptographic > hashes, Mr. Ogren. A cryptographic hash is supposed to be useable in a > signature precisely because it is supposed to be computationally > infeasable to find two documents with the same hash. Whether both > documents are chosen by the attacker or only one is immaterial -- the > property as stated is independant of that. As things stand, you can > get someone to sign a contract saying "I agree to pay David F. Ogren > $100" and turn it into one saying "I agree to pay David F. Ogren > $2395.39" or some such. If that isn't "cracked" what would be > "cracked"? Yes, it could be worse, but is this not far more than bad > enough? > > > Although this is highly undesirable characteristic for a hash function, and > > shows a weakness in the function that may eventually lead to its being > > completely cracked, it does not mean that a fraudulent document can be > > created from an already signed document. > > Whatever you like, Mr. Ogren. > > Perry Perry, as you are so fond of quoting Dobbertin, let me forward once again to the list Hans' analysis of the "crack" that he discovered. He explicitly agrees with Mr. Ogren's analysis. Yes it is prudent to move away from MD5. But there are still plenty of uses where it is more than sufficient. Charlie Watt SecureWare - ----------------------------------------------------------------------- > Some of you may have seen this, but I think it's worth reposting here. > --Rob > > Forward from sci.crypt on 11 Jun 1996 14:22:03 GMT > wrote (Re: "MD5 discussion"): > > >In view of the continuing discussion about MD5, I want to make a few comments, > >which hopefully can help to avoid some misunderstandings and misinterpretations: > > >1. In February 1996 my paper "Cryptanalysis of MD4" appeared (Fast Software > >Encryption, Cambridge Proceedings, Lecture Notes in Computer Sciences, > >vol. 1039, Springer-Verlag, 1996, pp. 71-82). In this paper, as an example two > >versions of a contract are given with the same MD4 hash value. Alf sells his > >house to Ann, in the first version the price is $176,495 and in the second it is > >$276,495. The contracts have been prepared by Alf. Now if Ann signs the first > >version with $176,495 then Alf can altered to price to $276.495 ... > >In principle this risk occurs, if you use a hash function for which (senseful) collisions > >can be found, whenever you allow another person to have influence on the > >contents of a document you are signing. Certainly this does not happen > >very often in practical applications. But sometimes you *must* have an agreement > >about a text (contract) which is then signed by two or more parties. And these are > >often just the most important applications! > > >2. I suspect that the recent attack on MD5 compress can be refined and extended > >such that it might lead to MD5 collisions (matching the right IV) and perhaps then > >even to similar results as already obtained for MD4. Certainly this requires a lot of > >hard additional work. > > >3. If you write a message for your own (nobody else has influence on it) and sign > >it using MD5 (and a strong public key algorithm, of course) then there is no danger > >that it can be altered (at least according to our knowledge today)! Thus it is true > >that I guess almost all of you will have no risk using MD5, for instance in PGP. > >However, if you accept 2., then in some cases there could be problems ... > > >4. After all I have reservations against keeping MD5 as a (de facto) standard, > >because 2. might indicate that there is a serious security problem with MD5. > > >5. My conclusions are: no reason for panic, but in future implementations better > >move away from MD5. > > >6. Presently a paper discussion the status of MD5 in detail is in preparation. > > > - Hans Dobbertin -----END PRIVACY-ENHANCED MESSAGE----- From reagle at rpcp.mit.edu Mon Jul 1 12:31:43 1996 From: reagle at rpcp.mit.edu (Joseph M. Reagle Jr.) Date: Tue, 2 Jul 1996 03:31:43 +0800 Subject: SEC lets California retailer trade stock on Internet Message-ID: <9607011502.AA20760@rpcp.mit.edu> WASHINGTON, June 27 (Reuter) - A California company that sells energy-saving solar panels has received Securities and Exchange Commission approval to trade its stock over the Internet, extending the boundaries of off-exchange trading into cyberspace. The approval, the first the SEC has issued on stock trading over the Internet, was given earlier this week to Ukiah, Calif.-based Real Goods Trading Corp., through a ``no action'' letter. In such a letter, the SEC allows a petitioning company to perform what it requested to do, without fear of any enforcement action. In approving Real Goods' request, however, the agency imposed conditions in the interest of investor protection. John Schaeffer, president, chief executive and founder of the company said in an interview he hoped to get the new system operational ``within a couple of weeks.'' Schaeffer said that since 1991, his company has sold $4.6 million of its company's stock to the public through direct, small offerings and without having to pay fees to investment bankers. ``The 'off the grid' trading of our stock is a logical extension of our service to our customers, who will now be able to buy and sell our security without going through a broker,'' Schaeffer said. ``This is also consistent with our mission of creating independent energy alternatives for our customers,'' he added. Real Goods is currently traded thinly on the Pacific Stock Exchange, at a price range of between $5 to $7 in 1995. The stock closed at $7.25 on June 26. In its application, the company said its system would function as a passive Internet bulletin board that will provide the names, addresses, including E-mail, and phone numbers of interested buyers and sellers and number of shares offered for sale or desired to be purchased. Those participating may transmit the information through the company's World Wide Web site or by telephone, fax, mail or E-mail. Real Goods will then enter the data into the system. Real Goods posted a loss of $175,000 last year on sales of $15.3 million, Schaeffer said. ``We expect to be profitable this year,'' he said, adding he estimates sales to climb to about $20 million. Earlier this year, the SEC permitted Spring Street Brewery Co., of New York, to make an initial public offering over the Internet. The agency asked the company to suspend trading, pending review of legal implications of such a trading system. Spring Street subsequently said it planned to establish an online stock exchange through a unit. _______________________ Regards, Democracy is where you can say what you think even if you don't think. - Joseph Reagle http://rpcp.mit.edu/~reagle/home.html reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E From watt at sware.com Mon Jul 1 12:54:39 1996 From: watt at sware.com (Charles Watt) Date: Tue, 2 Jul 1996 03:54:39 +0800 Subject: rsync and md4 In-Reply-To: <199607011419.KAA20986@jekyll.piermont.com> Message-ID: <9607011452.AA15989@mordred.sware.com> -----BEGIN PRIVACY-ENHANCED MESSAGE----- Proc-Type: 4,MIC-CLEAR Content-Domain: RFC822 Originator-Certificate: MIIBvzCCAWkCEFmOln6ip0w49CuyWr9vDVUwDQYJKoZIhvcNAQECBQAwWTELMAkG A1UEBhMCVVMxGDAWBgNVBAoTD1NlY3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2Vj dXJlV2FyZSBQQ0ExFzAVBgNVBAsTDkVuZ2luZWVyaW5nIENBMB4XDTk1MDUwODIw MjMzNVoXDTk3MDUwNzIwMjMzNVowcDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Nl Y3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2VjdXJlV2FyZSBQQ0ExFzAVBgNVBAsT DkVuZ2luZWVyaW5nIENBMRUwEwYDVQQDEwxDaGFybGVzIFdhdHQwWTAKBgRVCAEB AgICBANLADBIAkEM2ZSp7b6eqDqK5RbPFpd6DGSLjbpHOZU07pUcdgJXiduj9Ytf 1rsmf/adaplQr+X5FeoIdT/bVSv2MUi3gY0eFwIDAQABMA0GCSqGSIb3DQEBAgUA A0EApEjzeBjiSnGImJXgeY1K8HWSufpJ2DpLBF7DYqqIVAX9H7gmfOJhfeGEYVjK aTxjgASxqHhzkx7PkOnL4JrN+Q== MIC-Info: RSA-MD5,RSA, BmSwniu8gUasZa1TjPkW32wDQoVcczj8fKdr0iBciiZtHKyz1xXgeHgBI9V0oV8h dwcOLMC8bbAL39VVNkGHlxw= > > Perry, as you are so fond of quoting Dobbertin, let me forward once again to > > the list Hans' analysis of the "crack" that he discovered. He explicitly > > agrees with Mr. Ogren's analysis. > > No, he doesn't. Dobbertin's privately circulated document is entitled > "Cryptanalysis of MD5", not "Possible weaknesses in MD5". The MD4 > results were even more damning. It is true that the attacks aren't > general, but they are bad enough that the key property of > cryptographic hashes -- that it is computationally infeasable to > produce two documents with the same hash (note that the property is > NOT that you cannot produce a document with the same hash as a > document selected by the opponent), has been broken. Chosen plaintext, > in particular, is completely broken. > > Dobbertin explicitly says that although there is no reason to panic, > that MD5 is not to be trusted. > > I quote from your quote of Dobbertin: > > 5. My conclusions are: no reason for panic, but in future > implementations better move away from MD5. > > > Yes it is prudent to move away from MD5. But there are still plenty > > of uses where it is more than sufficient. > > Yeah, like if you are looking for a wacky checksum and not a > cryptographic hash. > > Look the point is that Ogren seems to think this is some sort of a > minor technicality and that we can safely ignore it most of the > time. Thats simply not prudent. Once you find that the key properties > of your cryptographic hash have fallen and you have to be > exceptionally careful about what you put through the hash lest an > attacker somehow influence it, you've lost the game. MD5 is no longer > trustworthy. I agree that one needn't run screaming in the streets, > but Ogren made it sound as though this wasn't a matter of > concern. Thats simply wrong. Saying that leads people to a completely > incorrect conclusion. I admit I am at a disadvantage having deleted the first few messages on this thread without actually reading them -- but when I am out one day and come back to 200+ cypherpunk messages of which perhaps 10 are relevant to cryptography, I get a little quick with the delete. However, I am assuming from the stated speed requirement that the original query was intended for just such a hashing scheme. I interpretted Ogren's comments along the lines of "choose an algorithm based upon a best fit for the requirements, where security is just one of the requirements (although the most important)" (quotes used to indicate paraphrasing rather than actual quote). If these assumptions are valid, then he is quite correct, for a blanket condemnation of MD5 is unwarranted. If the intended application is for use with signatures, then I too would be quite leary of MD5 -- but only if I am signing a document that I did not originate OR I need to ensure the validity of the signature for longer than 12 months. Condemning an application of MD5 without understanding the specific requirements placed upon the hashing algorithm is unjustified. Complacently accepting the strength of the algorithm for all applications based upon recent findings is foolish. Charles Watt SecureWare -----END PRIVACY-ENHANCED MESSAGE----- From ogren at cris.com Mon Jul 1 13:01:46 1996 From: ogren at cris.com (David F. Ogren) Date: Tue, 2 Jul 1996 04:01:46 +0800 Subject: rsync and md4 (my final comments) Message-ID: <199607011536.LAA26258@darius.cris.com> -----BEGIN PGP SIGNED MESSAGE----- > > "David F. Ogren" writes: > > I stand by my statements. > > Then you have lost all your reputation with me. If you don't even have > the integrity to admit that you are wrong, you are obviously not a > reasonable source of information. > At this point, I can see that we have agreed to disagree. Mr. Watt has kindly quoted the exact text from Dobbertin, which I did not have handy. Let the readers of this list decide for themselves in regards to the security of MD5. But I wanted to make two last comments before this thread (finally!) dies. 1. I think that you will agree that MD4 will work fine for Mr. Tridgell's program, irregardless of your criticisms. He specifically stated that he was not concerned about intentional collisions, only random ones. 2. (quoted from Mr. Perry in an article entitled "MD5 breaks, etc.") > checked. However, the result is widely known. MD5 is *not* > something that should be trusted going forward, and I hope the next > version of PGP uses SHA-1. As I understand the current plans, PGP 3.0 _will_ incorporate a SHA option. In fact, I believe that there may already be "bootleg" versions that incorporate SHA. - -- David F. Ogren | ogren at concentric.net | "A man without religion is like a fish PGP Key ID: 0x6458EB29 | without a bicycle" - ------------------------------|---------------------------------------- Don't know what PGP is? | Need my public key? It's available Send a message to me with the | by server or by sending me a message subject GETPGPINFO | with the subject GETPGPKEY -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMdfvtuSLhCBkWOspAQGkQwf5AQTJbqJ7YQOCSaLWK7qjn0Fr0AzF9Cyb Bd2WJcHisQZ4WxwPy41SF3uUNXvgyES11rfvqa7SoqDU1QuO4N3I8PZ5+zrlwDpI 2Yb/wHyQ2jPtCVSWCmoyZfbw7a9086wWbg+N4IDuefPdgI+SqNiYmQnEsrh1+f9T L2/gC6GLXFHtl68guYTGjI3XIgHcILWkqjuo19rzw+4NXAQ3kPxTaBLGcxuMYEPl E5IbuKZ3mN4CZIDTSSctr78cthsr79KgW5NwlBW5AcCkU1XnhALVTN0vNEf2tILN jl0BdVALNbkyFdTAE7/5z6pDcThgKR/68cRrTBTRFlq1WAadXAKV8w== =drZ2 -----END PGP SIGNATURE----- From perry at piermont.com Mon Jul 1 13:39:32 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 2 Jul 1996 04:39:32 +0800 Subject: MD5 breaks, etc. In-Reply-To: <1996-Jul01-150540.1> Message-ID: <199607011553.LAA21151@jekyll.piermont.com> "John Hemming - CEO MarketNet" writes: > Accepting for a moment that MD5 collisions have been identified. From > a commercial aspect I am concerned to ensure the cryptographic security > of our ECheque system. [...] > Just a thought on the use of MD5. If two signatures are appended to the > same document both using MD5, but one either > > a) Signing all but the last octet of the message ... or > b) Signing the whole of the message and signature. > > Would that not make the determination of useable collisions either > impracticable or impossible? Wouldn't it be easier to move to SHA-1? > Alternately, could someone please point me at the SHA algorithm. I believe SHA-1 (note-- you want the updated version!) is in the latest edition of Schneier, or at least is referenced there. BTW, you are going to have to assume if you are doing real world business that you will be upgrading your algorithms every few years until the end of your application's lifespan. Perry From johnhemming at mkn.co.uk Mon Jul 1 14:01:24 1996 From: johnhemming at mkn.co.uk (John Hemming - CEO MarketNet) Date: Tue, 2 Jul 1996 05:01:24 +0800 Subject: MD5 breaks, etc. Message-ID: <1996-Jul01-150540.1> Accepting for a moment that MD5 collisions have been identified. From a commercial aspect I am concerned to ensure the cryptographic security of our ECheque system. Just a thought on the use of MD5. If two signatures are appended to the same document both using MD5, but one either a) Signing all but the last octet of the message ... or b) Signing the whole of the message and signature. Would that not make the determination of useable collisions either impracticable or impossible? I must admit I am inclined to encode additionally the key components of the message (amount paid, to whom) as well as the hash using a Private Key encryption. After all we have at least 60 octets of important data that can be encoded in this manner using one simple encryption sequence, this can cover account credited and amount easily. If someone can collision codge the description I am not desperately concerned. Alternately, could someone please point me at the SHA algorithm. From alex at crawfish.suba.com Mon Jul 1 14:27:33 1996 From: alex at crawfish.suba.com (Alex Strasheim) Date: Tue, 2 Jul 1996 05:27:33 +0800 Subject: Sameer got plugged on C-SPAN Message-ID: <199607011632.LAA07025@crawfish.suba.com> Janlori Goldman, at the Center for Democracy & Technology, just mentioned Sameer's anonymizer on C-SPAN during a segment of Internet privacy. They showed a shot of the screen and everything. From snow at smoke.suba.com Mon Jul 1 14:46:29 1996 From: snow at smoke.suba.com (snow) Date: Tue, 2 Jul 1996 05:46:29 +0800 Subject: crypto and bagpipes [NOISE] In-Reply-To: Message-ID: On Sun, 30 Jun 1996, Mark O. Aldrich wrote: > > Can this be the end of civilization as we know it? > What is this civilization thing people keep talking about, and how could _anything_ relating to bagpipes be remotely civil? crypto tie-in: If you steno a voice message into bagpipe music, would anyone be able to stand it long enough to extract the message? Petro, Christopher C. petro at suba.com snow at crash.suba.com From perry at piermont.com Mon Jul 1 15:07:38 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 2 Jul 1996 06:07:38 +0800 Subject: rsync and md4 (my final comments) In-Reply-To: <199607011536.LAA26258@darius.cris.com> Message-ID: <199607011647.MAA21252@jekyll.piermont.com> "David F. Ogren" writes: > 1. I think that you will agree that MD4 will work fine for Mr. Tridgell's > program, irregardless of your criticisms. He specifically stated that he > was not concerned about intentional collisions, only random ones. If one is concerned about speed and doesn't need a cryptographic checksum, a long CRC will be far, far faster and will do fine. As soon as one starts talking about using cryptographic checksums, there is no point in using them unless one really wants the cryptographic protection. Perry From ogren at cris.com Mon Jul 1 15:32:05 1996 From: ogren at cris.com (David F. Ogren) Date: Tue, 2 Jul 1996 06:32:05 +0800 Subject: rsync and md4 Message-ID: <199607011700.NAA19537@darius.cris.com> -----BEGIN PGP SIGNED MESSAGE----- > Look the point is that Ogren seems to think this is some sort of a > minor technicality and that we can safely ignore it most of the > time. Thats simply not prudent. Once you find that the key properties > of your cryptographic hash have fallen and you have to be > exceptionally careful about what you put through the hash lest an > attacker somehow influence it, you've lost the game. MD5 is no longer > trustworthy. I agree that one needn't run screaming in the streets, > but Ogren made it sound as though this wasn't a matter of > concern. Thats simply wrong. Saying that leads people to a completely > incorrect conclusion. And I told myself I wouldn't respond to this thread anymore. Oh well. I just don't want to be misinterpreted. I never meant to imply (and don't think that I did), that the attacks against MD5 were insignificant. As I said, I'm moving to SHA in any software I develop from now on. What I said was the attacks were insignificant in the application being considered (rsync) and that MD5 was not completely broken. Come on, all the guy wanted was a fast 128 bit checksum. For example, I am still using PGP clearsigning which, of course, uses MD5. Dobbertin indicates that his attack cannot be used against me as long as I only sign messages that I create myself. Yes, PGP would work better with SHA. I'd be able to sign documents that others created with (more) certainty. But that doesn't mean that I should stop using PGP. P.S. I apologize to the list for flooding this list recently. Unfortunately, I took it a little too personally when Perry told me to "stop spewing inaccurate information" and to "quit posting". It was late, and I let him bait me more than I ordinarily would. Now I find myself running in circles trying to make sure that I've made myself clear and that no one else (other than Perry) is misintepreting what I'm saying. - -- David F. Ogren | ogren at concentric.net | "A man without religion is like a fish PGP Key ID: 0x6458EB29 | without a bicycle" - ------------------------------|---------------------------------------- Don't know what PGP is? | Need my public key? It's available Send a message to me with the | by server or by sending me a message subject GETPGPINFO | with the subject GETPGPKEY -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMdgDbuSLhCBkWOspAQGPeQf/QJB109Gjd3s/ALodykZgH0S6FCs3wHK7 OiTUpxBF5lwojhBSrz7ej1RnAW+Uq5Lcz/GyWqH6rvYPPI1uZ3023UAV3nqH8qXY nnznPfvTkUQgSjaQu/YRvWlTWwrNsW/KIR6iVbwVDnbUnvuAjUJskWyAg1Wz4zIV 8PV8RnrHSTT06j5LrCtiD0eWr/NgmpgIFS5+ID5z9/ikMV6xF4zSrlubELFFJUUT M3nZWDlr7SaU0hFLQt3yu6oSqAjKSGrPsU1QCJ/Y1zdS49R/cLIzOzbQ42R1Cyot hMnAayTqNdUI/goa2WAbda3gYpRodTA2GpciNj7u3xs0Ik/1TIEqlw== =4x7D -----END PGP SIGNATURE----- From scott_wyant at loop.com Mon Jul 1 15:32:38 1996 From: scott_wyant at loop.com (Scott Wyant) Date: Tue, 2 Jul 1996 06:32:38 +0800 Subject: [Fwd: Doubleclick] Message-ID: <1.5.4.32.19960701172423.006cd9e8@pop.loop.com> At 12:43 PM 6/30/96 -0700, you wrote: > >> > >Date: Wed, 26 Jun 1996 19:42:00 -0700 >> > >From: Scott Wyant Subject: COMMENT: >> > >Cookie dough >> > > >> > >If you're like me, you never went to a site called "doubleclick." >> > >So how did they give you a cookie? After all, the idea of the >> > >cookie, according to the specs published by Netscape, is to make a >> > >more efficient connection between the server the delivers the >> > >cookie and the client machine which receives it. >> > >But we have never connected to "doubleclick." > >Scott must have. Navigator is very picky about where a cookie comes >from and what is put in the domain field of the cookie. > Nope. I'm afraid your information is incorrect here. I've also watched other sites hand me a double-click cookie. And no, I don't work for "DoubleClick." Interesting premise, though. Scott Wyant Spinoza Ltd. From warlord at ATHENA.MIT.EDU Mon Jul 1 16:10:22 1996 From: warlord at ATHENA.MIT.EDU (Derek Atkins) Date: Tue, 2 Jul 1996 07:10:22 +0800 Subject: MacPGP 2.6.3 released In-Reply-To: <199607010634.XAA23399@yap.pactitle.com> Message-ID: <199607011808.OAA03374@charon.MIT.EDU> > > ...PGPlib (as I said, there is no PGP 3.0) will have full 2.6 > > support. So, I don't know where you heard this, but I would > > recommend you verify your information with people close to the > > project before spreading more FUD around. > > > > Enjoy! > > Where do I get PGPlib? An Altavista search of PGPlib turned up > nothing, and it's not on net-dist.mit.edu, which I thought was the > canonical distribution point? If you read closely, you will notice that I said "will", which is in the future tense. PGPlib has not been released, yet. But it will. And I will most assuredly let you know when it is released. Until then, however, my time is better spent implementing than responding to email like this. So, thanks for making me lose my concentration and my place in my code so I could reply to your message. Enjoy! -derek From iang at cs.berkeley.edu Mon Jul 1 16:14:20 1996 From: iang at cs.berkeley.edu (Ian Goldberg) Date: Tue, 2 Jul 1996 07:14:20 +0800 Subject: PGP Inc. buys ViaCrypt (was: Zimmerman/ViaCrypt?) In-Reply-To: <0PggPD7w165w@Garg.Campbell.CA.US> Message-ID: <4r95j8$db6@abraham.cs.berkeley.edu> -----BEGIN PGP SIGNED MESSAGE----- In article <0PggPD7w165w at Garg.Campbell.CA.US>, Edgar Swank wrote: >Phil disagrees with ViaCrypts new "business" version of PGP which >apparently encrypts all messages with an employer-supplied public key >in addition to any specified by the employee. ViaCrypt has their side >of the argument on their web page. > > http://www.viacrypt.com/ > >The basis of the possible lawsuit would be that ViaCrypt violated >their agreement not to put any "back door" into any product with the >PGP name. Whether the "business version feature" could be defined as a >"back door" would be the crux of the argument. > Muppet news flash: I'm listening to the SAFE conference live by RealAudio, and Zimmerman just announced that on Friday, PGP Inc. bought ViaCrypt. He didn't give any more details. - Ian -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMdgZikZRiTErSPb1AQExbgP+KYhxBQ8iBs73tQXsmcUezXMznkG88q2E +8G6tqzml5sX3DYsss3rDL/Le2a6RRZjYwOnjpnhjWdCPUIKsXE6s41XaaBhSN0f RaJnYWp+rMPdSMRvHsQQahg25WdGdSYgnHBW46NMGDoBbOG8EN9/Cn0lnIRIfXE6 dP4BCMzoBjw= =nwDn -----END PGP SIGNATURE----- From blancw at microsoft.com Mon Jul 1 16:15:33 1996 From: blancw at microsoft.com (Blanc Weber) Date: Tue, 2 Jul 1996 07:15:33 +0800 Subject: FW: "CyberPayment Infrastructure" Message-ID: >---------- >From: Dick Moores[SMTP:rdm at netcom.com] >Sent: Sunday, June 30, 1996 2:13 PM >To: SEASIGI >Subject: "CyberPayment Infrastructure" > >"CyberPayment Infrastructure" is the title of a new article from the >Journal of Online Law. I have an email subscription, but there's also >a >web site, http://www.wm.edu/law/publications/jol . The new article >should be on the web site soon, but if it's not, I'll send it to anyone >who asks. It's about 20k. Here's the abstract: > > {Article 6} > > CyberPayment Infrastructure > Henry H. Perritt, Jr. [NOTE 1] > > [Cite as Henry H. Perritt, Jr., > "CyberPayment Infrastructure," > 1996 J. Online L. art. 6, par. ___] > >Abstract > >{par. 1} An essential requisite for commerce on the Internet >is the existence of a reliable and secure system to handle >payment for goods and services purchased. The basic >technology for such systems is public key encryption. >Professor Perritt explains how this technology can be used >to create a variety of "payment infrastructures." Any >payment system must meet certain requirements: merchants can >depend on it to be paid; consumers have access to the means >of payment through intermediaries like "certificate >authorities;" these intermediaries understand their >responsibilities and risks; and existing financial >institutions understand their responsibilities in the world >of non-paper-based financial instruments. Much of what is >necessary can be accomplished within today's legal framework >without need of new laws. > >----------------------------------------------------------------- > >Dick Moores rdm at netcom.com > > From tim at dierks.org Mon Jul 1 16:28:48 1996 From: tim at dierks.org (Tim Dierks) Date: Tue, 2 Jul 1996 07:28:48 +0800 Subject: [Fwd: Doubleclick] Message-ID: At 10:24 AM 7/1/96, Scott Wyant wrote: >At 12:43 PM 6/30/96 -0700, jon at aggroup.com wrote: >>> > >From: Scott Wyant Subject: COMMENT: >>> > > >>> > >If you're like me, you never went to a site called "doubleclick." >>> > >So how did they give you a cookie? After all, the idea of the >>> > >cookie, according to the specs published by Netscape, is to make a >>> > >more efficient connection between the server the delivers the >>> > >cookie and the client machine which receives it. >>> > >But we have never connected to "doubleclick." >> >>Scott must have. Navigator is very picky about where a cookie comes >>from and what is put in the domain field of the cookie. > >Nope. I'm afraid your information is incorrect here. I've also watched >other sites hand me a double-click cookie. The way doubleclick works is that the sites who contract with them to sell advertising space insert a URL into their page which fetches the doubleclick ad banner. For example, the guys at TroutHeads, Inc. (www.troutheads.com) would insert an HTML IMAGE tag with an HREF referring to ad.doubleclick.net; that then results in _your_ browser doing an HTTP transaction with ad.doubleclick.net; doubleclick can then hand you all the cookies it wants. Anytime you fetch an image, you're visiting a site, and because it's automatic, you can easily visit a lot of sites you never knew you were going to. >From : For any HTML document you wish to display an ad banner for, simply add the following HTML tags:

Click on graphic to find out more!
Where MY_URL is the URL for the HTML document displaying the ad banner. For example:

Click on graphic to find out more!
- Tim Tim Dierks - Software Haruspex - tim at dierks.org "...when ketchup finally comes out of the bottle, it is going a good 25 miles a year.... It rolls along at three-thousandths of a mile an hour. Heinz knows the speed because it has a device called a Bostwickometer, a chutelike contraption that calculates the speed at which ketchup travels." - The New York Times, June 12, 1996 From jya at pipeline.com Mon Jul 1 16:59:40 1996 From: jya at pipeline.com (John Young) Date: Tue, 2 Jul 1996 07:59:40 +0800 Subject: Technology and Privacy Message-ID: <199607011930.TAA03640@pipe3.t2.usa.pipeline.com> The Washington Post, July 1, 1996, p. A16. Technology and Privacy [Letter] In reference to the May 31 editorial "Plant Lights and Privacy" commenting on an 11th Circuit Court of Appeals decision to uphold the use of thermal imaging in cases involving indoor marijuana growing operations: The U.S. Supreme Court had just declined to review that 11th Circuit decision. On June 11, The Post published a letter from Jack King ["When Government Can Look Through Walls"] warning us that thermal imaging, as developed by the military and as used by civilian law enforcement agencies with the cooperation of the military, posed an Orwellian threat to citizens because the government could use the technology to tell if two people were making love in the privacy of their bedroom. To set the record straight, military thermal imaging is used to support civilian law enforcement only after other probable cause for a search warrant, such as power bills, observation of boarded-up windows, vents on the roof to draw away heat and buys by confidential informants, are documented. The military is then called in, using thermal imagers, to determine if there is an unusual heat source in the house as detected by heat escaping from the house. In dozens of cases where thermal imaging was used, I have not observed one case where it could detect the activity of people in a house, let alone a bedroom. I also have not observed the technology to have the ability to detect what people are doing in any room behind closed doors, covered windows and walls other than to detect blurs or shadows moving around behind light curtains. The United States v. Cusumano language quoted by Mr. King was reversed last month by the court because the original three judges decided it was an issue that didn't need deciding, i.e. the constitutionality of thermal imaging absent a search warrant, and did not exercise "judicial restraint." The trend to Mr. King's "militarization" of the war on drugs, based on a decision by then-secretary of defense Richard Cheney that drug use represented a threat to our national security, is being carried out with restraint, respect for the law and an appropriate appreciation for the privacy of our citizens. Barrie A. Vernon Alexandria The writer is an attorney with the National Guard Bureau at the Pentagon working in support of the counter-drug directorate. [End] From jya at pipeline.com Mon Jul 1 17:13:41 1996 From: jya at pipeline.com (John Young) Date: Tue, 2 Jul 1996 08:13:41 +0800 Subject: The Net and Terrorism Message-ID: <199607012008.UAA08186@pipe6.t2.usa.pipeline.com> To complement Tim May's essay on the Net and Terrorism: The Washington Post, July 1, 1996, Business, p. 22. Keeping the Military in High Tech [Excerpts] At Camber Corporation in Springfield, Va., posters, comic strips and colorful Silicon Graphics Inc. computers dot the office landscape. Employees banter as they work. Technical director Bryan Ware, 26, serves as the bridge between the college-age computer programmers and the military commanders who authorize the projects. "A lot of military people don't know or trust technology," he said. "A lot of computer nerds don't know or trust the military. I know and like both." The Army had a congressional mandate to prepare for terrorists using chemical, biological or even nuclear weapons and for civilian doctors having to figure out how to treat the victims. To that end, the Army contracted Camber to create the Nuclear Biological Chemical Medical Defense Information Server which has many more bells and whistles than the average Web site. On the opening page, "danger" signs line the background. Articles on the latest terrorist catastrophes appear in the center of the screen. Black illuminated links to the site's library, to news and to other information fill the left-hand side. Click on the library link, and medical manuals on nuclear, biological and chemical warfare treatments appear. To the left, a video section link becomes visible. Click on it, and an interactive session begins between the user and an actor playing the role of nuclear, chemical or biological warfare victim. If the user administers the proper treatment (it's good to read the library manuals before going to the video), the victim will survive. If the user fails to administer the correct procedures, the victim will die. "We try to have fun," said Alex Neifert, 21, who's working on the Army Web site project for the summer before heading back to the University of Michigan's Graduate School of Information in the fall. "We're hoping to improve the preparedness of the military and civilian communities to deal with these types of problems. This site will give doctors access to important information that could save lives in the event of a terrorist action," said the Army officer in charge of the project. Camber and the military hope that 1,000 visitors will view the Web site daily when it officially opens July 3. To access the site, point your browser to: www.nbc.gov/. ----- From seth at hygnet.com Mon Jul 1 18:21:21 1996 From: seth at hygnet.com (Seth I. Rich) Date: Tue, 2 Jul 1996 09:21:21 +0800 Subject: [Fwd: Doubleclick] In-Reply-To: <1.5.4.32.19960701172423.006cd9e8@pop.loop.com> Message-ID: <199607012117.RAA08803@arkady.hygnet.com> > >> > >If you're like me, you never went to a site called "doubleclick." > >> > >So how did they give you a cookie? After all, the idea of the > >> > >cookie, according to the specs published by Netscape, is to make a > >> > >more efficient connection between the server the delivers the > >> > >cookie and the client machine which receives it. > >> > >But we have never connected to "doubleclick." You probably loaded a banner ad from doubleclick -- and downloading the inline image from their site is sufficient for the cookie transfer to take place. Seth --------------------------------------------------------------------------- Seth I. Rich - seth at hygnet.com "Info-Puritan elitist crapola!!" Systems Administrator / Webmaster, HYGNet (pbeilard at direct.ca) Rabbits on walls, no problem. From declan at well.com Mon Jul 1 19:54:17 1996 From: declan at well.com (Declan McCullagh) Date: Tue, 2 Jul 1996 10:54:17 +0800 Subject: Technology and Privacy Message-ID: The June 11 letter was from Jack King, a quite clueful and thoughtful D.C. attorney who has been diligent in tracking the war on (some) drugs. Hardly an alarmist. Why can't I quite bring myself to trust "Barrie A. Vernon?" -Declan > The Washington Post, July 1, 1996, p. A16. > > > Technology and Privacy [Letter] > > > In reference to the May 31 editorial "Plant Lights and > Privacy" commenting on an 11th Circuit Court of Appeals > decision to uphold the use of thermal imaging in cases > involving indoor marijuana growing operations: The U.S. > Supreme Court had just declined to review that 11th Circuit > decision. > > On June 11, The Post published a letter from Jack King > ["When Government Can Look Through Walls"] warning us that > thermal imaging, as developed by the military and as used > by civilian law enforcement agencies with the cooperation > of the military, posed an Orwellian threat to citizens > because the government could use the technology to tell if > two people were making love in the privacy of their > bedroom. > > To set the record straight, military thermal imaging is > used to support civilian law enforcement only after other > probable cause for a search warrant, such as power bills, > observation of boarded-up windows, vents on the roof to > draw away heat and buys by confidential informants, are > documented. The military is then called in, using thermal > imagers, to determine if there is an unusual heat source in > the house as detected by heat escaping from the house. In > dozens of cases where thermal imaging was used, I have not > observed one case where it could detect the activity of > people in a house, let alone a bedroom. I also have not > observed the technology to have the ability to detect what > people are doing in any room behind closed doors, covered > windows and walls other than to detect blurs or shadows > moving around behind light curtains. > > The United States v. Cusumano language quoted by Mr. King > was reversed last month by the court because the original > three judges decided it was an issue that didn't need > deciding, i.e. the constitutionality of thermal imaging > absent a search warrant, and did not exercise "judicial > restraint." > > The trend to Mr. King's "militarization" of the war on > drugs, based on a decision by then-secretary of defense > Richard Cheney that drug use represented a threat to our > national security, is being carried out with restraint, > respect for the law and an appropriate appreciation for the > privacy of our citizens. > > Barrie A. Vernon > Alexandria > The writer is an attorney with the National Guard Bureau at > the Pentagon working in support of the counter-drug > directorate. > > [End] > > > > > > From ses at tipper.oit.unc.edu Mon Jul 1 19:54:28 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Tue, 2 Jul 1996 10:54:28 +0800 Subject: The Net and Terrorism In-Reply-To: <199607012008.UAA08186@pipe6.t2.usa.pipeline.com> Message-ID: [www.nbc.gov] hmmm... I remember using IRC during scud attacks when I was working at the Technion. Useful sources of info, but kind of worrying when you suddenly lose all of Tel Aviv when a server picks an importune time to reboot :-) Simon I want my, I want my, I want my Atropine --- Cause maybe (maybe) | In my mind I'm going to Carolina you're gonna be the one that saves me | - back in Chapel Hill May 16th. And after all | Email address remains unchanged You're my firewall - | ........First in Usenet......... From WlkngOwl at unix.asb.com Mon Jul 1 19:56:00 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Tue, 2 Jul 1996 10:56:00 +0800 Subject: mocking paranoia Message-ID: <199607012239.SAA25392@unix.asb.com> On 29 Jun 96 at 5:58, nelson at crynwr.com wrote: > Earlier, someone mocked someone else for being paranoid. Sorry, but > this is a mistake. By definition, you have a non-empty threat model > when you set out to encrypt; therefore you must be paranoid to use > encryption. [..] Depends. If you're paranoia is irrational, then you may do irrational things that will hurt... For instance, there are people who believe that the NSA has control over every C compiler on the planet which inserts a back door into any version of PGP, and therefore the only 'safe' PGP is v1.0. Rob. --- No-frills sig. Befriend my mail filter by sending a message with the subject "send help" Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From frogfarm at yakko.cs.wmich.edu Mon Jul 1 22:30:32 1996 From: frogfarm at yakko.cs.wmich.edu (Damaged Justice) Date: Tue, 2 Jul 1996 13:30:32 +0800 Subject: (fwd) Re: Cookie problem here , cookie problem there ... Message-ID: <199607020059.UAA11206@yakko.cs.wmich.edu> [Given the recent upset here regarding cookies, of which I only have the most cursory knowledge, I hope some will find this tidbit of use.] >From: jerryw at convex.com (Jerry Whelan) Newsgroups: comp.infosystems.www.authoring.cgi,comp.infosystems.www.authoring.misc,comp.infosystems.www.browsers.misc Subject: Re: Cookie problem here , cookie problem there ... Date: 1 Jul 1996 14:28:39 -0500 Lines: 28 In article <4r8m92$4u at news.istar.ca>, Gord Jeoffroy wrote: -} Margaret wrote: -} -} >You can disable the warnings, you cannot disable the cookies. I am -} >cancelling every cookie I encounter (I usually avoid sites heavy -} >with cookies), reason - I hate invasion of privacy and in particular, -} >junk email from direct marketing. -} -} -} I completely agree with your sentiment, by the way. I'm planning to -} add an editorial to an online magazine I'm beginning. The article will -} be full of server-side includes to demonstrate to the person reading -} it that Big Brother definitely is watching. I don't have any connection with these guys, except that I use their software. Check out www.privnet.com and the Internet Fast Forward netscape plugin for Windows. It can selectively filter cookie transmissions to web servers as well as some other very cool stuff like filter out unwanted images, including but not limited to advertisements. You will be amazed how much more information you can get on your screen when you filter out the useless images, like the one netscape puts at the top of their home page. -- ------------------------------------------------------------------------------ Jerry Whelan -- Information Superman jerryw at convex.com -- http://yakko.cs.wmich.edu/~frogfarm ...for the best in unapproved information "We think people like seeing somebody in a uniform on the porch." -US Postal spokeswoman, quoted in AP 1/27/96. I don't know about you, but the only folks I know who'd enjoy seeing someone in uniform on their porch are leathermen... From minow at apple.com Mon Jul 1 22:31:40 1996 From: minow at apple.com (Martin Minow) Date: Tue, 2 Jul 1996 13:31:40 +0800 Subject: Notes from SAFE meeting Message-ID: Here are my raw, unedited, incomplete, and not to be trusted, notes from the SAFE meeting, July 1, 1996, at Stanford. (ps. thanks to the folk who did an amazing amount of work to put this on.) burns: fbi, cia, nsa presented to senate/congress: said nothing that wasn't already in public record (newspapers) telia (Swedish Telecom) representative (Mattias Soederholm) -- can't import strong encryption as NSA claims it would harass company. doesn't like having to tell customers that USA will read their mail. Whit Diffie - nuclear non-proliferation: proliferation of crypto does more good than harm: make sure that weapons are under your control: extensive development since Kennedy administration. Positive control over nuclear weapon: crypto. ---- Technical panel ---- whit diffie, eric thompson (forced decryption, fbi is a client), bruce schneier, tom parenty (sybase), matt blaze. We came to discuss policics, but were charged with discussing technology. key lengths -- too much jargon. question is work factor: how much work to break system. public keys used only for signatures; actual encryption uses "normal" crypto. 40 bits == 2^40 operations to get a key. First: two different points of view: security officer: every message must be secure, even against strong opponent. intelligence agency wants to read every message. 30, 60, 90, 120. 2^30 == one billion. any pc can recover any key. billion billion == des. very clear that can do it, not easy, however. 90 bits billion billion billion. won't be do-able in lifetime of business personal data. 120 bits can't be do-able in forseeable future. but, point of view of an intercept organization; meet in the middle? won't satisfy either party's interest. 40 bit can be exported. last year, demonstrated that can break 40 bit keys. Takes on order of few weeks to a month of Sun workstations. intercept device spends most of its time deciding whether to record data. has a fraction of a second to look at a message, 40 bits too large for intercept on that basis. eric thompson. access data. cryptanalysis -- break codes, build hardware to aid in this. specialize in defining parts and pieces to break e.g., rc40 amd2905 chips on a board breaks in $8,400 engineering cost. Sell under $20,000. little company, not well-funded government agency. des fpga about $1M/7 days per key. off the shelf design using 5 year old chips. what's realistic to expect the nsa, fbi can do? bruce schneier: foreign crypto. is it any good? yes. more done outside usa than inside. many countries asia, europe, pacific have strong groups. algorithm conferences: 90% of papers from outside usa. hard to get funding in usa. more academic research overseas. products with more options. here, products are hamstrung by baggage: key length, escrow. other countries can write without restrictions. best products from former yugoslavian folk working in swedish university. usa corp's cant compete: no talent, government restrictions. losing our share of research, developement, products. as internet becomes ubiquitious, we lose market share. restrictions won't stop, will only hurt us. tom parenty; worked for NSA: "in God we trust, the rest we monitor." key escrow ineffective. can today buy over 500 products from 60 countries. no usa monopoly. www.cypto.com home page; list of pointers for our favorite foreign crypto products (for some value of "our" and some value of "favorite.") crypto controls don't keep crypto out of child pronographer hands. keeps out of hands of legitimate individuals and corporations. criminal, terrorist, can layer foreign crypto on anything usa gov't does. will give protection. moral equiv of wiretaps? no! criminals: criminals talk to criminals, criminals talk to rest of world. crim to crim: use strong crypto. crim to airline, car rental, hotel: can go to airline etc. and subpeona their records: crypto buys nothing for wiretap. solve crimes, prevent crimes? would key escrow prevent oklahoma bombing? but without strong crypto, foreigner working outside usa can take plane down, grab medical records. etc., by hacking insecure networks. matt blaze: key escrow. ignore politics; doesn't make technical sense. fundamental flaws software engineering can't technically solve in a sensible way. first: enormous increase of engineering complexity. difficult to design even simply secure (alice, bob, eve + detective dorothy) system engineering. key escrow makes this even more difficult. engineering problem is too complex. classified world not far ahead of unclassified: blaze discovered protocol failure in clipper chip design -- can circumvent escrow field, can forge messages. reason failures occur not because nsa incompetent, but because problem is extremely difficult. second fundamental problem: operating key escrow center economically and technically difficult. 24/7/365, 2 hour response to law enforcement request. key escrow doesn't distinguish between comm key, data storage keys, and signature keys. releasing latter may be devistating. --- diffie: if you collect data; it will be used (census data used to round up Japanese in California, Jews in Germany, Holland, Denmark). schneier: data harvesting: insurance company wants to know who filled perscription for AZT. crpyto prevents against non-invasive attack; not against fbi entering house to install bugs. diffie: crypto requirements of bad people: terrorists need tight-knit, unified in purpose. tools to secure communication are readily available "closed crypto." ordinary folk need open crypto; delayed by government restrictions. --- legal issues: ken bass: counsel for telecom policy: national security? non-escrowed strong encryption? balance? costs? what are they, what do we lose? escrow born by nsa mission. didn't hear law enforcement concerns initially; now nsa stands behind shield of fbi. nsa/fbi has created arms race among cryptographers. most people would have been happy with des, which nsa can probably break, but not others. nsa discovered it was doing itself great damage by pursuing export controls: but biggest danger to nsa is explosion of protocols, routings, etc. nsa wants to read everything to see what it wants to look at. fbi, however, knows what it wants to see. nsa knows that crypto puts it out of business. nsa needs to preserve fiction of crypto (i.e, that they can read, but you think they can't). fbi wants to preserve status quo. law enforcement can't undertake survelience until it knows who the target is. don't need crypto to find crooks. needed only after you know who the crooks are. fbi foolish to try to convince us that crypto (escrow) is golden bullet of law enforcement. why does fbi need to have crypto to monitor people for whom they already have probable cause (that they need in order to get warrant to wiretap). jim lucire: americans for tax reform. IRS doesn't follow constitutional protections. barry steinhardt (ACLU). law enforcement concerned to preserve its wiretap capability. wiretap happy administration. set records for number of wiretaps (both in criminal and national security). law requiring wiretap capability in telecom infrastructure. additional crimes where wiretap allowed. Janet Reno: four challenges -- threat that encryption poses to law enforcement; ability to search for stored information. wiretapping. why does aclu find it so odious. fourth amendement "particularized suspicion" -- government must have a reason to search you. wiretapping is a "generalized search." in 1970's, 50% of wiretaps produced useful information. now 17% reveal useful info. warrant to search 100 homes to find criminal info in 17 homes? ability to continue wiretapping is in question. what is cost to individuals who are wiretapped? cindy cohn, lawyer: export problems with ITAR: scientists lose. bernstein case (can export crypto research): export rules squelch discussion and reseach: first amendment; right of people to talk about science, art, literature; not just politics. broadness: IATR is overlly broad. defines export to prevent publication. prevents export to "ordinary" people, but only intended to prevent export to terrorist. procedural problems: no hard boundaries. barbara simons (acm) -- copyright? net community suprised when CDA was passed. major voices heard are those of lobbiests; not technology focus; focussed only on their lobby-needs. monitor net? only to preserve copyright. goals will work only if you shut down the net. copyright legislation makes illegal to manufacture device to violate copyright (camera? vcr?) john gilmore (eff): can we trust the courts? won't be won on a single front: need to keep pressure up. "for purposes of first amendment analysis, court finds that source code is speech." will go to supreme court. need help from legislature. want to bring light into export control process. want to have clear rules so you can read rules, build product and export it. michael froomkin (law school, univ of miami): legal status of privacy? can't count on courts. don't take wait and see attitude. wiretap still has some value. Legal status of no export has been successful: no strong crypto in w/95. ken bass question: froomkin: crypto is a constitutional right (200 pages). very few nsa cases; mostly 4th amendment ('drug exception to constituion). korn case, bernstein case. briefs in cases required reading for congress (first amendment). crypto useful to protect free speech (Phil Zimmerman talked about human rights people in Burma who use PGP to protect their messages from government.) [representative zoe lofgren (Dem CA) -- someone proposed 4th amendment in congressional debate amending criminal law. Defeated on party lines.] implication for information sharing between cia/fbi/nsa with foreign intelligence agency? guatamala tragedy example of problem. the dumb criminal theory? blow up buildings with trucks they rent in their own names. --- With apologies for incoherence, errors, and incompleteness --- Martin Minow minow at apple.com From bluebreeze at nym.jpunix.com Mon Jul 1 22:55:15 1996 From: bluebreeze at nym.jpunix.com (Blue Breeze) Date: Tue, 2 Jul 1996 13:55:15 +0800 Subject: Sameer on C-SPAN Message-ID: <199607020123.UAA19678@alpha.jpunix.com> :From: Alex Strasheim :Date: Mon, 1 Jul 1996 11:32:21 -0500 (CDT) : :Janlori Goldman, at the Center for Democracy & Technology, just mentioned :Sameer's anonymizer on C-SPAN during a segment of Internet privacy. : :They showed a shot of the screen and everything. Not everything. No picture of Sameer!? That's what I'd like to see. From frissell at panix.com Mon Jul 1 23:39:16 1996 From: frissell at panix.com (Duncan Frissell) Date: Tue, 2 Jul 1996 14:39:16 +0800 Subject: Iron Censorship Message-ID: <2.2.32.19960702020835.00b36038@panix.com> The New York Times reports that: "Tipped off by an anonymous source named "nobody," Simon & Schuster Inc. and its literary police are engaged in the Internet equivalent of a high-speed car chase: tracking down a runaway book pirated on right-wing and anarchist sites on the World Wide Web. In the last month, the publishing house's monitors have discovered more than seven Internet sites containing the text of "Report from Iron Mountain," first published in 1967 and intended as political satire, and re-released early this year by a Simon & Schuster imprint, the Free Press." http://www.nytimes.com/library/cyber/week/0701iron-mountain.html Taking up the challenge, I fired up AltaVista and quickly found: http://www.cwi.nl/htbin/jack/mailfetch.py?2383 (2646 lines) I haven't checked this version against my dog-eared first edition so I don't know if this one has been modified by the Great Enemy. DCF "Who wonders what ever happened to the Regional Government Conspiracy. Anyone out there remember "Blame Metro", "Terrible 1313" and other chronicles of what used to be called the Metropolitan Government movement?" From drosoff at arc.unm.edu Tue Jul 2 00:23:08 1996 From: drosoff at arc.unm.edu (David Rosoff) Date: Tue, 2 Jul 1996 15:23:08 +0800 Subject: rsync and md4 Message-ID: <1.5.4.16.19960702023938.4637d0c4@arc.unm.edu> -----BEGIN PGP SIGNED MESSAGE----- At 11.36 AM 7/1/96 -0400, David F. Ogren wrote: >2. >(quoted from Mr. Perry in an article entitled "MD5 breaks, etc.") > >> checked. However, the result is widely known. MD5 is *not* >> something that should be trusted going forward, and I hope the next >> version of PGP uses SHA-1. > >As I understand the current plans, PGP 3.0 _will_ incorporate a SHA option. >In fact, I believe that there may already be "bootleg" versions that >incorporate SHA. What is the difference between SHA and SHA-1? Is this algorithm subject to the same licensing as MD5? Could someone point me to such a bootleg version for DOS, please? Thanks. =============================================================================== David Rosoff (nihongo o sukoshi dekiru) ----------------> drosoff at arc.unm.edu For PGP key 0xD37692F9, finger drosoff at acoma.arc.unm.edu 0xD37692F9 Key fingerprint = 25 7D AA 01 85 41 43 89 50 5A 33 76 F1 F1 99 67 Non-technical beginner's guide to PGP ---> http://www.arc.unm.edu/~drosoff/pgp/ Anonymous ok, PGP ok. If it's not PGP-signed, you know that I didn't write it. === === === === === === === === === === === === === === === === === === === === "Truth is stranger than fiction, especially when truth is being defined by the O.J. Simpson Defense Team." -Dave Barry -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMdiLyBguzHDTdpL5AQHACgP/dmJJ6aQ0ZVlHN3WcAsPkaGoAypU/iCz4 F8HSK6nxbmG+pBd5+82Flzqpquy23Wfp+uk2l+CIv7oygoOMXVvadRLTQKXZEe+h 8/rk0pLATszwLakwa427P5xgGs4mfwvKjzBi0LpEIu1qkUmWYGQphl7KPAumdLc+ +3Wpc0INmHY= =qXUq -----END PGP SIGNATURE----- From daw at cs.berkeley.edu Tue Jul 2 01:00:33 1996 From: daw at cs.berkeley.edu (David Wagner) Date: Tue, 2 Jul 1996 16:00:33 +0800 Subject: Message pools _are_ in use today! In-Reply-To: Message-ID: <4ra50l$is@joseph.cs.berkeley.edu> In article , Timothy C. May wrote: > The newsgroup "alt.anonymous.messages" has existed for a year or two, and > serves to be working reasonably well as a message pool. Check it out. alt.anonymous.messages is not an ideal message pool-- it is a hack. (Granted, it *is* a really cool, clever, and practically useful hack.) Ian and I talked about this at some length. alt.anonymous.messages has certain unfortunate shortcomings. Someone sniffing the Berkeley 'net can tell when I receive an alt.anonymous.messages message by when I download an article from the NNTP server; they can tell when I send such an article by when I upload an article to the NNTP server; they can list all the ``subversive'' Berkeley folks who have read alt.anonymous.messages lately. The local NNTP server must be trusted. Furthermore, even if you run a trusted NNTP server on your local machine, there are still vulnerabilities. Someone sniffing on your subnet can tell when you inject a new message onto alt.anonymous.messages, as can your neighboring NNTP servers. Then there are all the standard message length and timing threats from traffic analysis. And there is no perfect forward secrecy when using alpha nymservers to redirect email to alt.anonymous.messages. There are also second-order threats, arising from the fact that an attacker can selectively and remotely delete messages from some spools by using cancel messages, without compromising any NNTP servers. Ian's post detailed a proposal for implementing a message pool with better security properties: link encryption, constant size messages, randomized flooding, perfect forward secrecy, etc. This mechanism is intended to provide recipient anonymity. Sender anonymity must still be achieved by standard chaining methods. If folks have better ideas for how to achieve really good recipient anonymity, I hope they'll speak up! Take care, -- Dave From llurch at networking.stanford.edu Tue Jul 2 02:42:36 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 2 Jul 1996 17:42:36 +0800 Subject: Notes from SAFE meeting In-Reply-To: Message-ID: On Mon, 1 Jul 1996, Martin Minow wrote: > burns: fbi, cia, nsa presented to senate/congress: said nothing that wasn't > already in public record (newspapers) But he was entertaining. > telia (Swedish Telecom) representative (Mattias Soederholm) -- can't import > strong encryption as NSA claims it would harass company. doesn't like having > to tell customers that USA will read their mail. Specifically, he said "They said they had the power to harass us in ways that could not be traced." Conspiracy hounds feel free to have a field day with that one... > solve crimes, prevent crimes? would key escrow prevent oklahoma bombing? > but without strong crypto, foreigner working outside usa can take plane down, > grab medical records. etc., by hacking insecure networks. This seems to be the best argument for the masses. Tod L... from Wired and VTW felt the need to made some disparaging cracks about libertarian rants, as he distinguished them from the rational commentary. > second fundamental problem: operating key escrow center economically and > technically difficult. 24/7/365, 2 hour response to law enforcement request. Craig-somebody from Microsoft had earlier made an excellent point about the insurability of zero-asset escrow agencies. Would you give your key to this man? (Yes, I did find that funny coming from a Microsoft employee.) > the dumb criminal theory? blow up buildings with trucks they rent in > their own names. Of course, that kind of suicidally dumb criminal tends to do the most damage. Key escrow wouldn't help because it's too slow. -rich From frantz at netcom.com Tue Jul 2 02:49:25 1996 From: frantz at netcom.com (Bill Frantz) Date: Tue, 2 Jul 1996 17:49:25 +0800 Subject: rsync and md4 [NON-CRYPTO ALGORITHM] Message-ID: <199607020623.XAA19699@netcom7.netcom.com> At 10:50 AM 6/30/96 +1000, Andrew Tridgell wrote: >It effectively creates binary diffs of the two files, without direct >(local) access to both files. As far as I know this is a new type of >algorithm. I worked with an algorithm which sounds similar to this one back about 20 years ago when creating a diff for VM/370 at Tymshare. Here's a quick description of the algorithm so you can see how much the hashing discussion below applies to your problem. (1) Chose a way to break the files into "units". We chose line ends. (2) Hash each unit in both files making two vectors of hashes. (3) Identify which units exist once and only once in a file by: (3a) Initialize a (large) vector of 2-bit entries to all zeros. (3b) Use the hash of each unit to index the vector. If the entry is 00 change it to 01. If it is 01 change it to 10. If it is 10 leave it alone. (4) And the two 2-bit entry vectors together to get the units that exist once and only once in both files. These units are anchors of similarity between the files. (5) Find the hashes which represent these anchors of similarity in both files and link them together. (6) Link the neighbors of already linked units. (7) The unlinked hashes represent differences between the two files. Note that this algorithm finds units that have been moved. I had to do something intelligent with this information to allow for diff-like output. To handle binary files you may need to change the definition of "unit". We used a simple barber poll hash. We went for a number of years before we had a hash failure. (I know, there was a bug in the code that handled hash failures.) A hash based on a CRC calculation would probably be better. ------------------------------------------------------------------------- Bill Frantz | The Internet may fairly be | Periwinkle -- Consulting (408)356-8506 | regarded as a never-ending | 16345 Englewood Ave. frantz at netcom.com | worldwide conversation. | Los Gatos, CA 95032, USA From llurch at networking.stanford.edu Tue Jul 2 02:51:30 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 2 Jul 1996 17:51:30 +0800 Subject: Info on alleged new German digital wiretapping law? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- None of the Europeans I ran into at today's SAFE conference had even heard of the legislation decried at http://fight-censorship.dementia.org/fight-censorship/dl?num=3027 and in alt.fan.ernst-zundel. What's up? - -rich http://www.stanford.edu/~llurch/ send mail with subject line "send pgp key" for my key or "911" to page me -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQBVAwUBMdiyIpNcNyVVy0jxAQEi9QH7BglmZ3rtAnAcKp+5sMQzvWs8WUFXGzpO N8jqMnhpWhkIyFyV62EvAMFKHMGSquaPb75aak8s2xFTXJGsAuZDRg== =Dqj9 -----END PGP SIGNATURE----- From frantz at netcom.com Tue Jul 2 02:55:46 1996 From: frantz at netcom.com (Bill Frantz) Date: Tue, 2 Jul 1996 17:55:46 +0800 Subject: SAFE Forum Message-ID: <199607020623.XAA19680@netcom7.netcom.com> Rather than a complete report (which will cover a lot of material people here already know), I will just give you my highlights from the forum. None of the people on the first panel have been asked to testify before either intelligence committee. (Panel was: Lori Fena, EFF; Craig Mundie, Microsoft; Eric Schmidt, Sun; and a substitute for Marc Andreessen from Netscape). Current government "Key Escrow" systems cost $200/key/year. [Craig Mundie] These systems can best be described as key-rental systems. "Crime prevention ought to be part of the FBI's mission. [Herbert Lin, National Research Council] Jim Omura [Cylink] spoke of specific business his company has lost to foreign competitors due to export licensing problems. He spoke of protecting US corporate links between China and the US. CompuServe losses are mostly overseas (in e.g. the former USSR) due to insecure communications and Telephone companies. [Tom Oren, CompuServe] PGP Inc bought ViaCrypt on Friday. [Phil Zimmermann, PGP Inc.] (Scooped by Ian Goldberg) Congresswoman Eshoo appeared not to have heard about PGP being used by human rights groups in e.g. Bosnia to protect their files. National Research Council report available from: www2.nas.edu/cstbweb A compromise on key length won't satisfy either side because those using encryption to protect their data want every single message to be secure (implying long keys and brute force times), while those monitoring communications need to quickly decide whether a message is interesting (implying short decrypt times). [Whit Diffie, Sun] We sell RC4, 40 bit decryption hardware (based on AMD29000) for $16K. FPGA devices for breaking DES in 7 days for $1M. [Eric Thompson, Access Data] NSA's problem is not crypto, but the explosive growth in the number of protocols. NSA needs to get out of the business of being a reputation agent for crypto (thru ITAR approval) and allow weak crypto to naturally appear in the market. [Ken Bass, Venabel, Baetjer, Howard and Civiletti] In the 1970s 50% of the wiretaps were of value, now only 17% are. [Barry Steinhardt, ACLU] The introduction of "Dorothy" as the canonical Key Escrow (GAK) holder. (To great hoots of laughter.) [I think this was Tom Parenty, Sybase, but I could be wrong.] When analyzing the crypto requirements of bad guys (e.g. terrorists) and good guys (e.g. digital commerce users), the bad guys are small, tight knit communities where the current, widely available, crypto systems work well. The good guys are not tight knit and need infrastructure we don't have, such as widely available software and certification. [Very broadly taken from Whit Diffie] ------------------------------------------------------------------------- Bill Frantz | The Internet may fairly be | Periwinkle -- Consulting (408)356-8506 | regarded as a never-ending | 16345 Englewood Ave. frantz at netcom.com | worldwide conversation. | Los Gatos, CA 95032, USA From snow at smoke.suba.com Tue Jul 2 03:05:53 1996 From: snow at smoke.suba.com (snow) Date: Tue, 2 Jul 1996 18:05:53 +0800 Subject: The Net and Terrorism In-Reply-To: Message-ID: On Mon, 1 Jul 1996, Simon Spero wrote: > I want my, I want my, I want my Atropine No, you don't. Petro, Christopher C. petro at suba.com snow at crash.suba.com From vznuri at netcom.com Tue Jul 2 03:18:16 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Tue, 2 Jul 1996 18:18:16 +0800 Subject: whitehouse dossier database? Message-ID: <199607020639.XAA13694@netcom11.netcom.com> holy cow, is this real? Grabbe cites several credible references. although of course he himself fits the bill as one of the world's greatest conspiracy theorists (or trackers, depending on your point of view ). I don't recall the article by Paul Rodriguez of Washington Times, was it recent? ------- Forwarded Message Date: Sun, 30 Jun 1996 20:16:49 -0500 (CDT) Sender: owner-CN-L at cornell.edu From: Brian Redman To: Conspiracy Nation The following is brought to you thanks, in part, to the kind assistance of CyberNews and the fine folks at Cornell University. Conspiracy Nation -- Vol. 8 Num. 30 ====================================== ("Quid coniuratio est?") - - ----------------------------------------------------------------- THE WHITE HOUSE "BIG BROTHER" DATA BASE ======================================= - - -----BEGIN PGP SIGNED MESSAGE----- The White House "Big Brother" Data Base & How Jackson Stephens Precipitated a Banking Crisis by J. Orlin Grabbe Score another coup for Jackson Stephens' Systematics (Alltel Information Services). It provided the software for the White House's "Big Brother" data base system, and now the White House is in a panic that there may be secret methods of accessing its computer. The existence of the White House computer system and data base--known as WHODB, White House Office Data Base, and containing as many as 200,000 names--was revealed by Paul Rodriguez in the *Washington Times*. Some of the information was developed by *Insight*'s Anthony Kimery, soon to be managing editor of the electronic publication *SOURCES eJournal*. Kimery is a writer whose articles in *The American Banker* and *Wired* were among the first to report U.S. government spying on domestic banking transactions. (Kimery was also fired from one magazine for looking into the death of Vince Foster.) Now things have come full circle. The chief government effort to spy on U.S. domestic banking transactions was directed by the electronic spy agency, the National Security Agency (NSA), working in connection with the Little Rock software firm Systematics. Systematics, half-owned by billionaire Jackson Stephens (of Stephens Inc. fame), has been a major supplier of software for back office clearing and wire transfers. It was Stephens' attempt to get Systematics the job of handling the data processing for the Washington-D.C. bank First American that lead to the BCCI takeover of that institution. Hillary Clinton and Vince Foster represented Systematics in that endeavor, and later Foster became an overseer of the NSA project with respect to Systematics. Working together, the NSA and Jackson Stephens' Systematics developed security holes in much of the banking software Systematics sold. Now we face a crisis in banking and financial institution security, according to John Deutch, Director of the CIA. "One obstacle is that banks and other private institutions have been reluctant to divulge any evidence of computer intrusions for fear that it will leak and erode the confidence of their customers. Deutch said 'the situation is improving' but that more cooperation was needed from major corporations, and said the CIA remains willing to share information with such firms about the risks they might face." (*The Washington Post*, June 26, 1996, page A19.) What Deutch failed to mention was that this "banking crisis" in large part was itself created by one of the U.S. intelligence agencies--the NSA in cahoots with Stephens' software firm Systematics. The Citibank heist by Russian hackers, for example, took advantage of a back door in Citibank's Systematics software. (The Russian hackers were apparently aided by the son of one of Jim Leach's House Banking Committee investigators.) Have any major banks thought of instituting lawsuits over this deliberate breach of security on the part of a software supplier? John Deutch has a proposed solution for this and other computer security problems: the creation of an "Information Warfare Technology Center". Guess where he wants to put the Center: in the National Security Agency itself, naturally. That is, the government wants money budgeted for a new bureaucracy to solve the problem another bureaucracy spent money creating. You have to admire the sheer chutzpah of this kind of con--one which would also leave the NSA fox guarding the banking chicken coop. Meanwhile, over at the White House, senior aides are in a panic. Is the WHODB system related to the PROMIS software? they want to know. Is there a back door into the system? Have files been download? It just goes to show that given the right incentive, even the White House will begin spouting conspiracy theories. Perhaps Charles O. Morgan (see part 2 of my Vince Foster series) should write the White House a threatening letter. - - -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMdXLbWX1Kn9BepeVAQGSuwP7BOGXepZld6j1skJLnTfKYCDCBo3BZUyN A7hEslyPUkSh7pLGpJhiPQcQf+uEq9eFVYqeUKV+toKgZvEr6nb924aNFq5ObZyV 3drfdlWwgxf503ShHcOW7D/mpu2I5u1P2yyV5sM1nBH/y9CzX/DXNL9l3nBop7wA WmBXlraXros= =BjAo - - -----END PGP SIGNATURE----- - - ----------------------------------------------------------------- I encourage distribution of "Conspiracy Nation." - - ----------------------------------------------------------------- If you would like "Conspiracy Nation" sent to your e-mail address, send a message in the form "subscribe cn-l My Name" to listproc at cornell.edu (Note: that is "CN-L" *not* "CN-1") - - ----------------------------------------------------------------- For information on how to receive the improved Conspiracy Nation Newsletter, send an e-mail message to bigred at shout.net - - ----------------------------------------------------------------- Want to know more about Whitewater, Oklahoma City bombing, etc? (1) telnet prairienet.org (2) logon as "visitor" (3) go citcom - - ----------------------------------------------------------------- See also: http://www.europa.com/~johnlf/cn.html - - ----------------------------------------------------------------- See also: ftp.shout.net pub/users/bigred - - ----------------------------------------------------------------- Aperi os tuum muto, et causis omnium filiorum qui pertranseunt. Aperi os tuum, decerne quod justum est, et judica inopem et pauperem. -- Liber Proverbiorum XXXI: 8-9 - ------- End of Forwarded Message ------- End of Forwarded Message From tcmay at got.net Tue Jul 2 03:45:50 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 2 Jul 1996 18:45:50 +0800 Subject: Message pools _are_ in use today! Message-ID: I must be missing something....: At 3:28 AM 7/2/96, David Wagner wrote: >Someone sniffing the Berkeley 'net can tell when I receive an >alt.anonymous.messages message by when I download an article from >the NNTP server; they can tell when I send such an article by when >I upload an article to the NNTP server; they can list all the >``subversive'' Berkeley folks who have read alt.anonymous.messages >lately. > >The local NNTP server must be trusted. I'm not following your "upload an article to the NNTP server." Don't most people use mail-to-News gateways to post anonymously? (If not, they should, of course.) This way, the posting of an article has the anonymity provided by the chain of remailers used to reach the terminal site, the mail-to-News gateway. The posting is anonymous (within the usual limits we discuss here), and the reading is "pretty hard" to focus on, for several reasons: 1. Hard to gain access to local ISP without sending alerts out (it would be for my ISP, at least). This is admittedly not cryptographically interesting, but is a very real practical difficulty. 2. Many who browse alt.anonymous.messages probably "glance" at many of the oddly-named message pool messages. I know I do. Again, makes it a "needle in a haystack" to know which of several hundred folks who glanced at "ToBear" or "TheRealMessage"--assuming the NSA could ever identify these hundreds--is the real intended target. 3. And I recall that many have newsreaders which download _all_ messages in a newsgroup automatically. Again, this makes the pool of potential readers quite large and meaningless to try to track. The use of public posting areas for message pools (what I called "Democracy Walls" several years back) seems to me have several compelling advantages over "reply-block" approaches. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From llurch at networking.stanford.edu Tue Jul 2 04:12:45 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 2 Jul 1996 19:12:45 +0800 Subject: Message pools _are_ in use today! In-Reply-To: <4ra50l$is@joseph.cs.berkeley.edu> Message-ID: On 1 Jul 1996, David Wagner wrote: > Someone sniffing the Berkeley 'net can tell when I receive an > alt.anonymous.messages message by when I download an article from > the NNTP server So, download every message, all the time, and junk posts that don't interest you offline. You betray yourself as an Evil Anonymous Communicator, but somehow I think they might already know. You give no information about which messages you're actually interested in unless your local workstation is compromised. > Furthermore, even if you run a trusted NNTP server on your local > machine, there are still vulnerabilities. Someone sniffing on your > subnet can tell when you inject a new message onto alt.anonymous.messages, > as can your neighboring NNTP servers. This is true. You'd have to generate white noise, again betraying yourself, but only in general. "They" would need to track every message. To make it more interesting, encrypt a bunch of messages for bogus PGP keys created for the purpose. -rich From vznuri at netcom.com Tue Jul 2 04:25:28 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Tue, 2 Jul 1996 19:25:28 +0800 Subject: "gov runs anon remailers" Message-ID: <199607020636.XAA12930@netcom11.netcom.com> fallout from that old, lame Strassman & Marlow paper. a bit on the new Puzzle Palace. ------- Forwarded Message Date: Mon, 1 Jul 1996 06:11:41 -0400 (EDT) From: "Donna J. Logan" To: snetnews at alterzone.com, liberty-and-justice at pobox.com, act at efn.org Subject: CAQ: CIA Spying on EMAIL (fwd) - - -> SearchNet's snetnews Mailing List - - ---------- Forwarded message ---------- Date: Sun, 30 Jun 1996 15:19:38 -0700 (PDT) To: Recipients of pol-abuse Subject: CAQ: CIA Spying on EMAIL From: Bob Witanek Posted dadoner at chesco.com Thu Jun 20 23:46:55 1996 From: Ronnie Dadone Subject: CIA Spying on Re-mail? http://www.worldmedia.com/caq/articles/remail.html > ARE THE FEDS SNIFFING YOUR RE-MAIL? > > by Joh Dillon > > THE RULES OF PRIVACY ARE CHANGING WITH ELECTRONIC > COMMICATIONS, THE EAGERNESS OF GOVERNMENT TO PRY INTO OUR > COMMINICATIONS, APPARENTLY, IS NOT. > > Foreign and domestic intelligence agencies are actively monitoring > worldwide Internet traffic and are allegedly running anonymous > re-mailer" services designed to protect the privacy of electronic > mail users. > > The startling claim that government snoops may be surreptitiously > operating computer privacy protection systems used by private > citizens was made earlier this year at a Harvard University Law > School Symposium on the Global Information Infrastructure. The > source was not some crazed computer hacker paranoid about government > eavesdropping. Rather, the information was presented by two defense > experts, Former Assistant Secretary of Defense Paul Strassmann, now > a professor at West Point and the National Defense University in > Washington, D.C., along with William Marlow, a top official at > Science Applications International Corp., a leading security > contractor. > > Anonymous re-mailer services are pretty much what the name implies. > By stripping identifying source information from e-mail messages, > they allow people to post electronic messages without traceable > return address information. > > But Strassmann and Marlow said that the anonymous re-mailers, if > used properly and in tandem with encryption software pose an > unprecedented national security threat from information terrorists. > Intelligence services have set up their own re-mailers in order to > collect data on potential spies, criminals, and terrorists, they > said. *1 > > Following their Harvard talk, Strassmann and Marlow explicitly > acknowledged that a number of anonymous re-mailers in the US are run > by government agencies scanning traffic," said Viktor > Mayer-Schoenberger, a lawyer from Austria who attended the > conference. Marlow said that the [US] government runs at least a > dozen re-mailers and that the most popular re-mailers in France and > Germany are run by respective agencies in those countries."2 > > Mayer-Schoenberger was shocked by the defense experts' statement and > tried to spread the news by sending an e-mail message to Hotwired, > the online version of Wired magazine. Although the story did not > make headlines, his note quickly became the e-mail message relayed > 'round the world, triggering over 300 messages to Strassmann and > Marlow. It was followed by the electronic version of spin control. > > Strassmann quickly posted a denial. In an interview, he said the > Austrian completely misunderstood what he and Marlow had said. That > was false," Strassmann said of Mayer-Schoenberger's message. That > was the person's interpretation of what we said. ... We did not > specifically mention any government. What we said was that > governments are so heavily involved in this [Internet issues] that > it seems plausible that governments would use it in many ways." *3 > (Marlow did not return a call for comment.) > > But Harvard Law School Professor Charles Nesson, who heard the > original exchange at the Harvard conference, recalls the > conversation as Mayer-Schoenberger described it. *4 > Mayer-Schoenberger also stands by his story. I remember the > conversation perfectly well," he e-mailed from Vienna. They said a > couple of additional things I'm sure they don't want people to > remember. But the statement about the re-mailers is the one most > people heard and I think is quite explosive news, isn't it?" *5 > > Marlow said that actually a fair percentage of re-mailers around the > world are operated by intelligence services, Mayer-Schoenberger > recalled in a subsequent interview. Someone asked him: `What about > the US, is the same true here as well?' Marlow said: `you bet.' > > The notes for the Harvard symposium, posted on the World Wide Web, > also lend credence to Mayer-Schoenberger's account. The CIA already > has anonymous re-mailers but to effectively control [the Internet] > would require 7,000 to 10,000 around the world," the notes quote > Marlow as saying. *6 > -------------------------------------------------------------------- > > @EASE WITH EAVESDROPPING > > Prying into e-mail is probably as old as e-mail itself. The Internet > is notoriously insecure; messages are kept on computers for months > or years. If they aren't stored safely, they can be viewed by anyone > who rummages through electronic archives by searching through the > hard drive, by using sophisticated eavesdropping techniques, or by > hacking in via modem from a remote location. Once e-mail is > obtained, legally or not, it can be enormously valuable. Lawyers are > increasingly using archived e-mail as evidence in civil litigation. > And it was Oliver North's e-mail (which he thought was deleted) that > showed the depths of the Reagan administration's involvement in the > Iran-Contra affair. > > Moreover, it's easier to tap e-mail messages than voice telephone > traffic, according to the paper written by Strassmann and Marlow. As > e-mail traffic takes over an ever-increasing share of personal > communications, inspection of e-mail traffic can yield more > comprehensive evidence than just about any wire-tapping efforts, > they wrote. E-mail tapping is less expensive, more thorough and less > forgiving than any other means for monitoring personal > communications. 7 > -------------------------------------------------------------------- > > @ RISK > > Two kinds of anonymous re-mailers have evolved to protect the > privacy of users. The first, and the less secure, are two-way > database re-mailers," which maintain a log linking anonymous > identities to real user names. These services are more accurately > called pseudonymous" re-mailers since they assign a new name and > address to the sender (usually a series of numbers or characters) > and are the most vulnerable to security breaches, since the logs can > be subpoenaed or stolen. The most popular pseudonymous" re-mailer is > a Finnish service at anon.penet.fi". > > I believe that if you want protection against a governmental body, > you would be foolish to use anon.penet.fi," said Jeffrey Schiller, > manager of the Massachusetts Institute of Technology computer > network and an expert on e-mail and network security. Last year, in > fact, authorities raided anon.penet.fi to look for the identity of a > Church of Scientology dissident who had posted secret church papers > on the Internet using the supposedly private service. *8 > > The second kind of re-mailers are cypherpunk" services run by > computer-savvy privacy advocates. Someone desiring anonymity detours > the message through the re-mailer; a re-mailer program removes > information identifying the return address, and sends it on its way. > Schiller says that a cypherpunk re-mailer in its simplest form is a > program run on incoming e-mail that looks for messages containing a > request-re-mailing-to" header line. When the program sees such a > line, it removes the information identifying the sender and remails" > the message. *9 Some re-mailers replace the return address with > something like nobody at nowhere.org." > > Further protection can be obtained by using free, publicly available > encryption programs such as Pretty Good Privacy and by chaining > messages and re-mailers together. Sending the message from re-mailer > to re-mailer using encryption at each hop builds up an onion skin > arrangement of encrypted messages inside encrypted messages. Some > re-mailers will vary the timing of the outgoing mail, sending the > messages out in random sequence in order to thwart attempts to trace > mail back by linking it to when it was sent. > -------------------------------------------------------------------- > > @ISSUE: THE RIGHT TO PRIVACY > > Linking encrypted messages together can be tricky and > time-consuming. So who would bother? A. Michael Froomkin, an > assistant professor of law at the University of Miami and an expert > on Internet legal issues, says anonymity allows people to practice > political free speech without fear of retribution. Whistleblowers > can identify corporate or government abuse while reducing their risk > of detection. People with health problems that are embarrassing or > might threaten their ability to get insurance can seek advice > without concern that their names would be blasted electronically > around the world. *10 A battered woman can use re-mailers to > communicate with friends without her spouse finding her. > > The Amnesty International human rights group has used anonymous > re-mailers to protect information supplied by political dissidents, > said Wayne Madsen, a computer security expert and co-author of a new > edition of The Puzzle Palace, a book on the National Security > Agency. Amnesty International has people who use re-mailers because > if an intelligence service in Turkey tracks down [political > opponents] ... they take them out and shoot them," he said. I would > rather err on the side of those people. I would rather give the > benefit of the doubt to human rights." *11 > > Strassmann and Marlow, on the other hand, see the threat to national > security as an overriding concern. Their paper, Risk-Free Access > into the Global Information Infrastructure via Anonymous Re-mailers, > presented at the Harvard conference, is a call to electronic arms. > In it, they warn that re-mailers will be employed in financial fraud > and used by information terrorists" to spread stolen government > secrets or to disrupt telecommunication, finance and power > generation systems. Internet anonymity has rewritten the rules of > modern warfare by making retaliation impossible, since the identity > of the assailant is unknown, they said. Since biblical times, crimes > have been deterred by the prospects of punishment. For that, the > criminal had to be apprehended. Yet information crimes have the > unique characteristic that apprehension is impossible. ... > Information crimes can be committed easily without leaving any > telltale evidence such as fingerprints, traces of poison or > bullets," they wrote. *12 > > As an example, they cite the Finnish re-mailer (anon.penet.fi), > claiming that it is frequently used by the ex-KGB Russian criminal > element. Asked for proof or further detail, Strassmann said: That > [paper] is as far in the public domain as you're going to get." *13 > > At the Harvard symposium, the pair provided additional allegations > that anonymous re-mailers are used to commit crimes. There was a > crisis not too long ago with a large international bank. At the > heart of the problem turned out to be anonymous re-mailers. There > was a massive exchange around the world of the vulnerabilities of > this bank's network," Marlow said. *14 > > But David Banisar, an analyst with the Washington, D.C.-based > Electronic Privacy Information Center (EPIC) downplayed this kind of > anecdote, saying that such allegations are always used by > governments when they want to breach the privacy rights of citizens. > I think this information warfare stuff seems to be a way for the > military trying to find new reasons for existence and for various > opportunistic companies looking for ways to cash in. I'm really > skeptical about a lot of it. The problem is nine-tenths hype and > eight-tenths bad security practices," he said. Already existing > Internet security systems like encryption and firewalls could take > care of the problem." > > The public should not have to justify why it needs privacy, he said. > Why do you need window blinds? Privacy is one of those fundamental > human rights that ties into other human rights such as freedom of > expression, the right to associate with who you want, the right to > speak your mind as you feel like it. ... The question shouldn't be > what do you have to fear, it should be `Why are they listening in?' > With a democratic government with constitutional limits to > democratic power, they have to make the argument they need to listen > in, not the other way around." *15 > > Froomkin, from the University of Miami, also questioned Strassmann > and Mayer's conclusions. First of all, the statistics about where > the re-mailers are and who runs them are inaccurate. I can't find > anybody to confirm them," he said. I completely disagree with their > assessment of facts and the conclusions they draw from them. ... > Having said that, there's no question there are bad things you can > do with anonymous re- mailers. There is potential for criminal > behavior." *16 > > Banisar doubts that intelligence agencies are actually running > re-mailers. It would entail a fairly high profile that they tend to > shy away from, he said. However, it is likely that agencies are > sniffing" monitoring traffic going to and from these sites, he said. > -------------------------------------------------------------------- > > @ WORK SNIFFING THE NET > > Not in doubt, however, is that the government is using the Internet > to gather intelligence and is exploring the net's potential > usefulness for covert operations. Charles Swett, a Department of > Defense policy assistant for special operations and low-intensity > conflict, produced a report last summer saying that by scanning > computer message traffic, the government might see early warnings of > impending significant developments." Swett added that the Internet > could also be used offensively as an additional medium in > psychological operations campaigns and to help achieve > unconventional warfare objectives." *17 The unclassified Swett paper > was itself posted on the Internet by Steven Aftergood of the > Federation of American Scientists. > > The document focuses in part on Internet use by leftist political > activists and devotes substantial space to the San Francisco-based > Institute for Global Communications (IGC), which operates Peacenet > and other networks used by activists. IGC shows, Swett writes, the > breadth of DoD-relevant information available on the Internet." > > The National Security Agency is also actively sniffing" key Internet > sites that route electronic mail traffic, according to Puzzle Palace > co-author Wayne Madsen. In an article in the British newsletter > Computer Fraud and Security Bulletin, Madsen reported that sources > within the government and private industry told him that the NSA is > monitoring two key Internet routers which direct electronic mail > traffic in Maryland and California.18 In an interview, Madsen said > he was told that the NSA was sniffing" for the address of origin and > the address of destination" of electronic mail. > > The NSA is also allegedly monitoring traffic passing through large > Internet gateways by scanning network access points" operated by > regional and long-distance service providers. Madsen writes that the > network access points allegedly under surveillance are at gateway > sites in Pennsauken, N.J. (operated by Sprint), Chicago (operated by > Ameritech and Bell Communications Research) and San Francisco > (operated by Pacific Bell). *19 > > Madsen believes that NSA monitoring doesn't always stop at the US > border, and if this is true, NSA is violating its charter, which > limits the agency 's spying to international activities. People > familiar with the monitoring claim that the program is one of the > NSA's `black projects,' but that it is pretty much an `open secret' > in the communications industry," he wrote. > > Electronic communications open up opportunities to broaden > democratic access to information and organizing. They also provide a > means and an opportunity for governments to pry. But just as people > have a right to send a letter through the post office without a > return address, or even to drop it in a mail box in another city, so > too, electronic rights advocates argue, they have the right to send > an anonymous, untraceable electronic communication. And just as the > post office can be used maliciously, or to commit or hide a crime, > re-mailers can be used by cruel or criminal people to send hate mail > or engage in flame wars." And like the post office, the highways, > and the telephone, the Internet could be used by spies or > terrorists. Those abuses, however, do not justify curtailing the > rights of the vast number of people who use privacy in perfectly > legal ways. > > Robert Ellis Smith, editor of the Privacy Journal newsletter, said > government agencies seem obsessed with anonymous re-mailers. They > were set up by people with a very legitimate privacy issue, he said. > Law enforcement has to keep up with the pace of technology as > opposed to trying to infiltrate technology. Law enforcement seems to > want to shut down or retard technology, and that's not realistic. > Anonymous re-mailers are not a threat to national security. *20 > -END-- > > SUBSCRIPTION INFO - - -> Send "subscribe snetnews " to majordomo at alterzone.com - - -> Posted by: "Donna J. Logan" - ------- End of Forwarded Message ------- End of Forwarded Message From snow at smoke.suba.com Tue Jul 2 04:30:09 1996 From: snow at smoke.suba.com (snow) Date: Tue, 2 Jul 1996 19:30:09 +0800 Subject: Net and Terrorism. Message-ID: I took a few days to think about this stuff, and I am replying to these in bulk rather than seperately. T.C. May wrote: Can anything be done? To stop the likely effects of lots more surface-to-air missiles, lots more nerve gas available on the black market, and so on? In a word, "no." /* I disagree. Terrorism, political terrorism is fear. There are ways to protect military targets that are quite cost effective, unfortunately they are politically unpopular. (What just happend in Saudi is on my mind. STUPID military commanders getting the same pie in the face time and time again. There is NOTHING so unchanging as the military mind set.) Civilian targets are harder to protect, but certain steps can be taken to lessen chances of a sucessful attack. Another method, and this would be very unpopular (and hypocritical of the US) would be simply to announce that we (the Country) are going to hold the _manufacturing_ nation responcible for the use of weapons of mass destruction. So if Soviet Nerve Gas is used, we gas a city in the Soviet Union. MAD carried to a lower level. A third option is quite simply to buy as much of it as possible. */ I expect a city or two to get nuked in the next decade or so. (Haifa or Tel Aviv would be my leading candidates.) To me, this is unsurprising. /* My bets in the following order: Paris New York Rome London LA (by home brewed idiots) Chicago Berlin. I don't think that terrorists in the middle east will pop a nuke as they would get as many of their own as the "enemy". One of the things a terrorist needs more than money is a place to hide, and if you are killing your own people, they won't shield you. */ moderate economic or physical crises. (No, I am not a "survivalist," just mentally and physically prepared to deal with a major earthquake, economic dislocation, or terrorist incident in San Jose, which is 30 miles north of me.) /* Sounds like a "survivalist" to me. */ examples of how the Net can be used to undermine governments (what those governments of course refer to as "terrorism," even when it is mostly not). I'm not advocating such "terrorism," by the way, merely telling it like it is. /* If you want to define terrorism as in the above paragraph, them I am, and you do too. The biggest problem with terrorism is that there isn't a good defination that looks the same from both sides. In otherwords the old saw about one mans terrorist being anothers freedom fighter. Any defination sufficiently inclusive so as to cover all "terrorist" activities will also include uniformed soldiers. The lines get very thin and blurry. */ Keep your head down, avoid crowded downtown areas, prepare for moderate disruptions, and reject arguments that an American Police State will do anything to stop terrorism. /* The american police state (and if we aren't one yet, it isn't for lack of trying) IS an instrument of terrorism in some parts of this country. */ (Remember, terrorism is just warfare carried on by other means, with apolgies to Von Clausewitz.) /* Terrorism is when the other side hits with out warning. */ From: frantz at netcom.com (Bill Frantz) Thanks Tim for your essay. The only thing I would add is that terrorist attacks on pure information resources (e.g. the banking system) are likely to result in many fewer casualties than terrorist attacks on physical entities (e.g. major cities). Another way of saying it is, email bombs are preferable to snail mail bombs. /* I don't think so. One objective of terrorism is/could be to lessen a populations faith in "The System". Some possible situations (can't remember how to spell scenireo): Trash a multi-store pharmacy database and people can't get their prescriptions, or worse get the wrong one. Cause disturbances in certain parts of certain cities, then attack the 911 system to route officers and firemen to _wealthy_ neigborhoods at the expense of the poor neighborhoods. Then complain to the papers about it. Gain control of the power grid (I don't know how possible this is) and selectively brown out certain sections of the city during peak demand periods. Make it obvious, then do the preceeding idea. In all of these people will, or could die, but are much more effective in undermining the faith people have in the structures that run the country. If a bomb blast goes off, people get pissed off at the bomb makers, if the power fails, people get pissed at the electrical company. If you can create a large enough disturbances they will be better than bombs. */ From: "Vladimir Z. Nuri" [TCM] >Can anything be done? To stop the likely effects of lots more >surface-to-air missiles, lots more nerve gas available on the black market, >and so on? >In a word, "no." try to have a warfare, siege-like mentality imho, and a continual "trying to stay ahead of the criminals". we do not have regular open terrorism in the streets of the US and I see no reason to think there ever will be as TCM suggests. /* Depending on how you define "terrorism" I would like you to visit my neighborhood, and then we can go to a couple other here in chicago where the cops terrorize the citizens, the gangs terrorize the cops and the citizens, etc. It hasn't hit the national level yet, but it will. */ nevertheless what his essay misses, and many in law enforcement miss, are the root reasons for crime. I'm not going to sound like a liberal /* There is a big difference (IMO) between a terrorist and a common criminal. Money and Ideology. In *MOST* instances the terrorist is attempting to acheive a political, social, or long term (as in decades/generations) economic change. A criminal is simply trying to get rich or get stoned. IMO the root cause of crime is a lack of self disipline, and it is as far as I can tell part of the human condition. */ in reality. it seems to me no nation-state has ever experimented with trying to take away the root causes of violence and discontent. why? /* Is it possible that to a large degree the nation-state IS the problem? */ because a policeman holding a gun is so much more visceral and the public responds to this image readily. other "programs" that try to decrease discontent among the budding terrorists of tommorrow are usually ridiculed. it is very difficult to prove that they work /* Rightly so. Most of these programs amount to hand-outs or paternalistic pandering. People need to work, not get paid for doing nothing. */ terrorists invariably have a patricular pathological psychological profile that sees the world in terms of "martyrs vs. villians" with the villians in the government, and the villians taking away or abusing respectable citizens. /* Often they are right. */ the "problem" of terrorism will be solved when we take the view that insanity and violence is *not* a natural aspect of human behavior (as TCM tends to suggest), and that /* It is. Insanity is a condition that occasionaly crops up in humans. Sometimes the problem is chemical, sometimes not, however it _is_ natural. So is violence. People want things, and some don't care what they have to do to get these things. */ >(Remember, terrorism is just warfare carried on by other means, with >apolgies to Von Clausewitz.) disagree. the purpose of warfare has traditionally been to seize something tangible like territory. terrorists are after intangibles-- namely, terror itself, disrupting a "peace process", etc. /* Or forcing a certain group to the discussion table. */ Any Obcrypto I could add at this point would be preaching to the choir. Petro, Christopher C. petro at suba.com snow at crash.suba.com From shamrock at netcom.com Tue Jul 2 06:13:46 1996 From: shamrock at netcom.com (Lucky Green) Date: Tue, 2 Jul 1996 21:13:46 +0800 Subject: The Net and Terrorism Message-ID: At 0:54 7/2/96, snow wrote: >On Mon, 1 Jul 1996, Simon Spero wrote: > >> I want my, I want my, I want my Atropine > > No, you don't. Simon, you got to be more careful when synthesizing that Sarin. Always check that the vent is working first. -- Lucky Green PGP encrypted mail preferred. Disclaimer: My opinions are my own. From yusuf921 at uidaho.edu Tue Jul 2 06:16:59 1996 From: yusuf921 at uidaho.edu (Syed Yusuf) Date: Tue, 2 Jul 1996 21:16:59 +0800 Subject: fbi botches intel "ecspionage" case In-Reply-To: <199606291925.MAA12512@netcom3.netcom.com> Message-ID: > at the end of the show, the reporter stated that > the FBI was seeking stronger laws against theft > of "intellectual property" in congress that might > solve the problem. Their main concern when they contacted me about me message to 'Blacknet' is that 'InterNational Terrorists(tm)' would use it to sneak US industry secrects out of the country. Thought for the Day: No matter what pious reason created the entity, Every Entity's primary and over-ruling goal is self-preservation; and no where is this more true than in Gov't, the IRS, and the FBI From frissell at panix.com Tue Jul 2 06:54:44 1996 From: frissell at panix.com (Duncan Frissell) Date: Tue, 2 Jul 1996 21:54:44 +0800 Subject: But what about the poor? Message-ID: <2.2.32.19960702103730.00bb4544@panix.com> At 11:25 PM 7/1/96 -0700, Bill Frantz wrote: >Current government "Key Escrow" systems cost $200/key/year. [Craig Mundie] >These systems can best be described as key-rental systems. This is shocking, shocking. It never occurred to me that our government would charge us for the benefit of being tapped. What about the poor. I'm going to write Senator Kennedy and see if maybe we can get the selfish Republican Congress to free up some cash so that less fortunate Americans can afford to be tapped too. This argument against key escrow never made it onto that long list of questions we made up in the Spring of '93 when Key Escrow was first proposed by the Admin (it was probably Vince Foster's fault). We showed a lack of imagination. DCF "Gee Ossifer I'd love to let you read my files but I just couldn't afford expensive socialistic key escrow so I bought cheap efficient private key escrow instead." From jya at pipeline.com Tue Jul 2 10:06:24 1996 From: jya at pipeline.com (John Young) Date: Wed, 3 Jul 1996 01:06:24 +0800 Subject: LOS_tit Message-ID: <199607021322.NAA17823@pipe4.t2.usa.pipeline.com> 7-2-96 UST, page one: "Companies fear losing privacy, customers' trust." In a show of self-reliance reminiscent of the old West, companies are taking matters into their own hands, hiring security firms to protect their computer systems and ignoring the convention that law enforcement is the best defense. It's a stance that has implications for law enforcement and commerce, raises broad questions of privacy and control, and pits the philosophy of the Clinton administration directly against that of many Fortune 500 companies. "An organization has very little to gain" by reporting, says Lloyd Hession, of IBM's Business Recovery Services. There seems to be universal agreement that the strongest means for securing computer data against theft lies in cryptography, but the Clinton administration, citing fears that criminals would use cryptography to cloak their activities, is setting regulations slowing development of cryptography software. The Clinton administration is to announce, as early as this week, a commission to determine the federal government's role in securing cyberspace, from terrorism to petty crimes. http://pwp.usa.pipeline.com/~jya/lostit.txt (13 kb) Go via www.anonymizer.com. Pipeline now belongs to Mindspring, an Atlanta company. LOS_tit From anonymous-remailer at shell.portal.com Tue Jul 2 10:45:04 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Wed, 3 Jul 1996 01:45:04 +0800 Subject: PGP secret keys Message-ID: <199607021339.GAA02261@jobe.shell.portal.com> Could someone post a pointer to a FAQ that tells what to do if you loose your secret key file? How can you regenerate your private key so that the userid number still matches the public key that has been distributed?? From warlord at MIT.EDU Tue Jul 2 10:51:07 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Wed, 3 Jul 1996 01:51:07 +0800 Subject: rsync and md4 In-Reply-To: <1.5.4.16.19960702023938.4637d0c4@arc.unm.edu> Message-ID: <199607021238.IAA13218@toxicwaste.media.mit.edu> > What is the difference between SHA and SHA-1? Is this algorithm subject > to the same licensing as MD5? The difference between SHA and SHA.1 is the "small technical change" that was added last year. I'm not sure what you mean by "licensing", since there are no licensing issues for MD5 (unless you mean "export issues", in which case SHA, SHA.1 and MD5 all fall into the same category). > Could someone point me to such a bootleg version for DOS, please? Umm, good luck. -derek From warlord at MIT.EDU Tue Jul 2 11:30:42 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Wed, 3 Jul 1996 02:30:42 +0800 Subject: PGP secret keys In-Reply-To: <199607021339.GAA02261@jobe.shell.portal.com> Message-ID: <199607021427.KAA15410@toxicwaste.media.mit.edu> > Could someone post a pointer to a FAQ that tells what to do if you loose > your secret key file? How can you regenerate your private key so that the > userid number still matches the public key that has been distributed?? Pretty much you are SOL. To re-create the secring from the pubring you need to find the secret components of your secret key. The only known way of doing that is factoring you key. How big is it? If it is in the range of 384-512 bits, then we can probably reproduce your secring in about a year. If its any bigger than that, all you can really do is generate a new key. You don't want to generate a key that has the same keyID, since it wont be able to decrypt any messages that the old one could anyways. Enjoy! -derek From ceridwyn at wolfenet.com Tue Jul 2 12:17:35 1996 From: ceridwyn at wolfenet.com (Cerridwyn Llewyellyn) Date: Wed, 3 Jul 1996 03:17:35 +0800 Subject: hard drive encryption Message-ID: <2.2.32.19960702145307.006bb7ac@gonzo.wolfenet.com> What is the best utility freely available for encrypting an entire drive that won't be used for a length of time? ie: I'm going away for a period of time and wish to encrypt the drive while I'm gone, but have no interest in actually using it while it's encrypted. I also have no real preference in what algorithm is used, as long as it's relatively secure. Speed is also not a big consideration, as it will be used once when I leave to encrypt, and once when i return to decrypt. Thanks in advance for the help... //cerridwyn// btw, the OS is Win95 if that matters... From joelm at eskimo.com Tue Jul 2 12:48:18 1996 From: joelm at eskimo.com (Joel McNamara) Date: Wed, 3 Jul 1996 03:48:18 +0800 Subject: hard drive encryption Message-ID: <199607021524.IAA22324@mail.eskimo.com> Currently, SecureDrive seems to be the most reliable under Win95. Check out: http://www.eskimo.com/~joelm/cryptbk.html I just published a cookbook on how to build a "CryptoBook" (a secure PC laptop with all sorts of crypto goodies). Details on SecureDrive are included. Joel At 07:53 AM 7/2/96 -0700, you wrote: > >What is the best utility freely available for encrypting an entire drive >that won't be used for a length of time? ie: I'm going away for a period >of time and wish to encrypt the drive while I'm gone, but have no interest >in actually using it while it's encrypted. I also have no real preference >in what algorithm is used, as long as it's relatively secure. Speed is >also not a big consideration, as it will be used once when I leave to encrypt, >and once when i return to decrypt. >Thanks in advance for the help... >//cerridwyn// > >btw, the OS is Win95 if that matters... > > > From jya at pipeline.com Tue Jul 2 12:56:27 1996 From: jya at pipeline.com (John Young) Date: Wed, 3 Jul 1996 03:56:27 +0800 Subject: TRI_cks Message-ID: <199607021418.OAA29985@pipe2.t2.usa.pipeline.com> 7-2-96. FiTi: "A Japanese engineer's box of tricks is helping detect forged banknotes." Counterfeit dollar bills are judged on a scale of one to nine, with the crudest at level one. The detector machines that existed before Matsumura's could only pick out bills at around level five or six. Supernotes are ranked between seven and nine and have been almost impossible to detect. Matsumura says supernotes do have flaws, though, and his machine can spot differences in the printing by referring to a histogram, or statistical graph, of patterns on real US notes. Each supernote tends to have two or three minute aberrations. Consequently, sensors check for any variations at 12 points on the note. A 0.9-second scan also monitors the thickness of the paper and the printing ink. The company can only produce 500 units a month, but already has orders for 45,000. http://pwp.usa.pipeline.com/~jya/tricks.txt (4 kb) TRI_cks From WlkngOwl at unix.asb.com Tue Jul 2 13:33:43 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Wed, 3 Jul 1996 04:33:43 +0800 Subject: PROMISe them anything (was Re: whitehouse dossier database?) Message-ID: <199607021547.LAA04235@unix.asb.com> On 1 Jul 96 at 23:39, Vladimir Z. Nuri wrote: > holy cow, is this real? Grabbe cites several credible references. Ask Phil Resuto. [..] > ------- Forwarded Message [..] > Conspiracy Nation -- Vol. 8 Num. 30 > ====================================== > ("Quid coniuratio est?") [..] > THE WHITE HOUSE "BIG BROTHER" DATA BASE > ======================================= [..] > The White House "Big Brother" Data > Base & How Jackson Stephens > Precipitated a Banking Crisis Jackson Stephens? Why am I thinking of Steve Jackson Games, operators of the Illuminati BBS that were raided by the SS a few years back... [..] > What Deutch failed to mention was that this > "banking crisis" in large part was itself created by one of > the U.S. intelligence agencies--the NSA in cahoots with > Stephens' software firm Systematics. The Citibank heist > by Russian hackers, for example, took advantage of a back > door in Citibank's Systematics software. (The Russian > hackers were apparently aided by the son of one of Jim > Leach's House Banking Committee investigators.) Have > any major banks thought of instituting lawsuits over this > deliberate breach of security on the part of a software > supplier? Huh? I thought the Russian 'hackers' helped write the software, and used one of their own backdoors. [..] From cwe at it.kth.se Tue Jul 2 13:35:48 1996 From: cwe at it.kth.se (Christian Wettergren) Date: Wed, 3 Jul 1996 04:35:48 +0800 Subject: Paper: "A Socially based Identity Model" Message-ID: <199607021542.RAA08948@piraya.electrum.kth.se> Hi! I've written a paper where I introduce a "name spectrum" as a identity model. The name spectrum has increasing levels of identification; anyone, anyone with alias, established pseudonym, well-reputed pseudonym, escrowed pseudonym, identity and True Name. I try to show how law enforcement still can find criminals, even though they (we) have privacy. I argue that the power balance between the individual and the law enforcement should be approximately the same as it is in ordinary life. I talk quite a lot about the analogy between real life and cyberspace when it comes to power and trust. I have a suggestion for how to deploy traffic mixers (DCnet) without tilting the power balance too much to the advantage of the user as well. I suggest reputation servers where an efficient reputation market can be maintained. I'd appreciate any comments on the paper. It is still preliminary, though. It is available at http://www.it.kth.se/~cwe/phd/ in a number of formats. -Christian Wettergren, cwe at it.kth.se From jimbell at pacifier.com Tue Jul 2 15:09:52 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 3 Jul 1996 06:09:52 +0800 Subject: The Net and Terrorism Message-ID: <199607021646.JAA16308@mail.pacifier.com> At 03:23 AM 7/2/96 -0700, Lucky Green wrote: >At 0:54 7/2/96, snow wrote: >>On Mon, 1 Jul 1996, Simon Spero wrote: >> >>> I want my, I want my, I want my Atropine >> >> No, you don't. > >Simon, you got to be more careful when synthesizing that Sarin. Always >check that the vent is working first. Also, you don't want JUST that atropine; trimedoxime and benactyzine are also helpful. BTW, the first symptom of sarin poisoning is a tightness in the chest... Jim Bell jimbell at pacifier.com From jimbell at pacifier.com Tue Jul 2 15:24:07 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 3 Jul 1996 06:24:07 +0800 Subject: LOS_tit Message-ID: <199607021650.JAA16623@mail.pacifier.com> At 01:22 PM 7/2/96 GMT, John Young wrote: > 7-2-96 UST, page one: > The Clinton administration is to announce, as early as > this week, a commission to determine the federal > government's role in securing cyberspace, from terrorism > to petty crimes. > http://pwp.usa.pipeline.com/~jya/lostit.txt (13 kb) A commission which will probably be made up of government, ex-government, and industry people, totally ignoring ordinary citizens yet again. Jim Bell jimbell at pacifier.com From tcmay at got.net Tue Jul 2 15:37:11 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 3 Jul 1996 06:37:11 +0800 Subject: Net and Terrorism. Message-ID: At 6:58 AM 7/2/96, snow wrote: >T.C. May wrote: > >Can anything be done? To stop the likely effects of lots more >surface-to-air missiles, lots more nerve gas available on the black market, >and so on? > >In a word, "no." >/* > I disagree. Terrorism, political terrorism is fear. There are ways to >protect military targets that are quite cost effective, unfortunately they >are politically unpopular. (What just happend in Saudi is on my mind. >STUPID military commanders getting the same pie in the face time and time >again. There is NOTHING so unchanging as the military mind set.) Well, attacks on military targets are almost, by definition, not "terrorism." (I'll spare the list a debate about the semantics; U.S. journalists tend to refer to anything done to "us" as "terrorism," whether the target is military or civilian.) The focus of my comments was really on civilian or non-military targets. (Including destruction of government buildings, maybe. I'm not sure whether the Oklahoma City bombing and the recent Phoenix/Viper Militia case is "terrorism" in a formal sense, or counter-government action, but my point is that such things are likely to be happen.) >Civilian targets are harder to protect, but certain steps can be >taken to lessen chances of a sucessful attack. Sure, any particular "soft target" can be hardened to some extent. But not all of them, and even harder sites can be reached. This is left as an exercise for the reader. (Hint: The Japanese cult's Sarin gas attack on the subways...there are tens of thousands of comparable targets in the U.S. alone. Look around, and ask what it would take to harden each one. A minor cryptographic connection is that hardening N of M sites makes the remaining M - N sites all the more tempting.) >Another method, and this would be very unpopular (and >hypocritical of the US) would be simply to announce that we (the Country) >are going to hold the _manufacturing_ nation responcible for the use of >weapons of mass destruction. So if Soviet Nerve Gas is used, we gas a >city in the Soviet Union. MAD carried to a lower level. You are essentially making my point, that the biggest danger of the current responses to terrorism is that nations will turn to national terrorism and police state tactics. >A third option is quite simply to buy as much of it as possible. No, wouldn't work. As with the "War on (Some) Drugs," all this does is raise the price a bit, actually making it a more tempting market for many to get into. (And various CBW agents are incredibly cheap to make, with the precursors available in common products. How ya gonna buy up all the peach pits, for example? Or "buy up" all the fertilizer and fuel oil?) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jimbell at pacifier.com Tue Jul 2 16:03:35 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 3 Jul 1996 07:03:35 +0800 Subject: Message pools _are_ in use today! Message-ID: <199607021730.KAA18852@mail.pacifier.com> At 08:28 PM 7/1/96 -0700, David Wagner wrote: >If folks have better ideas for how to achieve really good recipient >anonymity, I hope they'll speak up! Once they start offering Internet news/email/USENET feeds (one way) by DSS-type dish antenna from satellite, it'll be mighty hard to figure out who's receiving the data. They could probably easily provide 10 megabits per second, which I assume would be more than enough for what's needed. (BTW, for a few years a company called "Planet Connect" has been providing FIDOnet data feeds, although they use the older-style, large antenna systems, and their data rate is 19.2kbps, not even close to enough for Internet service.) Jim Bell jimbell at pacifier.com From jimbell at pacifier.com Tue Jul 2 16:25:22 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 3 Jul 1996 07:25:22 +0800 Subject: But what about the poor? Message-ID: <199607021705.KAA17479@mail.pacifier.com> At 06:37 AM 7/2/96 -0400, Duncan Frissell wrote: >At 11:25 PM 7/1/96 -0700, Bill Frantz wrote: > >>Current government "Key Escrow" systems cost $200/key/year. [Craig Mundie] >>These systems can best be described as key-rental systems. > >This is shocking, shocking. Oh, but what a business opportunity! I assume a floppy can hold 1000 keys. Even if I undercut the going rate of $200 per year by a factor of 10, that's a potential income of $20,000 per floppy per year. A box of 20 floppies on the shelf, and I'm set for life! >This argument against key escrow never made it onto that long list of >questions we made up in the Spring of '93 when Key Escrow was first proposed >by the Admin (it was probably Vince Foster's fault). We showed a lack of >imagination. There's no doubt that the government will want to bribe the escrow agents, first to tolerate the system at all, and second to foster enthusiastic cooperation later on, and possibly even ILLEGAL cooperation. Over-paying them is just one way to do it. One thing that never ceases to amaze me is how the government can continue to ignore the likelihood (hell, certainty!) that since "key escrow" will only be attractive to the extent it actually benefits the user, such users will be served by escrow agents who store only encrypted or anonymously-held keys. These are inherently protected against any kind of disclosure, yet provide all the claimed benefits of key escrow. Jim Bell jimbell at pacifier.com From llurch at networking.stanford.edu Tue Jul 2 16:27:51 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 3 Jul 1996 07:27:51 +0800 Subject: SAFE Forum In-Reply-To: <199607020623.XAA19680@netcom7.netcom.com> Message-ID: On Mon, 1 Jul 1996, Bill Frantz wrote: > "Crime prevention ought to be part of the FBI's mission. [Herbert Lin, > National Research Council] In case it's not clear, this was said with much sarcasm... i.e., today's FBI is too often engaged in other pursuits. This in the context of explaining that ubiquitous strong crypto is the best defense against computer crime. -rich From jimbell at pacifier.com Tue Jul 2 16:28:58 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 3 Jul 1996 07:28:58 +0800 Subject: hard drive encryption Message-ID: <199607021730.KAA18844@mail.pacifier.com> At 07:53 AM 7/2/96 -0700, Cerridwyn Llewyellyn wrote: > >What is the best utility freely available for encrypting an entire drive >that won't be used for a length of time? ie: I'm going away for a period >of time and wish to encrypt the drive while I'm gone, but have no interest >in actually using it while it's encrypted. I also have no real preference >in what algorithm is used, as long as it's relatively secure. Speed is >also not a big consideration, as it will be used once when I leave to encrypt, >and once when i return to decrypt. >Thanks in advance for the help... You could just de-install and hide the drive. Replace it with some old cast-off drive. (The easiest way to get somebody to stop looking for something is to let him find it.) Jim Bell jimbell at pacifier.com From frantz at netcom.com Tue Jul 2 16:33:11 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 3 Jul 1996 07:33:11 +0800 Subject: But what about the poor? Message-ID: <199607021813.LAA26475@netcom7.netcom.com> At 6:37 AM 7/2/96 -0400, Duncan Frissell wrote: >"Gee Ossifer I'd love to let you read my files but I just couldn't afford >expensive socialistic key escrow so I bought cheap efficient private key >escrow instead." "Gee Orificer, I'd love to let you read my files, but I just couldn't afford any key escrow, so I went naked and didn't use it." :-) ------------------------------------------------------------------------- Bill Frantz | The Internet may fairly be | Periwinkle -- Consulting (408)356-8506 | regarded as a never-ending | 16345 Englewood Ave. frantz at netcom.com | worldwide conversation. | Los Gatos, CA 95032, USA From frantz at netcom.com Tue Jul 2 18:06:46 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 3 Jul 1996 09:06:46 +0800 Subject: SAFE Forum--some comments Message-ID: <199607021936.MAA07885@netcom8.netcom.com> At 6:40 PM 7/2/96 -0700, Timothy C. May wrote: >... Phil Zimmermann, who told a humorous story of going >to Congressman Dana Rohrabacher's office, seeing the picture of Ollie North >on the wall (much laughter), but finding Rohrabacher's staffers aghast at >the crypto laws and ITARs. Someone pointed out that Phil and Ollie have something in common. They have both been accused of illegally exporting crypto. ------------------------------------------------------------------------- Bill Frantz | The Internet may fairly be | Periwinkle -- Consulting (408)356-8506 | regarded as a never-ending | 16345 Englewood Ave. frantz at netcom.com | worldwide conversation. | Los Gatos, CA 95032, USA From ericd at shop.internet.net Tue Jul 2 18:14:06 1996 From: ericd at shop.internet.net (Eric Davis) Date: Wed, 3 Jul 1996 09:14:06 +0800 Subject: SAFE Archive Message-ID: FYI: The complete SAFE Forum audio archive is online at: http://www.mediacast.com ----------------------------------------------------- Eric Davis ericd at internet.net Director of Information Systems 415-842-7400 (V) Internet Shopping Network 415-842-7415 (F) Visit our site at: http://www.isn.com/ Co-Founder MediaCast http://www.mediacast.com/ Personal contact: ericd at cyberfarm.com KD6HTO (R) ----------------------------------------------------- There are no law enforcers if law itself they ignore. -- Inka Inka -- Step Back -- Myth of the Machine -- From JeanPaul.Kroepfli at ns.fnet.fr Tue Jul 2 18:16:22 1996 From: JeanPaul.Kroepfli at ns.fnet.fr (Jean-Paul Kroepfli) Date: Wed, 3 Jul 1996 09:16:22 +0800 Subject: SAFE Forum (We sell decryption hardware) Message-ID: <01BB6863.DF27D040@JPKroepsli.S-IP.EUnet.fr> Bill Frantz wrote >We sell RC4, 40 bit decryption hardware (based on AMD29000) for $16K. FPGA >devices for breaking DES in 7 days for $1M. [Eric Thompson, Access Data] What? Do you have some information about this ad (e. g. eMail)? I know some bank that would be very interested about this possibility (not for use it, but as an impulse to change their systems). Best regards, Jean-Paul ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~- Jean-Paul et Micheline Kroepfli (our son: Nicolas and daughter: Celine) eMail: JeanPaul.Kroepfli at utopia.fnet.fr Also Compuserve and MSNetwork Phone: +33 81 55 52 59 (F) PostMail: F-25640 Breconchaux (France) or: +41 21 843 27 36 (CH) or: CP 138, CH-1337 Vallorbe Fax: +33 81 55 52 62 (Switzerland) Zephyr(r) : InterNet Communication and Commerce, Security and Cryptography consulting PGP Fingerprint : 19 FB 67 EA 20 70 53 89 AF B2 5C 7F 02 1F CA 8F "The InterNet is the most open standard since air for breathing" From vznuri at netcom.com Tue Jul 2 18:20:35 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Wed, 3 Jul 1996 09:20:35 +0800 Subject: SAFE Forum--some comments In-Reply-To: Message-ID: <199607022014.NAA10761@netcom14.netcom.com> TCM >And here I'll comment on Ken Bass's excellent comments [...] > >He pointed out that the driving force for crypto policy is probably the >_law enforcement_ camp, not the _intelligence agency_ camp. And that the >NSA is regretting the ITAR stuff, as it has sparked an "arms race" to >develop stronger crypto. Bass noted that people now equate permission to >export with weakness, and that had the U.S. not restricted exports, users >probably would've been "fat, dumb, and happy" to keep using breakable >crypto. doesn't make sense to me at all. who was behind clipper? the NSA, not the FBI. the FBI is behind digital telephony, which involved *wiretapping*, not key escrow. actually I think that the NSA is trying to convince law enforcement agencies that if they follow the NSA plan of crypto suppression & key escrow that their job will be easier, that great instability results from unfettered crypto. this fits into the way the NSA hates to be behind any proposal themself, and need "cut outs" to do the lobbying for them. I think at the core of it the NSA doesn't really care too much about law enforcement issues like obtaining warrants and that kind of thing. all the talk about warrant and subpoenas makes no sense from the point of view of the NSA. the NSA goals and the law enforcement goals do not really seem to me to overlap much at all and that the whole argument that they do has been a diversion. this suggests an interesting way to turn the "pro-suppression" crowd against itself. if the law enforcement arm can be convinced, as many people are now advocating, that strong crypto actually makes their job easier and the world information infrastructure less insecure, they may eventually advocate unfettered crypto. then you have only the NSA alone standing up and saying that they need the suppression laws. the concept that the NSA "regrets" ITAR laws sounds like an utter fantasy to me. the ITAR has been around for decades. the NSA has been continually *strengthening* the interpretations of the ITAR. the ITAR is enforced largely through NSA *harassment* of companies that are seen to be supposedly violating it. the NSA can stop sending their "men in black" at any time. when the harassment stops, the crypto would spread. no one is twisting the NSA's arm to reject crypto exports in all the applications that are submitted. rather, it is the NSA that is doing all the arm twisting. the NSA has made radical interpretations of the ITAR in various situations: 1. they rule that mere *hooks* are illegal 2. they have told Microsoft that merely *signing* foreign crypto software packages is illegal so the more I think about it, the more I think Bass's comments as reported by TCM are a pile of hooey. perhaps even disinformation. the NSA has full power to stop their harassment campaign at any time. it is possible that there are *elements* within the NSA that regret the policy, but they clearly are not the ones involved in enforcing it. what many people fail to mention is that today we may not even have these horrible infoterrorist problems that the NSA and CIA et. al. are screeching about lately if crypto had been allowed to grow organically and unharassed. in my view, the NSA is largely *responsible* for the weakness in the information infrastructure as it now stands because of their suppression of efforts to implement strong security via crypto. this is the great hypocrisy of it all. frankly at times I think the whole key escrow debate seems like a huge smokescreen or decoy just to get the public to argue about something the NSA was never seriously contemplating anyway. it's could be just a delaying tactic that is working quite spectacularly. every conference of experts sounds the same and they all come to the same conclusion. meanwhile the ITAR is virtually unchanged within the last 5 years. From llurch at networking.stanford.edu Tue Jul 2 18:21:33 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 3 Jul 1996 09:21:33 +0800 Subject: hard drive encryption In-Reply-To: <2.2.32.19960702145307.006bb7ac@gonzo.wolfenet.com> Message-ID: On Tue, 2 Jul 1996, Cerridwyn Llewyellyn wrote: > What is the best utility freely available for encrypting an entire drive > that won't be used for a length of time? ie: I'm going away for a period > of time and wish to encrypt the drive while I'm gone, but have no interest > in actually using it while it's encrypted. I also have no real preference > in what algorithm is used, as long as it's relatively secure. Speed is > also not a big consideration, as it will be used once when I leave to encrypt, > and once when i return to decrypt. Joel's book is not to be missed, but for the single-use application you describe, a screwdriver and a trip to a safe deposit box (or a friend's house) might be more appropriate... -rich From asgaard at sos.sll.se Tue Jul 2 18:27:16 1996 From: asgaard at sos.sll.se (Asgaard) Date: Wed, 3 Jul 1996 09:27:16 +0800 Subject: TRI_cks In-Reply-To: <199607021418.OAA29985@pipe2.t2.usa.pipeline.com> Message-ID: > "A Japanese engineer's box of tricks is helping detect > forged banknotes." Since the bulk of forged US$ (made in Syria and/or Iran?), hundreds of millions, alledgedly are circulating in Russia, will this bring down the Russian black market economy? Or will they outlaw the Japanese box? Asgaard From jpp at software.net Tue Jul 2 18:27:33 1996 From: jpp at software.net (John Pettitt) Date: Wed, 3 Jul 1996 09:27:33 +0800 Subject: SAFE Forum--some comments Message-ID: <2.2.32.19960702211030.01075964@mail.software.net> At 06:40 PM 7/2/96 -0700, Timothy C. May wrote: > >I was at the "SAFE" forum yesterday. Too many things to report on, so I'll >just add comments here and there. > I thought it was interesting to not that a Republican Senator came to california to talk about this stuff and *neither* of the California Senators has got a clue yet. One questioner from the audience made an interesting point that given that most of american can't seta vcr clock crypto will be totally beyond them unless it becomes pervasive ("you can buy it at radio shack"). It was pretty clear from all the speaker that this is a libertarian/authoritarian issue and not a liberal/conservative one. John John Pettitt, jpp at software.net EVP, CyberSource Corporation, 415 473 3065 PGP Key available at: http://www-swiss.ai.mit.edu/htbin/pks-extract-key.pl?op=get&search=0xB7AA3705 From tcmay at got.net Tue Jul 2 18:30:05 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 3 Jul 1996 09:30:05 +0800 Subject: SAFE Forum--some comments Message-ID: I was at the "SAFE" forum yesterday. Too many things to report on, so I'll just add comments here and there. And here I'll comment on Ken Bass's excellent comments (there were many excellent points). Bass is a D.C.-area lawyer with the prestigious Venable law firm (the venerable Venable firm?), and a former Reagan Administration official. He pointed out that the driving force for crypto policy is probably the _law enforcement_ camp, not the _intelligence agency_ camp. And that the NSA is regretting the ITAR stuff, as it has sparked an "arms race" to develop stronger crypto. Bass noted that people now equate permission to export with weakness, and that had the U.S. not restricted exports, users probably would've been "fat, dumb, and happy" to keep using breakable crypto. (Many interesting points to make. Bass is no supporter of Clipper and Escrow, and made many points about why the policy won't work. His later dialog with Michael Froomkin and Jerry Berman, about the constitutionality of crypto laws was a highpoint for me.) His comments fit in with the points made by Diffie that the 40 bit restriction is unlikely to satisfy either the user community or the surveillance community. 40 bits is too weak for a targetted attack, but too strong for "vacuum cleaner" intercepts such as NSA SIGINT uses. (Diffie also gave an excellent summary of cryptographic work factors, using 30 bits, 60 bits, 90 bits, and 120 bits as examples. For example, 30 bits needs about a billion operations to brute force, which any modern PC can do in several seconds. 60 bits is a billion times harder, which NSA machines can handle, and 90 bits is beyond current capabilities...) I said I wouldn't do a summary, but I'll make a few comments: -- Both Congresswimmin, Eshoo and Lofgren, seemed genuinely interested in the issues -- Senator Leahy, on t.v. from Vermont, emphasized _privacy_ and made the Cypherpunk/libertarian/ACLU point that he and his neighbors are not criminals and don't think the government has any right to demand that communications, computer files, diaries, and the like be "escrowed." -- Senator Conrad "I ain't no Democrat" Burns was there in person and was entertaining and strongly blasted key escrow and the ITAR restrictions. I found his comments refreshing. -- The whole affair was "preaching to the choir," as many speakers noted. That is, there was little controversy and little disagreement. This was a point made nicely by Phil Zimmermann, who told a humorous story of going to Congressman Dana Rohrabacher's office, seeing the picture of Ollie North on the wall (much laughter), but finding Rohrabacher's staffers aghast at the crypto laws and ITARs. Then, Phil took a hotel shuttle and ended up talking to the driver, who was also aghast. "Where else can you find this kind of consensus?" (A point many of us have made as well, that nearly everyone who has the issues explained to them comes down on the side that the government has no right to tell us we can't use codes and ciphers, that it's all similar to Big Brother demanding video cameras in our homes....) -- Craig Mundie, currently of Microsoft, made excellent points about the costs of a key escrow infrastructure. (By the way, those who read "The Soul of a New Machine" should be interested that Mundie was the leader of the North Carolina research facility of Data General that lost the "shootout at HoJos." If this means nothing to you, read the Kidder book--soon!) -- Michael Froomkin, a law professor (and member of our list of course), pointed out despite the various constitutional issues, the crypto laws are mostly having their desired effect, namely, slowing the deployment of crypto and creating confusion. (That Windows 95 has no crypto modules, and that most browsers and mail programs have nothing built in tells us that the FUD worked.) In summary, for me the SAFE forum was a success. Though it was periods of boring platitudes we all agreed with interspersed with good insights from the speakers and audience. Not much that was new to a Cypherpunk, of course. (In fact, the forum was almost a kind of Cypherpunks physical meeting, in terms of the topics, and in terms of who attended....it was even where we've been having recent physical meetings.) A day well spent. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From WlkngOwl at unix.asb.com Tue Jul 2 18:33:22 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Wed, 3 Jul 1996 09:33:22 +0800 Subject: PGP secret keys Message-ID: <199607022040.QAA09851@unix.asb.com> On 2 Jul 96 at 6:39, anonymous-remailer at shell.port wrote: > Could someone post a pointer to a FAQ that tells what to do if you loose > your secret key file? How can you regenerate your private key so that the > userid number still matches the public key that has been distributed?? You can't do anything. Yer screwed. From bginter at abilnet.com Tue Jul 2 18:37:51 1996 From: bginter at abilnet.com (Benjamin R. Ginter) Date: Wed, 3 Jul 1996 09:37:51 +0800 Subject: hard drive encryption In-Reply-To: <2.2.32.19960702145307.006bb7ac@gonzo.wolfenet.com> Message-ID: <31D99039.8BD@abilnet.com> Cerridwyn Llewyellyn wrote: > > > What is the best utility freely available for encrypting an entire drive > that won't be used for a length of time? ie: I'm going away for a period > of time and wish to encrypt the drive while I'm gone, but have no interest > in actually using it while it's encrypted. I also have no real preference > in what algorithm is used, as long as it's relatively secure. Speed is > also not a big consideration, as it will be used once when I leave to encrypt, > and once when i return to decrypt. > Thanks in advance for the help... > //cerridwyn// > > btw, the OS is Win95 if that matters... Just take your hard drive with you, jeez.. [gk] From WlkngOwl at unix.asb.com Tue Jul 2 18:43:27 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Wed, 3 Jul 1996 09:43:27 +0800 Subject: Message pools _are_ in use today! Message-ID: <199607022051.QAA10112@unix.asb.com> On 1 Jul 96 at 20:28, David Wagner wrote: [..] > Ian and I talked about this at some length. alt.anonymous.messages > has certain unfortunate shortcomings. > Someone sniffing the Berkeley 'net can tell when I receive an > alt.anonymous.messages message by when I download an article from > the NNTP server; they can tell when I send such an article by when > I upload an article to the NNTP server; they can list all the > ``subversive'' Berkeley folks who have read alt.anonymous.messages > lately. Uploading can be gotten around by using anonymous remailers and mail-to-news gateways... although someone can tell if you send mail to anonymous mailers. Rob --- No-frills sig. Befriend my mail filter by sending a message with the subject "send help" Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From froomkin at law.miami.edu Tue Jul 2 18:46:32 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Wed, 3 Jul 1996 09:46:32 +0800 Subject: UK Crypto regs? In-Reply-To: <199606300840.JAA00124@server.test.net> Message-ID: Thank you to AB for forwarding the Ross Anderson summary. I am unclear on what I consider a key point regarding UK policy. The US (and Japanese) governments have pledged not to seek to esrow digital signature keys. (FWIW I think this is a very important and praiseworthy pledge.) There is a large class of DS keys, eg RSA keys, which can also be used for encryption; there is also a class of keys (eg. SHA 1, I think?) that cannot. A PKI that requires escrow therefore must either a) limit the type of encryption allowed for DS keys, end exclude one of the most popular flavors or b) escrow digital signature keys I am unclear as to whether the UK authorities understand this, and if so which option they plan to choose. I would welcome any information that might be floating around. [This message may have been dictated with Dragon Dictate 2.01. Please be alert for unintentional word substitutions.] A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's hot here. And humid. From WlkngOwl at unix.asb.com Tue Jul 2 18:52:19 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Wed, 3 Jul 1996 09:52:19 +0800 Subject: Rambling about "Net and Terrorism" (long, slightly amusing, and Message-ID: <199607021839.OAA07556@unix.asb.com> On 2 Jul 96 at 1:58, snow wrote/quoted: [It's hard to tell what's a quote and what snow wrote here] > Can anything be done? To stop the likely effects of lots more [..] > In a word, "no." > /* > I disagree. Terrorism, political terrorism is fear. There are ways to > protect military targets that are quite cost effective, unfortunately they > are politically unpopular. (What just happend in Saudi is on my mind. [..] Yep. Terrorism is fear, but *no* target can be 100% protected. Not even military targets, though it can get difficult and expensive for someone to attack a target. In such cases, terrorists would go for easier targets. Terrorism is against a larger, vague target such as a nation or corporation or an industry or an ideology. Instances are against representations of the target.... a military base is attacked because it is a symbol, not because it is strategic. If said terrorists cannot attack a military base, they'll attack some soldiers on leave at a disco. The symbolic importance cannot be understanted (though it doesn't mean that strategic targets are safe either). So to get back to 'net related discussion: differentiate between use of the internet (and phone or mail systems) to plan acts and spread propaganda versus terrorist acts on the internet. The former implies a need for LEAs to snoop, while the latter implies a need for high-security, crypto, etc.... they are not so compatible. So let's say Wild Al's Church of Kookology and Jihad of Banality (WACKJOB) is planning a cyber-terrorist act. They want something symbolic that will demoralize the United Statesers (USers), so that they will pressure the US government to stop it's Promotion of Internation Googoomuck (PIG) in some corner of the world. It's counter-productive for WACKJOB to stop PIG by destroying the Federal Reserve's computers, paritcular because an economic collapse will keep USers from buying widget fluid from one of their sponsor countries. WACKJOB would also be unable use counterfeit (or real) yankee greenbacks to support their enterprise... and likely this would have a negative effect on marks, pounds, etc. Note that any wealthy kooks who couldn't give a damn about WACKJOB or PIG but like to show off their kook-factor among their other wealthy friends by bankrolling WACKJOB would also be adversely affected... and chances are WACKJOB will not bite the hand that helps it. WACKJOB might want to disrupt communications so that they can perform a non-cyber terrorist act against PIG, but this might prove more difficult because the Management's systems of communication (telephones, email, cellular, courier, face-to-face meetings, etc.) is complex and distributed. Also, WACKJOB would want the pigsty networks functioning so that the USers will know about the WACKJOBs sacrificed their lives and disrupted downtown traffic in NYC by leaping off buildings and splattering on the pavement. So other than using the 'net to plan their WACKJOB (so absurd that the NSA gronk who intercepted the traffic had to be taken to the hospital with a hernia from laughing so much), what *symbolic* cyber-terrorist acts could an aspiring WACKJOB plan? Keep in mind people value human life a little more computer records or property (excepting certain 'libertarian' folk). WACKJOBs would attack computer systems that would have an immediate affect on USers lives... but not permanent, and ones that would still allow USers to know it was a WACKJOB. It would have to be something that appeared to affect mainstream USers. Perhaps interfering with transportation or medical communications that allowed for a mass amount of injury or death in a short, tragic and dramatic burst. Seems securing these systems would be a priority. (Question: possibility of two systems of crypto, escrowed for general public and unescrowed for institutional systems which are more controlled, and where LEAs can get some access to because of the institutional nature?) [..] > Civilian targets are harder to protect, but certain steps can be > taken to lessen chances of a sucessful attack. Lesser chances of being hit by a falling WACKJOB are not the same as no chance of it. > Another method, and this would be very unpopular (and > hypocritical of the US) would be simply to announce that we (the Country) > are going to hold the _manufacturing_ nation responcible for the use of > weapons of mass destruction. So if Soviet Nerve Gas is used, we gas a > city in the Soviet Union. MAD carried to a lower level. Feh! Maybe the Russians hate the WACKJOBs as much as the USers, but a corrupt or poor gronk in O-+>| ("The country formaerly known as Russia") sold nerve gas to a WACKJOB... or some WACKJOB stole it. Why hold them responsible?!? And what if it was stolen from a USer? Under that logic, we can go after the company that mined the steel used in the knife that killed Nicole Simpson (probably a few WACKJOBs would agree with that...) > A third option is quite simply to buy as much of it as possible. So WACKJOBs make their own nerve gas from common household ingredients like Olestra and NutriSweet. Then what? >> I expect a city or two to get nuked in the next decade or so. (Haifa or Tel >> Aviv would be my leading candidates.) To me, this is unsurprising. > My bets in the following order: [..] So the WACKJOBs decide that the center of PIGginess conspiracy happens to be in some rural BFE, hiding under the guise of the Fritters County Malitia and Bible Emporium or maybe in the local Federal Bureau of Ice Cream and Prophylactics Building and nuke the small town you just happen to live in. (Who would have suspected Oklahamo City?) Many terrorist strieks against Brittain or Israel/Palestine did not occur in major cities. Many did not occur in those countries, but on airlines or cruise ships, or in other countries where the targets are. If you are a USer, you are a target for a WACKJOB. Doesn't matter if you're in NYC or London or the middle of nowhere or taking an airplane from a WACKJOB-sympathizing country. Doesn't even matter if you're a WACKJOB sympathizer. > I don't think that terrorists in the middle east will pop a nuke as > they would get as many of their own as the "enemy". One of the things a > terrorist needs more than money is a place to hide, and if you are > killing your own people, they won't shield you. [..] Why only mideast groups? Why should *they* be the only terrorists? With the 'net, any group with a bone to pick can, in theory, go after bigger cyber-targets (in theory, anyway). And why nuking? One can understand up-and-coming-regional powers such as Iran or Iraq, Pakistan, trying to get stolen nukes, but not likely for terrorism. Not saying that no terrorist group would use nukes... but even a lot of stupid WACKJOBs know that nuking a major (or minor) US city would provoke a fierce response from the US, and probably a lot of other countries that felt equally under threat or wanted to disociate themselves from WACKJOBs. If a WACKJOB's friends or family felt nuking was too extreme, a WACKJOB becomes a pariah. Perhaps even the official WACKJOBs disociate themselves from the WACKJOBs who nuked some city... Terrorists want to demoralize their enemies, not anger them further. [..] > One objective of terrorism is/could be to lessen a populations faith > in "The System". Some possible situations [...] > > Trash a multi-store pharmacy database and people can't get their > prescriptions, or worse get the wrong one. Wrong ones? No. It can be recovered from, though with much inconveniencem for most people. Trashing a computerized pill-making system so the wrong medications were in the wrong pills would have more effect... but would it demoralize faith in the system? > Cause disturbances in certain parts of certain cities, then attack > the 911 system to route officers and firemen to _wealthy_ neigborhoods at > the expense of the poor neighborhoods. Then complain to the papers about > it. The 911 system doesn't work. Officers and firement only go the the wealthy neighborhoods in many cities and plenty of people already complain about it. WACKJOBs want a terrorist act that would be noticed... contributing to the status quo isn't an act of terrorism. > Gain control of the power grid (I don't know how possible this is) > and selectively brown out certain sections of the city during peak demand > periods. Make it obvious, then do the preceeding idea. Many places have backup generators or their own local systems. If you live in a hurricane or earthquake prone area your used to losing your electrcity. Possibly one could get a utility's computer system to dosconnect thousands of subscribers for not paying bills, which would incite anger against it (though chances are their computer system would do this without any human intervention). Differentiate between extortion ("give a million dollars to x account or all subscribers are disconnected"), vandalism/prank/K001 d00Z feat, system malfunction/bad programming, and WACKJOBs. They cannot be lumped together as generic 'terrorism'. It seems the pro-GAK and police-state forces focus on WACKJOBs when they use the term 'terrorists' (though they may label others as such for effect at times). > In all of these people will, or could die, but are much more > effective in undermining the faith people have in the structures that run > the country. If a bomb blast goes off, people get pissed off at the bomb > makers, if the power fails, people get pissed at the electrical company. > If you can create a large enough disturbances they will be better than > bombs. What is one trying to accomplish by creating a disturbance? To lead to a collapse of the nation state? Chances are widespread disturbance will lead to large-scale martial law, which would favor statists. The focus has been on larger, 'sexier' and 'heroic' acts of terrorism which are inappropriate to the 'net. What if the WACKJOBs manage to infect copies of Windoze 6.0 with a copy of a virus that destroys PIG-related files? Or if they vanadalize web pages, ftp- or gopher sites with (what they perceive as) PIG-related materials? Or a WACKJOB cancel-moose roaming Usenet? It also seems as if GAK- proposals would be a hinderance to measure to protect against such acts. Another reason the 'net is a "terrorist threat"... it allows "terrorist" groups to have a voice. Didn't a recent government paper cite Zapatista communiques as an example of this? Anti-terrorist measures are as much (if not mroe) thought 'protection' as they are property/life protection. "Terrorism" (as defined by the state) does more to stregthen the state, by creating a nebulous enemy that the state can put an ugly face on while seizing control to 'protect' itself. 'Cyberterrorism' is something the state uses to claim jurisdiction over the cybernetic ether, or by which certain consultants spread FUD for their own benefit. Situationist's comments about the "Protection Racket" come to mind here. Rob. --- No-frills sig. Befriend my mail filter by sending a message with the subject "send help" Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From nobody at REPLAY.COM Tue Jul 2 18:57:15 1996 From: nobody at REPLAY.COM (Anonymous) Date: Wed, 3 Jul 1996 09:57:15 +0800 Subject: No Subject Message-ID: <199607022101.XAA08988@basement.replay.com> At 06.39 AM 7/2/96 -0700, anonymous-remailer at shell.portal.com wrote: >Could someone post a pointer to a FAQ that tells what to do if you loose >your secret key file? How can you regenerate your private key so that the >userid number still matches the public key that has been distributed?? You can't. You're dead. Next time make a backup. From froomkin at law.miami.edu Tue Jul 2 19:10:13 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Wed, 3 Jul 1996 10:10:13 +0800 Subject: But what about the poor? In-Reply-To: <2.2.32.19960702103730.00bb4544@panix.com> Message-ID: On Tue, 2 Jul 1996, Duncan Frissell wrote: > At 11:25 PM 7/1/96 -0700, Bill Frantz wrote: > > >Current government "Key Escrow" systems cost $200/key/year. [Craig Mundie] > >These systems can best be described as key-rental systems. I bet you it's almost all fixed cost. A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's hot here. And humid. From ericd at shop.internet.net Tue Jul 2 19:12:22 1996 From: ericd at shop.internet.net (Eric Davis) Date: Wed, 3 Jul 1996 10:12:22 +0800 Subject: Message pools _are_ in use today! In-Reply-To: <199607021730.KAA18852@mail.pacifier.com> Message-ID: Hughes offers a downlink product called DirectPC. The back channel is your regular modem. Telco/Analog your requests to their servers and the data is delivered via your DSS dish, sent to your PC and decoded via an ISA card. (Opt. DES downlink encryption) http://www.direcpc.com/ The downlink is shared 500Kb/s ( I think ). Though you can schedule a higher BW channel for A/V applications (or so the lit reads). Think it supports multicast/broadcast by default... Eric Davis ----------------------------------------------------- Eric Davis ericd at internet.net Director of Information Systems 415-842-7400 (V) Internet Shopping Network 415-842-7415 (F) Visit our site at: http://www.isn.com Personal contact: ericd at cyberfarm.com KD6HTO (R) ----------------------------------------------------- There are no law enforcers if law itself they ignore. -- Inka Inka -- Step Back -- Myth of the Machine -- On Tue, 2 Jul 1996, jim bell wrote: > At 08:28 PM 7/1/96 -0700, David Wagner wrote: > > >If folks have better ideas for how to achieve really good recipient > >anonymity, I hope they'll speak up! > > Once they start offering Internet news/email/USENET feeds (one way) by > DSS-type dish antenna from satellite, it'll be mighty hard to figure out > who's receiving the data. They could probably easily provide 10 megabits per > second, which I assume would be more than enough for what's needed. > > (BTW, for a few years a company called "Planet Connect" has been providing > FIDOnet data feeds, although they use the older-style, large antenna > systems, and their data rate is 19.2kbps, not even close to enough for > Internet service.) > > Jim Bell > jimbell at pacifier.com > From jpp at software.net Tue Jul 2 19:12:41 1996 From: jpp at software.net (John Pettitt) Date: Wed, 3 Jul 1996 10:12:41 +0800 Subject: SAFE Forum Message-ID: <2.2.32.19960702211201.01023864@mail.software.net> At 10:57 AM 7/2/96 -0700, Rich Graves wrote: >On Mon, 1 Jul 1996, Bill Frantz wrote: > >> "Crime prevention ought to be part of the FBI's mission. [Herbert Lin, >> National Research Council] > >In case it's not clear, this was said with much sarcasm... i.e., today's FBI >is too often engaged in other pursuits. This in the context of explaining >that ubiquitous strong crypto is the best defense against computer crime. > >-rich > > Crime prevention is *never* part of their mission after all if crime is prevented it's hard to use the crime stats to justify the budget ... John Pettitt, jpp at software.net EVP, CyberSource Corporation, 415 473 3065 PGP Key available at: http://www-swiss.ai.mit.edu/htbin/pks-extract-key.pl?op=get&search=0xB7AA3705 From elam at art.net Tue Jul 2 19:25:18 1996 From: elam at art.net (Lile Elam) Date: Wed, 3 Jul 1996 10:25:18 +0800 Subject: SAFE Forum--some comments Message-ID: <199607022147.OAA10677@art.net> Well, I went to SAFE and found that it was very helpful for me. I have been struggling with trying to figure out what I personally can do to help change the current state of cryptography in the US of A and found that alot of good suggestions were made at this conference. It was almost like a brainstorming event on how to get things (US politics and laws) going in the right direction in this field. Hearing leaders in the cryptography field speak was awesome. They were direct and to the point. And you could tell that they were being completely strait with everyone about the current situation and what the technology could/could-not do for us. The comment I kept hearing over and over was that we have to educate the public about what cryptography is and why it's important to everyone using computers to communicate. This public includes people who are not on the net and those who don't even know what the Internet is. So, now I have some ideas on what I, as an individual can do to help. Educating poeple about crypto. I work with alot of artists on the net (~300+) and will introduce crytography to them. We'll think of some cool ways to implement it in our work and in the process will learn how to use it. :) The SAFE t-shirts were great too... -lile (a webmaster at art.net) www.art.net From snow at smoke.suba.com Tue Jul 2 19:31:45 1996 From: snow at smoke.suba.com (snow) Date: Wed, 3 Jul 1996 10:31:45 +0800 Subject: Net and Terrorism. In-Reply-To: Message-ID: On Tue, 2 Jul 1996, snow wrote: > Cause disturbances in certain parts of certain cities, then attack > the 911 system to route officers and firemen to _wealthy_ neigborhoods at > the expense of the poor neighborhoods. Then complain to the papers about > it. > > Gain control of the power grid (I don't know how possible this is) > and selectively brown out certain sections of the city during peak demand > periods. Make it obvious, then do the preceeding idea. > > In all of these people will, or could die, but are much more > effective in undermining the faith people have in the structures that run > the country. If a bomb blast goes off, people get pissed off at the bomb > makers, if the power fails, people get pissed at the electrical company. > If you can create a large enough disturbances they will be better than > bombs. > */ Ummm... Just in case anyone is thinking it right now, NO, I didn't. If this outage was deliberate, I had nothing to do with it. I was just postulating possibilities. Petro, Christopher C. petro at suba.com snow at crash.suba.com From llurch at networking.stanford.edu Tue Jul 2 19:33:22 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 3 Jul 1996 10:33:22 +0800 Subject: PROMISe them anything (was Re: whitehouse dossier database?) In-Reply-To: <199607021547.LAA04235@unix.asb.com> Message-ID: On Tue, 2 Jul 1996, Deranged Mutant wrote: > On 1 Jul 96 at 23:39, Vladimir Z. Nuri wrote: > > > holy cow, is this real? Grabbe cites several credible references. > > Ask Phil Resuto. No, for the full story, look at: http://www.cco.net/~trufax/reports/bavarian.html > > Conspiracy Nation -- Vol. 8 Num. 30 I always thought this was a self-parody, like "50 Greatest Conspiracies of All Time." Looking through back issues again, I concede that he might be doing it on purpose. Which is an entirely different thing than saying he believes it. > > Stephens' software firm Systematics. The Citibank heist > > by Russian hackers, for example, took advantage of a back > > door in Citibank's Systematics software. (The Russian > > hackers were apparently aided by the son of one of Jim > > Leach's House Banking Committee investigators.) Have > > any major banks thought of instituting lawsuits over this > > deliberate breach of security on the part of a software > > supplier? > > Huh? I thought the Russian 'hackers' helped write the software, and > used one of their own backdoors. Shh. Never let the truth get in the way of a good rant. -rich http://www.c2.org/~rich/ From cme at cybercash.com Tue Jul 2 19:42:40 1996 From: cme at cybercash.com (Carl Ellison) Date: Wed, 3 Jul 1996 10:42:40 +0800 Subject: Self-signed certificates Message-ID: <2.2.32.19960702215220.002ff23c@cybercash.com> Here's some trouble-making I'm doing on another list (one that believes in X.509 certs and CAs).... :) - Carl >Date: Tue, 02 Jul 1996 17:34:46 -0400 >To: Greg.McPhee at Software.com (Greg McPhee) >From: Carl Ellison >Subject: Re: Self-signed certificates >Cc: ssl-talk at netscape.com > >At 01:51 PM 7/2/96 -0700, Greg McPhee wrote: >>> >>>If you have encountered an old friend of yours on the net and want to make >>>sure that you can exchange keys with her without some active eavesdropper >>>getting in the path and substituting keys, then a CA's cert is probably >>>worthless to you. [I have a paper at this month's USENIX Security Symposium >>>on this subject.] >> >>I want to understand why the "CA's cert" above is worthless. Assuming the >>"CA's cert" is a self signed certificate identifying a CA, then is it >>worthless because it is an untrusted CA, or because my old friend and I >>don't have personal certificates signed by this CA? >> >>Couldn't wait for the paper :-) > >OK -- at the risk of boring the list... :) > >There are many definitions for "identity". In this one case, I'm using the >example of an old friend. We meet again on the net and want to trade keys, >for private communications. Much of the loose talk over the years about >certificates says that if she and I have certificates from a good CA, then >we can be assured we aren't being spoofed. That statement isn't true. > >To state it more formally, a CA's certificate in this case is neither >necessary nor sufficient. > >The CA binds a key to *its name for a person* -- trying to make that name >globally unique and meaningful -- but all it can promise is to make the name >unique. It can't promise to make it meaningful *to me*. The CA is not >aware of my existence, much less of what I know about each person in the >world. There might be 100 certificates for "Sue Robinson" -- with various >other information to distinguish them from one another -- but when I knew >her she was going under the name of Laura and I have no clue what her other >distinguishing information is. I had lost touch with her. > >I could ask her, over the net, and she would tell me all those new bits of >information. > >Trouble is, I need an authenticated channel to her in order to be sure I'm >not being spoofed while she tells me her SNail address (or whatever makes >her cert unique). I can't get an authenticated channel without the cert. >Impasse. > >Thus the cert from the CA is not sufficient. > >It is also not necessary. The paper I'm presenting gives a protocol with >which Sue and I can use our shared memories (what makes us old friends in >the first place and, in a real sense, the *true* definition of "identity") >to prove to each other that there is no eavesdropper over a confidential >channel we create. Once we've done that, we then we can tell each other our >keys and each issue a cert for the other's key. At that point, we have >certified keys for each other without involving a CA. What's better, I have >her certified key from a "CA" I can trust above all others -- myself. > >[QED] > > - Carl From ichudov at algebra.com Tue Jul 2 20:10:25 1996 From: ichudov at algebra.com (Igor Chudov @ home) Date: Wed, 3 Jul 1996 11:10:25 +0800 Subject: Net and Terrorism. In-Reply-To: Message-ID: <199607022253.RAA31595@manifold.algebra.com> Timothy C. May wrote: > > >Another method, and this would be very unpopular (and > >hypocritical of the US) would be simply to announce that we (the Country) > >are going to hold the _manufacturing_ nation responcible for the use of > >weapons of mass destruction. So if Soviet Nerve Gas is used, we gas a > >city in the Soviet Union. MAD carried to a lower level. > > You are essentially making my point, that the biggest danger of the current > responses to terrorism is that nations will turn to national terrorism and > police state tactics. Khm, have you thought about getting 2,000 nukes in response? - Igor. From um at c2.org Tue Jul 2 20:54:43 1996 From: um at c2.org (Ulf Moeller) Date: Wed, 3 Jul 1996 11:54:43 +0800 Subject: Message pools _are_ in use today! In-Reply-To: Message-ID: >alt.anonymous.messages is not an ideal message pool-- it is a hack. >(Granted, it *is* a really cool, clever, and practically useful hack.) I agree that alt.anonymous.messages is not perfect. But if you download all articles and don't post to alt.anonymous.messages without using a remailer, the only real threat are denial of service attacks with cancel messages etc. >If folks have better ideas for how to achieve really good recipient >anonymity, I hope they'll speak up! I think a DC+ net would achieve the same degree of anonymity more efficiently. (It's not trivial to estimate the traffic caused by a remailer net as proposed by Ian, so I may be wrong there.) From um at c2.org Tue Jul 2 20:56:28 1996 From: um at c2.org (Ulf Moeller) Date: Wed, 3 Jul 1996 11:56:28 +0800 Subject: Info on alleged new German digital wiretapping law? In-Reply-To: Message-ID: Rich Graves writes: >None of the Europeans I ran into at today's SAFE conference had even heard >of the legislation decried at > > http://fight-censorship.dementia.org/fight-censorship/dl?num=3027 > >and in alt.fan.ernst-zundel. What's up? The report is correct. The mainstream press has completely ingnored the wiretap legislation, probably because it is part of the long-awaited new telecommunications law to end the Telekom monopoly. From frissell at panix.com Tue Jul 2 21:24:53 1996 From: frissell at panix.com (Duncan Frissell) Date: Wed, 3 Jul 1996 12:24:53 +0800 Subject: LE Risks with No Crypto Message-ID: <2.2.32.19960703002028.00ba3b24@panix.com> Did anyone notice the fun little bit in the story of the bust of the Viper Militia in Arizona? The state employee that BATF sent to infiltrate the group almost "assumed room temperature" because an ally of the Militia working for AT&T pulled his long distance phone records. The infiltrator was questioned rather closely about some of his phone calls to official numbers. He managed to persuade them that he wasn't a Fed. Too bad AT&T doesn't use an encrypted open books system to store is records so that "bad guys" can't abuse those records and put our heroic law enforcement personnel at risk. This is a perfect illustration of the fact that technology puts the government most at risk because it will always be the juiciest target. "Worth the powder to blow it up with." DCF From ogren at cris.com Tue Jul 2 21:32:09 1996 From: ogren at cris.com (David F. Ogren) Date: Wed, 3 Jul 1996 12:32:09 +0800 Subject: Lack of PGP signatures Message-ID: <199607022343.TAA21050@darius.cris.com> -----BEGIN PGP SIGNED MESSAGE----- To: cypherpunks at toad.com Date: Tue Jul 02 19:40:44 1996 I've noticed recently that two PGP programmers (Mr. Zimmerman and Mr. Atkins) do not seem to PGP clearsign their messages to this list. In fact, a surprisingly small percentage of messages on the C-punk list are signed. This despite the fact that the average subscriber is at least literate in PGP. Does anybody have any speculation on why this is? Is it because people consider mundane mail unimportant enough to sign? Is it because the members of this list are more concerned with encryption than authentication? Is it because most mail programs are not PGP aware? Is it because of the weaknesses in MD5? David F. Ogren | ogren at concentric.net | "A man without religion is like a fish PGP Key ID: 0x6458EB29 | without a bicycle" - ------------------------------|---------------------------------------- Don't know what PGP is? | Need my public key? It's available Send a message to me with the | by server or by sending me a message subject GETPGPINFO | with the subject GETPGPKEY -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMdmzfeSLhCBkWOspAQEdaAf7BzkKqxVyzBY4TAKoSXqO2DhFpceMGfv1 WJhMXHCi9FnZuCHs2hl03vhf/DReX1Y6YWU9ntLhpO8kY6eDeRdq/M9eyD/le1df lZXewrfWrv/JSQgDEmUgao01EkVCVILAx/mUzeBTYPx0nx4CVKUw5pCOJvcO4oVs Y9K1w7ivSpVtwvonYSrqWjT3qDDXm2aCID+YlffH2c+nDBXPgv094fj5Fzzoi+4i sS8u/otxz8d2A+NlhqKJZWxkPtBi0AA2VO6L2Mx8ZmlwRWaD4EiTjaozusPq5GoE tEh9YIPt4+CJZTiLwRRh1x+OqWIDQOJMcDlLmNhiYxFYuevWhmbLPA== =/E0F -----END PGP SIGNATURE----- From jimbell at pacifier.com Tue Jul 2 21:33:51 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 3 Jul 1996 12:33:51 +0800 Subject: But what about the poor? Message-ID: <199607030031.RAA12438@mail.pacifier.com> At 04:55 PM 7/2/96 -0700, Martin Minow wrote: >Jim Bell wants to get rich running a key escrow business (:-) >> >>Oh, but what a business opportunity! I assume a floppy can hold 1000 keys. >>Even if I undercut the going rate of $200 per year by a factor of 10, that's >>a potential income of $20,000 per floppy per year. A box of 20 floppies on >>the shelf, and I'm set for life! >> >Add in the cost of a bank vault I'm assuming that the keys are, themselves, encrypted. > and the ability to provide any key >to an approved law enforcement agency (i.e., one that provides you with >a legitimate search warrant for the key) with a 2 hour response time >(24/7/365). Easy solution! Make 'em show up at the front door. It'd cut down on the requests, I'd say... This would be an excellent way of getting around the "response time" requirement: The time the cops take to actually arrive and request the key is THEIR time, not that of the escrow agent. Locate the escrow agent in Encampment, Wyoming, and see how many can find it! > Also, you will have to take in keys as they are provided. However, this raises an interesting question: Can key-escrow agents change the terms of their operation to delete such responses (or slow them...) for the cops? Or, for that matter, can they charge the cops an arm and a leg for the key? (Say, $100,000 per?) Another question: The cops probably assume that the escrow agent is NOT going to inform the key holder that the key has been delivered. But if the stated policy of the escrow agent is that the key owner MUST be informed, what are the cops gonna do about it? Further, how are the cops going to evidence the existence of a valid warrant? (As opposed to a forgery?) Jim Bell jimbell at pacifier.com From hua at XENON.chromatic.com Tue Jul 2 21:49:59 1996 From: hua at XENON.chromatic.com (Ernest Hua) Date: Wed, 3 Jul 1996 12:49:59 +0800 Subject: Ken Bass: Wire tap only useful for conviction (Was: SAFE Forum--some comments) In-Reply-To: Message-ID: <199607030102.SAA05930@server1.chromatic.com> > And here I'll comment on Ken Bass's excellent comments (there were many > excellent points). > > He pointed out that the driving force for crypto policy is probably the > _law enforcement_ camp, not the _intelligence agency_ camp. Ken pointed out that law enforcement had to have gotten enough evidence prior to a wire tap request to show probable cause. If this is the case, then the only usefulness of wire taps is to improve the likelihood of conviction and not the detection of potential terrorist (or child molestation or your favorite bad guy) plots. Therefore, it is important to cut through the rhetoric and to challenge Reno and Freeh and others when they spout such non-sense, unless they are foreshadowing an Orwellian state (where you might as well expect a camcorder in every bedroom. After all, the most common case of child abuse/molestation/spousal abuse is in the home. Better protect the public!) Ern From jimbell at pacifier.com Tue Jul 2 21:52:48 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 3 Jul 1996 12:52:48 +0800 Subject: Net and Terrorism. Message-ID: <199607030107.SAA14488@mail.pacifier.com> At 04:13 PM 7/2/96 -0500, snow wrote: >On Tue, 2 Jul 1996, snow wrote: >> Cause disturbances in certain parts of certain cities, then attack >> the 911 system to route officers and firemen to _wealthy_ neigborhoods at >> the expense of the poor neighborhoods. Then complain to the papers about >> it. >> >> Gain control of the power grid (I don't know how possible this is) >> and selectively brown out certain sections of the city during peak demand >> periods. Make it obvious, then do the preceeding idea. >> >> In all of these people will, or could die, but are much more >> effective in undermining the faith people have in the structures that run >> the country. If a bomb blast goes off, people get pissed off at the bomb >> makers, if the power fails, people get pissed at the electrical company. >> If you can create a large enough disturbances they will be better than >> bombs. Hey, great job Chris! Saw the news reports on the national news! B^) Jim Bell jimbell at pacifier.com From warlord at MIT.EDU Tue Jul 2 22:23:54 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Wed, 3 Jul 1996 13:23:54 +0800 Subject: Lack of PGP signatures In-Reply-To: <199607022343.TAA21050@darius.cris.com> Message-ID: <199607030142.VAA29584@toxicwaste.media.mit.edu> > I've noticed recently that two PGP programmers (Mr. Zimmerman and Mr. > Atkins) do not seem to PGP clearsign their messages to this list. In fact, > a surprisingly small percentage of messages on the C-punk list are signed. > This despite the fact that the average subscriber is at least literate in > PGP. Actually, I don't PGP sign my messages because 95% of the time my connection to my mail host (the machine on which I read and respond to mail) is insecure. Composing the message, bringing the message to my local machine, running PGP, re-uploading the message, and sending it is a big deal and I don't consider it important enough for my everyday posts. When I send out notices that I consider important I do sign them. But that is fairly rare (at the moment). Basically, I refuse to type my passphrase over the net, which signing all my messages (this one included) would require. -derek From unicorn at schloss.li Tue Jul 2 22:28:49 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 3 Jul 1996 13:28:49 +0800 Subject: secure WWW on UNsecure servers In-Reply-To: Message-ID: On Fri, 28 Jun 1996, Joseph Sokol-Margolis wrote: > > How might one arrange for these encrypted web pages residing on an > > (unsecure) server to get decrypted only at the client's machine? Given the cost of high bandwidth connections and the practical necessity of surrendering control of the actual machine on which the server resides to have a decent connection at all, it seems to me that this possibility should be very seriously considered. It will allow virtual anonyminity of browsing and (with cooperative ISPs) allow anonymous maintaince of a page itself. The other alternative (maintaining control of the server and machine itself) requires substantially more work to foil traffic analysis and jurisdictional savvy employment to achieve the same effect. As usual, the mathamatic defense vastly exceeds the utility of the physical defense. To what extent will it be possible, e.g., to run a financial services web page from a server and still keep the server staff from knowing what the page is? It provides the ISP providing the server with liability protection, and presents many more anonymous possibilities. This, clearly, must be the best answer to turning web pages and WWW transactions into the kind of personal and private exchanges that PGP affords e-mail today. From AwakenToMe at aol.com Tue Jul 2 22:31:29 1996 From: AwakenToMe at aol.com (AwakenToMe at aol.com) Date: Wed, 3 Jul 1996 13:31:29 +0800 Subject: hard drive encryption Message-ID: <960702214331_229961662@emout07.mail.aol.com> you told him to take his hard drive with him. but me on the other hand am wondering because I want my drive secure from everyone. While im here and not here. And Im definitely not going to take myt drive everywhere hehehe Sooo what other programs are out there?? Any shareware versiob..trials..etc.. that anyone knows any WWW sites of? Tanks! From jad at dsddhc.com Tue Jul 2 22:31:58 1996 From: jad at dsddhc.com (John Deters) Date: Wed, 3 Jul 1996 13:31:58 +0800 Subject: The Net and Terrorism Message-ID: <2.2.32.19960703005232.009d18e4@labg30> At 03:44 PM 6/30/96 -0700, you wrote: >in reality. it seems to me no nation-state has ever experimented with >trying to take away the root causes of violence and discontent. But here in the U.S., we ARE trying to take them away via the educational system. About the only thing we can effectively do is to provide more educational opportunities that denounce violence, racism, hate crimes, etc. However, you cannot eliminate discontent without eliminating greed; which is simply not possible. Even so, there are a couple of problems with even attempting "to take away the root causes", not the least of which is the Constitutionally protected right to free speech. I am allowed to teach my kid to hate anyone for any reason. I can blame this or that group for this set of troubles, and that the best way to deal with this is not only to scare them away, but to kill as many of them as possible. It may be morally repugnant, but it is protected speech. The countries that sponsor terrorists have not been noted for their successful educational systems. And they certainly are not going to listen to Western discussions on how best to solve their "problems". Do you still not accept that we have a world that contains people who exist in conditions that foster and breed terrorists? If not, look at some more concrete examples. Have you ever met an Islamic fundamentalist? How about a Christian fundamentalist? There really is no difference between them, other than the specific quotations that exit their pre-programmed mouths. When religion enteres the picture, no amount of logic will convince the true believers that they are acting destructively. Even moderately regligious Christians (the people to whom I have been most exposed) have very strong beliefs that X is the word of God, and therefore not subject to question. When this is some destructive (yet not obvious as such) statement, such as "Go forth and multiply", no amount of education or logic will convince them that Zero Population Growth is a good thing. I'm sure you can multiply this into all sorts of destructive behavior preached locally, such as the Southern Baptist preachers who refuse to denounce the maltreatment of blacks or the burning of black churches. There is no force of law that can alter this behavior. My point here is that this behavior is explicitly protected by the Bill of Rights. So, do you not accept that we have the environment right here that can breed violence and discontent? For the most part, I see kids today being educated with much less "hatred" than even my age group was brought up with (I'm 34). We're moving in the right direction by incorporating diversity in education, entertainment and the workplace, but we can never hope to erase it all. And if even one person retains the seed of violence, they can employ the "warfare of the weak" -- terrorism. >or that they are worth the money. terrorists invariably have a >patricular pathological psychological profile that sees the world >in terms of "martyrs vs. villians" with the villians in the government, >and the villians taking away or abusing respectable citizens. So your point here is one of *agreement* that human nature will produce psychological profiles of people who commit acts of terror. >the "problem" of terrorism will be solved when we take the view >that insanity and violence is *not* >a natural aspect of human behavior (as TCM tends to suggest), Even in spite of your argument above? Violence is here. It's been present since recorded history. We've gotten pretty good at it, actually. I think the record speaks pretty clearly that violence continues to be a part of human behavior, despite any efforts made to stop it. >and that >there are specific environmental conditions that breed it. like >malaria, if you take away the swamplike breeding grounds, you will >largely remove it. such a thing is a radical hypothesis, but one that >nonetheless has never really been tested in practice. As I said above, we can reduce some of the breeding grounds, but we can not eradicate them all. And if one were to conduct a study correlating racist attitudes with education with numbers of acts of terror, we might find a direct correlation. The U.S. has a level of tolerance for diversity that I only recently came to appreciate. We hosted a foreign exchange student from Scotland (hardly culture shock to him), but he surprised me when he commented on how surprised he was that different groups of people were mixed together -- black kids hanging out with white kids, catholics and protestants being friends, the sort of thing that I take for granted every day. He expected the subtle racism of home. And lets just say that Great Britain's culture is probably closer to ours than any other country. I am more than willing to agree with you that elimination of hatred and prejudice will go farther than any law enforcement measures to reduce terrorist acts. However, my point, and I believe this is Tim's point, too, is that it will *never* eliminate these acts, and that there must be other ways of dealing with the problems that occur. >>I'm not advocating such "terrorism," by the way, merely telling it like it is. >ah yes, the standard amusing TCM disclaimer. hmmm, your signature suggests >otherwise. This personal attack was completely unwarranted. Are you suggesting that Tim is a sponsor of terrorist attacks, or that he approves of the repeatedly demonstrated governmental penchant for violating our privacy whenever convenient? There was no point to making this statement, other than to foster discontent. >>(Remember, terrorism is just warfare carried on by other means, with >>apolgies to Von Clausewitz.) >disagree. the purpose of warfare has traditionally been to seize I completely disagree with you here. Terror has all the same purposes as general-purpose warfare: it's simply being carried out by a smaller group, without the resources available to an entire government. Look at the Irish Question: they want independance from a government they deem undesirable. Look at the arabian terrorist bombings of Americans in Saudi Arabia, Lebanon, etc.: they want to drive the U.S. Army out. Likewise, the bombing of the Murrah building in OK was a "military" target: it housed the agencies that some small group percieved to be responsible for the attack on Waco. Even the church building burnings happening across the southern U.S. appear to have a specific objective: to frighten the victims; and if the victims left the area, the terrorists would have accomplished their objectives. No hidden purposes here: these are all military actions being carried out by groups that are simply not in a position to negotiate. It is "warfare by the weak". You may think that you hold every answer to terrorism in your hand, that hugs and kisses before bedtime will make the evil monsters under the bed go away. The point of Tim's essay was that, yes, the net can be used by the evil monsters, and yes, the evil monsters are here, and no, the evil monsters are not going away any time soon. Why did you feel it necessary to try to slam his fairly well-researched and quite obvious conclusion? John -- J. Deters >From Senator C. Burns' Pro-CODE bill, which I support and you can find at: http://www.senate.gov/member/mt/burns/general/billtext.htm " (2) Miniaturization, disturbed computing, and reduced transmission costs make communication via electronic networks a reality." +---------------------------------------------------------+ | NET: jad at dsddhc.com (work) jad at pclink.com (home) | | PSTN: 1 612 375 3116 (work) 1 612 894 8507 (home) | | ICBM: 44^58'33"N by 93^16'42"W Elev. ~=290m (work) | | PGP Key ID: 768 / 15FFA875 | +---------------------------------------------------------+ From unicorn at schloss.li Tue Jul 2 22:32:33 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 3 Jul 1996 13:32:33 +0800 Subject: anonymous mailing lists In-Reply-To: <199606290404.XAA32220@manifold.algebra.com> Message-ID: On Fri, 28 Jun 1996, Igor Chudov @ home wrote: > How about this attack: suppose I want to find out who hides behind > an alias MightyPig at alpha.c2.org and I have the ability to monitor > all internet traffic. Then I simply start mailbombing that address > and see whose account gets unusually high traffic volume. > > A nice, albeit quite expensive, way of pretection from traffic analysis > is to create a mailing list (or a newsgroup) and forward all messages to > all users of that mailing list or newsgroup. Of course, since messages > are encrypted, only the recipients will be able to decrypt them. > > This way the list of suspects is all subscribers of that list or > newsgroup and there is no way to discriminate them. > > Instead of having messages to be sent to all recipients all the time, > alpha.c2.org may be programmed so that it sends out every message not to > only one recipient X, but to X and 20 other randomly selected people. > > It apparently makes traffic analysis much harder. > > Then users of alpha.c2.org will have to install mail filters that > automatically delete all incoming mail not intended to be read by them > (they can't read such messages anyway). > > - Igor. > I think that traffic analysis can be best defeated by powerful filtering rather than any kind of multiple sending. Eventually, (as the number of messages to a particular party increases beyond the number of distractor messages sent with each mailing) it will be possible to note the statistical difference in the number of messages send to the random 20 people and the actual recipiant. A mail bombing will still reveal the true identity of the addressee as the 20 distractor address will be randomly selected each time, and the addressee will not. Instead, one might suggest, the same 20 people should be sent to as distractors. Unfortunately this leaves the actual addressee open to disclosure when he/she responds to alpha forwarded messages (you were assuming all internet traffic would be monitored, thus the response timing would be a major clue). I think the real answer to this is going to be open access pools. All encrypted messages will be left in a collective pop account, accessable by anyone at all. An agent could easily be written to poll the pop account, download the entire queue of messages and locally decode and make available only the ones addressed to the addressee. I suspect the best policy would be to purge the pop account once a month of messages older than 2 months. Traffic analysis will reveal who polls the pop account, but not much else. I suppose this could even work today if someone wrote a clever agent to poll alt.anonymous.messages. From minow at apple.com Tue Jul 2 22:37:47 1996 From: minow at apple.com (Martin Minow) Date: Wed, 3 Jul 1996 13:37:47 +0800 Subject: But what about the poor? Message-ID: Jim Bell wants to get rich running a key escrow business (:-) > >Oh, but what a business opportunity! I assume a floppy can hold 1000 keys. >Even if I undercut the going rate of $200 per year by a factor of 10, that's >a potential income of $20,000 per floppy per year. A box of 20 floppies on >the shelf, and I'm set for life! > Add in the cost of a bank vault and the ability to provide any key to an approved law enforcement agency (i.e., one that provides you with a legitimate search warrant for the key) with a 2 hour response time (24/7/365). Also, you will have to take in keys as they are provided. Hmm, the SecureCard (tm) I use to dial into my office system generates one key per minute. Assume there are a million out there. Assume keys are 64 bits (8 bytes) + 64 bits of card ID. 16 Mbytes/minute is, according to the back of my envelope, just under 1/4 mbyte/sec, so each of those floppy's will fill up pretty quickly, and you'll need a really, really, big safe to put them in. Of course, Jim probably knows this. Martin. From unicorn at schloss.li Tue Jul 2 22:52:58 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 3 Jul 1996 13:52:58 +0800 Subject: fbi botches intel "ecspionage" case In-Reply-To: <199606291925.MAA12512@netcom3.netcom.com> Message-ID: On Sat, 29 Jun 1996, Vladimir Z. Nuri wrote: > > "economic espionage" (ecspionage?) is in full swing as being > promoted as the new bogeyman to justify spending billions of > dollars to our intelligence agencies, both military and > the FBI. Careful, the FBI only does counter-intel in this context. > > we already have a very good example where this has > backfired. I was watching Nightline on Tues night or > so in which there was info about how the FBI helped > get an informant into Intel in a *very* sensitive > position, where he was able to film the pentium chip > plans. he said he sold them, as I recall, > to iraq, syria, china, etc. Again, why was the FBI putting the informant into Intel? It was almost 100% certain to be related to a criminal or counter-intel matter. The fact that the informant may have appropriated information in the process and sold it to the highest bidder is a rebuke against the FBI's informant selection process, not against economic or industrial espionage, which the FBI does not do. > somehow we have missed a good public debate about > ecspionage in the country. there were a few NYT > editorials, but it is clearly being used as a very > major aspect of promoting the new post-cold-war spy > and intelligence strategy without almost any notice > by major analyists. It has gained a great deal of notice, you just have to know where to look. I suggest looking over e.g., the economist, foreign affairs, foreign policy, the international journal of intelligence and counterintelligence, signal.... > > I was thinking about all the objections I had to the > FBI ecspionage treatment that were never raised on the > program: I don't think you have a firm grasp on the role or part the FBI took in this matter. > 2. we have a tradition of separation of church and state in > this country, and also separation of the public government > and private industry. suddenly we have the FBI saying they > want to infiltrate companies to deal with economic espionage. Typically this is with the consent of the companies, or in response to complaints from same. This is COUNTER intelligence, not espionage or "ecspionage" (A silly and non-sensical term even if you were constructing it correctly here). > well, these companies have their own policy, and what do > they gain by having a government agency working inside them? See my comment above. > in the above case I note, it led to exactly the *opposite* > of what was intended: the theft of *highly*sensitive* plans > by an FBI mole. Not the first time, certainly will not be the last. Again, it's a question of procedure, not of the validity of the program. > 3. hence, one wonders if the FBI could do a better job of > combating ecspionage I believe you mean economic intelligence here, not economic espionage, or industrial espionage, or "ecspionage." > if someone else can give more info on this case (apparently > a book is coming out about it or something) including the > guy's name, I'd appreciate it, I didn't take any notes so > this is a bit fuzzy. Try to be more careful about the roles of the various parties in your (otherwise interesting) commentary. From frantz at netcom.com Tue Jul 2 22:55:01 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 3 Jul 1996 13:55:01 +0800 Subject: SAFE Forum--some comments Message-ID: <199607030157.SAA17571@netcom8.netcom.com> At 2:47 PM 7/2/96 -0700, Lile Elam wrote: >The comment I kept hearing over and over was that we have to >educate the public about what cryptography is and why it's important >to everyone using computers to communicate. This public includes >people who are not on the net and those who don't even know what the >Internet is. Absolutely! The image of postcards vs. letters may be the most effective metaphor. > www.art.net Check it out. Well worth the visit. (And if, like me, you are limited to 28.8, well, you can practice your Zen.) ------------------------------------------------------------------------- Bill Frantz | The Internet may fairly be | Periwinkle -- Consulting (408)356-8506 | regarded as a never-ending | 16345 Englewood Ave. frantz at netcom.com | worldwide conversation. | Los Gatos, CA 95032, USA From tcmay at got.net Tue Jul 2 22:58:35 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 3 Jul 1996 13:58:35 +0800 Subject: Net and Terrorism. Message-ID: At 9:13 PM 7/2/96, snow wrote: >On Tue, 2 Jul 1996, snow wrote: >> Gain control of the power grid (I don't know how possible this is) >> and selectively brown out certain sections of the city during peak demand >> periods. Make it obvious, then do the preceeding idea. > Ummm... Just in case anyone is thinking it right now, NO, I >didn't. If this outage was deliberate, I had nothing to do with it. I was >just postulating possibilities. Hmmhhh....I post about the "Net and Terrorism" on Sunday, and the Viper Militia and their plans to blow up several courthouses in Phoenix are revealed a few hours later....Snow posts about using computers to knock out the power grid, and a few hours later power goes out over 15 western states.... Coincidence? I think not. But we can test this hypothesis: "Alien spaceship images will appear in thousands of darkened rooms and will trigger mass hysteria." We'll find out tomorrow if Cypherpunks really do have the Power. --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From blancw at microsoft.com Tue Jul 2 23:00:37 1996 From: blancw at microsoft.com (Blanc Weber) Date: Wed, 3 Jul 1996 14:00:37 +0800 Subject: Net and Terrorism. Message-ID: >From: tcmay at got.net > > >"Alien spaceship images will appear in thousands of darkened rooms and >will trigger mass hysteria." ............................................................... Scheduled for July 4th, "at a theater near you". > .. >Blanc From unicorn at schloss.li Tue Jul 2 23:13:19 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 3 Jul 1996 14:13:19 +0800 Subject: FTS2000 and Encryption? In-Reply-To: <199606302206.SAA01870@nrk.com> Message-ID: On Sun, 30 Jun 1996, David Lesher wrote: > > I imagine that we'll see contining developments in the STU-III area (the > > most popular crypto phone in Government use), as well as new devices > > supporting Type I and Type II crypto for use on the FTS2000 nets. > > I've heard an ISDN STU-III is either out or coming RSN. I have an AT&T prototype. I don't know if they are freely available yet. > > One bugaboo I recall was that FTS2000 would not let us make a frac > T1 off-net connection. Alas, that included the remote diagnostic > number of the equip. mfgr ;-{ > > -- > A host is a host from coast to coast.................wb8foz at nrk.com > & no one will talk to a host that's close........[v].(301) 56-LINUX > Unless the host (that isn't close).........................pob 1433 > is busy, hung or dead....................................20915-1433 > From declan at well.com Tue Jul 2 23:16:09 1996 From: declan at well.com (Declan McCullagh) Date: Wed, 3 Jul 1996 14:16:09 +0800 Subject: F-C Dispatch #16: DoJ files appeal, Supreme Court ho! Message-ID: ----------------------------------------------------------------------------- Fight-Censorship Dispatch #16 ----------------------------------------------------------------------------- Justice Department files appeal, Supreme Court ho! ----------------------------------------------------------------------------- By Declan McCullagh / declan at well.com / Redistribute freely ----------------------------------------------------------------------------- In this dispatch: Justice Department's appeal means long, tortuous process A mysterious "Order on Motion for Clarification" Text of Justice Department's Notice of Appeal July 2, 1996 WASHINGTON, DC -- The Department of Justice yesterday appealed the Philadelphia court's decision striking down the Communications Decency Act, a move that sets the stage for a long, tortuous climb to the Supreme Court. The government's "Notice of Appeal" is a terse, two-page statement saying they "hereby appeal" the "Adjudication and Order entered June 12," the day the special three-judge panel unanimously declared the CDA to be unconstitutional and blocked the Justice Department from enforcing it. Next move is the DoJ's. They have until September 1 to file a "jurisdictional statement" arguing that the Supreme Court should hear their appeal. The Supreme Court doesn't automatically have to accept jurisdiction, notes Ann Beeson, an attorney with the ACLU. "The Supreme Court can still decline to exercise jurisdiction over the case," she says, adding: "They do not have the same kind of discretion they have in a cert petition." All the DoJ has to do is convince the Supremes that there's "still a substantial federal question," says Beeson. "If they're not convinced there is a question, they can decline the appeal." But by all accounts, there's precious little chance of that happening. After Justice files the jurisdictional statement, our attorneys have 30 days to file a response -- and then when the next term begins on October 7, the Supremes will meet to discuss the case. (If the procedure is anything like granting cert, the votes will be cast in a secret conference attended only by the justices and the actual vote won't be disclosed.) The climb to the nation's highest court will be only partly over by then, since the court's decision to consider our case marks the start of the briefing schedule. The government will have 45 more days to file their arguments saying why the Philadelphia decision was wrong; we have 30 more days to rebut. If the Department of Justice -- hardly the speediest bureaucracy in DC -- uses all of their alloted time, the paperwork won't be complete until Christmas. And then the Supremes need plenty of time to digest it. So everyone's best guess is that the Supreme Court will hear the combined ACLU and ALA coalition lawsuits early next year -- just in time for the rescheduled Electronic Freedom March on the nation's Capitol. As I wrote in a recent HotWired column: "The ACLU predicts the Supreme Court will issue a decision near the close of the next term, which ends in July 1997 -- just in time for Congress to try again." +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ THE MYSTERIOUS "ORDER ON MOTION FOR CLARIFICATION" +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ You might be surprised by a mysterious sentence in the text of the Justice Department's notice of appeal talking about a "Order on Motion for Clarification" the court issued on June 28. Not to worry. The judges ruled so vigorously in our favor that the DoJ wanted to be sure the government could prosecute anyone they think may violate other parts of the CDA. "Because of the wording of the court's actual order, they unwittingly called into question whether the DoJ could enforce the provisions of the CDA that we didn't challenge," says Ann Beeson from the ACLU. The Philadelphia court quickly issued the clarification. +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ TEXT OF JUSTICE DEPARTMENT'S "NOTICE OF APPEAL" +-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+-=-+ IN THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF PENNSYLVANIA _____________________________________________________________ AMERICAN CIVIL LIBERTIES UNION, : CIVIL ACTION et al., Plaintiffs; : No. 96-963 : v. : : JANET RENO, in her official : capacity as Attorney General of : the United States, Defendant. : _____________________________________________________________ AMERICAN LIBRARY ASSOCIATION, : CIVIL ACTION INC., et al., Plaintiffs; : No. 96-1458 : v. : : UNITED STATES DEP'T OF JUSTICE, : et al., Defendants. : _____________________________________________________________ DEFENDANTS' NOTICE OF APPEAL Notice is hereby given that defendant Janet Reno, in her official capacity as Attorney General of the United States, hereby appeals, pursuant to section 561(b) of the Telecommunications Act of 1996, Pub. L. No. 104-104, Sec.561(b), 110 Stat. 143, to the Supreme Court of the United States from the Adjudication and Order entered June 12, 1996, as clarified by the Order on Motion for Clarification entered on June 28, 1996, in American Civil Liberties Union et al. v. Reno, Civ. A. No. 96-0963 (E.D. Pa.). Notice is also hereby given that defendants United States Department of Justice and Janet Reno, in her official capacity as Attorney General of the United States, hereby appeal, pursuant to section 561(b) of the Telecommunications Act of 1996, Pub. L. No. 104-104, Sec.561(b), 110 Stat. 143, to the Supreme Court of the United States from the Adjudication and Order entered June 12, 1996, as clarified by the Order on Motion for Clarification entered on June 28, 1996, in American Library Ass'n, et al. v. Department of Justice, et al., Civ. A. No. 96-1458 (E.D. Pa.). Respectfully Submitted, MICHAEL R. STILES United States Attorney MARK R. KMETZ Assistant United States Attorney FRANK W. HUNGER Assistant Attorney General Civil Division DENNIS G. LINDER Director, Federal Programs Branch [signed] ANTHONY J. COPPOLINO Trial Attorney [signed] JASON R. BARON PATRICIA M. RUSSOTTO Trial Attorneys United States Department of Justice Civil Division Federal Programs Branch 901 E. Street N.W. Washington, Dc 20530 Tel: (202) 514-4782 Date: July 1, 1996 ----------------------------------------------------------------------------- MEA CULPA. In F-C Dispatch #13, I wrote that the Washington Post ran an article "on the first page of the Outlook section bashing "self-indulgent dross" and "crap" on the Net. I neglected to mention that John Schwartz and Kara Swisher had an excellent rebuttal inside. ----------------------------------------------------------------------------- Mentioned in this CDA update: HotWired column on what kind of net-censorship Congress will try next: http://www.hotwired.com/netizen/96/24/declan4a.html Fight-Censorship Dispatch #13: http://fight-censorship.dementia.org/dl?num=2741 Fight-Censorship list Int'l Net-Censorship Justice on Campus This document and previous Fight-Censorship Dispatches are archived at: To subscribe to future Fight-Censorship Dispatches and related announcements, send "subscribe fight-censorship-announce" in the body of a message addressed to: majordomo at vorlon.mit.edu Other relevant web sites: ----------------------------------------------------------------------------- From ghio at myriad.alias.net Tue Jul 2 23:23:33 1996 From: ghio at myriad.alias.net (Matthew Ghio) Date: Wed, 3 Jul 1996 14:23:33 +0800 Subject: Sameer on C-SPAN In-Reply-To: <199607020123.UAA19678@alpha.jpunix.com> Message-ID: <199607030242.TAA13879@myriad> bluebreeze at nym.jpunix.com (Blue Breeze) wrote: > > Not everything. No picture of Sameer!? That's what I'd like to see. There's one in the latest WebSmith magazine. From frantz at netcom.com Tue Jul 2 23:27:49 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 3 Jul 1996 14:27:49 +0800 Subject: Lack of PGP signatures Message-ID: <199607030207.TAA18393@netcom8.netcom.com> At 7:43 PM 7/2/96 -0400, David F. Ogren wrote: >I've noticed recently that two PGP programmers (Mr. Zimmerman and Mr. >Atkins) do not seem to PGP clearsign their messages to this list. In fact, >a surprisingly small percentage of messages on the C-punk list are signed. >This despite the fact that the average subscriber is at least literate in >PGP. > >Does anybody have any speculation on why this is? I want implausible deniability for the mistakes I make. ------------------------------------------------------------------------- Bill Frantz | The Internet may fairly be | Periwinkle -- Consulting (408)356-8506 | regarded as a never-ending | 16345 Englewood Ave. frantz at netcom.com | worldwide conversation. | Los Gatos, CA 95032, USA From markm at voicenet.com Tue Jul 2 23:40:31 1996 From: markm at voicenet.com (Mark M.) Date: Wed, 3 Jul 1996 14:40:31 +0800 Subject: Lack of PGP signatures In-Reply-To: <199607022343.TAA21050@darius.cris.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Tue, 2 Jul 1996, David F. Ogren wrote: > I've noticed recently that two PGP programmers (Mr. Zimmerman and Mr. > Atkins) do not seem to PGP clearsign their messages to this list. In fact, > a surprisingly small percentage of messages on the C-punk list are signed. > This despite the fact that the average subscriber is at least literate in > PGP. > > Does anybody have any speculation on why this is? > > Is it because people consider mundane mail unimportant enough to sign? This is one reason. I think that there are several other reasons: -- Someone may be using a machine at work or on a multiuser UNIX system which is untrusted and insecure. In the case of a UNIX account, one could compose a message off-line and rz it using a term program, but that is a major hassle. -- Many email programs do not have support for PGP so signing a message often requires a lot of cutting and pasting. -- PGP may not work on the computer a person is using for Internet access or the system might be too slow to use PGP. > > Is it because the members of this list are more concerned with encryption > than authentication? I think they are both equally important. The point of public-key cryptography is the ability to communicate with a person without having a secure channel to exchange keys. Once keys can be transmitted using the same medium used for the encrypted traffic, it makes a MITM or denial-of-service attack much easier. There has to be some out-of-band method to authenticate keys. Without authentication, a lot of the security that could be gained by using PK crypto is lost. > > Is it because most mail programs are not PGP aware? I don't know of any mail programs that can use PGP (I know there are various interfaces, sendmail wrappers, and other hacks, but I have yet to see a mailer with an "Encrypt" or "Sign" option. > > Is it because of the weaknesses in MD5? Doubtful. PGP authentication is better than no authentication. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xe3bf2169 http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348 "Freedom is the freedom to say that two plus two make four. If that is granted, all else follows." --George Orwell, _1984_ -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMdnnBLZc+sv5siulAQEIpAP/WesfBknwJeUnNIZzYtLkJkqR7hMu2jYz 9migOABikpYDwe0H8Dfn34ff3bab5xncoJ7M8l0HmvrISMjeFp9DpKXT0yJ0rk7a HymHCGyGpJXjQ+snbLoyEQbB4DzcE+BjihSM2upmIMhQbH3paEagc41VwL+udfVA EsWUux6Yato= =8SiH -----END PGP SIGNATURE----- From jimbell at pacifier.com Wed Jul 3 00:01:07 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 3 Jul 1996 15:01:07 +0800 Subject: Message pools _are_ in use today! Message-ID: <199607030340.UAA22879@mail.pacifier.com> At 01:13 PM 7/2/96 -0700, Eric Davis wrote: > >Hughes offers a downlink product called DirectPC. >The back channel is your regular modem. >Telco/Analog your requests to their servers >and the data is delivered via your DSS dish, >sent to your PC and decoded via an ISA card. >(Opt. DES downlink encryption) >http://www.direcpc.com/ > >The downlink is shared 500Kb/s ( I think ). >Though you can schedule a higher BW channel >for A/V applications (or so the lit reads). Anybody know what the total average bps rate for, say, USENET is? >Think it supports multicast/broadcast by default... It sounds like it might be a good addition to a network of remailers... Jim Bell jimbell at pacifier.com From minow at apple.com Wed Jul 3 00:06:28 1996 From: minow at apple.com (Martin Minow) Date: Wed, 3 Jul 1996 15:06:28 +0800 Subject: SAFE Forum--some comments Message-ID: John Pettitt recalls an question from the audience at the SAFE conference: > >One questioner from the audience made an interesting point that given >that most of american can't seta vcr clock crypto will be totally >beyond them unless it becomes pervasive ("you can buy it at radio shack"). > It's not quite that bad. Here are a few (more or less strong) crypto products you might not know you have: 1. Every Macintosh made since at least 1988 has a secure authentication client module in the AppleShare Chooser dialog. When you use it to connect to a remote server, it notes that the user information is "two-way scrambled." (The server sends a random number challenge that the client uses to encrypt the username and password. The encrypted information is sent to the server.) All Macintosh systems running System 7 or later have the corresponding server software. What is interesting about this is that the encryption is completely invisible to the user. 2. At least one garage door opener company offers an opener that resets itself -- an intruder can't record the signal and play it back as the "key code" is one-time only. However, I agree with the questioner regarding the "set VCR problem." I suspect that the major problems in deploying strong crypto will be in marketing and human engineering -- and that the current regulatory environment adds to the difficulty by removing marketing incentives to do high-quality human engineering. Note that the VCR companies have solved the vcr problem by receiving a timecode from a local television station -- making the problem invisible to the end user. We should be able to do the same with strong crypto. Martin Minow minow at apple.com From ogren at cris.com Wed Jul 3 00:18:36 1996 From: ogren at cris.com (David F. Ogren) Date: Wed, 3 Jul 1996 15:18:36 +0800 Subject: Lack of PGP signatures Message-ID: <199607030350.XAA21619@darius.cris.com> -----BEGIN PGP SIGNED MESSAGE----- To: cypherpunks at toad.com Date: Tue Jul 02 23:47:42 1996 > This is one reason. I think that there are several other reasons: > > -- Someone may be using a machine at work or on a multiuser UNIX system > which > is untrusted and insecure. In the case of a UNIX account, one > could > compose a message off-line and rz it using a term program, but that > is a > major hassle. > From the responses I received, this one may be a biggie. And it's one that we can't do much about remedying. > > Is it because most mail programs are not PGP aware? > > I don't know of any mail programs that can use PGP (I know there are > various > interfaces, sendmail wrappers, and other hacks, but I have yet to see a > mailer > with an "Encrypt" or "Sign" option. > I'm beta testing a PGP aware mailer right now called Pronto Secure. It will be a great program when its release. Requires almost no PGP knowledge. Everything is almost perfectly transparent to the user. There is also Private Idado, of course, but that's a little harder to use, and doesn't have the features of a full-fledged mailer. I figure that if strong encryption becomes legal to export from the US (making international standards easier to implement), we may see more programs like these. David F. Ogren | ogren at concentric.net | "A man without religion is like a fish PGP Key ID: 0x6458EB29 | without a bicycle" - ------------------------------|---------------------------------------- Don't know what PGP is? | Need my public key? It's available Send a message to me with the | by server or by sending me a message subject GETPGPINFO | with the subject GETPGPKEY -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMdntX+SLhCBkWOspAQGNgAf/VD/h7sVi/lhIJHSZMtJ262TIE7l++nRh igjbX3PQeIIWrkWuilqarpuYMPwmOXB1OTn38MGkiwGENpAjsX7dS7+kyv/uh5IH OY250DUMdiVW8YqYRknXo2lnOQDxtBWxO/aoDdJoFMRYHYaIBQGtAeg4WpbTjK19 OwdhtDSoXtY8EqdJJHctJcN1Ds7crJWI1v6vmR/I3AhvHMZZrmMuv1Dczsyn3aTj P+wqspkp1oXztRQwP4VCEDpd7X2RGI74fICuJcf0+lRFoIH1o/gI50zLca+b/nq4 I3gn8Vo+LdUzmVpWNkrbW3YhMPyaIIYxFQ36BBT1A/KqliUvZooUgA== =l17m -----END PGP SIGNATURE----- From tcmay at got.net Wed Jul 3 00:18:46 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 3 Jul 1996 15:18:46 +0800 Subject: The Net and Terrorism Message-ID: Not knowing enough of the posting of John Deters, I can't tell where he is being facetious, where I agree with him, and where I really disagree with him. So, take my comments as responding directly to what I perceive his points to actually be: At 12:52 AM 7/3/96, John Deters wrote: >But here in the U.S., we ARE trying to take them away via the educational >system. About the only thing we can effectively do is to provide more >educational opportunities that denounce violence, racism, hate crimes, etc. >However, you cannot eliminate discontent without eliminating greed; which is >simply not possible. As I see it, the more "educated" a subgroup becomes, in terms of "education" about "the dominant political power structure," the more they see the world in dark terms, and resent it. The more "educated" an ethnic subgroup is about "racism" is, the more racist they themselves are. (I learned this in 1970 when I went away to college in California and found an entire racial/ethnic subgroup totally consumed by fears of persecution and racism, so much so that they could only study their own persecution and so screwed themselves out of any reasonable chance of succeeding in the American culture.) By the way, the accepted name for this is: "victimology." >Even so, there are a couple of problems with even attempting "to take away >the root causes", not the least of which is the Constitutionally protected >right to free speech. I am allowed to teach my kid to hate anyone for any >reason. I can blame this or that group for this set of troubles, and that >the best way to deal with this is not only to scare them away, but to kill >as many of them as possible. It may be morally repugnant, but it is >protected speech. I certainly agree with this. Many people and subgroups are losing sight of this basic point. (Of course, their confusion is partially explained by the fact that they have grown up believing that government schools are responsible for instilling proper ethical values.) >The countries that sponsor terrorists have not been noted for their >successful educational systems. And they certainly are not going to listen >to Western discussions on how best to solve their "problems". And those who think the government school system _is_ responsible for teaching moral and ethical values should ponder the issue of just what moral and ethical values were taught by the official schools of Alabama and Mississippi in the 1920s, 30s, 40s, and 50s. Duh. When you dance with the Devil, you dance to his tune. >For the most part, I see kids today being educated with much less "hatred" >than even my age group was brought up with (I'm 34). We're moving in the I'm 44 and I see just the opposite. Today's kids spout platitudes about "Why can't we all just get along?" without any clues about what they mean. 99% of kids interviewed cite "racism" as the world's Number One problem, showing their education to be a complet failure. --Tim May P.S. I planned to stop here, in the interests of brevity, but: >The U.S. has a level of tolerance for diversity that I only recently came to >appreciate. We hosted a foreign exchange student from Scotland (hardly >culture shock to him), but he surprised me when he commented on how >surprised he was that different groups of people were mixed together -- >black kids hanging out with white kids, catholics and protestants being >friends, the sort of thing that I take for granted every day. > >He expected the subtle racism of home. And lets just say that Great >Britain's culture is probably closer to ours than any other country. Well, on these points I agree. Non-U.S. countries often cluck about America's well-publicized race problems, but we are far more integrated and mixed than are most countries (and I lived for a year in Europe and have visited a few times since). >I am more than willing to agree with you that elimination of hatred and >prejudice will go farther than any law enforcement measures to reduce >terrorist acts. However, my point, and I believe this is Tim's point, too, >is that it will *never* eliminate these acts, and that there must be other >ways of dealing with the problems that occur. One of my "meta-points" is to try to move the discussion beyond comments about "hatred and prejudice," which I find to be code words for meaningless chatter which misses the real issues. (No offense to John Deters is intended.) >You may think that you hold every answer to terrorism in your hand, that >hugs and kisses before bedtime will make the evil monsters under the bed go >away. The point of Tim's essay was that, yes, the net can be used by the >evil monsters, and yes, the evil monsters are here, and no, the evil >monsters are not going away any time soon. Why did you feel it necessary to >try to slam his fairly well-researched and quite obvious conclusion? Thanks for the comments, John. My main point was that we should not give up basic American (and "western") values for the sake of reducing terrorism. (Ironically, one of the basic notions of terrorism of certain sorts is that the very acts of terrorism will bring on some state which will further the causes of the terrorists...the Hegelian triatica and all that revolutionary stuff, etc.) The terrorists should not be given a victory of sorts by implementing martial law to reduce further attacks. --Tim, again Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jimbell at pacifier.com Wed Jul 3 00:25:05 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 3 Jul 1996 15:25:05 +0800 Subject: SAFE Forum--some comments Message-ID: <199607030434.VAA25837@mail.pacifier.com> At 07:00 PM 7/2/96 -0700, Bill Frantz wrote: >At 2:47 PM 7/2/96 -0700, Lile Elam wrote: >>The comment I kept hearing over and over was that we have to >>educate the public about what cryptography is and why it's important >>to everyone using computers to communicate. This public includes >>people who are not on the net and those who don't even know what the >>Internet is. > >Absolutely! The image of postcards vs. letters may be the most effective >metaphor. However, that AT+T fellow who revealed the phone records to the militia group would also be an appropriate comparison to destroy the "key-escrow" idea. I assume AT+T had procedures in place which were SUPPOSED TO prevent this. Well, key-escrow agents "will" also have similar procedures. Why should we assume they will be more reliable? Jim Bell jimbell at pacifier.com From alano at teleport.com Wed Jul 3 00:25:41 1996 From: alano at teleport.com (Alan Olsen) Date: Wed, 3 Jul 1996 15:25:41 +0800 Subject: Sameer on C-SPAN Message-ID: <2.2.32.19960703041841.00b01ffc@mail.teleport.com> At 07:42 PM 7/2/96 -0700, you wrote: >bluebreeze at nym.jpunix.com (Blue Breeze) wrote: >> >> Not everything. No picture of Sameer!? That's what I'd like to see. > >There's one in the latest WebSmith magazine. As well as his article on writing modules for Apache servers... [BTW, the issue number is no 4.] A worthwhile magazine if you write code for web servers. Now all I have to do is come up with a few ideas for modules... --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon "Microsoft -- Nothing but NT promises." From jimbell at pacifier.com Wed Jul 3 00:43:02 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 3 Jul 1996 15:43:02 +0800 Subject: But what about the poor? Message-ID: <199607030429.VAA25505@mail.pacifier.com> At 10:16 PM 7/2/96 -0500, snow wrote: >On Tue, 2 Jul 1996, jim bell wrote: >> stated policy of the escrow agent is that the key owner MUST be informed, >> what are the cops gonna do about it? >> >> Further, how are the cops going to evidence the existence of a valid >> warrant? (As opposed to a forgery?) > > The judge that issues it will digitally sign it. You can check the >signature block. However, what about an UNCOOPERATIVE escrow agent? (one who insists on signed paper, or for that matter insists that the judge himself shows up.) Or one, at least, who sites himself in Borneo, on the top of a 4000 foot mountain, with a 386 laptop computer and a box of floppies, and who promises 2 hour services to anybody who shows up? No email, no fax, no phone, no light, no motor car, not a single luxury....oooops....sorry about that...not even radio. Moreover, if the escrow agent is out of the country, can any domestic laws force him to divulge keys? Jim Bell jimbell at pacifier.com From blancw at MICROSOFT.com Wed Jul 3 00:47:58 1996 From: blancw at MICROSOFT.com (Blanc Weber) Date: Wed, 3 Jul 1996 15:47:58 +0800 Subject: fbi botches intel "ecspionage" case Message-ID: >From: Black Unicorn > >On Sat, 29 Jun 1996, Vladimir Z. Nuri wrote: > >> 3. hence, one wonders if the FBI could do a better job of >> combating ecspionage > >I believe you mean economic intelligence here, not economic espionage, >or >industrial espionage, or "ecspionage." ............................................................... One day in a future galaxy, "ecspionage" will involve locating "flits"..... .. Blanc From perry at piermont.com Wed Jul 3 01:13:19 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 3 Jul 1996 16:13:19 +0800 Subject: Lack of PGP signatures In-Reply-To: <199607022343.TAA21050@darius.cris.com> Message-ID: <199607030500.BAA26348@jekyll.piermont.com> "David F. Ogren" writes: > Atkins) do not seem to PGP clearsign their messages to this list. In fact, > a surprisingly small percentage of messages on the C-punk list are signed. > This despite the fact that the average subscriber is at least literate in > PGP. > > Does anybody have any speculation on why this is? I'd say this is it: > Is it because most mail programs are not PGP aware? From die at pig.die.com Wed Jul 3 01:18:46 1996 From: die at pig.die.com (Dave Emery) Date: Wed, 3 Jul 1996 16:18:46 +0800 Subject: Message pools _are_ in use today! In-Reply-To: <199607021730.KAA18852@mail.pacifier.com> Message-ID: <9607030513.AA24821@pig.die.com> > > At 08:28 PM 7/1/96 -0700, David Wagner wrote: > > >If folks have better ideas for how to achieve really good recipient > >anonymity, I hope they'll speak up! > > > (BTW, for a few years a company called "Planet Connect" has been providing > FIDOnet data feeds, although they use the older-style, large antenna > systems, and their data rate is 19.2kbps, not even close to enough for > Internet service.) > There is another small company (used to be called Pagesat and now called NCIT) that provides a 115.2 kb compressed (gzip) forward error corrected feed of the entire USENET in near real time over a Ku band satellite - not big ugly 8-10 foot dish C band, but a 1 meter VSAT style fixed offset fed Ku dish (bigger than DSS - more the size of Primestar). (Satellite is K2 and soon will be GE-1). Pagesat/NCIT markets this service primarily to medium and small size ISPs, but it is available to individuals willing to pay $400/yr for the service and about $600-$1000 for the hardware. Dave Emery die at die.com From llurch at networking.stanford.edu Wed Jul 3 01:18:53 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 3 Jul 1996 16:18:53 +0800 Subject: SAFE Forum--some comments In-Reply-To: <199607022147.OAA10677@art.net> Message-ID: On Tue, 2 Jul 1996, Lile Elam wrote: > So, now I have some ideas on what I, as an individual can do to > help. Educating poeple about crypto. I work with alot of artists > on the net (~300+) and will introduce crytography to them. We'll > think of some cool ways to implement it in our work and in the > process will learn how to use it. :) A good toy to share might be CryptaPix, an image viewer with integrated crypto, http://execpc.com/~kbriggs/ as seen on comp.os.ms-windows.announce on 5/24. -rich From llurch at networking.stanford.edu Wed Jul 3 01:20:00 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 3 Jul 1996 16:20:00 +0800 Subject: Message pools _are_ in use today! In-Reply-To: Message-ID: On Wed, 3 Jul 1996, Ulf Moeller wrote: > >alt.anonymous.messages is not an ideal message pool-- it is a hack. > >(Granted, it *is* a really cool, clever, and practically useful hack.) > > I agree that alt.anonymous.messages is not perfect. But if you > download all articles and don't post to alt.anonymous.messages > without using a remailer, the only real threat are denial of > service attacks with cancel messages etc. You could also read alt.anonymous.messages by pointing The Anonymizer at AltaVista. Their news feed expires pretty quick, but it's probably just as fast and reliable as yours, if not better. -rich From declan at well.com Wed Jul 3 01:25:05 1996 From: declan at well.com (Declan McCullagh) Date: Wed, 3 Jul 1996 16:25:05 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port Message-ID: CyberWire Dispatch // Copyright (c) 1996 // Jacking in from the "Keys to the Kingdom" Port: Washington, DC -- This is a tale of broken codes, betrayal of a social contract, morality run amuck, and a kind of twisted John Le Carre meets the Crying Game encounter. For a range of companies producing so-called "blocking software" designed to keep kids from accessing undesirable material in cyberspace, the road to such a moral high ground turns out to be a slippery slope. These programs, spawned in the wake of the hysteria over how much porn Junior might find on the Net, have chosen the role of online guardians. The resulting array of applications, including names like SurfWatch, CyberPatrol, NetNanny and CyberSitter, acts as a kind of digital moral compass for parents, educators, paranoid Congressmen, and puritanical PTAs. Install the programs and Junior can't access porn. No fuss, no muss, no bother. "Parental empowerment" is the buzzword. Indeed, it was these programs that helped sway the three-judge panel in Philly to knock down the Communications Decency Act as unconstitutional. But there's a darker side. A close look at the actual range of sites blocked by these apps shows they go far beyond just restricting "pornography." Indeed, some programs ban access to newsgroups discussing gay and lesbian issues or topics such as feminism. Entire *domains* are restricted, such as HotWired. Even a web site dedicated to the safe use of fireworks is blocked. All this might be reasonable, in a twisted sort of way, if parents were actually aware of what the programs banned. But here's the rub: Each company holds its database of blocked sites in the highest security. Companies fight for market share based on how well they upgrade and maintain thhat blocking database. All encrypt that list to protect it from prying eyes --- until now. Dispatch received a copy of each of those lists. With the codes cracked, we now held the keys to the kingdom: the results of hundreds, no, thousands of manhours of smut-surfing dedicated to digging up the most obscene and pornographic sites in the world. And it's in our possession. But it didn't come easy... I'd just spent the better part of a muggy Washington night knocking back boilermakers in an all-night Georgetown bistro waiting for a couple of NSA spooks that never showed. I tried to stumble to the door and an arm reached out and gently shoved me back to my table. At the end of that arm was a leggy redhead; she had a fast figure and even faster smile. There was a wildness about her eyes and I knew it was the crank. But something else wasn't quite right. As I fought with my booze-addled brain, struggling to focus my eyes, I noticed her adam's apple. "Who needs this distraction," I thought, again wondering what kind of comic hellhole I fell into that put me in the middle of yet another bizarre adventure. "I have something for you," she/he deadpanned. Red had the voice of a baritone and a body you could break bricks on. No introductions, no chit-chat. This was strictly business and for a moment I thought I was being set up by the missing spooks. The hair on the back of my neck stood on end. Out from Red's purse came a CD-ROM. She/he shoved the jewel box across the table. It was labeled: "The keys to the kingdom." What the fuck was this? I must be on Candid Camera. Red anticipated my question: "I can't say; I won't say. Just take it, use it. That's all I'm supposed to say." And she/he got up, stretched those mile-high legs, and loped into the night. The next morning I slipped the disc in my Mac and the secret innards of the net-blocking programs flowed across my screen. CyberPatrol, SurfWatch, NetNanny, CyberSitter. Their encrypted files -- thousands and thousands of web pages and newsgroups with the best porn on the Net. Not surprising, really -- the net-blocking software companies collect smut-reports from customers and pay college kids to grope around the Net for porn. This shit was good. Even half-awake with a major league hangover, I could tell the smut-censoring software folks would go ballistic over Red's delivery. To Junior, these lists would be a one-stop-porn-shop. Susan Getgood from CyberPatrol emphasized this to Dispatch. She said: "The printout of the 'Cybernot' list never *ever* leaves this building. It's under lock and key... Once it left this building we'd see it posted on the Net tomorrow. It would be contributing to the problem it was designed to solve -- [it would be] the best source of indecent material anywhere." She's right. A recent version of CyberPatrol's so-called "Cybernot" list featured 4,800 web sites and 250 newsgroups. That's a lot of balloon-breasted babes. CyberPatrol is easily the largest and most extensive smut-blocker. It assigns each undesirable web site to at least one and often multiple categories that range from "violence/profanity" to "sexual acts," "drugs and drug culture," and "gross depictions." The last category, which includes pix of syphilis-infected monkeys and greyhounds tossed in a garbage dump, has some animal-rights groups in a tizzy. They told Dispatch that having portions of their sites labeled as "gross depictions" is defamatory -- and they intend to sue the bastards. "We're somewhat incensed," said Christina Springer, managing director of Envirolink, a Pittsburgh-based company that provides web space to environmental and animal-rights groups. "Pending whether [our attorney] thinks we have a case or not, we will actually pursue legal actions against CyberPatrol." Said Springer: "Animal rights is usually the first step that children take in being involved in the environment. Ignoring companies like Mary Kay that do these things to animals and allowing them to promote themselves like good corporate citizens is a 'gross depiction.'" CyberPatrol's Getgood responded: "We sent a note back to [the Envirolink director] and haven't heard back from him. Apparently he's happy with our decision. I still think the monkey with its eye gouged out is a gross depiction." Rick O'Donnell from the Progress and Freedom Foundation is amazed that Envirolink would threaten legal action. "It's new technology. It's trial-and-error... There will be glitches." "Filtering software firms have the right to choose whatever site they want to block since it's voluntary... Government-imposed [blocking] is censorship. Privately-chosen is editing, discernment, freedom of choice," he said. The Gay and Lesbian Alliance Against Defamation (GLAAD) is as unhappy as Envirolink. When Dispatch spoke with GLAAD's Alan Klein and rattled off a list of online gay and lesbian resources that the overeager blocking software censored, he was horrified. "We take this very seriously," said Klein. "Lesbian and gay users shouldn't be treated as second-class users on the Net. These companies need to understand that they can't discriminate against lesbian and gay users... We will take an active stance on this." CyberPatrol blocks a mirror of the Queer Resources Directory (QRD) at http://qrd.tcp.com/ and USENET newsgroups including clari.news.gays (home to AP and Reuters articles) alt.journalism.gay-press, and soc.support.youth.gay-lesbian-bi, Red's list revealed. CyberSitter also bans alt.politics.homosexual and the QRD at qrd.org. NetNanny blocks IRC chatrooms such as #gaysf and #ozgay, presumably discussions by San Francisco and Australian gays. GLAAD told Dispatch they were especially surprised that CyberPatrol blocked gay political and journalism groups since the anti-defamation organization has a representative on the "Cybernot" oversight committee, which meets every few weeks to set policies. However, Dispatch learned the oversight group never actually sees the previously top-secret "Cybernot" list. They don't know what's *really* banned. Why should alt.journalism.gay-press, for instance, be blocked? There's no excuse for it, said GLAAD's Klein. "A journalism newsgroup shouldn't be blocked. It's completely unacceptable... This is such an important resource for gay youth around the country. If it weren't for the Net, maybe thousands of gay teens around the country would not have come out and known there were resources for them." He's right. Even a single directory at the QRD, such as the Health/AIDS area, has vital information from the Centers for Disease Control and Prevention, the AIDS Book Review Journal, and AIDS Treatment News. In response to Dispatch's questions about these sites being blocked, CyberPatrol's Getgood said: "It doesn't block materials based on sexual preference. If a site would be blocked if there are two heterosexuals kissing, we'd block it if there are two homosexuals kissing." Fine, but we're not talking about gay porn here. What about some of the political groups? "We'll look into it," said Getgood. NetNanny is just as bad, argues GLAAD's Loren Javier, who called the software's logging features "dangerous." (The program lets parents review what their kids have been doing online.) "If you have someone who has homophobic parents, it gives them a way of keeping tabs on their kid and possibly making it worse for their children," said Javier. Worse yet, CyberPatrol doesn't store the complete URL for blocking -- it abbreviates the last three characters. So when it blocks the "CyberOS" gay video site by banning http://www.webcom.com/~cyb, children are barred from attending the first "Cyber High School" at ~cyberhi, along with 16 other accounts that start with "cyb." In attacking Shawn Knight's occult resources at http://loiosh.andrew.cmu.edu/~sha, the program cuts off 23 "sha" accounts at Carnegie Mellon University, including Derrick "Shadow" Brashear's web page on Pittsburgh radio stations. The geeks at CMU's School of Computer Science had fun with this. In March they cobbled together a "Banned by CyberPatrol" logo that they merrily added to their blocked homepages: http://nut.compose.cs.cmu.edu/images/ban3.gif NetNanny also has a fetish for computer scientists. For instance, it blocks all mailing lists run out of cs.colorado.edu -- including such salacious ones as parallel-compilers, systems+software, and computer-architecture. Guess those computer geeks talk blue when they're not pumping out C code. Dispatch asked Getgood why CyberPatrol blocks access to other seemingly unobjectionable web sites including the University of Newcastle's computer science department, the Electronic Frontier Foundation's censorship archive, and the League for Programming Freedom at MIT, a group that opposes software patents. Getgood replied via email: "I'll forward this message to our Internet Research Supervisor and have her look into the specific sites you mention..." She said there is a "fair process" for appeals of unwarranted blocking. But CyberPatrol doesn't stop at EFF and MIT. It also goes after gun and Second Amendment pages including http://www.shooters.com/, http://www.taurususa.com/, http://206.31.73.39/, and http://www-199.webnexus.com/nra-sv/, according to a recent "Cybernot" list. The last site is run by the National Rifle Association (NRA) Members' Council of Silicon Valley, and bills itself as "the NRA's grass roots political action and education group for the San Jose, Santa Clara, Milpitas, and surrounding areas." Peter Nesbitt, an air-traffic controller who volunteers as part of the Silicon Valley NRA group, says "it's terrible" that CyberPatrol blocks gun-rights web sites. "The people who are engaging in censoring gun rights or gun advocates groups are the opposition who want to censor us to further their anti-gun agenda." An unlikely bedfellow, the National Organization of Women (NOW) ain't too pleased neither. Of course, they're unlikely to feel any other way -- CyberSitter blocks their web site at www.now.org. Not to be outdone, NetNanny blocks feminist newsgroups while CyberSitter slams anything dealing with "bisexual" or "lesbian" themes." CyberPatrol beats 'em all by going after alt.feminism, alt.feminism.individualism, soc.feminism, clari.news.women, soc.support.pregnancy.loss, alt.homosexual.lesbian, and soc.support.fat-acceptance. Dispatch reached Kim Gandy, NOW's executive vice president, at home as she was preparing dinner for her 3-year old daughter. Gandy charged the companies with "suppressing information" about feminism. She said: "As a mother myself, I'd like to limit my kids from looking at pornography but I wouldn't want my teenage daughter [prevented] from reading and participating in online discussions of important current issues relating to womens rights." An indignant NOW? Let 'em rant, says CyberSitter's Brian Milburn. "If NOW doesn't like it, tough... We have not and will not bow to any pressure from any organization that disagrees with our philosophy." Unlike the others, CyberSitter doesn't hide the fact that they're trying to enforce a moral code. "We don't simply block pornography. That's not the intention of the product," said Milburn. "The majority of our customers are strong family-oriented people with traditional family values. Our product is sold by Focus on the Family because we allow the parents to select fairly strict guidelines." (Focus on the Family, of course, is a conservative group that strongly supports the CDA.) Dispatch particularly enjoyed CyberSitter's database, which reads like a fucking how-to of conversations the programmers thought distasteful: [up][the,his,her,your,my][ass,cunt,twat][,hole] [wild,wet,net,cyber,have,making,having,getting,giving,phone][sex...] [,up][the,his,her,your,my][butt,cunt,pussy,asshole,rectum,anus] [,suck,lick][the,his,her,your,my][cock,dong,dick,penis,hard on...] [gay,queer,bisexual][male,men,boy,group,rights,community,activities...] [gay,queer,homosexual,lesbian,bisexual][society,culture] [you][are][,a,an,too,to][stupid,dumb,ugly,fat,idiot,ass,fag,dolt,dummy] CyberSitter's Milburn added: "I wouldn't even care to debate the issues if gay and lesbian issues are suitable for teenagers. If they [parents] want it they can buy SurfWatch... We filter anything that has to do with sex. Sexual orientation [is about sex] by virtue of the fact that it has sex in the name." That's the rub. It's a bait and switch maneuver. The smut-censors say they're going after porn, but they quietly restrict political speech. All this proves is that anyone setting themselves up as a kind of digital moral compass quickly finds themselves plunged into a kind of virtual Bermuda Triangle, where vertigo reigns and you hope to hell you pop out the other side still on course. Technology is never a substitute for conscience. And for anyone thinking of making an offer for the disc, forget it. Like a scene out of Mission Impossible, we came back from a late-night binge to find the CD-ROM melted and the drive smoldering. Thank God there's a backup somewhere. Red, get in touch. Meeks and McCullagh out... ------------- While Brock N. Meeks (brock at well.com) did the heaving drinking for this article, Declan B. McCullagh (declan at well.com) did the heavy reporting. From snow at smoke.suba.com Wed Jul 3 01:52:28 1996 From: snow at smoke.suba.com (snow) Date: Wed, 3 Jul 1996 16:52:28 +0800 Subject: But what about the poor? In-Reply-To: <199607030031.RAA12438@mail.pacifier.com> Message-ID: On Tue, 2 Jul 1996, jim bell wrote: > stated policy of the escrow agent is that the key owner MUST be informed, > what are the cops gonna do about it? > > Further, how are the cops going to evidence the existence of a valid > warrant? (As opposed to a forgery?) The judge that issues it will digitally sign it. You can check the signature block. Petro, Christopher C. petro at suba.com snow at crash.suba.com From llurch at networking.stanford.edu Wed Jul 3 02:01:42 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 3 Jul 1996 17:01:42 +0800 Subject: Info on alleged new German digital wiretapping law? In-Reply-To: Message-ID: On Wed, 3 Jul 1996, Ulf Moeller wrote: > Rich Graves writes: > > > http://fight-censorship.dementia.org/fight-censorship/dl?num=3027 > > > >and in alt.fan.ernst-zundel. What's up? > > The report is correct. > > The mainstream press has completely ingnored the wiretap legislation, > probably because it is part of the long-awaited new telecommunications > law to end the Telekom monopoly. We 'merkins were probably just a little more aware. So what's the prospect for implementation? The claim is that law enforcement is supposed to have a back door to every computer system. Are we talking about escrow of root passwords, or what? That's the bit I found loony, given what I've heard (from you and others) about the generally semi-clueful technology and telecoms ministries. Is it THAT bad? -rich From stend at grendel.austin.texas.net Wed Jul 3 02:07:05 1996 From: stend at grendel.austin.texas.net (Firebeard) Date: Wed, 3 Jul 1996 17:07:05 +0800 Subject: Lack of PGP signatures In-Reply-To: <199607022343.TAA21050@darius.cris.com> Message-ID: <199607030559.AAA17707@grendel.austin.texas.net> -----BEGIN PGP SIGNED MESSAGE----- >>>>> Mark M writes: MM> On Tue, 2 Jul 1996, David F. Ogren wrote: DO> In fact, a surprisingly small percentage of messages on the C-punk DO> list are signed. This despite the fact that the average DO> subscriber is at least literate in PGP. DO> DO> Does anybody have any speculation on why this is? DO> DO> Is it because people consider mundane mail unimportant enough to DO> sign? MM> This is one reason. I think that there are several other reasons: >> Is it because most mail programs are not PGP aware? MM> I don't know of any mail programs that can use PGP (I know there MM> are various interfaces, sendmail wrappers, and other hacks, but I MM> have yet to see a mailer with an "Encrypt" or "Sign" option. Well, I'd say that the emacs/Gnus/mailcrypt combo is PGP aware - - properly installed, emacs has encrypt, sign, and remail menu items. I don't use it routinely mainly because I haven't set things up to propogate my key, so signing articles would be kind of useless. - -- #include /* Sten Drescher */ Unsolicited solicitations will be proofread for a US$100/page fee. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQEVAwUBMdoLmC+2V9GxYWz1AQEwMwf+MKji8AGIfhmLCkANxjzvqc209yLlGEAz J1LIXuN4+2M7fVPPKmsg6jiUT0k4G0IpXJMF7bbolDYd1PjEAlJiRhlCa7D8GJbz w21cE2IN8qvJZfzZrncfsOlElOzQXBbi2DpyF1xPzxRvOodwGBT80iVOQR6K0jZO wficMfAUmItp7y5+W+L+y2rsAaQ+gkhuLAyKwe7C4n7eYW+2Pqh7CvJT/Ob7nlTD OgrR8i9m6cl6G5JsJAcb/FYcRzyr8+k8BzvryWqiALS0QGwv8lzbbP0HS9171Fu7 vAXcilhV4WNgG7WVBcElIYlgGW5yiaUxq64O91QVQPfrR283c3APTg== =rVPk -----END PGP SIGNATURE----- From llurch at networking.stanford.edu Wed Jul 3 02:08:01 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 3 Jul 1996 17:08:01 +0800 Subject: Lack of PGP signatures In-Reply-To: <199607030142.VAA29584@toxicwaste.media.mit.edu> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Tue, 2 Jul 1996, Derek Atkins wrote: > Actually, I don't PGP sign my messages because 95% of the time my > connection to my mail host (the machine on which I read and respond to > mail) is insecure. Composing the message, bringing the message to my "Me too," though I recently created a 512-bit key just for the purpose of such insecure signing. As long as people understand that that key simply means "this is either me, or someone who has gone to the trouble of cracking root here, or someone who spent a couple weeks brute-forcing this key," it's useful to prevent casual attacks. Several others are doing the same thing... I know all the NoCeM posters and most of the newsgroup moderators using PGPMoose have created suuch secondary keys. - -rich finger or send mail with subject line "send pgp key" if you want 'em -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQBVAwUBMdoJ+JNcNyVVy0jxAQH7fwIAvK/GWCSXtoDyZWIC+rffKjv/VNbQL/J8 nvabWe7DC6NMp6iGmmZCaIkuvD+TON6rEpu3xatyim0R8ILQoSPyfg== =/wh3 -----END PGP SIGNATURE----- From llurch at networking.stanford.edu Wed Jul 3 02:11:02 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 3 Jul 1996 17:11:02 +0800 Subject: LE Risks with No Crypto In-Reply-To: <2.2.32.19960703002028.00ba3b24@panix.com> Message-ID: On Tue, 2 Jul 1996, Duncan Frissell wrote: > Too bad AT&T doesn't use an encrypted open books system to store is records > so that "bad guys" can't abuse those records and put our heroic law > enforcement personnel at risk. I keep hearing suggestions like this, but I don't think they'd work. If you needed a digital key to grok phone records, then that digital key would be passed around just as casually as the current passwords. Any organization that large, where 99% of the information is banal and uninteresting 99% of the time, cannot keep secrets. It's unreasonable to expect them to. It doesn't make business sense to promise security, because when they fail to deliver, as they can't, they'll get their ass sued. I recently had a practical joker call up all the magazines to which I was subscribed and change my address to that of the local hospital, where these practical jokers were suggesting they'd like to send me. There is no security against this kind of attack, because it's just not in most people's threat profile. This kind of thing is annoying, but it can't be helped. Adding a reasonable level of security to such an insignificant system would increase the cost of that system by several orders of magnitde. It's just not worth it. In the unicorn of Color's relative absence, it falls on me to stress that you can't trust organizations to protect your privacy. If you need to participate in an insecure system, and everybody does, use cash, and use psedonyms. > This is a perfect illustration of the fact that technology puts the > government most at risk because it will always be the juiciest target. > "Worth the powder to blow it up with." This is true. -rich From jimbell at pacifier.com Wed Jul 3 02:14:21 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 3 Jul 1996 17:14:21 +0800 Subject: SAFE Forum--some comments Message-ID: <199607030603.XAA01097@mail.pacifier.com> At 08:44 PM 7/2/96 -0700, Martin Minow wrote: >It's not quite that bad. Here are a few (more or less strong) crypto >products you might not know you have: > >1. Every Macintosh made since at least 1988 has a secure authentication > client module in the AppleShare Chooser dialog. When you use it to > connect to a remote server, it notes that the user information > is "two-way scrambled." (The server sends a random number challenge > that the client uses to encrypt the username and password. The > encrypted information is sent to the server.) All Macintosh systems > running System 7 or later have the corresponding server software. > What is interesting about this is that the encryption is completely > invisible to the user. How did this affect the Macintosh's exportability? >Note that the VCR companies have solved the vcr problem by receiving >a timecode from a local television station -- making the problem >invisible to the end user. We should be able to do the same with >strong crypto. I haven't bought a new VCR in a few years. Is this real? What prevented them from doing this 10 years ago? Jim Bell jimbell at pacifier.com From vznuri at netcom.com Wed Jul 3 03:14:54 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Wed, 3 Jul 1996 18:14:54 +0800 Subject: The Net and Terrorism In-Reply-To: <2.2.32.19960703005232.009d18e4@labg30> Message-ID: <199607030700.AAA12965@netcom3.netcom.com> >Do you still not accept that we have a world that contains people who exist >in conditions that foster and breed terrorists? of course. but what TCM's writing often seems to hide is a cynicism about these conditions. "there's nothing we can do about it. buy a bulletproof jacket and avoid crowed downtown areas". I'm saying this cynicism and isolationism tends to make the problem worse, not better. you clearly agree that we must find the reasons that terrorists are being bred, and work to eliminate those conditions. TCM apparently would feel that such a thing is a waste of time. another thing that annoys me about the TCM slant or "spin" is the pervasive connotation in his writing that terrorism is going to get far worse in the future. if so, I would say that is because world conditions that breed terrorists are getting far worse. he seems to convey the idea that the world is a nonsensical place where things, like increases in terrorism, occur for no particular reason. keep in mind that Ruby Ridge and Waco happened only a few years ago. that's a nanosecond in cosmic time, yet the terrorist repercussions are being felt immediately. I would say its very visceral evidene that terrorists are responding to events and are not just madmen out for the fun of killing people. there's a bit of that of course.. >So, do you not accept that we have the environment right here that can breed >violence and discontent? it's a fatalistic way of putting it. yes I agree that such an environment exists. no, I don't believe there is nothing that can be done about it. no, I don't believe that everything that can be done about it has been done about it. far from the case. my point in the essay. >So your point here is one of *agreement* that human nature will produce >psychological profiles of people who commit acts of terror. no, I specifically reject that insanity and violence are "normal" aspects of human behavior. merely because they have been around for centuries does not prove they are normal, only how warped the world has become such that abnormality is considered normal. >Violence is here. It's been present since recorded history. We've gotten >pretty good at it, actually. I think the record speaks pretty clearly that >violence continues to be a part of human behavior, despite any efforts made >to stop it. what your argument amounts to is essentially "well gosh, if there was a way to get rid of violence we would have discovered it by now". not if you are cynical, pessimistic, closeminded, and believe that violence is simply a part of life. >As I said above, we can reduce some of the breeding grounds, but we can not >eradicate them all. And if one were to conduct a study correlating racist >attitudes with education with numbers of acts of terror, we might find a >direct correlation. no, but I believe you can eradicate virtually all the most extreme "swamplike breeding grounds" that lead to the most insane terrorism such as OKC. would OKC have happened if neither ruby ridge or Waco happened? a compelling case can be made... >The U.S. has a level of tolerance for diversity that I only recently came to >appreciate. I agree. but it's not optimal. it's fantastic compared to the rest of the world, though, I agree. good anecdote. >I am more than willing to agree with you that elimination of hatred and >prejudice will go farther than any law enforcement measures to reduce >terrorist acts. However, my point, and I believe this is Tim's point, too, >is that it will *never* eliminate these acts, and that there must be other >ways of dealing with the problems that occur. disagree. terrorism on the scale of OKC is largely unprecedented in American history. I believe you are conflating degrees of violence. and behind your and Tim's argument is that "there is a point at which it is a waste of time to try to put any more work into eradicating terrorism, because it is inevitable". >Look at the Irish Question: they want independance from a government they >deem undesirable. Look at the arabian terrorist bombings of Americans in >Saudi Arabia, Lebanon, etc.: they want to drive the U.S. Army out. the point is that there is no physical strategic value from bombing symbols. I was making the point that terrorism is extremely symbolic at the root. I'm not saying either warfare or terrorism is better than the other. they're both very evil. but it seems to me that people like TCM who equate terrorist activities with what governments do are doing a grave disservice to civilization. you can find isolated examples where governments behave like terrorist organizations, but their primary purpose is to avoid such situations. >You may think that you hold every answer to terrorism in your hand, that >hugs and kisses before bedtime will make the evil monsters under the bed go >away. bzzzzzzt. what I am pointing out is that what Tim is essentially saying, as you seem to be, that trying to combat terrorism is a waste of time because it is a fact of life, is erroneous in my view. it is a common libertarian argument that goes, "criminality is everywhere, so why try to stop it?" a rather juvenile ideology. may you live in your reality and see what it is like. hint: the current one we are living in is not one in which the government does not try to fight terrorism. The point of Tim's essay was that, yes, the net can be used by the >evil monsters, and yes, the evil monsters are here, and no, the evil >monsters are not going away any time soon. Why did you feel it necessary to >try to slam his fairly well-researched and quite obvious conclusion? because, from my past experience, it seems Timmy's wildest fantasies are always contained in the paragraphs in which he says, "now, I'm not advocating this or anything...." From eagle at armory.com Wed Jul 3 05:02:51 1996 From: eagle at armory.com (Jeff Davis) Date: Wed, 3 Jul 1996 20:02:51 +0800 Subject: SAFE Forum--some comments In-Reply-To: Message-ID: <9607030224.aa08663@deepthought.armory.com> Tim sez... > And here I'll comment on Ken Bass's excellent comments (there were many > excellent points). Bass is a D.C.-area lawyer with the prestigious Venable > law firm (the venerable Venable firm?), and a former Reagan Administration > official. > > He pointed out that the driving force for crypto policy is probably the > _law enforcement_ camp, not the _intelligence agency_ camp. And that the > NSA is regretting the ITAR stuff, as it has sparked an "arms race" to > develop stronger crypto. Bass noted that people now equate permission to > export with weakness, and that had the U.S. not restricted exports, users > probably would've been "fat, dumb, and happy" to keep using breakable > crypto. Bass is fun to drink with too. His web site is under attack and he needs a hacker if anyone is interested in doing any pro bono community service work. Bruce's comments on the robustness of foreign, (i.e. unescrowed) encryption were very enlightening as well. It was good to see all the old CDT hands, and the munchies Gilmore bought went quickly at the Godwin table. Mike makes a substantial argument that the Supreme Court will not overturn ACLU et. al. v. Reno, but I wouldn't pretend to speak for him. And Cindy Cohn is the point man in the Super Bowl long range recon team, Bernstein v. DoS. Defending Bernstein on First Amendment grounds and having judge Patel rule that for the purposes of the case, source code is speech, is a big deal. The First Amendment survives the Electronic Revolution with ACLU v. Reno. The Super Bowl is ITAR. It's nice to have some momentum going in to the Super Bowl. With robust, uncompromised cryptography, we can reclaim the 4th Amendment ourselves. I have a feeling that the congressional support is reaching critical mass. Oh yeah, knowing me as you do Tim, it probably doesn't surprise you that the entire global positioning system is going to roll over at midnight 23 August 1999, and claim it's my 25th birthday, 6 January 1980... As Barlow says, "You know its gonna get stranger, so let's get on with the show!" -- According to John Perry Barlow: *What is EFF?* "Jeff Davis is a truly gifted trouble-maker." *email * *** O U T L A W S On The E L E C T R O N I C F R O N T I E R **** US Out Of Cyberspace!!! Join EFF Today! *email * From anthony at direct.it Wed Jul 3 06:00:44 1996 From: anthony at direct.it (Anthony Daniel) Date: Wed, 3 Jul 1996 21:00:44 +0800 Subject: hard drive encryption Message-ID: <2.2.32.19960703100758.0069f568@betty.direct.it> Hi You could try using SECURE Desk-Top. It can encrypt your hard drive using a symmetrical key. The algorithms are DES and IDEA (128 bits). It's fast and you could choose exactly what part of the drive to encrypt, whether just some files or the entire drive. You can download the software from this url: http://www.systems.it/secure All the best Anthony > >What is the best utility freely available for encrypting an entire drive >that won't be used for a length of time? ie: I'm going away for a period >of time and wish to encrypt the drive while I'm gone, but have no interest >in actually using it while it's encrypted. I also have no real preference >in what algorithm is used, as long as it's relatively secure. Speed is >also not a big consideration, as it will be used once when I leave to encrypt, >and once when i return to decrypt. >Thanks in advance for the help... >//cerridwyn// > >btw, the OS is Win95 if that matters... > From eagle at armory.com Wed Jul 3 07:17:11 1996 From: eagle at armory.com (Jeff Davis) Date: Wed, 3 Jul 1996 22:17:11 +0800 Subject: SAFE Forum--some comments In-Reply-To: <199607022014.NAA10761@netcom14.netcom.com> Message-ID: <9607030239.aa09019@deepthought.armory.com> Vladimir rebuts May quoting Bass... > >He pointed out that the driving force for crypto policy is probably the > >_law enforcement_ camp, not the _intelligence agency_ camp. And that the > >NSA is regretting the ITAR stuff, as it has sparked an "arms race" to > >develop stronger crypto. > > doesn't make sense to me at all. who was behind clipper? the NSA, not > the FBI. the FBI is behind digital telephony, which involved > *wiretapping*, not key escrow. That's because you don't understand American Football. The NSA is Jerry Kramer for the FBI's Frank Gifford on a double whammy end around of any substantial public hearings on the subject running a play Lombardi designed in the height of the Cold War. The only problem is Lombardi died of cancer, and the Clinton Administration has been duped into winning one for the Gipper- except the Gip has altzheimers and Nancy has to wipe his chin, so its bed time for Bonzo, ITAR and EES! Party on C'punks! Internet is the revenge of the nerds on Acid. (Don't post when you're peaking...don't post when you're peaking...) -- According to John Perry Barlow: *What is EFF?* "Jeff Davis is a truly gifted trouble-maker." *email * *** O U T L A W S On The E L E C T R O N I C F R O N T I E R **** US Out Of Cyberspace!!! Join EFF Today! *email * From ses at tipper.oit.unc.edu Wed Jul 3 07:25:52 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Wed, 3 Jul 1996 22:25:52 +0800 Subject: PGP secret keys In-Reply-To: <199607022040.QAA09851@unix.asb.com> Message-ID: On Tue, 2 Jul 1996, Deranged Mutant wrote: > On 2 Jul 96 at 6:39, anonymous-remailer at shell.port wrote: > > > Could someone post a pointer to a FAQ that tells what to do if you loose > > your secret key file? How can you regenerate your private key so that the > You can't do anything. Yer screwed. Unless you buy an 'O' and you're escrowed :-) --- Cause maybe (maybe) | In my mind I'm going to Carolina you're gonna be the one that saves me | - back in Chapel Hill May 16th. And after all | Email address remains unchanged You're my firewall - | ........First in Usenet......... From daw at cs.berkeley.edu Wed Jul 3 07:52:40 1996 From: daw at cs.berkeley.edu (David Wagner) Date: Wed, 3 Jul 1996 22:52:40 +0800 Subject: Message pools _are_ in use today! In-Reply-To: Message-ID: <4rdm7p$2lm@joseph.cs.berkeley.edu> In article , Timothy C. May wrote: > I must be missing something....: Nope! That would be..er..my fault. :-) > I'm not following your "upload an article to the NNTP server." Don't most > people use mail-to-News gateways to post anonymously? (If not, they should, > of course.) > > This way, the posting of an article has the anonymity provided by the chain > of remailers used to reach the terminal site, the mail-to-News gateway. You are quite right. I was mixing my criticisms. My mistake. A message pool provides only recipient anonymity, of course. For sender anonymity (e.g. posting to a message pool), chaining is the right way to go. > The posting is anonymous (within the usual limits we discuss here), and the > reading is "pretty hard" to focus on, for several reasons: > > 1. Hard to gain access to local ISP without sending alerts out (it would be > for my ISP, at least). This is admittedly not cryptographically > interesting, but is a very real practical difficulty. > > 2. Many who browse alt.anonymous.messages probably "glance" at many of the > oddly-named message pool messages. I know I do. Again, makes it a "needle > in a haystack" to know which of several hundred folks who glanced at > "ToBear" or "TheRealMessage"--assuming the NSA could ever identify these > hundreds--is the real intended target. > > 3. And I recall that many have newsreaders which download _all_ messages in > a newsgroup automatically. Again, this makes the pool of potential readers > quite large and meaningless to try to track. > > The use of public posting areas for message pools (what I called "Democracy > Walls" several years back) seems to me have several compelling advantages > over "reply-block" approaches. Good points, all of them. I agree that public message pools seem to give far better security than reply-block approaches. (Although the two can be combined: set up a nym reply-block which just redirects traffic to alt.anonymous.messages; then the reply-block is not security-critical, but does allow folks to contact you by a simple email address.) Jim Bell brought up the really nifty point that someday soon we may be able to receive these message pools by satellite dish-- hurray for true broadcasting! That would provide most excellent security (unless `they' started requiring licenses, waiting periods, ... to own a dish-- unlikely). I can't wait. Another suggestion was to read alt.anonymous.messages by pointing the anonymizer at it. This doesn't stand up to my threat model at all. The anonymizer only provides you anonymity against a malicious server who is trying to collect marketing information-- it doesn't protect you against SIGINT folks eavesdropping on network links, performing traffic analysis, etc. to trace back your access. Now if we had pipe-net deployed :-), the idea might work... From asgaard at sos.sll.se Wed Jul 3 08:43:24 1996 From: asgaard at sos.sll.se (Asgaard) Date: Wed, 3 Jul 1996 23:43:24 +0800 Subject: Info on alleged new German digital wiretapping law? In-Reply-To: Message-ID: On Wed, 3 Jul 1996, Ulf Moeller wrote: > > http://fight-censorship.dementia.org/fight-censorship/dl?num=3027 > > > >and in alt.fan.ernst-zundel. What's up? > > The report is correct. > > The mainstream press has completely ingnored the wiretap legislation, > probably because it is part of the long-awaited new telecommunications > law to end the Telekom monopoly. As has the media in Sweden completely ignored that we have our own 'Digital Telephony Act' as of July 1. I haven't been able to find it on the net yet. From second hand sources it seems more or less identical to the US one, although the financial burdens for reprogramming and hardware adjustsments are put solely on the telco's (Sweden has no monopoly since a decade). The telco's have a respite until 7.1.97 to fulfill the requirements. Asgaard From m5 at vail.tivoli.com Wed Jul 3 09:32:49 1996 From: m5 at vail.tivoli.com (Mike McNally) Date: Thu, 4 Jul 1996 00:32:49 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port In-Reply-To: Message-ID: <31DA7000.6239@vail.tivoli.com> Declan McCullagh/Brock Meeks wrote (and quite well, I might add): > ... > Install the programs and Junior can't access porn. No fuss, no muss, no > bother. "Parental empowerment" is the buzzword. Indeed, it was these > programs that helped sway the three-judge panel in Philly to knock down > the Communications Decency Act as unconstitutional. Scenario: Mr. & Mrs. Joseph and Mary Christian buy SmutNoMore for their home computer, to protect their children Mathew, Mark, Luke, John, and Zebediah. All are happy and content. One day, Mathew and Mark go to a the home of a school chum, Bart Simpson, whose parents are products of the liberal 60's. Bart has a computer too, along with an ISDN link through a local ISP to the Internet. But --- horrors --- Bart's computer is not equipped with SmutNoMore, or any other filtering software. Bart's parents do not believe it to be fair to filter their children's access to information. During that afternoon of Internet fun, Mark clicks the mouse and follows a hyperlink link to a web site filled with nasty objectionable anti-family morally corrosive filth. Mark and Mathew run home in tears to their parents and tell all about the nightmare they've experienced. I wonder whether the Christians would be able to successfully sue the Simpsons on some sort of "corruption of a minor" deal? Indeed, couldn't it even be possible that some local prosecutor might find the Simpsons criminally involved? ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * * suffering is optional From WlkngOwl at unix.asb.com Wed Jul 3 10:13:53 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Thu, 4 Jul 1996 01:13:53 +0800 Subject: NOISE.SYS v0.6.3 is released. Message-ID: <199607031410.KAA15519@unix.asb.com> NOISE.SYS Version 0.6.3-Beta is now released. Check ftp.funet.fi in directory /pub/crypt/random. NOISE.SYS is a /dev/random-like driver for DOS systems, similar to the Linux implementation. It collects timings from keystrokes, disk access, mouse movement, and other system events as sources of randomness. Changes include: Ability to add samples by writing to RANDOM$ or URANDOM$ devices Fixes bug when reading RANDOM$ device in ASCII mode under MSDOS7 (Yes, it was a minor bug) If you have any questions, comments, or problems, drop me a line. Rob. --- No-frills sig. Befriend my mail filter by sending a message with the subject "send help" Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From froomkin at law.miami.edu Wed Jul 3 10:28:14 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Thu, 4 Jul 1996 01:28:14 +0800 Subject: Ken Bass: Wire tap only useful for conviction (Was: SAFE Forum--some comments) In-Reply-To: <199607030102.SAA05930@server1.chromatic.com> Message-ID: On Tue, 2 Jul 1996, Ernest Hua wrote: > > > And here I'll comment on Ken Bass's excellent comments (there were many > > excellent points). > > > > He pointed out that the driving force for crypto policy is probably the > > _law enforcement_ camp, not the _intelligence agency_ camp. > > Ken pointed out that law enforcement had to have gotten enough > evidence prior to a wire tap request to show probable cause. > If this is the case, then the only usefulness of wire taps is > to improve the likelihood of conviction and not the detection > of potential terrorist (or child molestation or your favorite > bad guy) plots. I thought Ken Bass was wrong on this point (I agreed with everything else he said): wiretaps help LEOs identify co-conspirators. They are not without intelligence value. [This message may have been dictated with Dragon Dictate 2.01. Please be alert for unintentional word substitutions.] A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's hot here. And humid. From jimbell at pacifier.com Wed Jul 3 10:53:25 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 4 Jul 1996 01:53:25 +0800 Subject: The Net and Terrorism Message-ID: <199607031403.HAA16134@mail.pacifier.com> At 12:00 AM 7/3/96 -0700, Vladimir Z. Nuri wrote: > >keep in mind that Ruby Ridge and Waco happened only a few years >ago. that's a nanosecond in cosmic time, yet the terrorist >repercussions are being felt immediately. I would say its very >visceral evidene that terrorists are responding to events and >are not just madmen out for the fun of killing people. there's >a bit of that of course.. If you listen to the Feds discussing this most recent militia story, when they're asked what was the militia's motivation, they don't want to talk about it, and won't even speculate on more than the most unspecific, vacuous terms. Jim Bell jimbell at pacifier.com From bshantz at nwlink.com Wed Jul 3 11:02:07 1996 From: bshantz at nwlink.com (Brad Shantz) Date: Thu, 4 Jul 1996 02:02:07 +0800 Subject: Lack of PGP signatures Message-ID: <199607031436.HAA27482@montana.nwlink.com> Mark M. Wrote: > > Is it because most mail programs are not PGP aware? > > I don't know of any mail programs that can use PGP (I know there are various > interfaces, sendmail wrappers, and other hacks, but I have yet to see a mailer > with an "Encrypt" or "Sign" option. Once upon a time last year or the year before, Tim May posted why he doesn't use PGP very often. And I have always stood by that same sentiment. Yes, it is a good encryption product, but it is not integrated seamlessly into other applications. Tim, feel free to whack me if you think I'm speaking for you. If, as cypherpunks, we want to spread the use of strong crypto, we need to have a better interface than what currently exists on PGP 2.6.2. I'm sure Derek and the other guys on PGPlib will make it easier to integrate into applications. Am I just blowing smoke, Mr. Atkins? PGP is a pain for encrypting or signing e-mail when you have to save your message out to a temp file, encrypt it, and load it back in to your mail package. Sure, there are things like Private Idaho, which I use on occasion. But, it is still a seperate application that just doesn't fit seamlessly into most applications. In my free time, I have been playing around with add ons for Microsoft Exchange. I've got an OLE 2.0 encryption object that embeds nicely into an Exchange message. I haven't tied it in to PGP yet, because I have been waiting for the release of PGPlib. However, that will allow at least some seamless integration. Brad Shantz TRIsource Windows Development Services From minow at apple.com Wed Jul 3 12:39:43 1996 From: minow at apple.com (Martin Minow) Date: Thu, 4 Jul 1996 03:39:43 +0800 Subject: SAFE Forum--some comments Message-ID: Jim Bell asks about Macintosh exportability. There appears to be no problem using a non-tappable authentication in the AppleShare client (but this does not mean that the actual data is secure). The PowerTalk module (available with System 7.5 and later, but to be replaced in the future for reasons not having to do with crypto) supports additional crypto-related functions, including MD5, RSA digital signatures and 40-bit encrypted (and, hence, exportable) data streams. Apple did negotiate with the export control people in order to fashion a technology that could be exported. There are also country-specific kits in order to meet import requirements. The actual strong encryption capabilities are not accessable to developers or end users. MD5 and RSA signing API's are published and, as part of my work at Apple, I wrote and distributed sample code that shows how to use them to sign and verify arbitrary data areas. At the poorly-attended June physical c-punks meeting in Palo Alto, I gave a very brief overview of Apple's "crypto-related" capabilities and could repeat it at a future meeting. > >I haven't bought a new VCR in a few years. Is this real? What prevented >them from doing this 10 years ago? > This is fairly recent. It requires a cooperating (generally, PBS) station that broadcasts the timecode in one of the retrace lines. Martin. minow at apple.com From warlord at MIT.EDU Wed Jul 3 12:44:48 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Thu, 4 Jul 1996 03:44:48 +0800 Subject: Lack of PGP signatures In-Reply-To: <199607031436.HAA27482@montana.nwlink.com> Message-ID: <199607031509.LAA09556@toxicwaste.media.mit.edu> > I'm sure Derek and the other guys on PGPlib will make it easier to > integrate into applications. Am I just blowing smoke, Mr. Atkins? No, you are not blowing smoke. That is the hope of the PGPlib project; PGPlib will make it easy (almost trivial) to integrate PGP security into almost any application. > In my free time, I have been playing around with add ons for > Microsoft Exchange. I've got an OLE 2.0 encryption object that > embeds nicely into an Exchange message. I haven't tied it in to PGP > yet, because I have been waiting for the release of PGPlib. However, > that will allow at least some seamless integration. Neat. I don't know enough about OLE to comment, but can we discuss this offline? Is there an equivalent of OLE (AppleEvents, perhaps?) for the Mac? It would be really cool if we could come up with a plug-in standard that gets put into mailers such that we could later add a PGP drop-in that performs the encryption using those standard interfaces. -derek From bluebreeze at nym.jpunix.com Wed Jul 3 13:23:28 1996 From: bluebreeze at nym.jpunix.com (bluebreeze at nym.jpunix.com) Date: Thu, 4 Jul 1996 04:23:28 +0800 Subject: Sameer on C-SPAN Message-ID: <199607031555.KAA02107@alpha.jpunix.com> :bluebreeze at nym.jpunix.com (Blue Breeze) wrote: :> :> Not everything. No picture of Sameer!? That's what I'd like to see. : :There's one in the latest WebSmith magazine. Thanks Matt. Outta my way! (Thanks to Alan too.) From tcmay at got.net Wed Jul 3 14:00:50 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 4 Jul 1996 05:00:50 +0800 Subject: Message pools _are_ in use today! Message-ID: At 11:40 AM 7/3/96, David Wagner wrote: >Jim Bell brought up the really nifty point that someday soon we may be >able to receive these message pools by satellite dish-- hurray for true >broadcasting! That would provide most excellent security (unless `they' >started requiring licenses, waiting periods, ... to own a dish-- unlikely). >I can't wait. Yeah, and I should have mentioned the "PageSat" Usenet distribution model, too. (It was a really hot topic 3-4 years ago, but I've heard little of it in the past couple of years...the rise of the Web has made passive downloads of Usenet a lot less interesting.) Someone mentioned the Ku-band dishes that are used by PageSat (or whatever it is now called....). My DSS system, which is technically a Ku-band receiver, has a digital i/o connector of some sort on the back, and it is rumored that this will someday be available for PageSat-like uses. (I have a feeling this may be years off, for admin reasons if not technical reasons.) The point being that there are already _many_ ways to read NetNews almost untraceably. With more to come. (NetNews also used to be available on CD-ROM; the volume is now so high that this just isn't practical anymore. But it underscores the point that NetNews is so "distributed" that attempts to track who is reading "alt.anonymous.messages," and _particular_ messages in such a group, are nearly hopeless.) Finally, the threat model has two angles to consider: 1. The authorities want to know all those who have read a particular message--call it "ToAlice" to keep in the "Alice" and "Bob" framework. 2. The authorities already have identified a suspect, call him "Bob," and wish to know if he reading (and perhaps decrypting) messages to "Alice." As several of us have noted, #1 is tough--real tough. The authorities would have to contact 10,000 or more ISPs who have local newsfeeds and subpoena their logs of who read which newsgroups...assuming such logs are even kept (I don't know the granularity of such logs, whether any logs are kept of specific newsgroups and specific messages within newsgroups). The authorities would have to also check on the other distribution "vectors," including _subscriptions_ to NetNews newsgroups (where a newsgroup is _mailed_ to recipients...I heard this is an option for some). And PageSat, and so on. The second angle, #2, is formally equivalent to wiretapping a target. Once identified, and tapped, anything the target reads can presumably be read by the authorities. (Quibbles: I really mean a "black bag" type of surveillance, where the target's local machine has been compromised/tapped.) The bottom line is this: were I an FBI agent given the task of finding out who is reading a specific message or series of messages, e.g., the "ToAlice" encrypted messages posted in alt.anonymous.messages, I would tell my bosses it is economically impractical. --Tim May (P.S. I think this recent discussion of message pools, started by Hal and continued by this latest thread, is very important. Message pools have fewer of the kinds of "correlations" that can allow sender-recipient correlations to be made.) Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From nowhere at alpha.c2.org Wed Jul 3 14:04:38 1996 From: nowhere at alpha.c2.org (nowhere at alpha.c2.org) Date: Thu, 4 Jul 1996 05:04:38 +0800 Subject: Lack of PGP signatures Message-ID: <199607031631.JAA07820@infinity.c2.org> At 09:42 PM 7/2/96 EDT, Derek Atkins wrote: :Basically, I refuse to type my passphrase over the net, which signing :all my messages (this one included) would require. : :-derek Why, in heaven's name, would you have to "type your passphrase over the net" to encypher a message? From sandfort at crl.com Wed Jul 3 14:12:46 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Thu, 4 Jul 1996 05:12:46 +0800 Subject: Ken Bass: Wire tap only useful for conviction (Was: SAFE Forum--some comments) Message-ID: <2.2.32.19960703163757.00761c98@popmail.crl.com> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ C'punks, At 09:59 AM 7/3/96 -0400, Michael Froomkin wrote: >...wiretaps help LEOs identify co-conspirators. They are >not without intelligence value. True, but so do pen registers. It's usually easy enough to separate calls to Pizza Hut from calls to co-cospirators. There is no need to hear the content of a call to get a good idea who is involved in a conspiracy. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From drosoff at arc.unm.edu Wed Jul 3 14:25:28 1996 From: drosoff at arc.unm.edu (David Rosoff) Date: Thu, 4 Jul 1996 05:25:28 +0800 Subject: But what about the poor? Message-ID: <1.5.4.16.19960703170022.48475994@arc.unm.edu> -----BEGIN PGP SIGNED MESSAGE----- At 09.29 PM 7/2/96 -0800, jim bell wrote: >At 10:16 PM 7/2/96 -0500, snow wrote: >>On Tue, 2 Jul 1996, jim bell wrote: >>> stated policy of the escrow agent is that the key owner MUST be informed, >>> what are the cops gonna do about it? >>> >>> Further, how are the cops going to evidence the existence of a valid >>> warrant? (As opposed to a forgery?) >> >> The judge that issues it will digitally sign it. You can check the >>signature block. > > >However, what about an UNCOOPERATIVE escrow agent? (one who insists on >signed paper, or for that matter insists that the judge himself shows up.) >Or one, at least, who sites himself in Borneo, on the top of a 4000 foot >mountain, with a 386 laptop computer and a box of floppies, and who promises >2 hour services to anybody who shows up? No email, no fax, no phone, no >light, no motor car, not a single luxury....oooops....sorry about that...not >even radio. > >Moreover, if the escrow agent is out of the country, can any domestic laws >force him to divulge keys? And anyway, you could just be a kind of escrow agent that will hold the keys for the key owner, right? You don't have to say that you will provide them to the government, right? =============================================================================== David Rosoff (nihongo o sukoshi dekiru) ----------------> drosoff at arc.unm.edu For PGP key 0xD37692F9, finger drosoff at acoma.arc.unm.edu 0xD37692F9 Key fingerprint = 25 7D AA 01 85 41 43 89 50 5A 33 76 F1 F1 99 67 Do you know who's reading your email? ---> http://www.arc.unm.edu/~drosoff/pgp/ Anonymous ok, PGP ok. If it's not PGP-signed, you know that I didn't write it. === === === === === === === === === === === === === === === === === === === === "Truth is stranger than fiction, especially when truth is being defined by the O.J. Simpson Defense Team." -Dave Barry -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMdqh6hguzHDTdpL5AQFD4gQAlm9cekEcnq26tQkwTljb+xDGc5wRQL6e D5gqXo2JpCQuLXfdYND5ROoV58T4UL43uXMfo8ziqq2mMNRY5SsNKaOWi+f4bw6c SEhMBeBIzLnd50rIzQvWfRzaVr1NBwKjlOGpmRD9H3lWsap/l2ttog4CdShWRWdv 4GMLwzh+PhE= =Y2+p -----END PGP SIGNATURE----- From frantz at netcom.com Wed Jul 3 14:32:30 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 4 Jul 1996 05:32:30 +0800 Subject: SAFE Forum--some comments Message-ID: <199607031659.JAA25899@netcom8.netcom.com> At 9:34 PM 7/2/96 -0800, jim bell wrote: >However, that AT+T fellow who revealed the phone records to the militia >group would also be an appropriate comparison to destroy the "key-escrow" >idea. I assume AT+T had procedures in place which were SUPPOSED TO prevent >this. Well, key-escrow agents "will" also have similar procedures. Why >should we assume they will be more reliable? We shouldn't. In fact, they will have a much higher economic value. I would expect them to be more vulnerable to insiders. ------------------------------------------------------------------------- Bill Frantz | The Internet may fairly be | Periwinkle -- Consulting (408)356-8506 | regarded as a never-ending | 16345 Englewood Ave. frantz at netcom.com | worldwide conversation. | Los Gatos, CA 95032, USA From rah at shipwright.com Wed Jul 3 14:36:18 1996 From: rah at shipwright.com (Robert Hettinga) Date: Thu, 4 Jul 1996 05:36:18 +0800 Subject: Lack of PGP signatures In-Reply-To: <199607031436.HAA27482@montana.nwlink.com> Message-ID: At 11:09 AM -0400 7/3/96, Derek Atkins wrote: > Is there an equivalent of OLE (AppleEvents, perhaps?) > for the Mac? It would be really cool if we could come up with a > plug-in standard that gets put into mailers such that we could later > add a PGP drop-in that performs the encryption using those standard > interfaces. Damn betcha. It's called OpenDoc, and it's probably the most exciting thing to happen to the Mac since desktop publishing. See my web-page for a rant or two on the subject. Vinnie Moscaritolo (Famous ex-Marine and Samoan Attorney) started a list at mailto://majordomo at thumper.vmeng.com called mac-crypto (send "subscribe mac-crypto" in the body of the message), where we're talking about stuff like this, and other things. One of the projects we've been kicking around is a Macintosh Digital Commerce Conference ("Digital Commerce *is* Financial Cryptography", and all that...), and it looks like Vinnie's very close to getting a conference date set up. A while ago, the folks working on the Macintosh Cryptography Interface Project merged their list with mac-crypto, so things have been getting interesting, even if traffic is a little sparse these days. Getting a conference date firmed up should change that, we hope. So would a discussion of PGPlib in OpenDoc... Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://www.vmeng.com/rah/ From tcmay at got.net Wed Jul 3 14:36:27 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 4 Jul 1996 05:36:27 +0800 Subject: Lack of PGP signatures Message-ID: At 7:38 AM 7/3/96, Brad Shantz wrote: >Once upon a time last year or the year before, Tim May posted why he >doesn't use PGP very often. And I have always stood by that same >sentiment. Yes, it is a good encryption product, but it is not >integrated seamlessly into other applications. Tim, feel free to >whack me if you think I'm speaking for you. If, as cypherpunks, we >want to spread the use of strong crypto, we need to have a better >interface than what currently exists on PGP 2.6.2. You are correct in your memory of what I said. My message is somewhere in the archives...but the archives are of course no longer very available. I'll make a few brief points: 1. PGP and other crypto tools are not well-integrated into Eudora, Microsoft Mail, cc:Mail (or whatever), Netscape mail, etc. Sure, various tools exist, but not out-of-the-box. (Proof that crypto confusion has been a successful strategy for U.S. authorities.) 2. For me, using PGP means using MacPGP. This means cutting-and-pasting and extra work. (Given that I often delete messages after only glancing at them for 5 seconds or less, any additional work is not welcome.) 3. Of course, I will only _decrypt_ messages sent to me personally, for obvious reasons. And given that I am very open about my political views and am neither a money launderer nor a conspirator, nor a Horsemen of any other flavor, most of the PGP-encrypted messages sent to me are banal and PGP use was unneeded. (After doing the mumbo jumbo to decrypt a message, I get crap like "Yo, Tim, just wanted to say that PGP is, like, really kewl. Send me some encrypted stuff.") And so on. I use PGP when I think it is necessary. As to using it _routinely_, at least signing routinely and checking signatures routinely, it can't be routine until it is routine. Why isn't mail in the major e-mail packages _automatically_ signed? Look to them for answers. Look to the NSA for more answers. Look to Dorothy Denning for an explanation of why obstacles need to be placed in the path of wider use of crypto. (Note to Mac users: before any of you wastes your time composing a message to me about a new package that makes links to MacPGP through AppleEvents, it turns out that one has to first install a tool that is only commercially available, for $$$. Again, obstacles have been placed in the path of easy and wide use of crypto.) Finally, a comment. I've never really bought the argument that we should all be using PGP in all of our messages to set some kind of example or to provide cover traffic. We don't have to set any kind of example, in my cosmology. And the "cover traffic" is amply provided by an exponential increase in Web traffic, alternate routes, new services, etc. I think crypto tools need to be made easier to use (without installing additional commercial tools which cost more than the mail package itself), but until then I will feel no guilt about not using PGP more than I do. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From drosoff at arc.unm.edu Wed Jul 3 14:36:48 1996 From: drosoff at arc.unm.edu (David Rosoff) Date: Thu, 4 Jul 1996 05:36:48 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port Message-ID: <1.5.4.16.19960703170027.5fc7bc80@arc.unm.edu> -----BEGIN PGP SIGNED MESSAGE----- At 12.10 AM 7/3/96 -0500, Declan McCullagh wrote: >CyberWire Dispatch // Copyright (c) 1996 // >Install the programs and Junior can't access porn. No fuss, no muss, no >bother. "Parental empowerment" is the buzzword. Indeed, it was these >programs that helped sway the three-judge panel in Philly to knock down >the Communications Decency Act as unconstitutional. I've wondered .. could a creative child circumvent these filter programs using a URL-redirecter, like where you see something like http://www.one.site.com/cgi-bin/rd?http://www.porno-site.com/ or are they not URL-based? =============================================================================== David Rosoff (nihongo o sukoshi dekiru) ----------------> drosoff at arc.unm.edu For PGP key 0xD37692F9, finger drosoff at acoma.arc.unm.edu 0xD37692F9 Key fingerprint = 25 7D AA 01 85 41 43 89 50 5A 33 76 F1 F1 99 67 Do you know who's reading your email? ---> http://www.arc.unm.edu/~drosoff/pgp/ Anonymous ok, PGP ok. If it's not PGP-signed, you know that I didn't write it. === === === === === === === === === === === === === === === === === === === === "Truth is stranger than fiction, especially when truth is being defined by the O.J. Simpson Defense Team." -Dave Barry -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMdqkPhguzHDTdpL5AQG77QP7B6oJR9SOeJYyTP9fnad+Yn/fA/ZObaf3 szA2m9Sytxslfd/Juu19KfTTTjncE7dHMBnq6PuyouKD5jwkTnncnXNe7R2Tgjp8 SdVpyUUdFz++lLdBQ1WYos+eCU2QaGqsYe5+79MkHhFOk1XOhAH8zX5hG9kwuO+q 8C9/wuf6ZyU= =NfcF -----END PGP SIGNATURE----- From drosoff at arc.unm.edu Wed Jul 3 14:37:03 1996 From: drosoff at arc.unm.edu (David Rosoff) Date: Thu, 4 Jul 1996 05:37:03 +0800 Subject: PGP secret keys [PUN] Message-ID: <1.5.4.16.19960703170031.48477926@arc.unm.edu> -----BEGIN PGP SIGNED MESSAGE----- At 07.23 AM 7/3/96 -0400, Simon Spero wrote: >On Tue, 2 Jul 1996, Deranged Mutant wrote: > >> On 2 Jul 96 at 6:39, anonymous-remailer at shell.port wrote: >> >> > Could someone post a pointer to a FAQ that tells what to do if you loose >> > your secret key file? How can you regenerate your private key so that the >> You can't do anything. Yer screwed. > >Unless you buy an 'O' and you're escrowed :-) AAAAAAGH! Death by pun! =============================================================================== David Rosoff (nihongo o sukoshi dekiru) ----------------> drosoff at arc.unm.edu For PGP key 0xD37692F9, finger drosoff at acoma.arc.unm.edu 0xD37692F9 Key fingerprint = 25 7D AA 01 85 41 43 89 50 5A 33 76 F1 F1 99 67 Do you know who's reading your email? ---> http://www.arc.unm.edu/~drosoff/pgp/ Anonymous ok, PGP ok. If it's not PGP-signed, you know that I didn't write it. === === === === === === === === === === === === === === === === === === === === "Truth is stranger than fiction, especially when truth is being defined by the O.J. Simpson Defense Team." -Dave Barry -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMdqkpBguzHDTdpL5AQG4KAP9G0Ej5v4wIytlZYGywG2hfgHKGHqmqt58 lCd9cdEno1vD0OzYHx86wx7unxfIBZU93ueKsFLpou0XKnTxBuDc0qw/z4WORBUc WGANjF2+XyyR/RxrVKNIwl/mbdc59WmWP2Mg1Xzb19kULhvRXbMS7kQJYba+JmRF jXvXJC4V6b4= =lQxI -----END PGP SIGNATURE----- From tcmay at got.net Wed Jul 3 14:51:42 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 4 Jul 1996 05:51:42 +0800 Subject: The Net and Terrorism Message-ID: At 7:00 AM 7/3/96, Vladimir Z. Nuri wrote: >of course. but what TCM's writing often seems to hide is a cynicism >about these conditions. "there's nothing we can do about it. buy >a bulletproof jacket and avoid crowed downtown areas". I'm saying >this cynicism and isolationism tends to make the problem worse, >not better. you clearly agree that we must find the reasons that >terrorists are being bred, and work to eliminate those conditions. >TCM apparently would feel that such a thing is a waste of time. Well, I've written many dozens of articles on this issue (and many thousands of articles overall). My article made my points, so I won't rewrite it here. You are of course not required to agree. You are free to live in crowded cites--near "soft targets." You are welcome to lobby for world peace and for economic changes to lessen terrorism. (I think this is mostly hopeless. No matter how "nice" conditions get, for game-theoretic reasons there will be some groups seeking changes.) >another thing that annoys me about the TCM slant or "spin" is the >pervasive connotation in his writing that terrorism is going >to get far worse in the future. if so, I would say that is because >world conditions that breed terrorists are getting far worse. he >seems to convey the idea that the world is a nonsensical place >where things, like increases in terrorism, occur for no particular >reason. I've never made any claims, explicit or implicit, that such acts are "for no particular reason." Various groups--religious, political, corporate, etc.--see advantages and disadvantages in various course of action. (This sounds nebulous, but I am trying to avoid citing specific examples; I'm trying to separate out the reactions people have to specific camps and look at the bigger picture.) >keep in mind that Ruby Ridge and Waco happened only a few years >ago. that's a nanosecond in cosmic time, yet the terrorist >repercussions are being felt immediately. I would say its very >visceral evidene that terrorists are responding to events and >are not just madmen out for the fun of killing people. there's >a bit of that of course.. Straw man. I never claimed that terrorists are doing it just for the fun of it. The "terrorist" bomb that killed 230 American soldiers in Beirut in 1983 was done for "good" reasons ("good" in the sense of advancing their goals)--that bomb triggered an almost immediate departure of Americans from Beirut. Mission accomplished. (I also don't call that attack a "terrorist" event, given the target and the state of war extant.) Classical terrorism, such as that of the Bologna train station bombing by the P2 Lodge, also advances political goals. It is not done "randomly," or "for the fun of it." >no, I specifically reject that insanity and violence are "normal" >aspects of human behavior. merely because they have been around >for centuries does not prove they are normal, only how warped >the world has become such that abnormality is considered normal. You and others are of course welcome to lobby for people to be nice to each other. Peace and brotherhood, rah rah. I believe there are basic game-theoretic reasons which make conflict and jockeying for power "not surprising." >the point is that there is no physical strategic value from bombing >symbols. I was making the point that terrorism is extremely symbolic And the bombing in Beirut is explained how? Bear in mind that the British thought the Colonial tactic of shooting at them from behind trees--a "terrorist" tactic borrowed from the Indians who used it on the colonists--was immoral and unsportsmanlike. Ditto our feeling that the "sneak attack" on Pearl Harbor was immoral. I take the meta-view that the attack on Pearl Harbor was brilliantly carried-out military strategy, just as the bombing of the Marine barracks in Beirut was brilliantly carried-out military strategy. > >bzzzzzzt. what I am pointing out is that what Tim is essentially saying, >as you seem to be, that trying to combat terrorism is a waste of time >because it is a fact of life, is erroneous in my view. it is a common >libertarian argument that goes, "criminality is everywhere, so why try >to stop it?" a rather juvenile ideology. may you live in your reality and >see what it is like. hint: the current one we are living in is not >one in which the government does not try to fight terrorism. You really need read up on the "strategy of tension," esp. the writings of Stefano Dellechiai (sp?) and the Russian "anarchists" of the late 19th century. Also, the role the CIA played in funding former German commando Otto Skorzeny in setting up "terrorist" groups in the 1950s and 60s. Basically, one of the things terrorists want to do is to provoke a crackdown by the ruling authorities, making things so bad that a counterrevolution occurs. They believe they will reap the rewards of such a counterevolution (or revolution, as it need not be "counter"). You can all fill in the way this worked for leftists hoping for a leftist revolution (Sindero Luminoso being the exemplar here) and rightists hoping that things will get so bad that a fascist or rightist revolution will occur (P2 being an example). My main point in my essay was that violence and authoritarianism are all around us, and that responding to the attacking of "soft targets" by cracking down on basic liberties is NOT something we should endorse. Taking responsibility for our own protection is preferable. (And my point about moving out of cities referred to what *I* am doing; others are of course free to mingle in crowded markets, hoping that the bombs won't come that day. Others are free to send their children to day care centers located in likely targets for ZOG's enemies to bomb, and so on.) >because, from my past experience, it seems Timmy's wildest >fantasies are always contained in the paragraphs >in which he says, "now, I'm not advocating this or anything...." If you can't make your points reasonably and convincingly, I see that you once again make ad hominem arguments. Calling me "Timmy" is not terribly effective. --Timmy Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From declan at well.com Wed Jul 3 15:13:57 1996 From: declan at well.com (Declan McCullagh) Date: Thu, 4 Jul 1996 06:13:57 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port Message-ID: Sameer's www.anonymizer.com is not blocked -- yet, at least. Some of the programs release weekly updates, so as soon as it's reported by some Net-groping pornhound, I'm sure it'll end up in there. But the blocking apps do more than just check on URLs -- which do constitute most of the databases. (I mentioned that CyberPatrol lists 4,800 web sites.) They also block by keywords. So going through a URL-redirector to "playboy.com" or "xxxpix" would fail. CyberPatrol is free for the download. Check it out! http://www.cyberpatrol.com/ -Declan >-----BEGIN PGP SIGNED MESSAGE----- > >At 12.10 AM 7/3/96 -0500, Declan McCullagh wrote: > >>CyberWire Dispatch // Copyright (c) 1996 // > >>Install the programs and Junior can't access porn. No fuss, no muss, no >>bother. "Parental empowerment" is the buzzword. Indeed, it was these >>programs that helped sway the three-judge panel in Philly to knock down >>the Communications Decency Act as unconstitutional. > >I've wondered .. could a creative child circumvent these filter programs >using a URL-redirecter, like where you see something like >http://www.one.site.com/cgi-bin/rd?http://www.porno-site.com/ >or are they not URL-based? > >=============================================================================== >David Rosoff (nihongo o sukoshi dekiru) ----------------> drosoff at arc.unm.edu >For PGP key 0xD37692F9, finger drosoff at acoma.arc.unm.edu >0xD37692F9 Key fingerprint = 25 7D AA 01 85 41 43 89 50 5A 33 76 F1 F1 99 67 >Do you know who's reading your email? ---> http://www.arc.unm.edu/~drosoff/pgp/ >Anonymous ok, PGP ok. If it's not PGP-signed, you know that I didn't write it. >=== === === === === === === === === === === === === === === === === === === === >"Truth is stranger than fiction, especially when truth is being defined by the >O.J. Simpson Defense Team." -Dave Barry > >-----BEGIN PGP SIGNATURE----- >Version: 2.6.2 > >iQCVAwUBMdqkPhguzHDTdpL5AQG77QP7B6oJR9SOeJYyTP9fnad+Yn/fA/ZObaf3 >szA2m9Sytxslfd/Juu19KfTTTjncE7dHMBnq6PuyouKD5jwkTnncnXNe7R2Tgjp8 >SdVpyUUdFz++lLdBQ1WYos+eCU2QaGqsYe5+79MkHhFOk1XOhAH8zX5hG9kwuO+q >8C9/wuf6ZyU= >=NfcF >-----END PGP SIGNATURE----- From cibir at netcom.com Wed Jul 3 16:07:58 1996 From: cibir at netcom.com (Joseph Seanor) Date: Thu, 4 Jul 1996 07:07:58 +0800 Subject: Setting a PGP keyserver on my Web server In-Reply-To: <199607031436.HAA27482@montana.nwlink.com> Message-ID: How can I go about setting up a PGP keyserver on my Web Server? Joseph Seanor cibir at netcom.com From crypto at nas.edu Wed Jul 3 16:09:10 1996 From: crypto at nas.edu (CRYPTO) Date: Thu, 4 Jul 1996 07:09:10 +0800 Subject: A public briefing in NYC on the NRC cryptography policy... Message-ID: <9606038364.AA836431090@nas.edu> Subject: A public briefing in NYC on the NRC cryptography policy report The NRC report entitled Cryptography's Role in Securing the Information Society was released on May 30, 1996. A public briefing on the report will be held in New York City: Wednesday, July 10, 1996, 10:00 am to noon. It will be presented at the Association of the Bar of the City of New York (ABCNY) under the aegis of its Committee on Science and Law. Mr. Kenneth Dam, study chair and Max Pam Professor of American and Foreign Law at the University of Chicago, Mr. Colin Crook, committee member and senior technology officer at Citicorp, and Dr. Herbert Lin, study director and senior staff officer of CSTB, will be present. The briefing will take place in the Stimson Room, 42 W. 44th Street, New York, New York, from 10:00 a.m. to Noon. Committee members will respond to questions from attendees, and a limited number of pre-publication copies of the report will be available at that time. For further information, please contact Michael Schiffres of the ABCNY Committee on Science and Law at (718) 248-5708 for further information. The event is open to the press and the public. If you have suggestions about other places that the committee should offer a public briefing, please send e-mail to crypto at nas.edu. From frantz at netcom.com Wed Jul 3 16:14:08 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 4 Jul 1996 07:14:08 +0800 Subject: Lack of PGP signatures Message-ID: <199607031912.MAA08945@netcom8.netcom.com> -----BEGIN PGP SIGNED MESSAGE----- At 7:38 AM 7/3/96 +0000, Brad Shantz wrote: >PGP is a pain for encrypting or signing e-mail when you have to save >your message out to a temp file, encrypt it, and load it back in to >your mail package. On my Mac I just entered this answer, cut it to the clipboard, launched PGP, clearsigned it, and pasted the result back into the Eudora window for the new mail. Bill -----BEGIN PGP SIGNATURE----- Version: 2.6 iQB1AwUBMdqyT9QgMXPCzT+1AQF35QMAiUM/5pVLwh41m0KncAiW+kms0d/GWn2W C8RNwQpzanwEBaNyCpd/MSPdMAz5+YRrstnmp9MqGwbKMbsW4frqb86Dxdpgp2/f qnwHvik9PlU/K81unAPij83MulSuysdJ =feiY -----END PGP SIGNATURE----- ------------------------------------------------------------------------- Bill Frantz | The Internet may fairly be | Periwinkle -- Consulting (408)356-8506 | regarded as a never-ending | 16345 Englewood Ave. frantz at netcom.com | worldwide conversation. | Los Gatos, CA 95032, USA From frantz at netcom.com Wed Jul 3 16:14:50 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 4 Jul 1996 07:14:50 +0800 Subject: SAFE Forum--some comments Message-ID: <199607031912.MAA08980@netcom8.netcom.com> At 08:44 PM 7/2/96 -0700, Martin Minow wrote: >It's not quite that bad. Here are a few (more or less strong) crypto >products you might not know you have: > >1. Every Macintosh made since at least 1988 has a secure authentication > client module in the AppleShare Chooser dialog. When you use it to > connect to a remote server, it notes that the user information > is "two-way scrambled." (The server sends a random number challenge > that the client uses to encrypt the username and password. The > encrypted information is sent to the server.) All Macintosh systems > running System 7 or later have the corresponding server software. > What is interesting about this is that the encryption is completely > invisible to the user. I hear this as the server sends out a key which the client uses to encrypt the username/password. This algorithm makes less sense than the one I thought I heard at the SAFE forum on Monday which was: (1) The server sends out a challenge/salt (different each time) (2) The client uses a secure hash to compute hash(salt||password) and returns the username and the hash. (3) The server computes hash(salt||password) and compares the hashes. Given that there is still some interest in algorithms and protocols on this list, can you describe what is really happening? Thanks - Bill ------------------------------------------------------------------------- Bill Frantz | The Internet may fairly be | Periwinkle -- Consulting (408)356-8506 | regarded as a never-ending | 16345 Englewood Ave. frantz at netcom.com | worldwide conversation. | Los Gatos, CA 95032, USA From shelly at wyverstone.win-uk.net Wed Jul 3 16:21:15 1996 From: shelly at wyverstone.win-uk.net (Andrew Sheldon) Date: Thu, 4 Jul 1996 07:21:15 +0800 Subject: LACC: GCHQ/DTI briefing on strong encryption - Report Message-ID: <43@wyverstone.win-uk.net> Following are Ross Anderson's comments from the recent meeting hosted by the IEE in the UK with contributions from GCHQ, Security Services, et al. They are long but are, I feel, worth posting here... (appologies if they have already been posted - I've been away... =========== From: rja14 at cl.cam.ac.uk (Ross Anderson) Newsgroups: sci.crypt,alt.security,uk.telecom,alt.security.pgp Subject: HMS Clipper - GCHQ bungling! Date: 28 Jun 1996 12:20:19 GMT Organization: U of Cambridge Computer Lab, UK Message-ID: <4r0im3$32p at lyra.csx.cam.ac.uk> I went to the meeting organised at the IEE yesterday on the UK `Trusted Third Party' proposals. One of the speakers, Nigel Hickson of the DTI, confirmed that escrowing of confidentiality keys would be mandatory. He also claimed that an OECD expert group was working on `global crypto guidelines', and made clear that the controls would focus on small-to medium enterprises and individuals rather than on large companies. It was a most extraordinary meeting, and showed up GCHQ in a rather poor light. The introductory talk was given by Andrew Saunders, advertised as head of CESG (GCHQ's protection arm) since 1991 and a GCHQ board member. He remarked that the debate on encryption had been acrimonious, especially in the USA, but that now technology made possible a compromise in the form of `Trusted Third Parties' which would supply a key delivery service and a key recovery service for both users and law enforcement authorities. I asked him whether his department had advised ministers that it was all right to release the April report on encryption in the NHS network (which floated the TTP idea), or had at least had sight of it before its release. He claimed to have no knowledge of whether his agency had seen it. After a talk on the common criteria by Murray Donaldson of the Ministry of Defence, Saunders left, and we were addressed by a man introduced as Paul Fleury, head of the information systems security group at the security service. He was claimed to have been with MI5 for 18 years, and in his current post for 5; and to head a team of 9 people responsible for the overall UK threat assessment (with technical input from GCHQ), as well as for managing CRAMM and running UNIRAS (the UK government equivalent of CERT). Strangely enough for such a senior and responsible person, his name did not appear on the programme, and in the list of participants he appears only as `UNIRAS SPEAKER, Security Service, PO Box 5656, London EC1A 1AH' (so now you know - but why did he turn up with slides that had his name on them and yet not write his name in the attendance register?) His talk contained little to surprise, with statistics on viruses, equipment thefts and hacking. He did mention that 98% of the 873 hacking incidents in 1994/5 were abuse of access by insiders rather than external attack. The third talk was by Elizabeth France, the Data Protection Registrar, who expressed amusement at my having ironically referred to her (along with the other speakers) as `one of the forces of darkness' when I relayed notice of the meeting to the net. She proceeded to blaze with light; she argued that the national security exemptions to data protection law should be curtailed, and could see no reason why the security service should not have to register along with everybody else. She also pleaded for the wider use of privacy enhancing technologies, such as the use of pseudonyms in medical databases. Next was John Austen of the Yard, who pointed out that company directors can get ten years' jail if one of their employees has kiddieporn on a company server, since under the Children and Young Persons Act simple possession is an offence. Then Bob Hill of the MoD talked about the SOS-TDP project to provide security interfaces in Microsoft, Novell and DEC products, linked with Northern Telecom's `Enterprise Security Toolkit'; David Ferbrache of DRA talked about security threats from the Internet; John Hughes of TIS about firewalls; and Alex McIntosh of PCSL about how his company built a crypto infrastructure for Shell and got government approval for it. The threat model depicted in these talks was remote from reality. For example, it was categorically stated that most thefts of PCs are for the information in them, rather than the resale value of the machine or its components. False - over 11% of UK general practitioners have experienced theft of a practice PC, yet there is only one case known to the BMA in which the information was abused. Another example was the numbers put on various threats: satellite TV hacking was said to cost 300,000 pounds a year (according to News Datacom at Cardis 94, that should be 200,000,000) while other risks were wildly inflated. Bob Morris, the former NSA chief scientist, is fond of asking security researchers, `Do you consider yourself to be more dishonest, or more incompetent?' Well, does GCHQ know that the threat model presented at their meeting is wrong, or don't they? Anyway, Alex McIntosh's talk brought matters back to crypto policy when he explained that following UK and US government approval of a corporate security architecture designed for Shell, Fortune 500 companies would be trusted to manage their own keys. The explanation is that they have so much to lose that they will be responsive to warrants and subpoenas. (The doctrine of equality of persons before the law was not, of course, mentioned.) The final speaker was Nigel Hickson from the DTI. The excuse given for his late arrival ws that he had been in France with the OECD and had been discussing crypto policy for three days. He looked somewhat junior but was said to co-chair the ITSEC scheme with CESG and to be one of a group of five people in DTI responsible for information security policy. In the introduction to his talk, he picked up on Alex's remarks about Shell and stated that the motivation for the DTI's involvement was that while `large firms will crack security', it would be an inhibiting factor for small-to-medium firms and individuals, and would prevent them participating in commerce on the Internet (this seemed to clash with the policy announcement that corporate encryption would be regulated but private would not be). He then quite blatantly waffled until his time was almost up before getting to the reason most people had come to the meeting, namely the DTI announcement of its intent to regulate `Trusted Third Parties'. My notes on his words are as follows: Why the UK announcement? Many reasons, some of which are highlighted in the public statement. The primary reason is that to secure electronic commerce people will need access to strong crypto, and if this is serious then government will have to look at what systems are `appropriate'. The UK government has spent a lot of time discussing the essential balance. Continued law enforcement access is required along the lines of the Interception of Communications Act. The government has `obviously' looked at TTPs and at `elements of key escrow'. There was no mention of national intelligence requirements. Policy framework for the provision of encryption services: 1 No new controls on the use of encryption, such as types of algorithm. The introduction of trusted third parties will be on a voluntary basis; 2 Licensing of TTPs will be on (a) competence (b) ability to provide a service (c) cooperation with government under conditions of warranted interception; 3 International working will be the essential vehicle to drive it - first in Europe and then in a wider field. Legislation later this year is possible. The EU is working on a `second infosec decision' to promote TTPs in Europe. The OECD expert group is working on global crypto guidelines. By the time he had finished this short exposition, he had run over the advertised time of 4.15, eating well into the fifteen minutes that the programme had allocated for discussion. There were only a few questions: Paul Leyland managed to ask whether it would be mandatory for confidentiality keys to be escrowed, and Hickson said yes. Just as the questions were starting to flow, the chairman - advertised as Mr DJ Robertson, Ministry of Defence - declared the meeting closed. I objected; I pointed out that there were plenty of people with questions, and that the government's attempts to sell their proposal would not be aided by such blatant news management, which would surely be reported. He said that we absolutely had to be out of the room by half past four - the time then - and overruled me, remarking that the Universities of Oxford and Cambridge had asked quite enough questions. Then a large gentleman came up to me and said that he hoped my remark about publicising their news management had been made in jest. I told him that it was not, and he became menacing. He said that the meeting was held under IEE rules and seemed taken aback when I stood my ground and told him I was a member. He then said that he was also a graduate of Cambridge and that he would write to very senior people in the University about me. Good luck to him. Although he wouldn't give me his name, his lapel badge said `B Buxton' and the attendance register lists a Bill Buxton, Parity Solutions Ltd., Wimbledon Bridge House, 1 Hartford Road, Wimbledon SW19 3RU. After the meeting, we milled around, to the evident discomfiture of the man advertised as Robertson. Finally, at almost five o'clock, an IEE lady turned up while there were still a few of us in the corridor. He asked her to see us off the premises, at which she smiled and asked whether we knew our way out. When I said yes, she said 'that's all right then' and went off. The man advertised as Robertson scuttled away without meeting my eye. As Bob would ask, incompetence or dishonesty? Well, I didn't get the impression that our spooks are even competent at being dishonest. Ross Anderson From hlin at nas.edu Wed Jul 3 16:42:53 1996 From: hlin at nas.edu (Herb Lin) Date: Thu, 4 Jul 1996 07:42:53 +0800 Subject: SAFE forum -- remarks of Herb Lin Message-ID: <9606038364.AA836434501@nas.edu> Folks -- I object to the characterization of my remarks about crime prevention being made with sarcasm. The complete remark was "Crime prevention ought to be part of the FBI's mission, ... and it is -- ask them, and they acknowledge that." No sarcasm was intended; the basic point was, and is, that encryption has costs from the perspective of the authorized information collection efforts of law enforcement, and benefits from the perspective of preventing information crimes such as the compromise of proprietary business information. I am not on the cypherpunks list, so if you want me to respond, pls copy me at hlin at nas.edu. herb === Date: Tue, 2 Jul 1996 10:57:30 -0700 (PDT) >From: Rich Graves To: cypherpunks at toad.com Subject: Re: SAFE Forum On Mon, 1 Jul 1996, Bill Frantz wrote: > "Crime prevention ought to be part of the FBI's mission. [Herbert Lin, > National Research Council] In case it's not clear, this was said with much sarcasm... i.e., today's FBI is too often engaged in other pursuits.. This in the context of explaining that ubiquitous strong crypto is the best defense against computer crime. -rich From maldrich at grci.com Wed Jul 3 16:55:02 1996 From: maldrich at grci.com (Mark O. Aldrich) Date: Thu, 4 Jul 1996 07:55:02 +0800 Subject: PGP, Inc. indeed has purchased ViaCrypt and Lemcom Systems Message-ID: C'punks: In case you've not seen the press release, it's at http://www.viacrypt.com/lit/pgpinc.htm This brings "back home" the license that Phil granted for the commercial sales of PGP. While PGP, Inc., has a web page (www.pgp.com) it, uh, doesn't really have anything on it. I guess they're busy doing a make on PGPfone, or designing a new box for ViaCrypt software. :) ------------------------------------------------------------------------- |Just as the strength of the Internet is |Mark Aldrich | |chaos, so the strength of our liberty |GRCI INFOSEC Engineering | |depends upon the chaos and cacophony of |maldrich at grci.com | |the unfettered speech the First Amendment|MAldrich at dockmaster.ncsc.mil | |protects - District Judge Stewart Dalzell| | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From ogren at cris.com Wed Jul 3 16:58:05 1996 From: ogren at cris.com (David F. Ogren) Date: Thu, 4 Jul 1996 07:58:05 +0800 Subject: Lack of PGP signatures Message-ID: <199607032012.QAA13633@darius.cris.com> -----BEGIN PGP SIGNED MESSAGE----- To: cypherpunks at toad.com Date: Wed Jul 03 16:09:34 1996 > At 09:42 PM 7/2/96 EDT, Derek Atkins wrote: > > :Basically, I refuse to type my passphrase over the net, which signing > :all my messages (this one included) would require. > : > :-derek > > Why, in heaven's name, would you have to "type your passphrase over the > net" to encypher a message? > Lots of people still deal with the Internet remotely, despite the profileration of SLIP/PPP accounts. To see the the difference consider the following two scenarios: 1. Alice connects to the Internet via a PPP account. She downloads all of her mail to Exchange (on her local computer), from which she can encrypt/decrypt et cetera. All encryption is done locally and securely. 2. Bob connects to the Internet via a "shell" account. All processing is done by his ISP's unix machine. He reads his mail on the mail reader provided by unix machine. He has two choices: 2A. Install PGP on the ISP's unix machine and use it to encrypt/decrypt messages. This is relatively easy, but also insecure. The ISP's administration has access to his secret keyring, and his password must be sent over the modem line to the ISP before it used. Thus he is "typing his passphrase over the net". 2B. He can download the mail to his local machine manually. Manually encrypt/decrypt the mail there and then upload it (again manually) to the host computer to be sent. This is secure, but it's also a pain in the butt. David F. Ogren | ogren at concentric.net | "A man without religion is like a fish PGP Key ID: 0x6458EB29 | without a bicycle" - ------------------------------|---------------------------------------- Don't know what PGP is? | Need my public key? It's available Send a message to me with the | by server or by sending me a message subject GETPGPINFO | with the subject GETPGPKEY -----BEGIN PGP SIGNATURE----- Version: 2..6.2 iQEVAwUBMdrTf+SLhCBkWOspAQGLHgf+LEQRFzRl5vdWoGDI8TKhyfHHjBbCszHV Fshtoa2h3vj+GcqGhh3IBTBwynZWlrQTHZeON41XMcl7ZxUqb9yd3C0qxaBE56Yk Bf1b9KVa+z7GWue3EVbcuOP2wNBQjUKC0FZLjwHGxiLH1+sZ2HvTGzBSLeHWoMFq oYyxLR6RZMbMy/2lKWJDIaz9CB4X8p5TPqvHQqoOIAhM6cmJkJc6VlPdW4bQgWWi unzKcaMf9WuHH3crZMNAeGsnq2PkzYlDCTQNsESHIBtlw0+Z8gjmGaqnI2ouG1gh b0ozEOOvgo+jrLF1+uXy92UJzdOFeNq4kXjbqxa9QQ7FidtDYpskkw== =B5gF -----END PGP SIGNATURE----- From wendigo at gti.net Wed Jul 3 17:02:22 1996 From: wendigo at gti.net (Mark Rogaski) Date: Thu, 4 Jul 1996 08:02:22 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port In-Reply-To: <1.5.4.16.19960703170027.5fc7bc80@arc.unm.edu> Message-ID: <199607032025.QAA25327@apollo.gti.net> -----BEGIN PGP SIGNED MESSAGE----- An entity claiming to be David Rosoff wrote: : : I've wondered .. could a creative child circumvent these filter programs : using a URL-redirecter, like where you see something like : http://www.one.site.com/cgi-bin/rd?http://www.porno-site.com/ : or are they not URL-based? I would assume that the filters look for regexp's in the query string, too. How about a nice little Nutscape plugin that uses a rot13'd query string? http://www.one.site.com/cgi-bin/sneaky-rd?uggc://jjj.cbeab-fvgr.pbz/ Hmmm, no bad words in the query string. Of course the filter package would start looking for rot13'd stuff in the next release. So the next logical step is to use the URL encrypted with the redirector's public key ... or better yet, a dynamically generated key. Just convert it to radix64 so as to avoid ?'s &'s or ='s, and use that as the query string. The plug-in would only be necessary to generate the first request. Any URL preparation could be handled by passing the output of netcat through a stream filter before sending it to the client. Now, if I can get the time, maybe I will write a nice little redirector to do this. (hehehehehehe ... right ... get the time ... good one) mark - -- Mark Rogaski | Why read when you can just sit and | Member GTI System Admin | stare at things? | Programmers Local wendigo at gti.net | Any expressed opinions are my own | # 0xfffe wendigo at pobox.com | unless they can get me in trouble. | APL-CPIO -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMdrXDQ0HmAyu61cJAQEZXwP/bSI1tqQH/BCXXWPHhIp9Waq/A22ozyKf W0iL3zveQWbmirXd5RYtxoo+v8jTFmv+SOIUKrI+n7WKTmFoj1TtzMf8zTYTz/KW aZ2NK/PddgSqq4mjQEaxufMqvbG8lE/+Cu6GePo8UkFmkd7hSnNQA5sVv/kaTD47 5xVQCwkEwnc= =traT -----END PGP SIGNATURE----- From watt at sware.com Wed Jul 3 17:05:39 1996 From: watt at sware.com (Charles Watt) Date: Thu, 4 Jul 1996 08:05:39 +0800 Subject: Lack of PGP signatures In-Reply-To: <199607031912.MAA08945@netcom8.netcom.com> Message-ID: <9607031935.AA08888@mordred.sware.com> -----BEGIN PRIVACY-ENHANCED MESSAGE----- Proc-Type: 4,MIC-CLEAR Content-Domain: RFC822 Originator-Certificate: MIIBvzCCAWkCEFmOln6ip0w49CuyWr9vDVUwDQYJKoZIhvcNAQECBQAwWTELMAkG A1UEBhMCVVMxGDAWBgNVBAoTD1NlY3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2Vj dXJlV2FyZSBQQ0ExFzAVBgNVBAsTDkVuZ2luZWVyaW5nIENBMB4XDTk1MDUwODIw MjMzNVoXDTk3MDUwNzIwMjMzNVowcDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Nl Y3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2VjdXJlV2FyZSBQQ0ExFzAVBgNVBAsT DkVuZ2luZWVyaW5nIENBMRUwEwYDVQQDEwxDaGFybGVzIFdhdHQwWTAKBgRVCAEB AgICBANLADBIAkEM2ZSp7b6eqDqK5RbPFpd6DGSLjbpHOZU07pUcdgJXiduj9Ytf 1rsmf/adaplQr+X5FeoIdT/bVSv2MUi3gY0eFwIDAQABMA0GCSqGSIb3DQEBAgUA A0EApEjzeBjiSnGImJXgeY1K8HWSufpJ2DpLBF7DYqqIVAX9H7gmfOJhfeGEYVjK aTxjgASxqHhzkx7PkOnL4JrN+Q== MIC-Info: RSA-MD5,RSA, BeMb0/+U7Gnp8Xx2J5GUFwFI2hLb0giw65Y+HudXPvuSMDdeBToKOQXkR/HvyvKr kM+gtqWFV3Q/2xKS6iIeYRc= > -----BEGIN PGP SIGNED MESSAGE----- > > At 7:38 AM 7/3/96 +0000, Brad Shantz wrote: > >PGP is a pain for encrypting or signing e-mail when you have to save > >your message out to a temp file, encrypt it, and load it back in to > >your mail package. > > On my Mac I just entered this answer, cut it to the clipboard, launched > PGP, clearsigned it, and pasted the result back into the Eudora window for > the new mail. > > Bill > > > -----BEGIN PGP SIGNATURE----- > Version: 2.6 > > iQB1AwUBMdqyT9QgMXPCzT+1AQF35QMAiUM/5pVLwh41m0KncAiW+kms0d/GWn2W > C8RNwQpzanwEBaNyCpd/MSPdMAz5+YRrstnmp9MqGwbKMbsW4frqb86Dxdpgp2/f > qnwHvik9PlU/K81unAPij83MulSuysdJ > =feiY > -----END PGP SIGNATURE----- With our mailers, you simply hit the reply key. Of course, it is PEM rather than PGP. But with automated key management PEM can be a lot easier to use than PGP with its key ring -- and most implementations don't require you to use the restrictive IETF certificiate hierarchy. See www.secureware.com Charlie Watt SecureWare, Inc. -----END PRIVACY-ENHANCED MESSAGE----- From vznuri at netcom.com Wed Jul 3 17:09:42 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Thu, 4 Jul 1996 08:09:42 +0800 Subject: blocking software & brock meeks Message-ID: <199607032037.NAA25035@netcom23.netcom.com> sent this to Brock Meeks re: his latest column I also ask cpunks not to harass these companies or their users-- it's a solution that's working. ------- Forwarded Message To: brock at well.com Subject: cyber blocking software Date: Wed, 03 Jul 96 12:48:49 -0700 From: "Vladimir Z. Nuri" I read your columns regularly. outstanding work. regarding your recent dispatch: please do not harass the blocking software companies too much. they are simply based on a different premise than the regular net. the internet starts out with, "everybody can access everything". they start out with, "only stuff we approve of can be accessed". what their system shows is that you will always have disagreement and controversy whenever this software is employed, whereever subjectivity is involved. it is a very legitimate and worthwhile service for parents who would rather "err on the side of caution". but far better to have these organizations arguing & bickering with who they censor than to have the people who are censored suing the government. the people who want free net access have it, and are unbothered by these controversies. in other words, by moving the controversies to places where they are locally contained (i.e. among the blockers and blockees) the rest of the surfing public is unaffected and perhaps even protected from harassment. so you see? there is all kinds of ranting about censorship going on, but it has nothing to do with the way the vast majority uses the internet. it's completely voluntary. it's the perfect solution. so far, nothing the blocking companies do can affect the net as a whole. they are largely predicated on that function. in a real sense they are providing very general services of "rating web sites our customers will be most interested in". and you realize, even the Point Communications awards are the exact same thing. so again, please do not harass the companies. it's a solution that does work. the existence of controversy does not prove it doesn't work. it in fact proves that it does work. ------- End of Forwarded Message From me at muddcs.cs.hmc.edu Wed Jul 3 17:16:42 1996 From: me at muddcs.cs.hmc.edu (Michael Elkins) Date: Thu, 4 Jul 1996 08:16:42 +0800 Subject: Lack of PGP signatures In-Reply-To: <199607031631.JAA07820@infinity.c2.org> Message-ID: <199607032033.NAA07808@muddcs.cs.hmc.edu> nowhere at alpha.c2.org writes: > At 09:42 PM 7/2/96 EDT, Derek Atkins wrote: > :Basically, I refuse to type my passphrase over the net, which signing > :all my messages (this one included) would require. > > Why, in heaven's name, would you have to "type your passphrase over the net" to encypher a message? He was talking about signing messages that you send. You have to enter your passphrase possible over a TELNET session, which sends it across in the clear. This is a Bad Thing(tm) for keeping it truly private. me -- Michael Elkins http://www.cs.hmc.edu/~me PGP key fingerprint = EB B1 68 32 3F B5 54 F9 6C AF 4E 94 5A EB 90 EC From youssefy at ucla.edu Wed Jul 3 17:23:55 1996 From: youssefy at ucla.edu (youssefy at ucla.edu) Date: Thu, 4 Jul 1996 08:23:55 +0800 Subject: AT&T bans anonymous messages Message-ID: <2.2.32.19960703211803.006cedb4@pop.ben2.ucla.edu> At 11:43 AM 6/24/96 -0500, you wrote: >AT&T WorldNet service has banned the sending of anonymous email or >posting anonymously. > Can someone please explain to me the technicalities of how they know I am sending anonymous e-mail? From um at c2.org Wed Jul 3 17:43:15 1996 From: um at c2.org (Ulf Moeller) Date: Thu, 4 Jul 1996 08:43:15 +0800 Subject: Info on alleged new German digital wiretapping law? In-Reply-To: Message-ID: > > > http://fight-censorship.dementia.org/fight-censorship/dl?num=3027 > So what's the prospect for implementation? The claim is that law enforcement > is supposed to have a back door to every computer system. Are we talking > about escrow of root passwords, or what? No. There are two points: 1) The network operators have to create a wiretapping system to be approved by the Regulation Authority, and operate dedicated digital lines for law enforcement access. As I understand it, Internet providers could be forced to duplicate IP packets to that line, when wiretapping has been ordered. 2) They have to keep files of customer data (name, address, etc.) that the Regulation Authority can access secretly at any time. From WlkngOwl at unix.asb.com Wed Jul 3 17:44:27 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Thu, 4 Jul 1996 08:44:27 +0800 Subject: The Net and Terrorism Message-ID: <199607032157.RAA25003@unix.asb.com> On 3 Jul 96 at 7:03, jim bell wrote: > If you listen to the Feds discussing this most recent militia story, when > they're asked what was the militia's motivation, they don't want to talk > about it, and won't even speculate on more than the most unspecific, vacuous > terms. How can they? It's also not their concern WHY they (allegedly) plotted to blow up buildings, only THAT they did so. Rob. --- No-frills sig. Befriend my mail filter by sending a message with the subject "send help" Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From vznuri at netcom.com Wed Jul 3 17:44:32 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Thu, 4 Jul 1996 08:44:32 +0800 Subject: The Net and Terrorism In-Reply-To: Message-ID: <199607032035.NAA24719@netcom23.netcom.com> TCM breaks a longstanding personal policy of never replying to my posts directly. (well, thanks.) realize that my speculation on his position is largely associated with the vacuum of his continually refusing to discuss key points of his essays. >My article made my points, so I won't rewrite it here. You are of course >not required to agree. You are free to live in crowded cites--near "soft >targets." You are welcome to lobby for world peace and for economic changes >to lessen terrorism. lobbying is of marginal efficacy. I was not advocating lobbying congress. imagine that all the palestinians had good paying jobs, for example. how many of them would be into rock-throwing and terrorism? of course their own attitudes make such a thing very difficult. they may not have any skills or reject a job even if offered one. I'm not saying such a thing is easy. the fact that it is so elusive is proof of how difficult such a thing is. what you are failing to address is that terrorism is bred from DISCONTENT. I do believe that it is possible for groups to live together without DISCONTENT. such a thing is incredibly difficult to achieve, but definitely impossible if one starts with the premise, as you do, that such a thing is impossible. you will often find that some groups, if given minor concessions, are quite aghast at such overtures. but when both parties are stuck in "kill my enemies" mode, such a thing is not conceivable of course. I do NOT believe that living in the world is a zero-sum game as you seem to suggest. your use of the term is very compelling. do you believe human life is always at the expense of other human life? if so I can see why you think terrorism and violence are inevitable and likely to worsen (e.g. with the increase in population). but if you start from a different premise, that human problems can be solved, you may get a different reality. (interesting though, this dark view of the world as a zero-sum game does seem to influence a lot of thinking here on this list). >(I think this is mostly hopeless. No matter how "nice" conditions get, for >game-theoretic reasons there will be some groups seeking changes.) "hopeless"-- couldn't have characterized your position better myself. "groups seeking changes" == "terrorists"?? quite a leap of terminology. notice that it is quite possible to PEACEFULLY work for changes without resorting to violence. those that do resort to violence are at the most extreme ends of the spectrum. terrorism is like an adult having the ultimate temper tantrum. "if you don't give me what I want, I'll blow up a building". >I've never made any claims, explicit or implicit, that such acts are "for >no particular reason." Various groups--religious, political, corporate, >etc.--see advantages and disadvantages in various course of action. (This >sounds nebulous, but I am trying to avoid citing specific examples; I'm >trying to separate out the reactions people have to specific camps and look >at the bigger picture.) again, a blurring of degrees of extremism. of course there will always be conflicting demands of different groups in the world. but why does this equate to an inevitable rise in terrorism? I think we should study why it is that some people don't resort to violence to solve their problems, and some do, and try to pinpoint the difference in their psychologies. terrorists are not insane in a certain sense. they have just pushed themselves out of the envelope. >I never claimed that terrorists are doing it just for the fun of >it. I didn't say you claimed that. what you seem to suggest an inherent irrationality to terrorism such that it is often senseless. I'm trying to point out that terrorists are not just insane people, and that we are not always going to have lots of terrorists just because there is always an insane percentage of the human populace. I would suggest that terrorism in this country is only going to get worse if the government becomes more extreme. unfortunately, responses to terrorism tend to increase the extremism of govt, so it is difficult to separate cause from effect. I suspect we are already in this negative feedback loop. but ask yourself, would tim mcveigh have bombed the OK building if: 1. the FBI hadn't tried to cover up waco and ruby ridge 2. the FBI disciplined their agents, firing some on the spot 3. the FBI admitted making "egregious errors" 4. the FBI compensated families with cash without them having to sue the government first in retrospect, are any of these things not the "right thing to do" anyway? didn't the government eventually end up doing most of them anyway in the long run? what if they had apologized from the beginning? now, I am not saying what Mcveigh did was justified-- what I am saying is that the government could have potentially averted inflaming him and a zillion other militia members by a particular course of action that was inconceivable to them because of their need to preserve their testosterone-laced image of manhood... I gues being a government agent means never having to say you're sorry.... but terrorists are subject to the exact same kind of extremism of course. the extreme government and the extreme terrorist are the perfect match for each other and continually inflame each other more. >You and others are of course welcome to lobby for people to be nice to each >other. Peace and brotherhood, rah rah. "lobby". you are using your own straw man against me. I don't advocate lobbying or petitioning congress in particular to change the world. such measures play a small role. (btw, you probably think mother teresa is an idiot based on that sentence) >I believe there are basic game-theoretic reasons which make conflict and >jockeying for power "not surprising." again, a conflation of regular, routine conflict and disagreement with extreme violence and terrorism. why can some people solve their problems, or postpone their settlement, without resorting to violence? why can't others? >>the point is that there is no physical strategic value from bombing >>symbols. I was making the point that terrorism is extremely symbolic > >And the bombing in Beirut is explained how? it was a highly symbolic action. the palestinians are enraged that israel is largely supported through american dollars and military support. >Bear in mind that the British thought the Colonial tactic of shooting at >them from behind trees--a "terrorist" tactic borrowed from the Indians who >used it on the colonists--was immoral and unsportsmanlike. Ditto our >feeling that the "sneak attack" on Pearl Harbor was immoral. I take the >meta-view that the attack on Pearl Harbor was brilliantly carried-out >military strategy, just as the bombing of the Marine barracks in Beirut was >brilliantly carried-out military strategy. ok, an interesting analogy. notice however why the japanese attacked however. their critical oil supplies were being cut off. it wasn't just an exercise in trying to destroy an enemy. we became their enemy for particular reasons. >You really need read up on the "strategy of tension," esp. the writings of >Stefano Dellechiai (sp?) and the Russian "anarchists" of the late 19th >century. Also, the role the CIA played in funding former German commando >Otto Skorzeny in setting up "terrorist" groups in the 1950s and 60s. terrorists would not be terrorists unless they had their reasons. take away their reasons for being terrorists and they have nothing to inflame themselves about. that's my point. >Basically, one of the things terrorists want to do is to provoke a >crackdown by the ruling authorities, making things so bad that a >counterrevolution occurs. bzzzzt. you constantly talk about terrorists as if they are one single kind of breed in the world. but they have a zillion different variations and they are all violent for different reasons. they are fighting for *causes*. the sole cause of a terrorist is not to destroy government. they *want* to destroy government for some other reason. "I'm pissed off about [x], therefore I'm going to destroy the government". now, they *say* they are dedicated to destroying governments, but they're really just pissed off about [x], and if you take away [x] (which the government does often have a hand in) they have very little reason to be terrorists any more. ( McVeigh is a good case in point.) there are terrorists who are explicitly dedicated to destroying government merely because it is government, but I'd say this is an extreme form of terrorism that is relatively rare. apparently you have studied these forms the most and concluded they are the regular variety, and I take exception to this. you will not find terrorism in societies that are largely "contented". you cannot realize this until you study societies that are "content", which is the opposite of what you have done, focus on societies that are "discontented" and stuck in turmoil. I think this is what I find remarkable about your writing. for terrorists, destroying the government is a means to an end. but you often write as if terrorism is the end itself, that terrorism is its own reason for existence. that's what I'm questioning. They believe they will reap the rewards of such a >counterevolution (or revolution, as it need not be "counter"). note that they are really interested in the rewards, not necessarily the revolution. what would happen if they could obtain the rewards without the revolution? frequently revolution is required because the government is fanatically opposed to giving them their demands. but their demands are rarely that extreme at the root. (a place to live, religious tolerance, sovereignty, whatever). when you have terrorists, what you have is a government that is as extreme in its attitudes as the terrorists. it takes two to tango, as you are suggesting. the violent confrontation between government and terrorism is only the result of a negative feedback loop in which both become more extreme and polarized, each feeling that any concession to the other is a sign of submission. it is *not* a natural course of civilized society as you frequently suggest. >My main point in my essay was that violence and authoritarianism are all >around us, and that responding to the attacking of "soft targets" by >cracking down on basic liberties is NOT something we should endorse. well, we're in agreement, although at times it sounds like you are rooting for the violent crackdown, the negative feedback loop. your writing is very opaque sometimes. its not clear what you are advocating in particular. you seem to want to advocate things without appearing to advocate them, eh? >If you can't make your points reasonably and convincingly, I see that you >once again make ad hominem arguments. Calling me "Timmy" is not terribly >effective. actually it was a term of endearment . I would be awfully bored here without your postings. it's just a pity that you don't ever consider reexamining your fundamental premises, or stating them in depth. but this is human nature, so I can't fault you for it. From frantz at netcom.com Wed Jul 3 17:49:27 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 4 Jul 1996 08:49:27 +0800 Subject: Lack of PGP signatures Message-ID: <199607032105.OAA18411@netcom8.netcom.com> At 12:15 PM 7/3/96 -0700, Bill Frantz wrote: >On my Mac I just entered this answer, cut it to the clipboard, launched >PGP, clearsigned it, and pasted the result back into the Eudora window for >the new mail. But of course the signature doesn't check. (I suspect Eudora line wrapping.) >Pretty Good Privacy(tm) 2.6 - Public-key encryption for the masses. >(c) 1990-1994 Philip Zimmermann, Phil's Pretty Good Software. 9 Jun 94 >Distributed by the Massachusetts Institute of Technology. Uses RSAREF. >Export of this software may be restricted by the U.S. government. >Current time: 1996/07/03 21:04 GMT >pgp PGPTmpClipboardFile.tmp > >File has signature. Public key is required to check signature. . >WARNING: Bad signature, doesn't match file contents! > >Bad signature from user "Bill Frantz ". >Signature made 1996/07/03 17:48 GMT > >Plaintext filename: PGPTmpClipboardFile ------------------------------------------------------------------------- Bill Frantz | The Internet may fairly be | Periwinkle -- Consulting (408)356-8506 | regarded as a never-ending | 16345 Englewood Ave. frantz at netcom.com | worldwide conversation. | Los Gatos, CA 95032, USA From hfinney at shell.portal.com Wed Jul 3 17:50:14 1996 From: hfinney at shell.portal.com (Hal) Date: Thu, 4 Jul 1996 08:50:14 +0800 Subject: Setting a PGP keyserver on my Web server Message-ID: <199607032119.OAA19946@jobe.shell.portal.com> From: Joseph Seanor > How can I go about setting up a PGP keyserver on my Web Server? I have simple code for a "proxy" key server on my web server. It is not a real key server, but just forwards requests to a real key server. It has a list of a few servers that it knows about and it tries the list until one responds. I use it for Java applets which get PGP keys from the server; they have limitation that they can only connect back to the server they came from. So this solves that problem. Code and a sample Java applet are available from: . Hal From WlkngOwl at unix.asb.com Wed Jul 3 17:57:48 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Thu, 4 Jul 1996 08:57:48 +0800 Subject: Lack of PGP signatures Message-ID: <199607032150.RAA24892@unix.asb.com> On 3 Jul 96 at 9:31, nowhere at alpha.c2.org wrote: > At 09:42 PM 7/2/96 EDT, Derek Atkins wrote: > :Basically, I refuse to type my passphrase over the net, which signing > :all my messages (this one included) would require. > Why, in heaven's name, would you have to "type your passphrase over > the net" to encypher a message? You need to type it in to SIGN a message. (BTW, there's been an awful lot of messages posted with one line huge paragraphs. It's moderately inconvenient using Windows, but it's still a pain. Can you hit the Enter key or set word wrap on next time?) Rob. --- No-frills sig. Befriend my mail filter by sending a message with the subject "send help" Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From jimbell at pacifier.com Wed Jul 3 18:04:13 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 4 Jul 1996 09:04:13 +0800 Subject: The Net and Terrorism Message-ID: <199607032148.OAA12397@mail.pacifier.com> At 05:45 PM 7/3/96 +0000, Deranged Mutant wrote: >On 3 Jul 96 at 7:03, jim bell wrote: > >> If you listen to the Feds discussing this most recent militia story, when >> they're asked what was the militia's motivation, they don't want to talk >> about it, and won't even speculate on more than the most unspecific, vacuous >> terms. > >How can they? It's also not their concern WHY they (allegedly) >plotted to blow up buildings, only THAT they did so. >Rob. But as I've pointed out elsewhere, there's a big difference between "We're gonna do this!" and "Someday we may have to do this." My impression is that the government has tried to completely erase the dividing line between these two concepts. Jim Bell jimbell at pacifier.com From alano at teleport.com Wed Jul 3 18:16:18 1996 From: alano at teleport.com (Alan Olsen) Date: Thu, 4 Jul 1996 09:16:18 +0800 Subject: Lack of PGP signatures Message-ID: <2.2.32.19960703220436.00e93fe8@mail.teleport.com> At 02:07 PM 7/3/96 -0700, Bill Frantz wrote: >At 12:15 PM 7/3/96 -0700, Bill Frantz wrote: >>On my Mac I just entered this answer, cut it to the clipboard, launched >>PGP, clearsigned it, and pasted the result back into the Eudora window for >>the new mail. > >But of course the signature doesn't check. (I suspect Eudora line wrapping.) Yep. Been there, done that. Line wrap problems are the bain of PGP sigs. This is the reason that most PGP shells will force a line wrap before generating the signature. The only way around it is to turn off all line wrapping or have a utility do it for you before signing it. I am wondering why there is not a signing option that ignores all non-printing characters. Might fix some of these problems... (Can anyone think of a reason this would be a "Bad Thing(tm)"?) --- |"Computers are Voodoo -- You just have to know where to stick the pins."| |"The moral PGP Diffie taught Zimmermann unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From ses at tipper.oit.unc.edu Wed Jul 3 18:22:06 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Thu, 4 Jul 1996 09:22:06 +0800 Subject: ecash thoughts Message-ID: 1) Current ecash systems require live verification of coins, which will require banks to perform public key operations at around the 100K PKOP/s level, as well as all the headaches caused by the serial number lookup. Would anybody care to price up a system to handle this kind of traffic, assuming that coins can be given relatively short maximum lifetimes to keep the number of serial numbers in use within semi-reasonable limits. I'm wondering what the breakeven point is for only doing statistical sampling when verifying low value coins. 2) If ecash is used to create a new currency- i.e. the value of a unit of the ecash is not tied to any single existing currency, what should the value of one currency unit be set at? (let's call it a Turing) If the currency is run to be as anti inflationary as possible (e.g. backed by index-linked government securities), one Turing should buy the same amount of goods for a long long time, though relative prices may change. What value is likely to give the most convienient prices to the most goods? (e.g. +/- powers of two). 3) Not ecash, but still banking [noise] I'm currently visiting at my parents house in England, which for the past 18 years has had a really nice phone number. Unfortunately, BT split london into two area codes, and have reallocated the exchange number in the other one to citibank. Unfortunately, not many of their customers can quite cope with the concept of area-codes. Even more unfortunately, neither can BT or citibanks telcom group- we've had calls transferred from their switchboard straight through to us. Now, here comes the test for cp ingenuity - can you think of the best way to answer the phone to someone who things they've called a bank? Ones I've used so far, when I've been really pissed off are: Oh, I'm sorry - haven't you heard? They've filed for chapter 11. I'm from the Federal Reserve- I'm working with the recievers - can I possibly help you? [response was a disappointing "Good Heavens! Really?" ] and the simple, yet subtle Lovecraftian terror of: CitiBank, Nick Leeson speaking. [pause, giggle, must have a wrong number, click] Any more suggestions? Simon From markm at voicenet.com Wed Jul 3 18:54:19 1996 From: markm at voicenet.com (Mark M.) Date: Thu, 4 Jul 1996 09:54:19 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port In-Reply-To: <1.5.4.16.19960703170027.5fc7bc80@arc.unm.edu> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Wed, 3 Jul 1996, David Rosoff wrote: > At 12.10 AM 7/3/96 -0500, Declan McCullagh wrote: > > >CyberWire Dispatch // Copyright (c) 1996 // > > >Install the programs and Junior can't access porn. No fuss, no muss, no > >bother. "Parental empowerment" is the buzzword. Indeed, it was these > >programs that helped sway the three-judge panel in Philly to knock down > >the Communications Decency Act as unconstitutional. > > I've wondered .. could a creative child circumvent these filter programs > using a URL-redirecter, like where you see something like > http://www.one.site.com/cgi-bin/rd?http://www.porno-site.com/ > or are they not URL-based? If the child is creative enough, he will be able to boot DOS from a bootdisk and remove the line from config.sys that starts up the filtering software. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xe3bf2169 http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348 "Freedom is the freedom to say that two plus two make four. If that is granted, all else follows." --George Orwell, _1984_ -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMdr7NLZc+sv5siulAQERvQP/YyzeV1YtbR0ba0RkiosU/r6kzDDJeDSc OllJ4dAwlRAvJgNdlbX0aa0pQ47e7QNDu6yZsUv2j1MfJSvVcNlMLIWIaWP0lEvJ 4L+Oedxearr6fSwjgDa40Tv+/hWC3qwV7QHLKriRuyQxDE7nWbz8wMl2G1i91rAg a5dD8JrALeg= =RucL -----END PGP SIGNATURE----- From cme at cybercash.com Wed Jul 3 18:57:56 1996 From: cme at cybercash.com (Carl Ellison) Date: Thu, 4 Jul 1996 09:57:56 +0800 Subject: Minutes Of the WWW I&A Forum Message-ID: <2.2.32.19960703215331.00736f58@cybercash.com> >Return-Path: >Date: Wed, 03 Jul 1996 5:45pm >From: "Niemczuk John" >To: vanbelld at bah.com, hapemand at bah.com, anthony.vitale at qmgate.trw.com, > balenson at tis.com, ballodi at paralon.com, bdorsey at v-one.com, > benner_tim at bah.com, bitting at mitre.org, bonatti at bah.com, > cme at cybercash.com, crowan at jgvandyke.com, cscrugg at spyrus.com, > dale at sctc.com, davidh at checkpoint.com, davids at checkpoint.com, > fred.unterberger at east.sun.com, ghilborn at csc.com, hecker at netscape.com, > hh at columbia.sparta.com, hittman at v-one.com, housley at spyrus.com, > hthomas at smiley.mitre.org, iolson at mitre.org, j_rolen at hud.gov, > jacksont at lfs.loral.com, jalexand at aero.org, james.prohaska at litronic.com, > janispel at caas.com, janisple at caas.com, jbiggs at csc.com, > jfurlong at mitre.org, jharrell at centech.com, jim.beattie at network.com, > jim at lsli.com, jmat at vnet.ibm.com, jmyers at mitre.org, jswang at v-one.com, > kearny at betuvic1.vnet.ibm.com, khrose at annap.infi.net, > khutton at lfs.loral.com, kurowski at lfs.loral.com, lnotargi at us.oracle.com, > louden at mitre.org, luther at sware.com, migues_sammy at prc.com, > mikez at secureware.com, mjm at reston.ans.net, mkrenzin at mail.hcsc.com, > mmancuso at v-one.com, mulvihil at smiley.mitre.org, netland at scc.com, > olkowskid at comm.hq.af.mil, oswald at columbia.sparta.com, pguay at mitre.org, > price_bill at prc.com, ray at sesi.com, sferry at raptor.com, > shlomo at checkpoint.com, sledgerw at bdm.com, smith at sctc.com, > tcfarin at sed.csc.com, tehrsam at us.oracle.com, thomps1r at ncr.disa.mil, > vritts at cscmail.csc.com, watt at sware.com, wneugent at smiley.mitre.org, > woycke at mitre.org >Cc: jhsteve at missi.ncsc.mil >Subject: Minutes Of the WWW I&A Forum > > Multilevel Information Systems Security Initiative >(MISSI) > Identification and Authentication (I&A) Forum > 3 June 1996, Meeting Minutes > > The theme of this I&A Forum was security for the World Wide Web (WWW). > The following was the agenda for the meeting: > > - Introduction - Dave Luddy, National Security Agency (NSA) > - Web Technology Overview - Dave Dodge, NSA > - INTELINK Security Needs - Susanne Rosewell, ISMC > - Mitre Corporate Experiences Using The Web (An Information Security >[INFOSEC] Point Of View) - Michael Louden, Mitre > - Security Policy Summary - Dale Hapeman, Booz, Allen & Hamilton > - Internet Engineering Task Force (IETF)/Worldwide Web Consortium (W3C) >Secure Web Standard Activities - Judy Furlong, Mitre > - Netscape and Web Security - Frank Hecker, Netscape > - Protecting Web Sites From Attack - Dr. Rick Smith, Secure Computing >Corporation > - Security products For WWW Applications - Mike Zauzig, SecureWare > - WWW Access (Attempting Solutions) - Dale Hapeman, Booz, Allen & Hamilton > - Forum Wrap-up - Dave Luddy, NSA > > Mr. Dave Luddy, the Forum Chairperson, opened the meeting with an >overview of the forum. He discussed: > - The goal of the forum is "to insure the commercial availability of >affordable I&A solutions that meet our customer's security, performance, >interoperability, and security management needs." > - The focus is on MISSI FORTEZZA based solutions. > - The development of an I&A Concept Of Operations (CONOPS) will be used as >the means of capturing I&A requirements for WWW access and other network >applications. > - The forum participants and modus operandi are documented in the I&A >Forum Charter. > > Mr. Dave Dodge, from the Operations Directorate of NSA, presented an >introduction to the WWW technology. Mr. Dodge presented an overview of: > - The Hypertext Transport Protocol (HTTP) which is one of the most >flexible tools for navigating the Internet. > - Uniform Resource Locators (URLs) which allow a user to identify the >location of a resource and the method used to retrieve it. > - The HyperText Mark-up Language (HTML) which is used to format Web pages >and present URLs to users. > - The Common Gateway Interface (CGI) which allows programs run on a server >to receive data from a user via an HTTP connection. > - JAVA which allows a program to be moved from the server to a client and >then executed on the client. JAVA is designed to "protect you from itself". > It has checks that are made during execution. JAVA is not universally >implemented yet. There is no tag in the HTML > - The Secure Socket Layer (SSL) > - The Secure-HTTP (S-HTTP) > >Questions and Answers: >Q: Is a firewall able to differentiate an access made by a user from an >access originated by a JAVA applet? >A: (from Dave Dodge and Frank Hecker): No. A JAVA applet can open any >random port to the server that provided it. >Q: Can a JAVA applet make an access through a proxy? >A: (from Frank Hecker). Either the applet needs to know about that proxy >ahead of time or it can make use of the existing HTTP browser. >Q: Do search engines present any special I&A issues? >A: Most search engines are implemented using the GET or POST HTTP commands >which feed a program running on the server. Control of access to that >program is the same as access to any Web page. >Q: Is there an IETF Working Group (WG) for WWW? >A: The W3C is an industry consortia that deals with Web issues (it's >responsible for the new HTML standard). There are many IETF WGs and >standards related to Web topics. > > Ms. Susanne Rosewell, from the ISMC Security office presented a >briefing on INTELINK security needs. She pointed out that there is a panel >working on security issues that meets monthly. They are supported by several >WGs that are addressing: > - JAVA > - Access Control > - Firewalls > - Inter Domain security > > Ms. Rosewell discussed some of the security issues and goals related to >INTELINK: > - Currently, Local Administrators provide security by reviewing server >logs to track who has had access to a server (i.e., no access control). > INTELINK would like to provide access control at the "front door" and not >at individual servers. > - They are looking at using X.509 Version 3 certificates to provide the >ability to limit access to no foreign (NOFORN) information. They also want >to use X.509 certificates to identify community of interest (COI). > - The Inter Domain WG is investigating the use of commercial off-the-shelf >(COTS) multi-level security (MLS) servers to allow a Secret user to access >Secret and below data from a server that also contains Top Secret data. > - A long term goal is to provide "true data labeling" so that data may >carry and maintain a sensitivity label. > >Questions and Answers: >Q: Isn't it harder to get Secret data into a Top Secret enclave than to >get Secret data out of a Top Secret enclave? >A: Yes. >Q: Is the goal to provide servers that contain both Top Secret and Secret >data that is connected to both (S and TS) networks? >A: Yes. >Q: Is data aggregation an issue? >A: Current efforts are to only label individual data objects. >Q: How will an individual user determine what technology to use and when >to upgrade? >A: INTELINK will be mandating a SSL capable browser in the future and is >asking people to comply with that requirement now. >Q: Will the INTELINK e-mail solution be Simple Mail Transfer Protocol >(SMTP) or X.400. >A: The E-mail application package that INTELINK will standardize on is >still an issue. They need a application now and consider SMTP as the only >current option. X.400 applications (from the Defense Message System [DMS]) >are somewhere down the road. >Q: Commercial MLS servers are not readily available, the market has not >been established. How will INTELINK obtain COTS MLS servers? >A: There are a few MLS workstations available. INTELINK is working with >NSA and vendors to solve this issue. >Q: INTELINK is requiring the use of Version 3 X.509 certificates, DMS has >an infrastructure based on Version 1 certificates. Is anyone working on >solving this issue. >A: There is an INTELINK representative on the MISSI Key Privilege & >Certificate WG (KP&CWG) which is working on the problem of incompatible >X.500 infrastructures. Conversion from Version 1 to Version 3 X.509 >certificates is a transition issue for DMS. The issue is the timing of the >conversion to Version 3 certificates. There was never any intention to >interoperate between the two versions. > > Mr. Michael Louden, who is involved with Mitre corporate management of >computer and network operations briefed "A Corporate Experience Using The >Web (An INFOSEC Point Of View). The briefing provided an overview of the >Mitre Information Infrastructure (MII). In the area of security, the >briefing included the MII security environment, key security features, >security trade-offs, and security issues. Miter has different access control >mechanisms (e.g., Passwords, Tickets) for different servers and would like >to centralize/standardize the access control mechanisms. > >Questions and Answers: >Q: When Mitre splits into two separate organizations, will you have to >totally rework your access control rights? >A: Mitre plans to duplicate the access control system and then delete the >individuals from the other organization. > > Mr. Dale Hapeman, the Booz(Allen I&A task leader, presented a briefing >on "Sensitive But Unclassified (SBU) WWW Requirements." He started the >brief by reviewing the Context Diagram from the I&A CONOPS and presented an >operational environment which showed Web clients an servers relative to SBU >enclaves. Mr. Hapeman followed with an explanation of how each facet of a >MISSI security policy could be applied to data as it is being transferred >between a Client and Server through multiple firewalls. He provided >definitions of Authorized and Authenticated. Mr. Hapeman finished with an >invitation to the audience to consider the policies they would like to see >implemented at the different components involved in a WWW access (client, >server, and firewall). > > Ms. Judith Furlong is a lead INFOSEC Engineer at the Mitre corporation. >She presented a briefing titled "IETF/W3C Secure Web Standards Activity." > Ms. Furlong started her briefing with a discussion of the following >existing Web security standards > - SSL Protocol > - S-HTTP > - Private Communication Technology (PCT) protocol > - Secure Electronic Transaction (SET) Protocol > > Ms. Furlong followed with an overview of the W3C, including a >discussion of the W3C Security WG. Ms. Furlong covered: > - The Protocol Extension Protocol (PEP), a W3C proposal for extending HTTP >to accommodate additional capabilities such as security, watermarks, >labeling etc. She further described the Security Extension Architecture >(SEA) using the proposed PEP. > - The Joint Electronic Payment Initiative (JEPI), a joint WG between the >W3C's Electronic Payments WG and CommerceNet which is developing an Internet >payment protocol negotiation scheme and a standard interface for payment >modules. > - The Digital Signature Initiative which deals with issues associated with >applying digital signatures to objects such as video frames. > - The Platform for Internet Content Selection (PICS) WG which has the >charter to design technology to support "values-based" content >rating/labeling. The PICS technology has security applicability. > > Ms. Furlong provided an overview of the IETF and its Web Transaction >Security (WTS) and Transport Layer Security (TLS) WGs. > She completed her briefing with a discussion of the following security >areas not being addressed by standards efforts: > - Secure Search capabilities > - Mobile Code Security > - Security Management Functions > - Interfaces to Security Infrastructures > > Mr. Frank Hecker, a senior systems engineer with Netscape >Communications Corporation, presented a briefing on Netscape and Web >Security. The briefing covered the security areas and technologies that >Netscape is active in. Mr. Hecker started with a discussion of SSL and how >Netscape has improved it through upgrades to their Navigator software as >well as additional SSL issues they are investigating. He also covered >Netscape's security related issues: > - Support for hardware tokens other than FORTEZZA. > - Making a browser "firewall aware" (e.g., able to authenticate to >intermediate firewalls) without becoming susceptible to man-in-the-middle >attacks. > - Providing directory services for use by many different types of >applications. > - Downloadable applications (JAVA and JAVASCRIPT) > - Financial transactions - Netscape will implement SET > - Secure e-mail - S/multipurpose internet mail extensions (MIME) >(initially not FORTEZZA) > - Public key infrastructure - Committed to X.509 Version 3 Certificates > - User and/or administrator configurability - Netscape will have a toolkit >to support Navigator 3.0. > >Questions and Answers: >Q: What are Netscape's plans for supporting applications other than Web >browsing over SSL connections? >A: Netscape currently implements HTTP, NNTP over SSL. They plan on >implementing lightweight directory access protocol (LDAP) over SSL in the >future. file ransfer protocol (FTP), TELNET, and SMTP/POP3/IMAP4 are >possible but not planned. Other vendors or individuals have implemented >TELNET and FTP over SSL. >Q: How does a user deal with non-SSL servers or optionally implementing >SSL on a connection? >A: A page that must be accessed with SSL is designated with a URL starting >with https:// (instead of http://). > > Dr. Rick Smith an information security consultant with Secure Computing >Corporation presented a briefing titled "Protecting Web Sites From Attack". > Dr. Smith started his presentation with a history of some of the more well >known sever penetrations. Dr. Smith discussed several types of attacks and >methods of protection with Type Enforcement Encapsulation. > >Questions and Answers: >Q: Where are the tables used for type enforcement defined? >A: There is an Administrators Tool that includes this function. >Q: How many domains and types can Sidewinder implement? >A: Dozens. > > Mr. Mike Zauzig, a senior products development engineer with >SecureWare, presented a briefing on "Security Products For WWW >Applications." Mr. Zauzig provided an overview of his company, aspects to >web security, and the following SecureWare products: > - Hannah - Network Security > - Troy - Platform Integrity Assurance > - SecureMail - E-mail Security > - Secure Web Platform Integrity - Safe Web Server > - Interceptor - Transmission Control Protocol (TCP)/IP Firewall > - Internet Scanner - Attack Simulator > >Questions and Answers: >Q: Is SecureWare's mail package interoperable with other FORTEZZA e-mail >implementations. >A: Yes (Dave Luddy). >Q: The Security First Network Bank shows a Web server that is connected to >directly the Internet (not through the firewall). Is this machine running >SSL on one side and Hannah on the other? >A: Yes. > > Mr. Hapeman presented a briefing which attempted to summarize the >security requirements presented at the day's meeting. He reviewed the >security services needed and the requirements that are allocated to >components. He also discussed the protocol requirements and possible >solutions available to secure the Web. Different options for authenticating >to firewalls placed between clients and servers were presented. Much work >remains to secure the proxy or tunneling solutions. > >Questions and Answers: >Q: The Internet Protocol Security (IPSec) protocol has not been mentioned >all day. It is very mature and has had much NSA input (especially the >Internet Security Association and Key Management Protocol [ISAKMP] key >management protocol). It should be considered as a security solution. >A: Agreed. IPSec is a viable option, especially for authenticated >firewall-to-firewall connections. It was not mentioned by name but is >certainly being considered as a solution. > > Mr. Luddy's closing comments were: > - NIST FIPS PUB JJJ has been discussed at previous I&A Forums. Although >it presents an authentication scheme, it does not provide for interoperable >solutions. Dave Kemp has authored a Public Key Login Protocol that provides >the detail needed for interoperability. The document will be submitted as >an IETF Internet draft. Comments are solicited. > - The I&A CONOPS document will be sent out by e-mail to everyone who >registered. > - The topic for the next I&A Forum is Access Control. It is scheduled for >8-9 July 1996. > > > From lzirko at c2.org Wed Jul 3 19:16:19 1996 From: lzirko at c2.org (Lou Zirko) Date: Thu, 4 Jul 1996 10:16:19 +0800 Subject: Computer-Aided Revolution Message-ID: <199607032325.QAA21478@infinity.c2.org> -----BEGIN PGP SIGNED MESSAGE----- To: jimbell at pacifier.com, cypherpunks at toad.com Date: Wed Jul 03 18:24:47 1996 You could have all 1000 sync with the same time server. There are plenty of standard time servers available on the net and timer daemons are available for most platforms. Lou Zirko > I've thought of an application for a "revolutionary" program for > peaceful > protest, but one that requires that a substantial number (1000) of > people > have access to computer time synchronized to 1 second, ideally 0.1 > second. > How good would a time sync over the net typically be? > > Jim Bell > jimbell at pacifier.com > > Lou Zirko (502)383-2175 Zystems lzirko at c2.org "We're all bozos on this bus" - Nick Danger, Third Eye -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: latin1 iQEVAwUBMdsBT8tPRTNbb5z9AQFtmQf/bSl4oZ/TGz9jzPcEk6pCrJISQrIkpwc4 3ycIuRTkAk71BxyWllpquaFvc4LYxSha1KgjF4WKLE8luVEhLYNiK+MZxUQmd6Sn 26eagt3r470dppK6w6Ahzf8Nrm6SwYO7J0xHAxh5j/dDkvtGm9S5s+c4cgzbyvzR fOmz48UJYfcnQ5TmllOmqDHQ2YTbLcgBDZmG154KeSx/9AaU8hOw2WpWsCZAhVY5 By06kqTm12JBt1ERE63juPgf9AQpOY7ssGLRfTNttlZayd/UeTDmB0coD3rJnM1R egbl7hdoqNmkic9SMHF7TS5p+pq4WphGkxUqmvyI9wBy2YC+Luqgnw== =t8a2 -----END PGP SIGNATURE----- From jimbell at pacifier.com Wed Jul 3 19:26:23 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 4 Jul 1996 10:26:23 +0800 Subject: Computer-Aided Revolution Message-ID: <199607032257.PAA16812@mail.pacifier.com> I've thought of an application for a "revolutionary" program for peaceful protest, but one that requires that a substantial number (1000) of people have access to computer time synchronized to 1 second, ideally 0.1 second. How good would a time sync over the net typically be? Jim Bell jimbell at pacifier.com From asgaard at sos.sll.se Wed Jul 3 19:27:51 1996 From: asgaard at sos.sll.se (Asgaard) Date: Thu, 4 Jul 1996 10:27:51 +0800 Subject: The Net and Terrorism In-Reply-To: Message-ID: On Wed, 3 Jul 1996, Timothy C. May wrote: > Basically, one of the things terrorists want to do is to provoke a > crackdown by the ruling authorities, making things so bad that a > counterrevolution occurs. They believe they will reap the rewards of > such a counterevolution (or revolution, as it need not be "counter"). Examples of this are the bombing attacks on tourists in Egypt and Turkey; classical terrorism where the victims are not really participants in the political struggle (as opposed to volontarily enlisted American soldiers in Saudi). The agenda here is to bring down the economy by scaring away future tourists, making way for an islamic revolution/a separate kurdish state. Anyone been to Egypt lately? Asgaard From llurch at networking.stanford.edu Wed Jul 3 19:28:35 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 4 Jul 1996 10:28:35 +0800 Subject: Info on alleged new German digital wiretapping law? In-Reply-To: Message-ID: On Wed, 3 Jul 1996, Ulf Moeller wrote: > > > > http://fight-censorship.dementia.org/fight-censorship/dl?num=3027 > > > So what's the prospect for implementation? The claim is that law enforcement > > is supposed to have a back door to every computer system. Are we talking > > about escrow of root passwords, or what? > > No. There are two points: > > 1) The network operators have to create a wiretapping system to be > approved by the Regulation Authority, and operate dedicated digital > lines for law enforcement access. As I understand it, Internet > providers could be forced to duplicate IP packets to that line, when > wiretapping has been ordered. Sounds like US and Swedish law. What's the phase-in period? > 2) They have to keep files of customer data (name, address, etc.) that > the Regulation Authority can access secretly at any time. Sounds like a market opportunity. -rich From declan at well.com Wed Jul 3 19:47:48 1996 From: declan at well.com (Declan McCullagh) Date: Thu, 4 Jul 1996 10:47:48 +0800 Subject: blocking software & brock meeks Message-ID: Since I wrote most of the dispatch M. Nuri is talking about, I'll take a moment to respond to his points below. First, neither Brock nor I intends to "harass" the blocking software companies. Seocnd, I wouldn't be nearly as skeptical of their efforts if they'd honestly admit what they block. Right now, parents don't _know_ the extent to which Junior is kept from educational and political sites. This was the point of the article; I fear you missed it entirely. -Declan >sent this to Brock Meeks re: his latest column >I also ask cpunks not to harass these companies or their users-- >it's a solution that's working. > >------- Forwarded Message > >To: brock at well.com >Subject: cyber blocking software >Date: Wed, 03 Jul 96 12:48:49 -0700 >From: "Vladimir Z. Nuri" > > >I read your columns regularly. outstanding work. > >regarding your recent dispatch: please do not harass the >blocking software companies too much. they are simply based >on a different premise than the regular net. the internet >starts out with, "everybody can access everything". they >start out with, "only stuff we approve of can be accessed". > >what their system shows is that you will always have disagreement >and controversy whenever this software is employed, whereever >subjectivity is involved. it is a very legitimate and worthwhile >service for parents who would rather "err on the side of caution". > >but far >better to have these organizations arguing & bickering with who they >censor than to have the people who are censored suing the >government. the people who want free net access have it, and >are unbothered by these controversies. in other words, >by moving the controversies to places where they are locally >contained (i.e. among the blockers and blockees) the rest >of the surfing public is unaffected and perhaps even protected >from harassment. > >so you see? there is all kinds of ranting about censorship going >on, but it has nothing to do with the way the vast majority uses >the internet. it's completely voluntary. it's the perfect solution. >so far, nothing the blocking companies do can affect the net as >a whole. they are largely predicated on that function. > >in a real sense they are providing very general services of >"rating web sites our customers will be most interested in". >and you realize, even the Point Communications awards are the >exact same thing. > >so again, please do not harass the companies. it's a solution >that does work. the existence of controversy does not prove >it doesn't work. it in fact proves that it does work. > > > >------- End of Forwarded Message From llurch at networking.stanford.edu Wed Jul 3 19:55:32 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 4 Jul 1996 10:55:32 +0800 Subject: SAFE forum -- remarks of Herb Lin In-Reply-To: <9606038364.AA836434501@nas.edu> Message-ID: On Wed, 3 Jul 1996, Herb Lin wrote: > Folks -- I object to the characterization of my remarks about crime prevention > being made with sarcasm. The complete remark was "Crime prevention ought > to be part of the FBI's mission, ... and it is -- ask them, and they acknowledge > that." OK, sorry, my reading. I'd certainly hate to jeopardize any professional relationships by implying that you'd been poking fun at them on purpose. There's already far too much distrust to go around. As I recall, the sequence went "Crime prevention ought to be part of the FBI's mission [audience snickers, Herb realizes what he just said and smiles]... and it is -- ask them, and they acknowledge that." The best standup comics are the genuine straight men, I guess. To avoid any trouble, I'll be using that line *without* specific attribution from now on. -rich From furballs at netcom.com Wed Jul 3 20:01:39 1996 From: furballs at netcom.com (Paul S. Penrod) Date: Thu, 4 Jul 1996 11:01:39 +0800 Subject: LE Risks with No Crypto In-Reply-To: <2.2.32.19960703002028.00ba3b24@panix.com> Message-ID: I will presume for the moment that you actually support this position and this is not a blatant troll. On Tue, 2 Jul 1996, Duncan Frissell wrote: > Did anyone notice the fun little bit in the story of the bust of the Viper > Militia in Arizona? > > The state employee that BATF sent to infiltrate the group almost "assumed > room temperature" because an ally of the Militia working for AT&T pulled his > long distance phone records. The infiltrator was questioned rather closely > about some of his phone calls to official numbers. He managed to persuade > them that he wasn't a Fed. > > Too bad AT&T doesn't use an encrypted open books system to store is records > so that "bad guys" can't abuse those records and put our heroic law > enforcement personnel at risk. > > This is a perfect illustration of the fact that technology puts the > government most at risk because it will always be the juiciest target. > "Worth the powder to blow it up with." > > DCF > I disagree completely with the premise that the government will always be the juciest target. If you read Tim May's treatise about terrorism, he makes a point that may never be openly discussed by the press as it makes all too much sense. That point is simply that terrorism begins to blossom against a government when a section of the citizenry percieves that they have been disenfranchised by that government and view no opportunity for legal recourse to change the situation, and are not willing to live under those rules. The fact that AT&T may or may not use encryption on their records is irrelevant. That BATF agent could have been the one to pull records illegally instead. Now where is your point ? A government represented has now abused position and priviledge to persue a purpose - right or wrong. The US government is at risk because of the robber baron mentality of many of the government officials, congressmen, representatives, and of course BIll & Hillary. IMO They have purposefully abused position and priveldge and lined their own pockets to their advantage - leaving many of the citizenry wondering what is really going on. I am not a supporter of the militia movement - however, they do represent a growing segment of the population that feels disenfrachised and view violence against the visible government establishment as a way to make their point. There are others who view the government the same way as the militia, but resort to trying to continue to work within the existing system to make the changes they feel are necessary. In this venue encryption is not only desirable but necessary as those in power are trying to consolidate their position by trying to use information they can glean against those who want to remove them from office or thwart their efforts to enact bad legislation. RIchard Nixon was noted for his use of the IRS against select folks. Now we have BIll Clinton and the 700+ personal files collect for use against "enemies" of the administration. My position is that crypto should be available to all - not just the government or a priviledged few. Any technology man creates can be used for good or evil. That will never change. ...Paul From llurch at networking.stanford.edu Wed Jul 3 20:18:15 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 4 Jul 1996 11:18:15 +0800 Subject: Lack of PGP signatures In-Reply-To: <199607032012.QAA13633@darius.cris.com> Message-ID: On Wed, 3 Jul 1996, David F. Ogren wrote: > Lots of people still deal with the Internet remotely, despite the > profileration of SLIP/PPP accounts. On the other extreme, but with the same conclusion, some of us work in ubiquitous distributed computing environments. I simply don't have a "home" PC; I can sit down and work on any of 20,000 computers on campus with equal ease. Most of the time, I log on encrypted, but strong encryption is unavailable for some services I need to use to do my job. -rich From llurch at networking.stanford.edu Wed Jul 3 20:20:22 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 4 Jul 1996 11:20:22 +0800 Subject: Lack of PGP signatures In-Reply-To: <9607031935.AA08888@mordred.sware.com> Message-ID: On Wed, 3 Jul 1996, Charles Watt wrote: > -----BEGIN PRIVACY-ENHANCED MESSAGE----- > Proc-Type: 4,MIC-CLEAR > Content-Domain: RFC822 > Originator-Certificate: > MIIBvzCCAWkCEFmOln6ip0w49CuyWr9vDVUwDQYJKoZIhvcNAQECBQAwWTELMAkG > A1UEBhMCVVMxGDAWBgNVBAoTD1NlY3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2Vj > dXJlV2FyZSBQQ0ExFzAVBgNVBAsTDkVuZ2luZWVyaW5nIENBMB4XDTk1MDUwODIw > MjMzNVoXDTk3MDUwNzIwMjMzNVowcDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Nl > Y3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2VjdXJlV2FyZSBQQ0ExFzAVBgNVBAsT > DkVuZ2luZWVyaW5nIENBMRUwEwYDVQQDEwxDaGFybGVzIFdhdHQwWTAKBgRVCAEB > AgICBANLADBIAkEM2ZSp7b6eqDqK5RbPFpd6DGSLjbpHOZU07pUcdgJXiduj9Ytf > 1rsmf/adaplQr+X5FeoIdT/bVSv2MUi3gY0eFwIDAQABMA0GCSqGSIb3DQEBAgUA > A0EApEjzeBjiSnGImJXgeY1K8HWSufpJ2DpLBF7DYqqIVAX9H7gmfOJhfeGEYVjK > aTxjgASxqHhzkx7PkOnL4JrN+Q== > MIC-Info: RSA-MD5,RSA, > BeMb0/+U7Gnp8Xx2J5GUFwFI2hLb0giw65Y+HudXPvuSMDdeBToKOQXkR/HvyvKr > kM+gtqWFV3Q/2xKS6iIeYRc= > > > -----BEGIN PGP SIGNED MESSAGE----- And then there's the part about it being ugly as sin for people with non-crypto-aware clients, and a performance hit for people with clients that are crypto-aware. -rich From alano at teleport.com Wed Jul 3 20:25:22 1996 From: alano at teleport.com (Alan Olsen) Date: Thu, 4 Jul 1996 11:25:22 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port Message-ID: <2.2.32.19960704003011.00f3be94@mail.teleport.com> At 06:58 PM 7/3/96 -0400, Mark M. wrote: >> I've wondered .. could a creative child circumvent these filter programs >> using a URL-redirecter, like where you see something like >> http://www.one.site.com/cgi-bin/rd?http://www.porno-site.com/ >> or are they not URL-based? > >If the child is creative enough, he will be able to boot DOS from a bootdisk >and remove the line from config.sys that starts up the filtering software. Or just remark it out and reboot. Or does the filtering software make it so they cannot use an editor as well...? Sounds like a pretty easy thing to bypass given a small amount of clues. (Makes me wonder how the usually clueless parents are going to block access to their kids who usually understand the technology better than they do.) --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon "Microsoft -- Nothing but NT promises." From mix-admin at nym.alias.net Wed Jul 3 20:35:33 1996 From: mix-admin at nym.alias.net (lcs Remailer Administrator) Date: Thu, 4 Jul 1996 11:35:33 +0800 Subject: Wanted: NNTP posting access for remailers Message-ID: <199607040046.UAA04545@anon.lcs.mit.edu> -----BEGIN PGP SIGNED MESSAGE----- Would anyone out there be willing to give NNTP posting or transfer privileges to anon.lcs.mit.edu? Because of recent spams through mail2news at anon.lcs.mit.edu, I may loose my news posting privileges to the news server I have been using. Though I try to resolve all complaints I receive, other complaints have been sent to other postmasters in the domain, who don't seem to want to hear about these problems. If you run a news server and would like to help people posting anonymous messages, please consider allowing posts from mail2news at anon.lcs.mit.edu. Ideally you would also be in a position to receive mail at some of the relevant postmaster aliases in your domain, and would not mind forwarding misdirected complaints to me so that I can deal with them. Alternatively, if you are willing to give me "IHAVE" priviliges, I can possibly set things up with an initial "Path:" header that guarantees most complaints will go directly to me. Thanks, - -mix-admin at anon.lcs.mit.edu -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQCVAwUBMdsT70TBtHVi58fRAQHQ0QP/U3Jn7sL9+k3aUr+qw4WdDxef/lIeu3xO BwdO8zlNPavJgbxuunR81n011jGy80l7qnc+DpvtuEEQqszLMcMO/4zHw/VfVOY8 08nxE8+IkF/FE66vJdnU7O3I1mIjtbF8ixcm9FOwqoehSLJB40tXy6wu6KV663TQ fmy/Gz5XDe8= =Gp4D -----END PGP SIGNATURE----- From attila at primenet.com Wed Jul 3 21:05:37 1996 From: attila at primenet.com (attila) Date: Thu, 4 Jul 1996 12:05:37 +0800 Subject: WSJ: Cable Ruling may Portend Internet Regulation Message-ID: <199607040046.RAA08830@primenet.com> WSJ 01 Jul 96 Cable Ruling May Portend Internet Content Restrictions What looks at first glance like a Supreme Court victory for free expression in cable television could turn out to be a First Amendment quagmire encouraging restrictions on the Internet. That's the view some constitutional experts are taking of a high court ruling Friday that struck down parts of a 1992 law designed to curb "indecent" programming on cable channels leased to local groups or set aside for the public. "It's a sweeping victory for legitimate First Amendment expression," declared Michael Greenberger, one of the attorneys who represented public-access cable producers who challenged the law. Conservative advocates on the other side of the case also claimed victory because one part of the law was preserved. "American families fighting to shelter young children from cable-television pornography won a major battle today as the Supreme Court upheld the right of private cable operators to screen pornographic programs," said Cathy Cleaver, director of legal studies at the Family Research Council. But some liberals were less sanguine. The ruling "tastes sweet at first," said Prof. Laurence Tribe of Harvard Law School, "but it turns out to be a sugar-coated poison pill for the First Amendment." He argued that the reasoning in the court's main opinion, written by Justice Stephen Breyer, was highly cautious and pragmatic rather than sweeping. This approach could be used to permit aggressive regulation of the Internet if the government can show that the global computer network gives children access to indecent material, meaning material that depicts sexual activities or organs in a "patently offensive" way. The Supreme Court produced six opinions but not one that commanded a majority; the vote counts were 6-3 and 5-4 to strike down two of the cable restrictions at issue, and 7-2 to uphold a third. In a separate case last month, a special federal court in Philadelphia invalidated key parts of a 1996 law aimed at curbing indecent material on the Internet. The Clinton administration last week said it would appeal that ruling to the Supreme Court. The Philadelphia court relied on ringing First Amendment rhetoric to decry government interference with the Internet. Justice Breyer's opinion on Friday was strikingly different in tone and method. He took great pains to underscore the seriousness of the government's concern about exposing children to adult programming and explicitly rejected the sort of categorical legal analysis that looks with great skepticism at any restriction on the content of programming. The trio of provisions at issue in the case were pushed by Republican Sen. Jesse Helms of North Carolina as last-minute amendments to a broader 1992 cable-regulation bill. They authorized cable-system operators to prohibit indecent programming on leased channels and public access stations reserved for educational and governmental use. If an operator chose to allow indecent programming on leased channels, the Helms amendments required the operator to "segregate" such programming from other offerings, block it and provide it only to customers who requested it in writing. Supporters of the legislation said they were targeting leased-access programs in New York and elsewhere that feature hard-core pornography. The Supreme Court case arose from lawsuits filed by community-access programmers who argued that the law would ban legitimate shows on sex education, abortion and other topics that could be defined as indecent. (In the legal lexicon, indecent material receives some First Amendment protection, whereas "obscene" material, defined as that which lacks any social or artistic value, doesn't.) In Friday's ruling, the high court by a 7-2 vote upheld a provision that encourages -- but doesn't require -- cable operators to prohibit indecent programming on leased access channels. There is plenty of evidence on those channels of pornographic material that lacks social merit and should be kept away from children, Justice Breyer said. The provision isn't overly broad, he added. Adults seeking racy shows can look to the larger commercial cable channels, where they are plentiful. By a 6-3 vote, however, the court struck down the provision that requires operators who choose to allow indecent programming to block it for all but those viewers who request it in writing. Justice Breyer questioned the need to force customers to disclose their viewing appetites, and he asserted that other, less intrusive means exist to tailor dissemination of adult material if it is to be provided. As examples, he pointed to a recently enacted requirement that commercial cable operators "scramble" or block stations dedicated to sexual material and another that obliges television manufacturers to install "V-chips" in televisions that can automatically identify and block sexual or violent programming. (The high court didn't rule formally on the constitutionality of these devices.) Finally, by a 5-4 margin, the court struck down a measure that encourages cable operators to ban indecent material on public-access stations. There isn't much, if any, indecency on these channels, but the law threatens to cause censorship of controversial shows on health, politics and art, Justice Breyer said. Daniel Brenner, a lawyer with the National Cable Television association, said the group was pleased overall with the ruling because it left operators "with the ability to protect our customers as to leased access. We wish it had done the same for public access." The Federal Communications Commission, which had defended the Helms amendments, managed to find something to celebrate as well. The decision "reaffirms that the Supreme Court believes that caring about what kids see on television is a compelling government interest, and there are constitutionally permissible ways for government to act to protect kids," said FCC Chairman Reed Hundt. He added that the ruling "is also significant because it confirms that the government's definition of "indecency" is not unconstitutionally vague." Only Justices John Paul Stevens and David Souter joined the Breyer opinion in full. Justice Sandra Day O'Connor dissented in part. Justices Anthony Kennedy and Ruth Bader Ginsburg would have struck down all of the challenged law. The court's most conservative wing -- Chief Justice William Rehnquist and Justices Antonin Scalia and Clarence Thomas -- would have upheld the entire law. Contractors' Speech In a pair of other First Amendment cases, the high court ruled 7-2 that independent government contractors can't be fired for expressing their views on public issues or for supporting the wrong candidate. In cases from Illinois and Kansas, the court said that contractors have roughly the same free-speech rights as public employees. Justice Scalia, joined by Justice Thomas, dissented from both decisions. "Favoritism," he wrote, "happens all the time in political life, and no one has ever thought that it violated -- of all things -- the First Amendment to the Constitution of the United States." (Wabaunsee County, Kansas vs. Umbehr, O'Hare Truck Service Inc. vs. City of Northlake, Ill.) -- Fuck off, Uncle Sam. Cyberspace is where democracy lives! From snow at smoke.suba.com Wed Jul 3 21:28:22 1996 From: snow at smoke.suba.com (snow) Date: Thu, 4 Jul 1996 12:28:22 +0800 Subject: Net and Terrorism. In-Reply-To: Message-ID: On Tue, 2 Jul 1996, Timothy C. May wrote: > At 6:58 AM 7/2/96, snow wrote: > >T.C. May wrote: > >Can anything be done? To stop the likely effects of lots more > >surface-to-air missiles, lots more nerve gas available on the black market, > >and so on? > >In a word, "no." > >/* > > I disagree. Terrorism, political terrorism is fear. There are ways to > >protect military targets that are quite cost effective, unfortunately they > >are politically unpopular. (What just happend in Saudi is on my mind. > >STUPID military commanders getting the same pie in the face time and time > >again. There is NOTHING so unchanging as the military mind set.) > > Well, attacks on military targets are almost, by definition, not > "terrorism." (I'll spare the list a debate about the semantics; U.S. > journalists tend to refer to anything done to "us" as "terrorism," whether > the target is military or civilian.) I think a clear line can be established between terrorist incidents and battles/fights/raids/attacks carried out by other "legitimate" troops or guerilla fighters. Military troops can best be protected by 3 seperate methods: 1) Don't put them in situations were they are targets for terrorism abroad. Soldiers and Marines exist to elivate the ENEMIES body counts, not ours. By putting troops trained to fight in defensive passive positions you are exposing them to terrorist attacks, and ruining their combat reflexes. 2) When they _are_ exposed, let them fight the fuck back. Rules of engagment are simple. When fired on, shoot to kill. If the shot comes from a building, take out the building. If from a crowd, well, do you best, but _get the shooter_. 3) Again when operating in a potentially deadly enviroment, follow the standard anti-terrorist rules. Vary your routines, don't bunch up, Be unpredictable. None of these were done in the Saudi blast, Nor where they done in Beruit 12 years ago. > The focus of my comments was really on civilian or non-military targets. > (Including destruction of government buildings, maybe. I'm not sure whether > the Oklahoma City bombing and the recent Phoenix/Viper Militia case is > "terrorism" in a formal sense, or counter-government action, but my point > is that such things are likely to be happen.) IMO the Ok. bombing was a terrorist attack. The attack was carried out by a civilian (in the sense that he was not acting as a part of any government, official or otherwise and not wearing a uniform etc.) > >Civilian targets are harder to protect, but certain steps can be > >taken to lessen chances of a sucessful attack. > Sure, any particular "soft target" can be hardened to some extent. But not > all of them, and even harder sites can be reached. This is left as an > exercise for the reader. > (Hint: The Japanese cult's Sarin gas attack on the subways...there are tens > of thousands of comparable targets in the U.S. alone. Look around, and ask > what it would take to harden each one. A minor cryptographic connection is > that hardening N of M sites makes the remaining M - N sites all the more > tempting.) I kinda mis-spoke. The way I should have put it was: Steps can be taken to make attacks less likely, and to make it easier to capture the individuals responcible afterwords. Think about it. Why have we had so little terrorism in this country? This is one of the most diverse countries in the world, we allow damn near anyone breathing into this country, yet we have much less terrorism than does England, France, Germany etc. Why? IMO It is opportunity. Maybe everyone who emigrates here doesn't get rich, but they are almost _all_ better off than in their original countries. By keeping this country as free as possible, and allowing the free exchange of ideas, not jailing (too many) people for political/religious opnions you at least give the appearance that they can change things w/out killing things and breaking people. This makes it much harder for the potential terrs. to get the financial backing. It also reduces sympathy for them in the community. IMO as long as people have the illusion of freedom and upwards mobility coupled with the ability to pray to the stupidity of their choice things will maintain an even keel in this country. You will have the occasional UniBomber, but I don't think you will get anything like that Japanese Cult w/sarin. Then again we have come close. > >Another method, and this would be very unpopular (and > >hypocritical of the US) would be simply to announce that we (the Country) > >are going to hold the _manufacturing_ nation responcible for the use of > >weapons of mass destruction. So if Soviet Nerve Gas is used, we gas a > >city in the Soviet Union. MAD carried to a lower level. > You are essentially making my point, that the biggest danger of the current > responses to terrorism is that nations will turn to national terrorism and > police state tactics. I missed that in your original post. > >A third option is quite simply to buy as much of it as possible. > No, wouldn't work. As with the "War on (Some) Drugs," all this does is > raise the price a bit, actually making it a more tempting market for many > to get into. If the US were to offer Russia $3 billion (or whatever) in a one time take it or leave it for their entire chemical weapon stock, it might get the soviet shit off the market. The nuclear stuff is a little easier to store (I think) and it would be a harder sell. I agree tho' that it isn't possible to buy out the market. Petro, Christopher C. petro at suba.com snow at crash.suba.com From adam at homeport.org Wed Jul 3 21:33:00 1996 From: adam at homeport.org (Adam Shostack) Date: Thu, 4 Jul 1996 12:33:00 +0800 Subject: Computer-Aided Revolution In-Reply-To: <199607032257.PAA16812@mail.pacifier.com> Message-ID: <199607040148.UAA04518@homeport.org> xntp (extended network time protocol) can be accurate to a few tenths of a second over a serial link, possibly better. It can get to thousandths or better over an ethernet. GPS can also provide a very accurate time signal (about $300 for the hardware, which is becoming relatively common.) Adam jim bell wrote: | I've thought of an application for a "revolutionary" program for peaceful | protest, but one that requires that a substantial number (1000) of people | have access to computer time synchronized to 1 second, ideally 0.1 second. | How good would a time sync over the net typically be? | | Jim Bell | jimbell at pacifier.com | -- "It is seldom that liberty of any kind is lost all at once." -Hume From wb8foz at nrk.com Wed Jul 3 21:37:14 1996 From: wb8foz at nrk.com (David Lesher) Date: Thu, 4 Jul 1996 12:37:14 +0800 Subject: Lack of PGP signatures In-Reply-To: <2.2.32.19960703220436.00e93fe8@mail.teleport.com> Message-ID: <199607040145.VAA05041@nrk.com> > I am wondering why there is not a signing option that ignores all > non-printing characters. Might fix some of these problems... (Can anyone > think of a reason this would be a "Bad Thing(tm)"?) Moving spaces could change meaning on a legal doc. A nonsense example is the alt.folklore.urbane "cow orker" tag... -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From snow at smoke.suba.com Wed Jul 3 21:55:30 1996 From: snow at smoke.suba.com (snow) Date: Thu, 4 Jul 1996 12:55:30 +0800 Subject: Net and Terrorism. In-Reply-To: Message-ID: On Wed, 3 Jul 1996, Timothy C. May wrote: > At 9:13 PM 7/2/96, snow wrote: > >On Tue, 2 Jul 1996, snow wrote: > >> Gain control of the power grid (I don't know how possible this is) > > Ummm... Just in case anyone is thinking it right now, NO, I > >didn't. If this outage was deliberate, I had nothing to do with it. I was > >just postulating possibilities. > Hmmhhh....I post about the "Net and Terrorism" on Sunday, and the Viper > Militia and their plans to blow up several courthouses in Phoenix are > revealed a few hours later....Snow posts about using computers to knock out > the power grid, and a few hours later power goes out over 15 western > states.... > Coincidence? I think not. > But we can test this hypothesis: > "Alien spaceship images will appear in thousands of darkened rooms and will > trigger mass hysteria." I mentioned this to my wife. Her reply: "I think mass hysteria already exists". Petro, Christopher C. petro at suba.com snow at crash.suba.com From snow at smoke.suba.com Wed Jul 3 21:59:24 1996 From: snow at smoke.suba.com (snow) Date: Thu, 4 Jul 1996 12:59:24 +0800 Subject: The Net and Terrorism In-Reply-To: <2.2.32.19960703005232.009d18e4@labg30> Message-ID: On Tue, 2 Jul 1996, John Deters wrote: > At 03:44 PM 6/30/96 -0700, you wrote: > >in reality. it seems to me no nation-state has ever experimented with > >trying to take away the root causes of violence and discontent. > But here in the U.S., we ARE trying to take them away via the educational > system. About the only thing we can effectively do is to provide more > educational opportunities that denounce violence, racism, hate crimes, etc. > However, you cannot eliminate discontent without eliminating greed; which is > simply not possible. Bullshit. The root causes of violence and discontent are not persistent "us against themism". The root causes are situation dependent, but would fall into 3 areas: 1) boredom. 2) lack (of food, housing, land, etc. Also includes perceived lack) 3) Response to the perceived threat against the 2). It is my opnion that the education system in this county is a breeding ground for violence and discontent for in several ways: 1) By almost totally failing to prepare students for "Real Life" while at the same time telling them what wonderful intelligent humans they are, it sets them up for 1 & 2 above. 2) Given the revisionist teachings often presented in schools, and the current practice of "blame the white man", certain ignorant (see 1) individuals feel threatened leading to 3 above. As I said in an earilier post, IMO one of the things that has kept the levels of terrorism down in this country (unless you count things like the KKK as terrorism...just thought of that hmmmm...again caused by the 1 & 3 as well as occasionaly 2 above). > The countries that sponsor terrorists have not been noted for their > successful educational systems. And they certainly are not going to listen > to Western discussions on how best to solve their "problems". They have also not been known for their freedoms. The USSR supposedly exprted quite a bit of terrorism, especially by proxie. They have a decent educational system, but free thought is discouraged. > My point here is that this behavior is explicitly protected by the Bill of > Rights. > So, do you not accept that we have the environment right here that can breed > violence and discontent? > For the most part, I see kids today being educated with much less "hatred" > than even my age group was brought up with (I'm 34). We're moving in the > right direction by incorporating diversity in education, entertainment and > the workplace, but we can never hope to erase it all. And if even one > person retains the seed of violence, they can employ the "warfare of the > weak" -- terrorism. Agreed. > psychological profiles of people who commit acts of terror. > >the "problem" of terrorism will be solved when we take the view > >that insanity and violence is *not* > >a natural aspect of human behavior (as TCM tends to suggest), I'd say they _are_ natural. It is natural and healthy to act violently at times, and insanity is simply a broken [mind brain] shit happends. > >and that > >there are specific environmental conditions that breed it. like > >malaria, if you take away the swamplike breeding grounds, you will > >largely remove it. such a thing is a radical hypothesis, but one that > >nonetheless has never really been tested in practice. > As I said above, we can reduce some of the breeding grounds, but we can not > eradicate them all. And if one were to conduct a study correlating racist > attitudes with education with numbers of acts of terror, we might find a > direct correlation. I doubt it. THere are quite a few well educated racists. > away. The point of Tim's essay was that, yes, the net can be used by the > evil monsters, and yes, the evil monsters are here, and no, the evil > monsters are not going away any time soon. Why did you feel it necessary to > try to slam his fairly well-researched and quite obvious conclusion? The monsters are in our heads. They are us. Petro, Christopher C. petro at suba.com snow at crash.suba.com From drosoff at arc.unm.edu Wed Jul 3 22:11:00 1996 From: drosoff at arc.unm.edu (David Rosoff) Date: Thu, 4 Jul 1996 13:11:00 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port Message-ID: <1.5.4.16.19960704020949.330fe182@arc.unm.edu> -----BEGIN PGP SIGNED MESSAGE----- At 05.30 PM 7/3/96 -0700, Alan Olsen wrote: >At 06:58 PM 7/3/96 -0400, Mark M. wrote: >>If the child is creative enough, he will be able to boot DOS from a bootdisk >>and remove the line from config.sys that starts up the filtering software. >Or just remark it out and reboot. Or does the filtering software make it so >they cannot use an editor as well...? > >Sounds like a pretty easy thing to bypass given a small amount of clues. >(Makes me wonder how the usually clueless parents are going to block access >to their kids who usually understand the technology better than they do.) It would not have stopped me. =============================================================================== David Rosoff (nihongo o sukoshi dekiru) ----------------> drosoff at arc.unm.edu For PGP key 0xD37692F9, finger drosoff at acoma.arc.unm.edu 0xD37692F9 Key fingerprint = 25 7D AA 01 85 41 43 89 50 5A 33 76 F1 F1 99 67 Do you know who's reading your email? ---> http://www.arc.unm.edu/~drosoff/pgp/ Anonymous ok, PGP ok. If it's not PGP-signed, you know that I didn't write it. === === === === === === === === === === === === === === === === === === === === "Truth is stranger than fiction, especially when truth is being defined by the O.J. Simpson Defense Team." -Dave Barry -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMdsleRguzHDTdpL5AQGYYQQAirqoel38eJrNBo17WKYlKZ5SYT8n+4dM Uil2vBHosxIOdGo8vmarHoxVALF7L31wXbFJ6pdv7p/qHAMvzDW3RetJQhDAc42P lZY0qMnRonoA6tKQbTcx8zkoRevGBEzTjxkVUyfRDHJCez7U42Mlvif728Faj4Dg 9ceqFYutAjU= =/cfm -----END PGP SIGNATURE----- From unicorn at schloss.li Wed Jul 3 22:25:16 1996 From: unicorn at schloss.li (Black Unicorn) Date: Thu, 4 Jul 1996 13:25:16 +0800 Subject: What remains to be done. Message-ID: Because I am not myself much of a programer, and because I have to find excuses to feel useful, I thought I would annoy everyone with my ideas about where c'punks might want to direct their efforts at encryption development. Of course any suggestion at direction tends to require a disclosure of the assumptions one is working from. The following are mine: 1. The most interesting crypto uses and implementations seem to come from grassroots programers, not large organizations. Remailers, PGP, Curve Encrypt, Private Idaho, mixmaster, premail, and magic money all were the results of "grassroots" efforts. None of these have been produced from massive corporate R and D programs, and most have been the result of predominately a single programmer's efforts. 2. The most useful crypto applications out there have tended to survive by using crypto that looks forward, not to the past, or the present. This is generally manifest in the inclusion or easy use of multiple methods. Zimmerman's selection of IDEA over DES, PGP's multiple key sizes, Curve Encrypt's 3DES/IDEA option, are all examples of an effort to design systems which will be useful tommorow, not just today. PGPlib seems to pick up this trend where PGP 2.x went awry. 3. In so far as proliferation is important, the impact of crypto applications and implementations is directly tied to ease of use. If PGP has failings, one must be that it can be immensely intimidating to the novice. 4. Increasingly cryptography is defying attempts at conventional regulation. 5. #4 will eventually spur sovereigns to rather drastic methods to defy #4. 6. Secure Communications, and transparent crypto are a Good Thing. Assuming the above, I think it is apparent that crypto development should be focused on a few general points and a few key areas. As to general points, I think the clear concentrations include: A. Increasing the ease of use. Perhaps I should have put this as #1, because really among those things which I suggest in this post, I think this is of primary importance. It cannot be stressed enough that encryption must be transparent, easy to use, but at the same time make its presence just apparent enough to encourage its use, and to make users note its absence. Crypto will have its most significant impact, its most liberating results, and be self assuring only to the extent that it is not a novelty, but an assumption. Please, authors, coderpunks, make crypto easy to use, but flexible enough so that adept and expert users can modify functional aspects. (Key generation, key size, exponent size, algorithm selection, level of verbosity and suchlike should find their way into an expert menu somewhere). B. Multiple encryption method support/larger key sizes. While I may be more paranoid than some, or even most, I think it is crucial to provide for the possibility that strong encryption may one day face a total ban in more countries. To avoid the chilling effect that this would certainly have on development, it is of key importance to permit applications and implementations to nexus with several methods, and to allow what may today seem like extrodinarily large key sizes. (256 bits would not be unreasonable in my view, particularly so where the user was given the option of selecting a ~128 or so bit method like IDEA or 3DES at their option (consistent with A. above). C. Anonymous communication. I'm not sure this needs much explanation. D. True stego. Today it is a simple matter to identify encrypted traffic. This is the key flaw in what I will call (at risk of sounding like a white paper) the NEI (National Encryption Infrastructure). It subjects users to very effective and easy to implement traffic analysis. While I understand the temptation to use checksum like methods to speed the key checking process, at some point I am of the view that this convenience will come back to haunt crypto. Given these areas, what specific applications might be the best to look into for the grassroots crypto advocate/coder? A. Methods to run secure websites on insecure servers. A thread on 'punks last month, I am of the view that local decryption of web pages is essential to the development of coercion free web pages. Estlablishing a truely secure web page today requires the server to be extra-terratorial, in a secure physical location, and requires such lengths to defeat traffic analysis (which lengths must be applied to the actual network logistics, rather than the software logistics) so as to be impractical to all but institutional resources. The best effort I have seen is in European Union Bank (www.eub.com) or (www.eub.net) [neither of which I recommend you use for deposits] and it still falls quite short. A software solution which permits local decryption makes traffic analysis less useful, presents the opportunity to use front end and disposable www pages on domestic ISPs while imposing no liability on the ISP itself, and opens several more effective traffic analysis deterants. Ideally, both web proxies (for servers as well as clients) and local decryption will be written allowing both server and user a degree of double blind operation as well as easy disposability of front ends. A Netscape plugin for local decryption of web pages and proxy forwarding of WWW form submissions to the server is a MUST. Is anyone considering work on these? B. More effective message pools. Really this is the only practical and most effective method to defeat traffic analysis of e-mail communications. Why do you think it is that informants always communicate with the FBI in the classified ads? This has been discussed again and again, yet I am aware of no serious effort to construct an effective server or client to implement it more effectively than USENET (which seems to be hopelessly slow and prone to drop postings regularly) I am encouraged by the new mixmaster model, but I have yet to read the entire abstract carefully. If the goal is, as I believe it should be, to make encryption accessible and understood by, if not everyman and joe sixpack, joe digitalsixpack, then it strikes me that the focus should be on WWW browsers and servers, (Netscape like material), popular mailing programs (Eudora), and the building blocks of the network, the point of origin, and the point of final destination. Point to point, grassroots plug ins to existing de facto standards, and ease of use, ease of use, ease of use. cypherpunks write code. Call me "half a cypherpunk" -- I hate lightning. (unicorn at schloss.li) From alano at teleport.com Wed Jul 3 22:30:52 1996 From: alano at teleport.com (Alan Olsen) Date: Thu, 4 Jul 1996 13:30:52 +0800 Subject: Lack of PGP signatures Message-ID: <2.2.32.19960704022445.00e26020@mail.teleport.com> At 09:45 PM 7/3/96 -0400, David Lesher wrote: >> I am wondering why there is not a signing option that ignores all >> non-printing characters. Might fix some of these problems... (Can anyone >> think of a reason this would be a "Bad Thing(tm)"?) > >Moving spaces could change meaning on a legal doc. > >A nonsense example is the alt.folklore.urbane "cow orker" tag... I was thinking of carriage return/line feed combinations... Spaces are obvious and print. I was thinking of non-printing characters that are non-obivious when inserted. --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon "Microsoft -- Nothing but NT promises." From tcmay at got.net Wed Jul 3 22:40:01 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 4 Jul 1996 13:40:01 +0800 Subject: The Net and Terrorism Message-ID: At 8:35 PM 7/3/96, Vladimir Z. Nuri wrote: >TCM breaks a longstanding personal policy of never replying >to my posts directly. (well, thanks.) realize that my >speculation on his position is largely associated with the >vacuum of his continually refusing to discuss key points of his >essays. Check your mail logs, Larry, as I've replied to a couple of your posts in the last several months. True, I delete most of your posts after glancing at them briefly, but I do this with a lot of posts and posters. >imagine that all the palestinians had good paying jobs, for example. >how many of them would be into rock-throwing and terrorism? of course their >own attitudes make such a thing very difficult. they may not have any >skills or reject a job even if offered one. I'm not saying such a thing >is easy. the fact that it is so elusive is proof of how difficult such >a thing is. Your point being? After all, nothing we can do will give the Palestinians such jobs...visit the Middle East and see the quagmire. Too many points to make here, and I don't plan to debate utopian ideologies about making the world a land of milk and honey. (I will tell you that there are relatively few "good paying jobs" anywhere in the Arab world--look at the poverty of Egypt, Yemen, Sudan, Morocco, and so on. Note that these countries are not directly involved in the Israeli-Palestinian dispute, and yet not a single one of these countries has so much as a primitive electronics production facility, let alone true high tech facilities such as Israel has. You may want to wave a magic wand and say "Yeah, but what if they did have such jobs?," but this is pure fantasy, and not something I plan to waste time debunking.) >I do NOT believe that living in the world is a zero-sum game as you >seem to suggest. your use of the term is very compelling. do you >believe human life is always at the expense of other human life? I made no such claims about the world being a zero-sum game. (I made references to game theory, and used the term "game-theoretic," but this is not at all the same thing as asserting anything about zero sum games! I never mentioned zero sum games, positive sum games, or anything at all about sums. You are carelessly setting up straw men and then knocking them down.) No real point in wading through the rest of your ramblings. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Wed Jul 3 22:50:55 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 4 Jul 1996 13:50:55 +0800 Subject: Net and Terrorism. Message-ID: At 12:14 AM 7/4/96, snow wrote: > Military troops can best be protected by 3 seperate methods: > 2) When they _are_ exposed, let them fight the fuck back. Rules of > engagment are simple. When fired on, shoot to kill. If the shot > comes from a building, take out the building. If from a crowd, ^^^^^^^^^^^^^^^^^^^^^^ "Colonel, the mission was accomplished. Apparently the sniper was firing from the 34th floor, so we simply took out the building. There was minor collateral damage, of course." Such overreaction to terrorist events is often precisely what a terrorist wants, as I've explained a couple of times. >> You are essentially making my point, that the biggest danger of the current >> responses to terrorism is that nations will turn to national terrorism and >> police state tactics. > > I missed that in your original post. Well, go back and look for it. The clear point of my post was that the U.S. should not adopt police state measures so as to reduce terrorism. >> >A third option is quite simply to buy as much of it as possible. >> No, wouldn't work. As with the "War on (Some) Drugs," all this does is >> raise the price a bit, actually making it a more tempting market for many >> to get into. > > If the US were to offer Russia $3 billion (or whatever) >in a one time take it or leave it for their entire chemical weapon stock, >it might get the soviet shit off the market. The nuclear stuff is a little >easier to store (I think) and it would be a harder sell. As with "buying out" the coca crop in Peru, the poppy crop in Turkey, the marijuana crop in the dozens of countries, etc., their motto is, obviously enough, "we'll make more." Again, the Sarin attack in Tokyo had nothing to do with former U.S.S.R. CBW weapons. Chemical and biological agents are cheap to make, especially in the quanties needed to kill only a few thousand people, and in the non-battlefield delivery environment. > I agree tho' that it isn't possible to buy out the market. Then why do you float ideas such as buying out the Soviet arsenal if you think it isn't possible? --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From fair at clock.org Wed Jul 3 23:03:48 1996 From: fair at clock.org (Erik E. Fair (Time Keeper)) Date: Thu, 4 Jul 1996 14:03:48 +0800 Subject: blocking software & brock meeks Message-ID: Vladimir, I agree with you in general, however, Brock and Declan have a point to make too: these companies need to differentiate themselves based on two things: 1. basic philosophy of filtering (why they filter what they filter). 2. diligence in keeping up their databases. Brock & Declan are right to expose the basic filtering philosophies of the different companies, so that those of us who may wish to avail ourselves their services know exactly what we're getting (or rather, not getting). In the end, the market will choose between the simple "no porn" philosophy (for whatever your definition is of that), and the "christian family values approved by the christian coalition" philosophy (with, one hopes, a whole lot of other points on the spectrum in the middle). However, the consumers cannot make this choice absent the information; Brock & Declan have done everyone a service by shining some light on this. What I'm surprised about is that these companies apparently aren't already trumpeting their philosophies of filtering themselves. The principle differentiator for this market is not the software - there really aren't that many ways to filter this stuff, and these companies ought to share their techniques in that area so that they can all be more effective and thus serve their customers better. The real differentiator is what's in their databases, which (one presumes) is driven by each of their philosophies of what is "harmful" to minors. One wonders if these companies might be embarassed to actually take a public position on this burning issue: just exactly what *is* "harmful" to minors? Personally, I fail to see how they can avoid it - it is the essence of their entire business. Erik Fair From steve at miranova.com Wed Jul 3 23:12:36 1996 From: steve at miranova.com (Steven L Baur) Date: Thu, 4 Jul 1996 14:12:36 +0800 Subject: Lack of PGP signatures In-Reply-To: Message-ID: >>>>> "Rich" == Rich Graves writes: Rich> On Wed, 3 Jul 1996, Charles Watt wrote: >> -----BEGIN PRIVACY-ENHANCED MESSAGE----- Rich> And then there's the part about it being ugly as sin ... (defun gnus-article-hide-pem (&optional arg) "Toggle hiding of any PEM headers and signatures in the current article. If given a negative prefix, always show; if given a positive prefix, always hide. Adapted from gnus-article-hide-pgp." (interactive (gnus-hidden-arg)) (unless (gnus-article-check-hidden-text 'pem arg) (save-excursion (set-buffer gnus-article-buffer) (let ((props (nconc (list 'gnus-type 'pem) gnus-hidden-properties)) buffer-read-only end) (widen) (goto-char (point-min)) ;; hide the horrendously ugly "header". (and (search-forward "\n-----BEGIN PRIVACY-ENHANCED MESSAGE-----\n" nil t) (setq end (1+ (match-beginning 0))) (gnus-hide-text end (if (search-forward "\n\n" nil t) (match-end 0) (point-max)) props)) ;; hide the trailer as well (and (search-forward "\n-----END PRIVACY-ENHANCED MESSAGE-----\n" nil t) (gnus-hide-text (match-beginning 0) (match-end 0) props)))))) -- steve at miranova.com baur Unsolicited commercial e-mail will be proofread for $250/hour. Andrea Seastrand: For your vote on the Telecom bill, I will vote for anyone except you in November. From JMKELSEY at delphi.com Wed Jul 3 23:15:30 1996 From: JMKELSEY at delphi.com (JMKELSEY at delphi.com) Date: Thu, 4 Jul 1996 14:15:30 +0800 Subject: anonymous remailers Message-ID: <01I6NJC6YZES91X6WG@delphi.com> -----BEGIN PGP SIGNED MESSAGE----- [ To: Cypherpunks ## Date: 07/02/96 03:36 pm ## Subject: Re: anonymous mailing lists ] >Date: Sat, 29 Jun 1996 09:40:51 -0700 >From: Hal >Subject: Re: anonymous mailing lists >Wei Dai did some nice statistical analysis of this type of attack >sometime a year or two ago. Even with countermeasures such as you >suggest, if they are not perfect, so some information leaks correlating >incoming and outgoing messages, Wei showed that it was possible to >deduce the owners of the nyms surprisingly quickly. Yes, this makes sense. As I said before, this is related to the way timing attacks work. A little correlation that shouldn't be there, over many messages, turns out to be enough to unravel a lot of information. >The countermeasures do work - if you get and send exactly 50 pieces of >4K byte email every day, no matter what, then correlations don't exist >- but they are expensive to do perfectly. At the very least, this is susceptible to a flooding attack. At any rate, this is analogous to the fixed-delay solution to timing attacks. (Make all PK operations with long-term secret keys take the same amount of time.) Unfortunately, I can't see a solution to this that's analogous to blinding out the values in the timing attacks. >Hal Note: Please respond via e-mail as well as or instead of posting, as I get CP-LITE instead of the whole list. --John Kelsey, jmkelsey at delphi.com / kelsey at counterpane.com PGP 2.6 fingerprint = 4FE2 F421 100F BB0A 03D1 FE06 A435 7E36 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMds0LUHx57Ag8goBAQHPeQP+JH4b7bJCLW3ttqQ+v0XzEcbCaeOg9LqR e+xuaLx2AjCx5N+V2q3xeJTAldfZZ5YFwCUq3KgpnBAbDvJ1my0hCGmKj+1uXQTp SFSciq5oItMo2kwncbez2RaN/0aqcDSOGnc4ddfO4Ur7H7k+aLOQuaAUvcvDpV1p C8up+1PSPW0= =60Zh -----END PGP SIGNATURE----- From JMKELSEY at delphi.com Wed Jul 3 23:29:05 1996 From: JMKELSEY at delphi.com (JMKELSEY at delphi.com) Date: Thu, 4 Jul 1996 14:29:05 +0800 Subject: anonymous remailers Message-ID: <01I6NJCHTC8Q91X6WG@delphi.com> -----BEGIN PGP SIGNED MESSAGE----- [ To: cypherpunks ## Date: 07/02/96 03:35 pm ## Subject: Re: anonymous mailing lists ] >Date: Fri, 28 Jun 1996 23:04:28 -0500 (CDT) >From: ichudov at algebra.com (Igor Chudov @ home) >Subject: Re: anonymous mailing lists >How about this attack: suppose I want to find out who hides behind >an alias MightyPig at alpha.c2.org and I have the ability to monitor >all internet traffic. Then I simply start mailbombing that address >and see whose account gets unusually high traffic volume. Yes. This is a simpler version. The advantage of the attack I was describing over this attack is that an attacker doesn't have to know how to send messages to the recipient--just where the stream of messages is originating. >A nice, albeit quite expensive, way of pretection from traffic analysis >is to create a mailing list (or a newsgroup) and forward all messages to >all users of that mailing list or newsgroup. Of course, since messages >are encrypted, only the recipients will be able to decrypt them. The flaw here is that only a small number of people will be willing to plow through any volume of messages at all, in order to occasionally get a single readable message. There are also some potential problems with giving the right recipient a cheap way to determine whether or not this message is for him, without giving anyone else a cheap way to determine this. (An application for ``Rabin for Paranoids,'' anyone?) >This way the list of suspects is all subscribers of that list or >newsgroup and there is no way to discriminate them. If this is a small enough group, that may still be a problem. And the bandwidth and processing requirements are probably enough to ensure that it's a small group. >Instead of having messages to be sent to all recipients all the time, >alpha.c2.org may be programmed so that it sends out every message not to >only one recipient X, but to X and 20 other randomly selected people. This makes the attack only a little harder. If the other 20 are selected randomly, then for a stream of many messages, only one recipient will correlate properly with sender volume and timing. If it's the same 20 every time for a given receiver, then the attacker will be able to narrow the recipient down to 20 people. At that point, he can use other techniques (wiretaps, black-bag jobs, TEMPEST attacks, etc.) to make his final determination. > - Igor. Note: Please respond via e-mail as well as or instead of posting, as I get CP-LITE instead of the whole list. --John Kelsey, jmkelsey at delphi.com / kelsey at counterpane.com PGP 2.6 fingerprint = 4FE2 F421 100F BB0A 03D1 FE06 A435 7E36 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMds0OUHx57Ag8goBAQFE8QP/ZWBP32mg2xdkcUrloFwruW+4L1bgY+Uk CEGxngqarxQxTNAckF0vOzpbS5gtjrs6dlEOFIQGeEuF3UWxHeKUIoOejofBZ2vT Htp/FT4x2xkfTFlgVE6GLyjE7bxK8DqfwH3ACAtbR4l+YwKQDNoInfpeFw0HKD40 jC/R8M7l0Lk= =9uja -----END PGP SIGNATURE----- From andrew_loewenstern at il.us.swissbank.com Thu Jul 4 00:36:56 1996 From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern) Date: Thu, 4 Jul 1996 15:36:56 +0800 Subject: Message pools _are_ in use today! In-Reply-To: <199607022051.QAA10112@unix.asb.com> Message-ID: <9607031927.AA00805@ch1d157nwk> Deranged Mutant writes: > Uploading can be gotten around by using anonymous remailers > and mail-to-news gateways... although someone can tell if you > send mail to anonymous mailers. Not if you run your own remailer! andrew From jimbell at pacifier.com Thu Jul 4 00:51:29 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 4 Jul 1996 15:51:29 +0800 Subject: ecash thoughts Message-ID: <199607040424.VAA02562@mail.pacifier.com> At 05:53 PM 7/3/96 -0400, Simon Spero wrote: >2) If ecash is used to create a new currency- i.e. the value of a unit of >the ecash is not tied to any single existing currency, what should the >value of one currency unit be set at? (let's call it a Turing) Low, maybe a tenth of an American cent. But probabilistic payment should be used to allow the minimum average payment to go way below this, perhaps to an unlimited extent. The reason is simple: The cost of providing net transactions, and electronic transactions in general, can be expected to drop exponentially, just like the cost of telecommunications and CPU power do. Any arbitrary limit to how low they can go will act somewhat akin to the minimum wage: It will deter development of any product or service whose perceived value is less than this arbitrary minimum. Jim Bell jimbell at pacifier.com From snow at smoke.suba.com Thu Jul 4 01:25:07 1996 From: snow at smoke.suba.com (snow) Date: Thu, 4 Jul 1996 16:25:07 +0800 Subject: Lack of PGP signatures In-Reply-To: <2.2.32.19960703220436.00e93fe8@mail.teleport.com> Message-ID: On Wed, 3 Jul 1996, Alan Olsen wrote: > I am wondering why there is not a signing option that ignores all > non-printing characters. Might fix some of these problems... (Can anyone > think of a reason this would be a "Bad Thing(tm)"?) IANACE, but off the top of my head I'd say clear signing binaries. Petro, Christopher C. petro at suba.com snow at crash.suba.com From snow at smoke.suba.com Thu Jul 4 01:33:54 1996 From: snow at smoke.suba.com (snow) Date: Thu, 4 Jul 1996 16:33:54 +0800 Subject: Net and Terrorism. In-Reply-To: Message-ID: On Thu, 4 Jul 1996, Timothy C. May wrote: > At 12:14 AM 7/4/96, snow wrote: > > Military troops can best be protected by 3 seperate methods: > > 2) When they _are_ exposed, let them fight the fuck back. Rules of > > engagment are simple. When fired on, shoot to kill. If the shot > > comes from a building, take out the building. If from a crowd, > ^^^^^^^^^^^^^^^^^^^^^^ > "Colonel, the mission was accomplished. Apparently the sniper was firing > from the 34th floor, so we simply took out the building. There was minor > collateral damage, of course." I guess that part of the problem is that I was in the military, and while I was never actually under fire, there was always the possibility, and after hereing (from people who where there) the silly ass ROE, let's just say that when some one is trying to kill you it is nice to be able to do something about it. There is something to the theory of peer pressure. I would maintain that there is a difference between responding to immediate threats and long term supression. > Such overreaction to terrorist events is often precisely what a terrorist > wants, as I've explained a couple of times. Sometimes the terrorists are relying on exactly the opposite, a lack of immediate reaction. This makes the government look impotent. > >> >A third option is quite simply to buy as much of it as possible. > >> No, wouldn't work. As with the "War on (Some) Drugs," all this does is > >> raise the price a bit, actually making it a more tempting market for many > >> to get into. > > > > If the US were to offer Russia $3 billion (or whatever) > >in a one time take it or leave it for their entire chemical weapon stock, > >it might get the soviet shit off the market. The nuclear stuff is a little > >easier to store (I think) and it would be a harder sell. > > > I agree tho' that it isn't possible to buy out the market. > > Then why do you float ideas such as buying out the Soviet arsenal if you > think it isn't possible? Market v.s. Arsenel. Difference between buying a car dealership and buying the Big 6 Auto Makers. I was simply refering to removing the soviet stocks from the market. That would force the prices up a but, might get some private dealers into the market, but I wouldn't think that this particular market is all that big. I may be wrong about the size of the market. Petro, Christopher C. petro at suba.com snow at crash.suba.com From tcmay at got.net Thu Jul 4 01:38:10 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 4 Jul 1996 16:38:10 +0800 Subject: Message pools _are_ in use today! Message-ID: At 7:27 PM 7/3/96, Andrew Loewenstern wrote: >Deranged Mutant writes: >> Uploading can be gotten around by using anonymous remailers >> and mail-to-news gateways... although someone can tell if you >> send mail to anonymous mailers. > >Not if you run your own remailer! Agreed. And if a remailer chain is long enough, the "someone can tell if you send mail to anonymous mailers" is meaningless. (In an ideally crypto-anarchic world, millions of messages are being sent to anonymous remailers, and it is worth nothing to know that Subject A sent a message to an anonymous remailer.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From attila at primenet.com Thu Jul 4 02:13:27 1996 From: attila at primenet.com (attila) Date: Thu, 4 Jul 1996 17:13:27 +0800 Subject: What remains to be done. Message-ID: <199607040558.WAA07414@primenet.com> Addressed to: Black Unicorn Cypherpunks ** Reply to note from Black Unicorn 07/03/96 10:17pm -0400 good "white paper." modularity is the key. use of standardized encryption libraries permitting user selection of one or more formats. message pools would be great from satellite channels --how do you regulate (read this as "pay for") since someone must receive the messages to uplink? -otherwise you have the dropouts of USENET. user interface is the achilles heel for most programmers --the time is spent making the code 'work.' with the tools available which allow multi- platform development, the *functional* GUI should be done by someone who creates "artitstic" interfaces. I agree-- if encryption can be made so simple, and with a clean user interface, it will be used by joe sixpack (who rarely likes uncle, anyway --but for different reasons). once joe sixpack starts to use (probably dropping his private keys...), then it is too pervasive to stop --even if there are a few high level prosecutions. one of our greatest failings v/v encryption as a group (including coderpunks) is we are satisfied with our access to encrytion. PGP is a nusiance, and the instructions are not clear --so we experiment until we get the results: on the command line. our satisfaction makes us insular; we need to think in global terms --mass marketing of a free product which will hold appeal for everyone. encryption is no different than the students in China --no, they do have it, but how long can Father Deng (and his successors) hang on against technology and quest for knowledge? -- Fuck off, Uncle Sam. Cyberspace is where democracy lives! From attila at primenet.com Thu Jul 4 02:15:08 1996 From: attila at primenet.com (attila) Date: Thu, 4 Jul 1996 17:15:08 +0800 Subject: Net and Terrorism. Message-ID: <199607040558.WAA07424@primenet.com> Addressed to: tcmay at got.net Cypherpunks ** Reply to note from tcmay at got.net 07/04/96 03:22am -0700 = Date: Thu, 4 Jul 1996 03:22:42 -0700 = To: cypherpunks at toad.com = From: tcmay at got.net (Timothy C. May) = = Subject: Re: Net and Terrorism. = = At 12:14 AM 7/4/96, snow wrote: = = > Military troops can best be protected by 3 seperate methods: = = > 2) When they _are_ exposed, let them fight the fuck back. Rules of = > engagment are simple. When fired on, shoot to kill. If the shot = > comes from a building, take out the building. If from a crowd, = ^^^^^^^^^^^^^^^^^^^^^^ = = "Colonel, the mission was accomplished. Apparently the sniper was firing = from the 34th floor, so we simply took out the building. There was minor = collateral damage, of course." = unfortunately, that was a modus operandi which I commanded --e.g. if one shoots, waste them all. fortunately, the U.S. SE Asia policies in "denied zones" (we were never there) is no longer in vogue. however, we will probably see that again in parts of the world as many cultures do not have the basic respect for life we do. the first time you witness a small child begging for chocolate exploded by a remote control pressed by her father, you understand --you do not necessarily like it, it's just survival. and faced with a decision of giving up 'n' "friendlies" for 1000n, or even more, to survive, I know where I stood, and still stand. War is hell --and terrorism is war, make no mistake about it. in "black" operations, priority 1 is survival, priority 2 is objective, and accountability is generally not an issue (unless you are out of bounds). = Such overreaction to terrorist events is often precisely what a terrorist = wants, as I've explained a couple of times. = yes, but it is the press, not the commander, who makes the decision to give the terrorist sympathy coverage. basicly: exclude, by whatever means, the press and eliminate the terrorists 15 minutes of fame. = = >> You are essentially making my point, that the biggest danger of the current = >> responses to terrorism is that nations will turn to national terrorism and = >> police state tactics. = > = > I missed that in your original post. = = Well, go back and look for it. The clear point of my post was that the U.S. = should not adopt police state measures so as to reduce terrorism. = no shit; in spades. if the U.S does adopt the police state tactics Bubba is espousing, the U.S. will be faced with _real_ terror, not staged incidents to justify the marial law, etc. if the populace is already disenchanted, absolute loss of freedom will stir to action some very unlikely participants and partners in "brotherhood." = = >> >A third option is quite simply to buy as much of it as possible. = >> No, wouldn't work. As with the "War on (Some) Drugs," all this does is = >> raise the price a bit, actually making it a more tempting market for many = >> to get into. = > = > If the US were to offer Russia $3 billion (or whatever) = >in a one time take it or leave it for their entire chemical weapon stock, = >it might get the soviet shit off the market. The nuclear stuff is a little = >easier to store (I think) and it would be a harder sell. = = As with "buying out" the coca crop in Peru, the poppy crop in Turkey, the = marijuana crop in the dozens of countries, etc., their motto is, obviously = enough, "we'll make more." = The U.S. spooks are still the single largest trafficers in drugs... = Again, the Sarin attack in Tokyo had nothing to do with former U.S.S.R. CBW = weapons. Chemical and biological agents are cheap to make, especially in = the quanties needed to kill only a few thousand people, and in the = non-battlefield delivery environment. = = > I agree tho' that it isn't possible to buy out the market. = = Then why do you float ideas such as buying out the Soviet arsenal if you = think it isn't possible? = U.S. cash has eliminated a lot of Soviet weapons, including, I believe some chemical. however, keep in mind: the obsolete, and expensive to maintain, hardware predominated. However, you will never be able to buy out the religious terrorists --they are on a "mission." The Western world faces far more threat from fundamentalist religious terrorists than it does from the Soviet Union, etc. There is no cure for the "revolutionary" terrorists --just death for their own brand of glory. If we do not even print their obit, there is no glory! = --Tim May = -- Fuck off, Uncle Sam. Cyberspace is where democracy lives! From loki at infonex.com Thu Jul 4 02:34:38 1996 From: loki at infonex.com (Lance Cottrell) Date: Thu, 4 Jul 1996 17:34:38 +0800 Subject: Wanted: NNTP posting access for remailers Message-ID: I would be willing to give you permission to use news.infonex.net. I will set it up for you tomorrow. -Lance At 5:46 PM 7/3/96, lcs Remailer Administrator wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >Would anyone out there be willing to give NNTP posting or transfer >privileges to anon.lcs.mit.edu? > >Because of recent spams through mail2news at anon.lcs.mit.edu, I may >loose my news posting privileges to the news server I have been using. >Though I try to resolve all complaints I receive, other complaints >have been sent to other postmasters in the domain, who don't seem to >want to hear about these problems. > >If you run a news server and would like to help people posting >anonymous messages, please consider allowing posts from >mail2news at anon.lcs.mit.edu. Ideally you would also be in a position >to receive mail at some of the relevant postmaster aliases in your >domain, and would not mind forwarding misdirected complaints to me so >that I can deal with them. Alternatively, if you are willing to give >me "IHAVE" priviliges, I can possibly set things up with an initial >"Path:" header that guarantees most complaints will go directly to me. > >Thanks, >- -mix-admin at anon.lcs.mit.edu > >-----BEGIN PGP SIGNATURE----- >Version: 2.6.2 >Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface > >iQCVAwUBMdsT70TBtHVi58fRAQHQ0QP/U3Jn7sL9+k3aUr+qw4WdDxef/lIeu3xO >BwdO8zlNPavJgbxuunR81n011jGy80l7qnc+DpvtuEEQqszLMcMO/4zHw/VfVOY8 >08nxE8+IkF/FE66vJdnU7O3I1mIjtbF8ixcm9FOwqoehSLJB40tXy6wu6KV663TQ >fmy/Gz5XDe8= >=Gp4D >-----END PGP SIGNATURE----- ---------------------------------------------------------- Lance Cottrell loki at obscura.com PGP 2.6 key available by finger or server. Mixmaster, the next generation remailer, is now available! http://www.obscura.com/~loki/Welcome.html or FTP to obscura.com "Love is a snowmobile racing across the tundra. Suddenly it flips over, pinning you underneath. At night the ice weasels come." --Nietzsche ---------------------------------------------------------- From jimbell at pacifier.com Thu Jul 4 02:47:31 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 4 Jul 1996 17:47:31 +0800 Subject: Message pools _are_ in use today! Message-ID: <199607040656.XAA09167@mail.pacifier.com> At 05:25 PM 7/3/96 -0700, Timothy C. May wrote: >Someone mentioned the Ku-band dishes that are used by PageSat (or whatever >it is now called....). My DSS system, which is technically a Ku-band >receiver, has a digital i/o connector of some sort on the back, and it is >rumored that this will someday be available for PageSat-like uses. (I have >a feeling this may be years off, for admin reasons if not technical >reasons.) As I understand it, the DSS broadcast (unlike older C-band units) consists of a single digital stream which contains the highly compressed (MPEG?) data representing all channels. Being compressed, the data rate needed per channel varies with the scene and the rate it changes. Even if you add up a large number of these statistically-varying channels, you'll still get a fairly wide variation in the needed bit rate per second. The system must have a substantial amount of headroom to protect against occasional times when many channels need a lot of bits, headroom that is mostly not being used, most of the time. If this is correct, then most of this headroom should be available to piggybacked data traffic on a "space-available" basis. Probably tens of megabits per second. Jim Bell jimbell at pacifier.com From grafolog at netcom.com Thu Jul 4 04:44:40 1996 From: grafolog at netcom.com (jonathon) Date: Thu, 4 Jul 1996 19:44:40 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port In-Reply-To: Message-ID: On Wed, 3 Jul 1996, Mark M. wrote: > On Wed, 3 Jul 1996, David Rosoff wrote: > > I've wondered .. could a creative child circumvent these filter programs > If the child is creative enough, he will be able to boot DOS from a bootdisk > and remove the line from config.sys that starts up the filtering software. Even more creative kids will find the Dos-based web browser that bypasses whatever is in the config.sys file, that is supposed to prevent them from seeing those "naughty" websites. xan jonathon grafolog at netcom.com AOL coasters are unique, and colourful. Collect the entire set. From gary at systemics.com Thu Jul 4 07:30:15 1996 From: gary at systemics.com (Gary Howland) Date: Thu, 4 Jul 1996 22:30:15 +0800 Subject: Noise: Re: Those Evil Republicans In-Reply-To: <9606262325.AA25647@Etna.ai.mit.edu> Message-ID: <31DBA835.6EEA4806@systemics.com> hallam at Etna.ai.mit.edu wrote: > > Jersey and the Isle of Man are not independent soverign nations. The > Manx parliament is subordinate to the English Privy Council and Jersey > is similarly an anachronism. Andora is ruled jointly by the French President > and a Spanish Bishop (or is it the other way round?). Andorra is a self governing sovereign nation - the French president and Spanish bishop play only titular roles. Regarding Jersey and the Isle of Man, I misunderstood the requirement for the countries to be independant - we were after all discussing countries which have no control over their currencies. Still, there are many non-independant countries that do not use the currency of the country they are dependent on - for example Bermuda and BVI (both UK dependent) use the US dollar. Many of the Caribbean islands which are UK dependent (eg. Anguilla) use East Caribbean dollars. There are also several independent sovereign nations that have no control over their own currency (eg. Liechtenstein (the one you mentioned), Andorra, Monaco, Nauru, Marshall Islands, Micronesia and Pueto Rico). One could even argue that countries such as Cuba have relinquished control over their own currency by tying their Peso to the US dollar (which is also widely used in Cuba). The same could perhaps be said of Luxembourg. > Fogive my skepticism but I don't think that any ecconomist would seriously > suggest these as usefull models for modern industrial societies. The chief > industries being parasitic on those of larger nations. First of all, "parasitic" is a very derogatory term to apply to these nations. They are no more parasitic than out of town supermarkets. Second, you suggest Liechenstein as a useful model for a modern industrial society that has no control over its currency, but then go on to criticise Andorra as a useful model. Why? Third, you have missed the point I was making, that of Goodhearts law, which loosely states that "attempts by the government to regulate or tax one channel of banking business quickly lead to the same business being conducted through a different channel which is untaxed or unregulated". Surely the fact that every large nation has its banking tax havens (eg. UK has the Channel Islands, the US has the Caribbean islands) is proof of this? Gary -- pub 1024/C001D00D 1996/01/22 Gary Howland Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06 From gary at systemics.com Thu Jul 4 08:14:37 1996 From: gary at systemics.com (Gary Howland) Date: Thu, 4 Jul 1996 23:14:37 +0800 Subject: What remains to be done. In-Reply-To: Message-ID: <31DBB50A.5656AEC7@systemics.com> Black Unicorn wrote: > > A. Methods to run secure websites on insecure servers. > > A thread on 'punks last month, I am of the view that local decryption of > web pages is essential to the development of coercion free web pages. > Estlablishing a truely secure web page today requires the server to be > extra-terratorial, in a secure physical location, and requires such > lengths to defeat traffic analysis (which lengths must be applied to the > actual network logistics, rather than the software logistics) so as to be > impractical to all but institutional resources. The best effort I have > seen is in European Union Bank (www.eub.com) or (www.eub.net) [neither of > which I recommend you use for deposits] and it still falls quite short. > > A software solution which permits local decryption makes traffic analysis > less useful, presents the opportunity to use front end and disposable www > pages on domestic ISPs while imposing no liability on the ISP itself, and > opens several more effective traffic analysis deterants. > > Ideally, both web proxies (for servers as well as clients) and local > decryption will be written allowing both server and user a degree of > double blind operation as well as easy disposability of front ends. > > A Netscape plugin for local decryption of web pages and proxy forwarding > of WWW form submissions to the server is a MUST. I fully agree with all of your comments, but, encrypted proxying issues aside, what is wrong with SSL? Is it because the encryption is for the whole server, not individual users? > Is anyone considering work on these? I gave the encrypted proxy idea some thought, and intend to do it one day. If someone is willing to run it, then I will certainly do it. Offers? With regard to the local decryption idea, then I don't see this as much of a problem. How much interest is there in this? We already have something similar running, but it would still need a bit of work to make more general. Gary -- pub 1024/C001D00D 1996/01/22 Gary Howland Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06 From cyberia at cam.org Thu Jul 4 09:57:33 1996 From: cyberia at cam.org (CyberEyes) Date: Fri, 5 Jul 1996 00:57:33 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port In-Reply-To: <31DA7000.6239@vail.tivoli.com> Message-ID: On Wed, 3 Jul 1996, Mike McNally wrote: > During that afternoon of Internet fun, Mark clicks the mouse and > follows a hyperlink link to a web site filled with nasty objectionable > anti-family morally corrosive filth. Mark and Mathew run home in > tears to their parents and tell all about the nightmare they've > experienced. > > I wonder whether the Christians would be able to successfully sue > the Simpsons on some sort of "corruption of a minor" deal? Indeed, > couldn't it even be possible that some local prosecutor might find > the Simpsons criminally involved? Depending on whether the information they accessed was pornographic, yes they could be. I'm not a lawyer, but I know it's illegal for minors to look at pornography. Ryan A. Rowe - Montreal, Quebec /Seeking Internet-related job!/ aka CyberEyes, Rubik'S Cube I will relocate _ANYWHERE_. Tel. -> +1-514-626-0328 | __o o E-Mail -> cyberia at cam.org | _ \<_ <\ WWW -> http://www.cam.org/~cyberia | __/\o_ (_)/(_) /> IRC -> #CAli4NiA, #Triathlon, #Surfing | FTP -> ftp.cam.org /users/cyberia | swim bike run Read my C.V. at http://www.cam.org/~cyberia/resume-e.html "In lieu of experience, I have a willingness to learn." "Everyone has their day, mine is July 15th, 1998." From kyleb at juno.com Thu Jul 4 10:28:33 1996 From: kyleb at juno.com (Kyle A Beltle) Date: Fri, 5 Jul 1996 01:28:33 +0800 Subject: PGP Message-ID: <19960704.101434.10126.21.KYLEB@juno.com> Hello, Does anyone have the latest version of PGP for Windows and/or DOS If so please reply directly, since I am not yet on C'Punks. Thanks, KyleB at juno.com From gregmi at galileo.mis.net Thu Jul 4 11:27:36 1996 From: gregmi at galileo.mis.net (Greg Miller) Date: Fri, 5 Jul 1996 02:27:36 +0800 Subject: Word lists for passphrases Message-ID: <31dbf02b.66263803@pop.mis.net> Are there any publically available word lists which contain just about every word in the English language? It's not absolutley necessary, but I'd also like the list to include english names. Thanks in advance. begin 644 tagline.txt enum MicrosoftBoolean {TRUE, FALSE, MAYBE}; Greg Miller: Programmer/Analyst (gregmi at mis.net) http://grendel.ius.indiana.edu/~gmiller/ end. From sandfort at crl.com Thu Jul 4 11:54:25 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Fri, 5 Jul 1996 02:54:25 +0800 Subject: Noise: Re: Those Evil Republicans In-Reply-To: <31DBA835.6EEA4806@systemics.com> Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Thu, 4 Jul 1996, Gary Howland wrote: > There are also several independent sovereign nations that have no control > over their own currency (eg. Liechtenstein (the one you mentioned), Andorra, > Monaco, Nauru, Marshall Islands, Micronesia and Pueto Rico)... Don't forget Panama, Liberia, Tuvalu, Turks & Caicos, etc. Printing one's own money does not a sovereign nation make. > First of all, "parasitic" is a very derogatory term to apply to these > nations. They are no more parasitic than out of town supermarkets. Correct. While the US unsuccessfully tries to play policeman for the world, other countries are far more successful in being the bankers, playgrounds, pharmaceutical manufacturers and distributors, etc. for the world. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From WlkngOwl at unix.asb.com Thu Jul 4 12:31:33 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Fri, 5 Jul 1996 03:31:33 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port Message-ID: <199607041655.MAA00784@unix.asb.com> On 3 Jul 96 at 18:58, Mark M. wrote: [..] > If the child is creative enough, he will be able to boot DOS from a bootdisk > and remove the line from config.sys that starts up the filtering software. Who bother using a boot disk. Remove it from the config.sys and then reboot. --- No-frills sig. Befriend my mail filter by sending a message with the subject "send help" Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From WlkngOwl at unix.asb.com Thu Jul 4 12:33:08 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Fri, 5 Jul 1996 03:33:08 +0800 Subject: The Net and Terrorism Message-ID: <199607041655.MAA00793@unix.asb.com> On 3 Jul 96 at 14:48, jim bell wrote: [..] > But as I've pointed out elsewhere, there's a big difference between "We're > gonna do this!" and "Someday we may have to do this." My impression is > that the government has tried to completely erase the dividing line > between these two concepts. As far as the government is concerned, "gonna do this" and "may have to do this" is the same, since the "this" is illegal. There is no dividing line. I suspect that since they (alegedly) had specific targets planned it leaned closer to the "gonna do this". From the minimal discussion in the media I have read, it appeared to be another 'revenge for waco and ruby ridge' action rather than a 'defense of civil liberties from a potential totalitarian government' action. (I'm rather skeptical as to how blowing up a specific IRS office would be effective were the government to change into a totalitarian regime.) Rob. --- No-frills sig. Befriend my mail filter by sending a message with the subject "send help" Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From WlkngOwl at unix.asb.com Thu Jul 4 12:37:38 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Fri, 5 Jul 1996 03:37:38 +0800 Subject: Lack of PGP sigs Message-ID: <199607041655.MAA00788@unix.asb.com> -----BEGIN PGP SIGNED MESSAGE----- Another minor problem is when PGP-sigs are made using something other than MD5 as a hash algorithm, at least until certain modifications of PGP become 'standardized' until PGPlib is released. Rob. -----BEGIN PGP SIGNATURE----- Version: 2.6.3b Charset: cp850 Comment: SHA1 is used instead of MD5 for this signature iQEVAwUBMdvzjwTNlSxdPy6ZAQIbRwf8DFyAdkQemj6z8nGb8MAkg9Hi0t9AZgpT /7IaNy7x7+P1ahY5TRm0gZRaRr3A3scz4jCCP2IUbKnP/3SnVsvWH/GuH2EnGzQQ UhZODymDzaeWVhoQH0GNhDsAf3yLVyr6CQPWsP0aMDD4HBCFKDjr5ip9XsZRYCo1 P+7GbT+/oIRtztEFufguecIalfh275rT/FyDioblKxgyK+AX8hQ+3POzJgayPbc8 7AosgiFv9UGD4O4ComQyurZi/eFdn/x6NqrVKUVRK0KOWDVEYqAhDz45oP94//NQ ahE8viIm6irCu6PS+yf62RZvZafXLccHCBG2rUOm6gYEsB3XtuM/Vg== =SQBi -----END PGP SIGNATURE----- --- No-frills sig. Befriend my mail filter by sending a message with the subject "send help" Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From WlkngOwl at unix.asb.com Thu Jul 4 12:45:03 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Fri, 5 Jul 1996 03:45:03 +0800 Subject: What remains to be done. Message-ID: <199607041710.NAA00995@unix.asb.com> Another need is for file/disk-encryption utilities. I'm not familiar with what's out there for Macs, but for PCs there's SFS and ASPICRYP for SCSI drives (with no source!) and SFS, SecureDrive and SecureDevice for HD (or FD). The latter won't work on Win95. AFAIK, SFS and SecureDrive aren't 100% friendly with Win95 either, though they'll work. There's a need for something that will work under Win95, WinNT, and/or OS/2 for encrypting partitions. Aside from a few commercial or shareware apps which use some variant of DES, there's little out there. (One problem is that DD kits for Win95/NT and OS/2 cost $$$.) Rob. --- No-frills sig. Befriend my mail filter by sending a message with the subject "send help" Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From tcmay at got.net Thu Jul 4 13:04:11 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 5 Jul 1996 04:04:11 +0800 Subject: Net and Terrorism. Message-ID: At 5:58 AM 7/4/96, attila wrote: > U.S. cash has eliminated a lot of Soviet weapons, including, I >believe > some chemical. however, keep in mind: the obsolete, and expensive to > maintain, hardware predominated. However, you will never be able to >buy out > the religious terrorists --they are on a "mission." > > The Western world faces far more threat from fundamentalist religious > terrorists than it does from the Soviet Union, etc. > > There is no cure for the "revolutionary" terrorists --just death >for their > own brand of glory. If we do not even print their obit, there is no glory! I recall that Attila is one of several Mormons on the list, from a recent thread where I happened to mention Mormons as an example (and got comments, including a statement that "Mormon" is a slur). Anyway, I should point out that Mormons (or Latter Day Saints, I guess) are spreading quickly around the world...all WITHOUT using "conversion by the sword," as some other well-known religions are wont to do. Islam, notably, was known for this policy of conversion by the sword: entire national populations were given the choice of converting to Islam or being put to the sword. Most converted, naturally enough. (cf. various histories, incl. Wright's "Sacred Rage.") Islam is one of the religions teaching that "martyrs" go directly to Paradise/Heaven/Valhalla. A terrorist who explodes himself goes directly to sit at Allah's dinner table. His relatives, too, as I understand their beliefs, though the surviving relatives have to wait until they die to get this benefit. Further, if a large Middle Eastern city, e.g., Tel Aviv or Haifa, were to be nuked by Believers, then all of the vaporized Muslims in the city would automatically be martyred, and would also go to Paradise. This makes it more "acceptable" to Believers to hit targets which may contain their own kind. (The famous "Kill them all and let God sort them out" line really does apply to many Muslims.) (Two other religions come to mind as having similar beliefs about death in battle and afterlives: the Viking "berserkers" circa 800-1100 A.D. and the Japanese/Shinto suicide pilots in WW2. I'm sure there are other examples.) Most other religions which have strong beliefs about an afterlife, including Mormons, Catholics, and other flavors of Christianity, nevertheless have not adopted this "martyr" concept. This may explain why few suicide bombings and suchlike come from these groups. (There are exceptions. Many Christian sects believe that abortion is immoral and a grave sin, and that those who bomb or shoot up abortion clinics, a la John Salvi, are doing God's work and are ensured a place in Heaven. Personally, I expect to see more such "terrorist" acts in the coming decades, in the U.S.) Calling a spade a spade, Islam is in some sense a "terrorist religion," in that physical force is seen by many Muslims as a legitimate mechanism of conversion. The wrinkle that those who die in the service of Allah go directly to sit at his side is of course a major incentivizing factor for more truck bombs, nerve gas attacks, and even nukings. We should all be thankful that Mormons, as economically powerful and as well-organized as they are, steer far clear of this kind of recruiting and service to their beliefs. (It's been 30 years since I've been in Salt Lake City, but I understand that strip clubs exist there--from reading certain news groups!--and that alcohol is not illegal there. This government tolerance of things inimical to the dominant religion would be unthinkable in, say, Mecca.) There are of course other flavors of Islam, including arts-loving, peace-loving, and scholarly sorts. The propagation of science and math through the Dark Ages owes much to Arabic scholars, of course. Hence, we cannot blanketly condemn Islam. However, for the sake of the discussion about terrorism, it's important to recognize that some significant fraction of Muslims believe these notions of martrydom and are willing to engage in horrific acts to accomplish certain ends. (The Arab world is very poorly connected to the Net at this time. It'll be interesting to see what happens if and when they become well-connected, with PGP, remailers, information markets, etc.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From fair at clock.org Thu Jul 4 13:48:27 1996 From: fair at clock.org (Erik E. Fair (Time Keeper)) Date: Fri, 5 Jul 1996 04:48:27 +0800 Subject: Word lists for passphrases Message-ID: You could just snarf up a week's worth of netnews... Erik From dlv at bwalk.dm.com Thu Jul 4 13:54:39 1996 From: dlv at bwalk.dm.com (Dr.Dimitri Vulis KOTM) Date: Fri, 5 Jul 1996 04:54:39 +0800 Subject: Net and Terrorism. In-Reply-To: Message-ID: <41ZJqD67w165w@bwalk.dm.com> tcmay at got.net (Timothy C. May) writes: > Islam, notably, was known for this policy of conversion by the sword: > entire national populations were given the choice of converting to Islam or > being put to the sword. Most converted, naturally enough. No, the population was given the choice of converting or becoming slaves. (Slaves who opted to convert later didn't become free.) There were very few examples of mass genocide during the moslem conquests, and generally they avoided killing anyone who could be sold into slavery. --- Dr.Dimitri Vulis KOTM Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From cyberia at cam.org Thu Jul 4 14:04:12 1996 From: cyberia at cam.org (CyberEyes) Date: Fri, 5 Jul 1996 05:04:12 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port In-Reply-To: <1.5.4.16.19960703170027.5fc7bc80@arc.unm.edu> Message-ID: On Wed, 3 Jul 1996, David Rosoff wrote: > I've wondered .. could a creative child circumvent these filter programs > using a URL-redirecter, like where you see something like > http://www.one.site.com/cgi-bin/rd?http://www.porno-site.com/ > or are they not URL-based? The child would also be able to use the Anonymizer at http://www.anonymizer.com. But, is it that easy to redirect? Just type that little rd command? What others are there? I've seen < and > in use, what do they perform? Ryan A. Rowe - Montreal, Quebec /Seeking Internet-related job!/ aka CyberEyes, Rubik'S Cube I will relocate _ANYWHERE_. Tel. -> +1-514-626-0328 | __o o E-Mail -> cyberia at cam.org | _ \<_ <\ WWW -> http://www.cam.org/~cyberia | __/\o_ (_)/(_) /> IRC -> #CAli4NiA, #Triathlon, #Surfing | FTP -> ftp.cam.org /users/cyberia | swim bike run Read my C.V. at http://www.cam.org/~cyberia/resume-e.html "In lieu of experience, I have a willingness to learn." "Everyone has their day, mine is July 15th, 1998." From cyberia at cam.org Thu Jul 4 14:18:55 1996 From: cyberia at cam.org (CyberEyes) Date: Fri, 5 Jul 1996 05:18:55 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port In-Reply-To: <199607032025.QAA25327@apollo.gti.net> Message-ID: On Wed, 3 Jul 1996, Mark Rogaski wrote: > I would assume that the filters look for regexp's in the query string, too. > How about a nice little Nutscape plugin that uses a rot13'd query string? Do you have a copy of that plugin? If it exists. > http://www.one.site.com/cgi-bin/sneaky-rd?uggc://jjj.cbeab-fvgr.pbz/ > > Hmmm, no bad words in the query string. Of course the filter package would > start looking for rot13'd stuff in the next release. So the next logical > step is to use the URL encrypted with the redirector's public key ... or > better yet, a dynamically generated key. Just convert it to radix64 so > as to avoid ?'s &'s or ='s, and use that as the query string. > > The plug-in would only be necessary to generate the first request. Any > URL preparation could be handled by passing the output of netcat through > a stream filter before sending it to the client. That "creative child" would have to be pretty damn smart to do what you described. Ryan A. Rowe - Montreal, Quebec /Seeking Internet-related job!/ aka CyberEyes, Rubik'S Cube I will relocate _ANYWHERE_. Tel. -> +1-514-626-0328 | __o o E-Mail -> cyberia at cam.org | _ \<_ <\ WWW -> http://www.cam.org/~cyberia | __/\o_ (_)/(_) /> IRC -> #CAli4NiA, #Triathlon, #Surfing | FTP -> ftp.cam.org /users/cyberia | swim bike run Read my C.V. at http://www.cam.org/~cyberia/resume-e.html "In lieu of experience, I have a willingness to learn." "Everyone has their day, mine is July 15th, 1998." From cyberia at cam.org Thu Jul 4 14:25:35 1996 From: cyberia at cam.org (CyberEyes) Date: Fri, 5 Jul 1996 05:25:35 +0800 Subject: Computer-Aided Revolution In-Reply-To: <199607032257.PAA16812@mail.pacifier.com> Message-ID: On Wed, 3 Jul 1996, jim bell wrote: > I've thought of an application for a "revolutionary" program for peaceful > protest, but one that requires that a substantial number (1000) of people > have access to computer time synchronized to 1 second, ideally 0.1 second. > How good would a time sync over the net typically be? Probably not very good, considering lags, and other aspects. It's possible however... 1000 people is a lot, though. Ryan A. Rowe - Montreal, Quebec /Seeking Internet-related job!/ aka CyberEyes, Rubik'S Cube I will relocate _ANYWHERE_. Tel. -> +1-514-626-0328 | __o o E-Mail -> cyberia at cam.org | _ \<_ <\ WWW -> http://www.cam.org/~cyberia | __/\o_ (_)/(_) /> IRC -> #CAli4NiA, #Triathlon, #Surfing | FTP -> ftp.cam.org /users/cyberia | swim bike run Read my C.V. at http://www.cam.org/~cyberia/resume-e.html "In lieu of experience, I have a willingness to learn." "Everyone has their day, mine is July 15th, 1998." From cyberia at cam.org Thu Jul 4 14:36:04 1996 From: cyberia at cam.org (CyberEyes) Date: Fri, 5 Jul 1996 05:36:04 +0800 Subject: ecash thoughts In-Reply-To: Message-ID: On Wed, 3 Jul 1996, Simon Spero wrote: > I'm currently visiting at my parents house in England, which for the past > 18 years has had a really nice phone number. Unfortunately, BT split > london into two area codes, and have reallocated the exchange number in > the other one to citibank. Unfortunately, not many of their customers can > quite cope with the concept of area-codes. Even more unfortunately, > neither can BT or citibanks telcom group- we've had calls transferred > from their switchboard straight through to us. > > Now, here comes the test for cp ingenuity - can you think of the best way > to answer the phone to someone who things they've called a bank? Act like a teller, get their banking information, then steal all their money. er. Sure, it's bank fraud, but it's fun! :) Ryan A. Rowe - Montreal, Quebec /Seeking Internet-related job!/ aka CyberEyes, Rubik'S Cube I will relocate _ANYWHERE_. Tel. -> +1-514-626-0328 | __o o E-Mail -> cyberia at cam.org | _ \<_ <\ WWW -> http://www.cam.org/~cyberia | __/\o_ (_)/(_) /> IRC -> #CAli4NiA, #Triathlon, #Surfing | FTP -> ftp.cam.org /users/cyberia | swim bike run Read my C.V. at http://www.cam.org/~cyberia/resume-e.html "In lieu of experience, I have a willingness to learn." "Everyone has their day, mine is July 15th, 1998." From jimbell at pacifier.com Thu Jul 4 15:42:21 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 5 Jul 1996 06:42:21 +0800 Subject: The Net and Terrorism Message-ID: <199607041917.MAA05137@mail.pacifier.com> At 12:43 PM 7/4/96 +0000, Deranged Mutant wrote: >On 3 Jul 96 at 14:48, jim bell wrote: >[..] >> But as I've pointed out elsewhere, there's a big difference between "We're >> gonna do this!" and "Someday we may have to do this." My impression is >> that the government has tried to completely erase the dividing line >> between these two concepts. > >As far as the government is concerned, "gonna do this" and "may have >to do this" is the same, since the "this" is illegal. There is no >dividing line. A couple of decades ago, a relative of mine was in the Army Reserve. Every summer, they went on exercises, and in one particular exercise (this is probably true of all of them, as well), they invented some sort of fictional scenario in which America was bordered by two fictional countries, the one to the south was called "Taco Land" and the one to the north was called "Big Tree Land." I complimented him on the Army's ability to hide the meanings of these fictions so well! B^) Naturally, the Reserve went out and set up camp, etc, and did everything an army was supposed to do under such exercises. So why were they allowed to do this, while ordinary citizens weren't? Now, you may respond, "Hey, they're the Army, that's their job and they're allowed!" Maybe. But then again, as "ordinary citizens" we have a job to do as well. And part of that job may involve ensuring that if the government stops being limited to the strictures of the Constitution, they can take it down and replace it with something better. (See Declaration of Independence, for example.) Frankly, nothing of what I've heard that this Arizona group did ought to be illegal. I interpret the 2nd amendment ("arms") to include the dictionary meaning, "objects used as weapons," so I don't see any legitimate restriction of explosives. As for scouting, practicing, and making possible-but-not-certain plans, I see nothing wrong with this either. (Remember, the Army has plenty of plans, too... few of which ever are carried out.) >I suspect that since they (alegedly) had specific targets >planned it leaned closer to the "gonna do this". Then, unfortunately, your "logic" is atrocious. If you see a likely enemy, it makes sense to identify his assets well in advance of any actual hostilities, even if those hostilities are not certain. (to fail to do so would be completely irresponsible.) That's what these people appear to have done. > From the minimal discussion in the media I have read, ^ ^^^^^^^^^^^^^^^^^^ That's a CLUE. The reason there's been "minimal discussion" is because the lap-dog media wants to avoid the entire "we're gonna do this/someday we may have to do this" issue. It's not that they want to put the dividing line in a slightly different location, they want to deny that there is ANY SORT of a dividing line at all! For the media to acknowledge that the people have a RIGHT to simply collect weapons of all kinds, including explosives, for a potential future confrontation with the government would, then, require debate as to how far this could go. I think that would lead to the logical conclusion is that no action is illegal short of actually engaging in an attack. > it appeared to be another >'revenge for waco and ruby ridge' action rather than a 'defense of >civil liberties from a potential totalitarian government' action. I don't really see any valid distinction, here, except in _time_. > (I'm rather skeptical as to how blowing up a specific IRS office would >be effective were the government to change into a totalitarian regime.) > >Rob. Local people can be expected to act locally. They'll take care of their part of town, you take care of yours, right? Jim Bell jimbell at pacifier.com From mhw at wittsend.com Thu Jul 4 16:35:37 1996 From: mhw at wittsend.com (Michael H. Warfield) Date: Fri, 5 Jul 1996 07:35:37 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port In-Reply-To: <31DA7000.6239@vail.tivoli.com> Message-ID: Mike McNally enscribed thusly: > Declan McCullagh/Brock Meeks wrote (and quite well, I might add): > > ... > > Install the programs and Junior can't access porn. No fuss, no muss, no > > bother. "Parental empowerment" is the buzzword. Indeed, it was these > > programs that helped sway the three-judge panel in Philly to knock down > > the Communications Decency Act as unconstitutional. > Scenario: Mr. & Mrs. Joseph and Mary Christian buy SmutNoMore for > their home computer, to protect their children Mathew, Mark, Luke, > John, and Zebediah. All are happy and content. > One day, Mathew and Mark go to a the home of a school chum, Bart > Simpson, whose parents are products of the liberal 60's. Bart has > a computer too, along with an ISDN link through a local ISP to > the Internet. But --- horrors --- Bart's computer is not equipped > with SmutNoMore, or any other filtering software. Bart's parents > do not believe it to be fair to filter their children's access to > information. > During that afternoon of Internet fun, Mark clicks the mouse and > follows a hyperlink link to a web site filled with nasty objectionable > anti-family morally corrosive filth. Mark and Mathew run home in > tears to their parents and tell all about the nightmare they've > experienced. > I wonder whether the Christians would be able to successfully sue > the Simpsons on some sort of "corruption of a minor" deal? Indeed, > couldn't it even be possible that some local prosecutor might find > the Simpsons criminally involved? Scenario update: Replace all instances of Bart's computer and internet connections with Playboy or Penthouse (or worse - Hustler!) magazines found in a drawer in the house. You then discover this to be the shear and utter gibberish that it really is... BTW... You will also discover that the new senario is orders of magnitude MORE likey than the former. > ______c_____________________________________________________________________ > Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable > m5 at tivoli.com * m101 at io.com * > * suffering is optional Mike -- Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com (The Mad Wizard) | (770) 925-8248 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! From ichudov at algebra.com Thu Jul 4 17:23:38 1996 From: ichudov at algebra.com (Igor Chudov @ home) Date: Fri, 5 Jul 1996 08:23:38 +0800 Subject: Net and Terrorism. In-Reply-To: <41ZJqD67w165w@bwalk.dm.com> Message-ID: <199607042108.QAA07984@manifold.algebra.com> Dr.Dimitri Vulis KOTM wrote: > > tcmay at got.net (Timothy C. May) writes: > > Islam, notably, was known for this policy of conversion by the sword: > > entire national populations were given the choice of converting to Islam or > > being put to the sword. Most converted, naturally enough. > > No, the population was given the choice of converting or becoming slaves. > (Slaves who opted to convert later didn't become free.) There were very > few examples of mass genocide during the moslem conquests, and generally > they avoided killing anyone who could be sold into slavery. Just curious how much slaves cost at that time. Would be interestnig to see a price of a good slave as compared to, say, average monthly earnings or a price of one sheep. - Igor. From hfinney at shell.portal.com Thu Jul 4 17:24:03 1996 From: hfinney at shell.portal.com (Hal) Date: Fri, 5 Jul 1996 08:24:03 +0800 Subject: What remains to be done. Message-ID: <199607042102.OAA26752@jobe.shell.portal.com> From: Black Unicorn > A. Methods to run secure websites on insecure servers. > [...] > A software solution which permits local decryption makes traffic analysis > less useful, presents the opportunity to use front end and disposable www > pages on domestic ISPs while imposing no liability on the ISP itself, and > opens several more effective traffic analysis deterants. I don't quite understand what is being proposed here. If the information on the web site is encrypted, who is supposed to be able to decrypt it? Just one person, or some select group of people? My concern is the difficulty of keeping keys secret if they are made available to more than one or two people. Once the keys are known to those who would oppose the publication of the information they can go to the ISP just as easily as if the information were not encrypted, and get them to take it down if it is illegal. It would seem that an equally effective method would be to use no encryption, but just a secret URL, one which is not linked to from elsewhere - an "island in the net", so to speak (apologies to Bruce Sterling). Hal From root at edmweb.com Thu Jul 4 17:35:45 1996 From: root at edmweb.com (Steve Reid) Date: Fri, 5 Jul 1996 08:35:45 +0800 Subject: ecash thoughts Message-ID: > But probabilistic payment should be used to allow the minimum average > payment to go way below this, perhaps to an unlimited extent. I just thought of an obvious problem with "probabilistic payments". Suppose someone is surfing the web or whatever, and various sites are charging, say, 0.1 cents per web page, via probabilistic payments. Suppose there is a 1 in 10 chance that the person will pay 1 cent. The person wanders around the web, acting as though he's perfectly willing to pay, and participating in the fair coin tosses. Except, he really has no intention of paying. He will gain free access to 9 out of 10 sites, and on the ones that he loses the 1/10 gamble, he just backs out of the deal and doesn't pay anything. The end result is that instead of seeing all of the web at 0.1 cents per page, he sees 90% of the web completely for free. If everyone does this, the sites will go broke. It's the equivalent of welshing on a bet. The obvious solution would be to require that the person pay the 1 cent, then if he wins the 9/10 bet, he gets the 1 cent back. But that will just move the problem from the user to the server- the site can welsh on the bet and refuse to pay back the one cent. They will get ten times the payment that they are supposed to get. ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP (2048/9F317269) Fingerprint: 11C89D1CD67287E68C09EC52443F8830 | | -- Disclaimer: JMHO, YMMV, TANSTAAFL, IANAL. -- | ===================================================================:) From joelm at eskimo.com Thu Jul 4 17:53:33 1996 From: joelm at eskimo.com (Joel McNamara) Date: Fri, 5 Jul 1996 08:53:33 +0800 Subject: Announce: Private Idaho 2.7b Message-ID: <199607042154.OAA06900@mail.eskimo.com> Since I'm in an especially patriotic mood today, I've just uploaded the 2.7b beta release of Private Idaho (which started out life as a Windows PGP shell, but is turning into the "mother of all privacy tools" shell). Significant new additions include: Automated install application - no more installing and updating new releases of PI by hand (many thanks to Colin Tan for writing the Setup application). The install application comes bundled with PGP QuickStart, a utility for helping new users download and install PGP. Expert and user modes - for new users, user mode provides a limited set of commonly used commands. Expert mode gives you access to all of the commands. Steps - again, another feature for new users. Step-by-step information on how to perform common tasks. Change nym account reply blocks - easy way to change nym reply blocks. Anonymizer support - support for C2's new anonymous Web browsing server. Select a URL from any text within Private Idaho and your browser will anonymously access that Web page. Mixmaster support - support for Mixmaster type 2 remailers. Variable word-wrap length - select window size, 65, 70, or 75 character line length. Revised online help HTML version of help Get it at: http://www.eskimo.com/~joelm/pi.html And while you're there, as an added 4th of July bonus, check out: http://www.eskimo.com/~joelm/cryptbk.html For the extremely tacky, and offensive to some, "Building a CryptoBook" page. Comments, questions, etc. as usual to: Joel McNamara joelm at eskimo.com From nobody at c2.org Thu Jul 4 18:08:46 1996 From: nobody at c2.org (Anonymous User) Date: Fri, 5 Jul 1996 09:08:46 +0800 Subject: premail-0.44, WHERE DO I GET IT. Message-ID: <199607042205.PAA24666@infinity.c2.org> Cpunks: I tried to find the perl script premail (v. 0.44) that is described at the Raph Levien's page. Unfortunately, EVERY place where it is purported to be is screwed up: ftp.csua.berkeley.edu does not respond to FTP commands, Levien's download page returns premail 0.43 instead of 0.44, and ftp.hacktic.nl does not have premail-0.44. WHAT TO DO??? WHAT TO DO??? WHAT TO DO??? From markm at voicenet.com Thu Jul 4 18:21:16 1996 From: markm at voicenet.com (Mark M.) Date: Fri, 5 Jul 1996 09:21:16 +0800 Subject: Lack of PGP signatures In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Wed, 3 Jul 1996, snow wrote: > On Wed, 3 Jul 1996, Alan Olsen wrote: > > I am wondering why there is not a signing option that ignores all > > non-printing characters. Might fix some of these problems... (Can anyone > > think of a reason this would be a "Bad Thing(tm)"?) > > IANACE, but off the top of my head I'd say clear signing binaries. It is not possible to clear-sign binaries with PGP. The point of clear-signing is to have signed text that is readable to people who don't have the software necessary to process the text. It would make sense to clearsign a file that is base64'ed or uuencoded, which wouldn't alter the contents of the file. I can't see how such an option would be harmful, except that it might lose some characters that are important to the context of the message. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xe3bf2169 http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348 "Freedom is the freedom to say that two plus two make four. If that is granted, all else follows." --George Orwell, _1984_ -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMdwIoLZc+sv5siulAQHVegQAqeyjQY9SmQ4mM1/ezBDeI9MLa3EZ8620 JXrbxYCt74zUFzqC8GxylUE9cowdZmDrQ2NbYepWbekoY/cmSE3lxJPd1VW36Lbo NY3c1iNswvUiAsfXPUA+tBide/aZCk/vniHXFwLBPJi+gRTjktpbIUNixoxW3B5z xJSFusVl8Lg= =QUGA -----END PGP SIGNATURE----- From naim at micronet.fr Thu Jul 4 18:34:22 1996 From: naim at micronet.fr (predator) Date: Fri, 5 Jul 1996 09:34:22 +0800 Subject: unsuscribe In-Reply-To: <31CDACD4.751@potlatch.esd112.wednet.edu> Message-ID: <31DC3BCB.702C@micronet.fr> unsuscribe From anonymous-remailer at shell.portal.com Thu Jul 4 19:17:53 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Fri, 5 Jul 1996 10:17:53 +0800 Subject: No Subject Message-ID: <199607042317.QAA04006@jobe.shell.portal.com> :: Encrypted: PGP -----BEGIN PGP MESSAGE----- Version: 2.6.2 hIkDPRWysueuweUBA+irExxkMlmCIvGqzCvDUNWtFWbAjJx4JODBCbauj6uYeC62 pF0r72wgDKrncK5Z/oZdF11vaVveW50KrZQQFVL2+etoRTHfLBNgKKYW4cDwTe/f 4jS3+tut2XfRf/y/Ho139zKfNIBdHC0ByHEsIcKU2FPwNzalERc3q+yehKYAAAHF mFeehQHt3/AdVJOueBP+EzxG31y72enxE0lilm9VGzQzLf7sH2354xezhtxsrNgH BEkF9o0EhYy6/3JHDhqcat0fwDBZsBPDH8Lg1m60xBMD8iTLtOT5jUNAQRUwahlf s1acdgoSnx6PgTnHpox4r6SNxeIaC9AH1WTAngfrLvm877/gk5kxjIJV7D7Z7sF8 IQn9BXNPj1/6c9MyqAPQE7w3PpEFkN6/KPZsAhtyEc/ib4IxwMoRoVCRpOY13iVm q1UGaOPsTaom13rCn35fFp71o+Myc+Due3OoTpCC01B95JucbhUMV2pyBdgcafbN vnj/0FUAgWVDkAMWYuZj82qqoi8NWcNhXsBxsnXRBAxemgckmZdo+sx6sUlSLy9u 5JbN+7DNcwbfY5qbUJIVnPNu4BDuN+s9dCVSYalCVL/rGhFwkCvPSHJuFIZF7daE H+uITFUp5D8kmlLj3zHdTaoXkctRA7xc2+JVlgEGAsLuBQ8SSOQQovmJIarmBdhJ g2RiRaGv4CsaSbQiMfy5vAmDjbuJdrL+sYfDI4n4ODVSaBHkGjoOriU8T1kpwJCT qFRDBgQGhMwGplT1FKULqn7D7SFh =v5LU -----END PGP MESSAGE----- I didn't know L.Detweiler's first name was Larry. How did you, tcmay? From drosoff at arc.unm.edu Thu Jul 4 19:23:03 1996 From: drosoff at arc.unm.edu (David Rosoff) Date: Fri, 5 Jul 1996 10:23:03 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port Message-ID: <1.5.4.16.19960704232543.3a3f1d7c@arc.unm.edu> -----BEGIN PGP SIGNED MESSAGE----- At 01.30 PM 7/4/96 -0400, CyberEyes wrote: > The child would also be able to use the Anonymizer at >http://www.anonymizer.com. But, is it that easy to redirect? Just type >that little rd command? What others are there? I've seen < and > in >use, what do they perform? No, but in things like Yahoo and Alta Vista, when they have those ads, look at the URL assigned to the ad. It redirects you through the service you're using rather than send you straight there. I don't know why. I was just using an example.... Since HTML uses the < and > (less-than and greater-than) characters in the code, you use the < and > to print one of these characters and not use it in the code. =============================================================================== David Rosoff (nihongo o sukoshi dekiru) ----------------> drosoff at arc.unm.edu For PGP key 0xD37692F9, finger drosoff at acoma.arc.unm.edu 0xD37692F9 Key fingerprint = 25 7D AA 01 85 41 43 89 50 5A 33 76 F1 F1 99 67 Do you know who's reading your email? ---> http://www.arc.unm.edu/~drosoff/pgp/ Anonymous ok, PGP ok. If it's not PGP-signed, you know that I didn't write it. === === === === === === === === === === === === === === === === === === === === "Truth is stranger than fiction, especially when truth is being defined by the O.J. Simpson Defense Team." -Dave Barry -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMdxKCxguzHDTdpL5AQFyaQP/VevSEcgSOqZ0I0XB7mFX5tKivwEpHQ4+ 8zEBfUJTI7SZjZVSbo7dCa/4IRuk7NBrvI0bGHCyRqO7TPqOEZn9Po1eBFfg2I08 RZEVrE3EN1gm/rW32pJ/ocNLTH45mRqKEQoO8gZle509ZvkhiBzJuK8aXFn7hJn+ cgJeSUTfBmw= =U3zk -----END PGP SIGNATURE----- From drosoff at arc.unm.edu Thu Jul 4 19:29:36 1996 From: drosoff at arc.unm.edu (David Rosoff) Date: Fri, 5 Jul 1996 10:29:36 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port Message-ID: <1.5.4.16.19960704232548.0b77fbf4@arc.unm.edu> -----BEGIN PGP SIGNED MESSAGE----- At 02.09 PM 7/4/96 -0400, you wrote: >On Wed, 3 Jul 1996, Mark Rogaski wrote: > >> I would assume that the filters look for regexp's in the query string, too. >> How about a nice little Nutscape plugin that uses a rot13'd query string? > > Do you have a copy of that plugin? If it exists. > >> http://www.one.site.com/cgi-bin/sneaky-rd?uggc://jjj.cbeab-fvgr.pbz/ >> >> Hmmm, no bad words in the query string. Of course the filter package would >> start looking for rot13'd stuff in the next release. So the next logical >> step is to use the URL encrypted with the redirector's public key ... or >> better yet, a dynamically generated key. Just convert it to radix64 so >> as to avoid ?'s &'s or ='s, and use that as the query string. >> >> The plug-in would only be necessary to generate the first request. Any >> URL preparation could be handled by passing the output of netcat through >> a stream filter before sending it to the client. > > That "creative child" would have to be pretty damn smart to do >what you described. It would actually take less creativity to do the other things, bypass the config.sys, etc. The child would thus be perhaps a little TOO creative. :) =============================================================================== David Rosoff (nihongo o sukoshi dekiru) ----------------> drosoff at arc.unm.edu For PGP key 0xD37692F9, finger drosoff at acoma.arc.unm.edu 0xD37692F9 Key fingerprint = 25 7D AA 01 85 41 43 89 50 5A 33 76 F1 F1 99 67 Do you know who's reading your email? ---> http://www.arc.unm.edu/~drosoff/pgp/ Anonymous ok, PGP ok. If it's not PGP-signed, you know that I didn't write it. === === === === === === === === === === === === === === === === === === === === "Truth is stranger than fiction, especially when truth is being defined by the O.J. Simpson Defense Team." -Dave Barry -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMdxKohguzHDTdpL5AQEFIwQAuK9Ca8ImcDka9mYWht35h8NMSr2A/tfB zvusZ8P5HIEYTbQ8GyRDQ3R+X58+k2pQmaCnO66EtI83mrVs+J9C8B7LoobroZpO u2R0SnMMJVU6eQAnkABkgYaMLVamqEMG+n6qmk7NePjsawSBvOdtuH9dmccR1/Pi +sGpQvT6RvI= =vTir -----END PGP SIGNATURE----- From furballs at netcom.com Thu Jul 4 19:30:11 1996 From: furballs at netcom.com (Paul S. Penrod) Date: Fri, 5 Jul 1996 10:30:11 +0800 Subject: Net and Terrorism. In-Reply-To: Message-ID: On Thu, 4 Jul 1996, Timothy C. May wrote: > At 5:58 AM 7/4/96, attila wrote: > > > U.S. cash has eliminated a lot of Soviet weapons, including, I > >believe > > some chemical. however, keep in mind: the obsolete, and expensive to > > maintain, hardware predominated. However, you will never be able to > >buy out > > the religious terrorists --they are on a "mission." > > > > The Western world faces far more threat from fundamentalist religious > > terrorists than it does from the Soviet Union, etc. > > > > There is no cure for the "revolutionary" terrorists --just death > >for their > > own brand of glory. If we do not even print their obit, there is no glory! > > I recall that Attila is one of several Mormons on the list, from a recent > thread where I happened to mention Mormons as an example (and got comments, > including a statement that "Mormon" is a slur). > > Anyway, I should point out that Mormons (or Latter Day Saints, I guess) are > spreading quickly around the world...all WITHOUT using "conversion by the > sword," as some other well-known religions are wont to do. > > Islam, notably, was known for this policy of conversion by the sword: > entire national populations were given the choice of converting to Islam or > being put to the sword. Most converted, naturally enough. > > (cf. various histories, incl. Wright's "Sacred Rage.") > > Islam is one of the religions teaching that "martyrs" go directly to > Paradise/Heaven/Valhalla. A terrorist who explodes himself goes directly to > sit at Allah's dinner table. His relatives, too, as I understand their > beliefs, though the surviving relatives have to wait until they die to get > this benefit. > > Further, if a large Middle Eastern city, e.g., Tel Aviv or Haifa, were to > be nuked by Believers, then all of the vaporized Muslims in the city would > automatically be martyred, and would also go to Paradise. This makes it > more "acceptable" to Believers to hit targets which may contain their own > kind. (The famous "Kill them all and let God sort them out" line really > does apply to many Muslims.) > > (Two other religions come to mind as having similar beliefs about death in > battle and afterlives: the Viking "berserkers" circa 800-1100 A.D. and the > Japanese/Shinto suicide pilots in WW2. I'm sure there are other examples.) > > Most other religions which have strong beliefs about an afterlife, > including Mormons, Catholics, and other flavors of Christianity, > nevertheless have not adopted this "martyr" concept. This may explain why > few suicide bombings and suchlike come from these groups. > > (There are exceptions. Many Christian sects believe that abortion is > immoral and a grave sin, and that those who bomb or shoot up abortion > clinics, a la John Salvi, are doing God's work and are ensured a place in > Heaven. Personally, I expect to see more such "terrorist" acts in the > coming decades, in the U.S.) > > Calling a spade a spade, Islam is in some sense a "terrorist religion," in > that physical force is seen by many Muslims as a legitimate mechanism of > conversion. The wrinkle that those who die in the service of Allah go > directly to sit at his side is of course a major incentivizing factor for > more truck bombs, nerve gas attacks, and even nukings. > > We should all be thankful that Mormons, as economically powerful and as > well-organized as they are, steer far clear of this kind of recruiting and > service to their beliefs. > > (It's been 30 years since I've been in Salt Lake City, but I understand > that strip clubs exist there--from reading certain news groups!--and that > alcohol is not illegal there. This government tolerance of things inimical > to the dominant religion would be unthinkable in, say, Mecca.) > > There are of course other flavors of Islam, including arts-loving, > peace-loving, and scholarly sorts. The propagation of science and math > through the Dark Ages owes much to Arabic scholars, of course. Hence, we > cannot blanketly condemn Islam. > > However, for the sake of the discussion about terrorism, it's important to > recognize that some significant fraction of Muslims believe these notions > of martrydom and are willing to engage in horrific acts to accomplish > certain ends. > > (The Arab world is very poorly connected to the Net at this time. It'll be > interesting to see what happens if and when they become well-connected, > with PGP, remailers, information markets, etc.) > > --Tim May > Normally I would snip a bit to save bandwidth, but your comments, abreviated, would not be as effective. My cousin is attached to one of the Ranger companies that went to Somalia, among other "friendly" vacation spots. He told me that just prior to moving out to rescue 6 men pinned down at 900 m by sniper fire, his CO instructed them that these snipers were muslim and considered it an honor to die for their religion. His last words to them were: "Tell them 'Go with God', then fire!" As far as John was concerned it was a win-win situation... ...Paul BTW, Attila, this was one of the companies Eric had to help pull out of the fire, created courtesy of the UN and the Pakistani CO for that attachment. But that's an interesting story for another time. From markm at voicenet.com Thu Jul 4 20:16:43 1996 From: markm at voicenet.com (Mark M.) Date: Fri, 5 Jul 1996 11:16:43 +0800 Subject: ecash thoughts In-Reply-To: <199607040424.VAA02562@mail.pacifier.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Wed, 3 Jul 1996, jim bell wrote: > At 05:53 PM 7/3/96 -0400, Simon Spero wrote: > > >2) If ecash is used to create a new currency- i.e. the value of a unit of > >the ecash is not tied to any single existing currency, what should the > >value of one currency unit be set at? (let's call it a Turing) > > Low, maybe a tenth of an American cent. But probabilistic payment should be > used to allow the minimum average payment to go way below this, perhaps to > an unlimited extent. The reason is simple: The cost of providing net > transactions, and electronic transactions in general, can be expected to > drop exponentially, just like the cost of telecommunications and CPU power > do. Any arbitrary limit to how low they can go will act somewhat akin to > the minimum wage: It will deter development of any product or service whose > perceived value is less than this arbitrary minimum. If the value of a Turing is one tenth of an American cent, then it would actually just be a pseudocurrency backed by U.S. dollars. The inflation of ecash would be the same as the inflation of U.S. money. However, I do agree that the value of one unit should be low. You use Moore's Law to state that the cost of electronic transactions drops exponentially. However, this is only true if the electronic transactions use the same amount of bandwidth. As chip processing speed and transmission bandwidth double, the cost of building the equipment also doubles. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xe3bf2169 http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348 "Freedom is the freedom to say that two plus two make four. If that is granted, all else follows." --George Orwell, _1984_ -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMdxhVrZc+sv5siulAQEvXQP9EpchmkFK5dlxzwGP73oh02ATNzrVfl+N nB7BrpT/Ord5cUYk9vVFVdqZ4w3rW+/uV0QQaPE+GOeDH5bnDtX7nBGBQp72TpVl Bwy+b6cuHuPMjivMSqHfOcSLhXXDO3Km+35dxx77FNOWa4MI2rgDtUdqjXOocaiR puGEgEosYDI= =6UK5 -----END PGP SIGNATURE----- From attila at primenet.com Thu Jul 4 20:18:25 1996 From: attila at primenet.com (attila) Date: Fri, 5 Jul 1996 11:18:25 +0800 Subject: Net and Terrorism. (blanc@accessone.com) Message-ID: <199607050037.RAA29295@primenet.com> Addressed to: blanc Cypherpunks To: blanc From: attila Reply-To: attila at primenet.com Subject: RE: Net and Terrorism. ** Reply to note from blanc 07/04/96 12:31am -0700 = Could you explain your statement below: = = the first time you witness a small child begging for chocolate = exploded by a remote control pressed by her father, you understand = --you do not necessarily like it, it's just survival. = = Why was the child exploded? To kill the soldier it was requesting = chocolate from? = human life is cheap in many non-Western countries, particularly the orient. Female children are considered expendable (in China where parents are limited to one child; the abortion of a female fetus is common). children in war zones have always begged chocalate from soldiers and even a small child can pack enough plastiques to wipe out an entire patrol. as I said, it is one or the other --the child dies either way, and explosives are very messy. no matter how war movies are glorified for joe six-pack, war is still hell. -- Fuck off, Uncle Sam. Cyberspace is where democracy lives! From llurch at networking.stanford.edu Thu Jul 4 20:29:23 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 5 Jul 1996 11:29:23 +0800 Subject: What remains to be done. In-Reply-To: <199607042102.OAA26752@jobe.shell.portal.com> Message-ID: On Thu, 4 Jul 1996, Hal wrote: > It would seem that an equally effective method would be to use no > encryption, but just a secret URL, one which is not linked to from > elsewhere - an "island in the net", so to speak (apologies to Bruce > Sterling). The URL would still be visible in your ISP's http log and, in som cases, to other users of the ISP. You'd have to cont on low traffic and little interest from other users in your ISP from browsing the world-readable bits of your home directory. A case of an ISP closing someone's account because of an objection to an unliked gif was sent to Declan's fight-censorship list a few days ago. -rich From attila at primenet.com Thu Jul 4 20:32:16 1996 From: attila at primenet.com (attila) Date: Fri, 5 Jul 1996 11:32:16 +0800 Subject: Net and Terrorism. Message-ID: <199607050037.RAA29288@primenet.com> Addressed to: tcmay at got.net Cypherpunks ** Reply to note from tcmay at got.net 07/04/96 5:43pm -0700 = I recall that Attila is one of several Mormons on the list, from a = recent thread where I happened to mention Mormons as an example (and = got comments, including a statement that "Mormon" is a slur). = your memory is correct as to my membership: I am an active Elder and member of the Quorum of High Priests. The official name of the church since 1838 (eight years after founding) is "The Church of Christ and the Latter Day Saints" --therefore preference for 'LDS' or 'Saints.' the use of "Mormon" to describe our members is obvious from the "Book of Mormon," so named by the fact the prophet Mormon compiled and/or authored much of the book, although the last prophet and custodian was Moroni (the gold statue on top of LDS Temples is of Moroni). = Anyway, I should point out that Mormons (or Latter Day Saints, I = guess) are spreading quickly around the world...all WITHOUT using = "conversion by the sword," as some other well-known religions are = wont to do. = our mission is simple: we only ask that you read the material (preferably including the Book of Mormon) and privately (possibly including your family) to get on your knees and humbly and openly pray to God to tell you if the LDS church is the restored Church of Christ himself, as established before his crucifixion, unfortunately, we have been met by the sword, including in Utah, which was _occupied_ by Federal troops for almost 50 years and more than one U.S. Army was sent by Washington to subjugate and/or exterminate us. = Islam, notably, was known for this policy of conversion by the sword: = entire national populations were given the choice of converting to = Islam or being put to the sword. Most converted, naturally enough. = = (cf. various histories, incl. Wright's "Sacred Rage.") = = Islam is one of the religions teaching that "martyrs" go directly to = Paradise/Heaven/Valhalla. A terrorist who explodes himself goes = directly to sit at Allah's dinner table. [snip...] = = Personally, I expect to see more such "terrorist" acts in the = coming decades, in the U.S.) = given the insolvency of the U.S. government and the absurd ratios of stock values in the NYSE and NASDAQ --most of it on 10%, or less, margin, a total economic collapse is inevitable --not if! *when?* all the "safeguards" of FDR's Glass Act, the SEC, etc. are just so many words. the monied class and the manipulators are no less than the moneychangers Jesus expelled from the temple in Jerusalem. = Calling a spade a spade, Islam is in some sense a "terrorist = religion," in that physical force is seen by many Muslims as a = legitimate mechanism of conversion. [snip...] = = We should all be thankful that Mormons, as economically powerful and = as well-organized as they are, steer far clear of this kind of = recruiting and service to their beliefs. = technically, we "turn the other cheek" as W.W. Phelps did when the mobs in Jackson, MO tarred one cheek --he turned to make it easier to tar the other. = (It's been 30 years since I've been in Salt Lake City, but I = understand that strip clubs exist there--from reading certain news = groups!--and that alcohol is not illegal there. This government = tolerance of things inimical to the dominant religion would be = unthinkable in, say, Mecca.) = our basic attitude is very simple: we do not believe in the consumption of liquor, tea, coffee, and drugs including nicotine and caffeine. all members are not perfect, and many must restore their faith by repentance; however, we believe all non-members are free to practice _any_ religion of their choice, including in indulging in [legal] harmful substances. I, myself, live in Southern Utah in a rural high desert community of <150 families. I suspect it would be difficult to obtain a drink! The LDS position of war and conscientious objects is dual: if you profess to your Bishop you wish to be a conscientious objector (following the example in Alma), you will be supported; or, if you wish to be called to duty (as the striplings of Helaman who had not covenented to not raise arms). you will be supported, as this example from the Discourses of Brigham Young: "When we were right in the midst of Indians, who were said to be hostile, five hundred men were called to go to Mexico to fight the Mexicans, and, said Mr. Benton -- 'If you do not send them we will cover you up, and there will be no more of you.' "...The boys in that battalion performed their duty faithfully. I never think of that little company of men without the next thoughts being, "God bless them for ever and for ever." All this we did to prove to the Government that we were loyal. "...Thomas H. Benton, ...obtained the requisition to call for that battalion, and, in case of non-compliance with that requisition, to call on the militia of Missouri and Iowa, and other states, ...to destroy [us]. "This same Mr. Benton said to the President of the United States, in the presence of some other persons, 'Sir, they are a pestilential race, and ought to become extinct.'" [Discourses of Brigham Young 10:106] = There are of course other flavors of Islam, including arts-loving, = peace-loving, and scholarly sorts. The propagation of science and = math through the Dark Ages owes much to Arabic scholars, of course. = Hence, we cannot blanketly condemn Islam. = = However, for the sake of the discussion about terrorism, it's = important to recognize that some significant fraction of Muslims = believe these notions of martyrdom and are willing to engage in = horrific acts to accomplish certain ends. = = (The Arab world is very poorly connected to the Net at this time. = It'll be interesting to see what happens if and when they become = well-connected, with PGP, remailers, information markets, etc.) = currently, the Arabs are poorly connected to the Internet due to the fear of their despotic rulers that they will learn Western ways, including democracy --and, spread information and democracy to rise against these leaders. In Saudi Arabia, any usage of the InterNet goes thru the official state provided (a clear case for a satellite link). Of course, it is illegal to own weird satellite equipment. Attila 960704:2359 -- Fuck off, Uncle Sam. Cyberspace is where democracy lives! From frissell at panix.com Thu Jul 4 20:32:57 1996 From: frissell at panix.com (Duncan Frissell) Date: Fri, 5 Jul 1996 11:32:57 +0800 Subject: Who was that Masked Cypherpunk? Message-ID: <2.2.32.19960705005731.00858d68@panix.com> OK, fess up. Who was it who amended the anti-key-escrow language of the Libertarian Party Platform live on CSPAN? Specific reference to cypherpunks. DCF From frissell at panix.com Thu Jul 4 20:34:52 1996 From: frissell at panix.com (Duncan Frissell) Date: Fri, 5 Jul 1996 11:34:52 +0800 Subject: Moviepunks Message-ID: <2.2.32.19960705005530.00849e80@panix.com> Not much crypto or any networking in "Independence Day." It does have a code name, however, "ID4." Disabled the mothership with computer viruses (highly unlikely.) Used a Mac Powerbook but no Apple logos showed. Film has mass appeal, however and some good bits. Good for teaching people that if 15-mile-wide spacecraft position themselves above your town--leave. The Net did get me into the film however without waits. Fired up www.777film.com at 1600 hrs, ordered tickets for the 1700 hrs showing, get to the theater, walked past lines into the lobby to use ATM, stuck in card, got tickets, went into theater. Dodged mob scene. Saw a preview of "Ransom" starring Mel Gibson in a remake of the 1956 Glenn Ford film of the same name. First ransom "note" appears to be a multimedia file (delivered by the Net?). DCF "Somehow, I doubt William Jefferson Blythe Clinton would fly an F-15 against a monster alien craft." From jimbell at pacifier.com Thu Jul 4 20:47:16 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 5 Jul 1996 11:47:16 +0800 Subject: ecash thoughts Message-ID: <199607050111.SAA17969@mail.pacifier.com> At 08:26 PM 7/4/96 -0400, Mark M. wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >On Wed, 3 Jul 1996, jim bell wrote: > >> At 05:53 PM 7/3/96 -0400, Simon Spero wrote: >> Low, maybe a tenth of an American cent. But probabilistic payment should be >> used to allow the minimum average payment to go way below this, perhaps to >> an unlimited extent. The reason is simple: The cost of providing net >> transactions, and electronic transactions in general, can be expected to >> drop exponentially, just like the cost of telecommunications and CPU power >> do. Any arbitrary limit to how low they can go will act somewhat akin to >> the minimum wage: It will deter development of any product or service whose >> perceived value is less than this arbitrary minimum. > >If the value of a Turing is one tenth of an American cent, then it would >actually just be a pseudocurrency backed by U.S. dollars. I should have said, "about a tenth of a cent." I didn't mean to imply a linkage. >The inflation of >ecash would be the same as the inflation of U.S. money. However, I do agree >that the value of one unit should be low. > >You use Moore's Law to state that the cost of electronic transactions drops >exponentially. However, this is only true if the electronic transactions >use the same amount of bandwidth. As chip processing speed and transmission >bandwidth double, the cost of building the equipment also doubles. At any given time, that's true, but over time the cost of that processing (per unit transaction) will drop, probably in some exponential fashion. For an optical fiber transmission system, the cost of the fiber does NOT go up with the speed, since it's nowhere near its limiting capacity. End-termination systems will be more expensive, but I suspect that's a relatively small fraction of the overall cost. CPU cost will be significant, but then again the Moore's law trend will predominate. CPU's probably have 1000 times the power, per unit cost, than they did in 1980 or so. It would probably be over-optimistic to think that they'll drop the same ratio over the next 15 or so years, but it'll be enough of a reduction so that whatever costs appear to be limits today won't be then. Jim Bell jimbell at pacifier.com From raph at c2.org Thu Jul 4 21:51:07 1996 From: raph at c2.org (Raph Levien) Date: Fri, 5 Jul 1996 12:51:07 +0800 Subject: Announcing the release of premail 0.44 Message-ID: <199607050216.TAA16873@infinity.c2.org> The long awaited release of premail 0.44 is now available. This release integrates PGP and anonymous e-mail functions into Unix versions of Netscape 3.0's built-in mailer. It also does a pretty good job with Pine 3.94 (transparent integration of plain PGP mail, decoding of MIME protected mail requires a single command). For those of you interested in experimenting with S/MIME, it contains some S/MIME functions, but does not yet fully comply with the standard. The main premail Web page is: http://www.c2.net/~raph/premail.html The premail documentation is at: http://www.c2.net/~raph/premail/ I appreciate any bug reports, suggestions, or comments. Raph From sameer at c2.net Thu Jul 4 21:51:19 1996 From: sameer at c2.net (sameer) Date: Fri, 5 Jul 1996 12:51:19 +0800 Subject: Restrictions on crypto overseas In-Reply-To: Message-ID: <199607050215.TAA22048@atropos.c2.org> In many countries there are none. France is pretty bad. > Greetings. > > I am looking for a concise description of the restrictions overseas on the > use of cryptography, and how those restrictions affect the operation of a > cryptographically-enabled web server. > > I have been told that users of programs like PGP in france are required by > law to register their secret keys with the state security apparatus. Does > this mean that users of secure web servers need to register their secret > keys as well? Is anybody doing this? Is the law enforced? > > What about other nations that have recently passed restrictions on the use > of crypto? Other than Russia, which are they? Is there a list anywhere? > > Thanks. > > > ====== > Simson's Summer Info: > > Mailing: 304 Newbury Street, #503, Boston, MA 02115. 617-876-6111 > Summer Salon: 236 Marlborough St. #2 Boston MA 02116. > > -- Sameer Parekh Voice: 510-986-8770 Community ConneXion, Inc. FAX: 510-986-8777 The Internet Privacy Provider http://www.c2.net/ sameer at c2.net From jimbell at pacifier.com Thu Jul 4 22:10:56 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 5 Jul 1996 13:10:56 +0800 Subject: Altair emulator? Message-ID: <199607050234.TAA20461@mail.pacifier.com> So you always wanted to run an Altair... http://www.nwlink.com/~tigger/altair.html Jim Bell jimbell at pacifier.com From vinnie at webstuff.apple.com Thu Jul 4 22:15:04 1996 From: vinnie at webstuff.apple.com (vinnie moscaritolo) Date: Fri, 5 Jul 1996 13:15:04 +0800 Subject: Lack of PGP signatures Message-ID: Folks it's time to shit or get off the pot. If what is holding us back is a PGPlib, (even though I personaly belive it's a bit late, S-MIME is becoming pretty popular) then either finish it, or make it available for someone else to finish it. I know that at least on the Mac if there was a there was a PGPlib, you would have seen more than one native email plug-in from the last Mac hack. Maybe Macintosh developers havent done crypto for a variety of reasons, whether it be NSA strong arming or not, BUT... I tell you as soon as someone releases a Mac CFM library that does crypto, thats when you will see interfaces that Joe-sixpack will use. And none of this silly telnet/unix shell I can't send my passphrase over the wire crap. Hello...Thats why they (we) make powerbooks. OH and I would suggest that you do make the interfaces/doc public in several well-known places (TM) ASAP. cause like the AT&T commercial says, have you ever been visited by the men with dark suits..you will. Vinnie Moscaritolo ------------------ "friends come and friends go..but enemies accumulate." http://www.vmeng.com/vinnie/ Fingerprint: 4FA3298150E404F2782501876EA2146A From llurch at networking.stanford.edu Thu Jul 4 22:17:47 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 5 Jul 1996 13:17:47 +0800 Subject: Philly Inquirer: More old, conterfactual "Hate on the Net" "news" Message-ID: This is fucking amazing. In the last month, the two most well-known young neo-Nazi activists on the net, having been exposed to a true diversity of opinion and true free speech on the Internet, repudiated their former beliefs (I'm buying one of them a beer next week); the most well-known neo-Nazi propagandist on the net, frustrated by having her daily newsletter posted publicly to Usenet, lashes out at DejaNews for building a case against her (she knows her own words are her best refutation); and serious attempts by neo-Nazis to rmgroup and vertical-spam two newsgroups where neo-Nazi movements are discussed and refuted failed without a single spam-cancel or account closure that could be mischaracterized as "censorship." And yet Reid comes out with the old Horsemen fear-mongering about "Hate on the Net." He even quotes an old piece from *former* net.nazi Milton Kleim WHICH MILTON NO LONGER SUPPORTS. The Dreaded Nazi Threat to the Net is in disarray, and the totally discredited and impotent kook Don Black (the man who would be king of the island of Dominica, but his coup failed) gets a front-page story in the Philadelphia Inqirer to sneer at America on July 4th. Unbelievable. No wonder Don was happy to send the full text of the article, below, to his ever-shrinking pool of supporters (and others) on his Stormfront mailing list (send "archive stormfront-l" in the body of a message to listserv at stormfront.org if you'd like to browse the last 100 messages, half of which talk about the recent breakdown in "the movement"). It seems they're determined to beat on the Four Horsemen even when it's patently obvious that they're dead. Reid Kanaley's email address is rkanaley at voicenet.com, but it seems he's only interested in talking to "experts" who are way, way out of touch with current events. -rich censor internet now! http://www.stanford.edu/~llurch/potw2/ boycott fadetoblack! http://www.fadetoblack.com/prquest.htm ---------- Forwarded message ---------- Date: Thu, 4 Jul 1996 11:13:53 GMT From: "don.black" To: rich at c2.org Subject: SF: More "Hate on the Net" news >From this morning's Philadelphia Inquirer ... Happy Independence Day! --Don Page One Thursday, July 4, 1996 Hate groups reaching vast Internet audience They are reaching a vast audience. Some Web sites are ``very, very slick says an observer. By Reid Kanaley INQUIRER STAFF WRITER Don Black, who was once national director of the Knights of the Ku Klux Klan and now runs a site on the World Wide Web called Stormfront, recognized early that the Internet was the place to be. ``The potential of the Net for organizations and for movements such as ours is enormous,'' Black, 42, of West Palm Beach, Fla., said in an interview. ``We're reaching tens of thousands of people who never before have had access to our point of view.'' Those who monitor the activities of extremists such as right-wing militias, neo-Nazis, Holocaust-denial groups and others agree that the Internet is proving irresistible to those organizations for communication, propaganda and recruitment. In a written response to an interview request e-mailed to Minuteman Press Online, a militia-oriented Web site, someone identified as R.A. Mann declined to be interviewed yesterday, but added: ``Militias use the Internet in the same way other groups do: data verification, urgent updates, tips on everything, legislation overviews, etc.'' Begun in the late 1980s as an electronic bulletin board for the so-called ``white nationalist'' movement, Stormfront was moved by Black to the Web in March 1995. The site is decorated with German-gothic text, white-pride graphics, and letters urging African Americans to thank whites for slavery. ``At the time of the Oklahoma City bombing [ in April 1995 ] , maybe two or three racist groups had Web pages,'' said Rick Eaton, senior researcher at the Simon Wiesenthal Center in Los Angeles. ``There are now dozens, if not over 100 outright racist Web pages. There's a lot of new players that we never saw before, and most importantly there is a sense of communication and instant gratification -- that they're not alone.'' And many of their online efforts amount to ``very sophisticated advertisements for their groups,'' said Paul V. Fleming, a mass communications graduate student at Oklahoma State University, who has co-authored a research paper on Internet hate speech. ``Some of these sites are just very, very slick,'' with good graphics and downloadable ``hate music,'' Fleming said. Several watchdog groups, including the Anti-Defamation League and the Wiesenthal Center, are attempting to closely monitor hate speech on the Internet. The Wiesenthal Center, Eaton said, now focuses up to 80 percent of its research activity on the worldwide linkage of computer networks where cheap, unfettered and often anonymous global discourse points up both the blessings and curses of free speech. Black said he oversees an e-mail discussion group with 380 subscribers and an electronic mailing list for 1,200 people. But since March of 1995 he says his web site has been visited by thousands more. ``What we've done is begin to break that monopoly'' of the mainstream media, said Black. ``Anyone, of course, can set up a Web page, and in our case we've been pretty successful at it as far as the traffic we've gotten.'' ``Up to now, you had a guy like Don Black . . . sitting there and basically playing at being a Nazi when the lights are out. Now all of a sudden there is a double sense of empowerment: Their message, theoretically, gets out to hundreds of thousands or millions of people . . . and they're in touch with each other instantaneously,'' said Mark Weitzman, director of the Wiesenthal Center's Task Force Against Hate. Groups serious about using violence are not likely to be using the relatively insecure Internet to communicate, several experts said. Eaton said he had not previously heard the names of any of those arrested this week as part of an alleged plot by the Viper Militia in Arizona to bomb buildings in Phoenix. Were the Vipers on the Internet? ``Nope, I can't find 'em,'' said Richard Bash of Portland, Oregon, who maintains an electronic mailing list for the academic discussion of terrorism, and is writing a doctoral dissertation about militias. Most extremist-group members are ``blowhards'' who migrated from such innocuous activities as ``bowling leagues.'' Rarely, he said, do they pose a threat to society. Weitzman said, however, that increasing electronic communication among these extremists could be inspiring more to violence. ``With the arrests in Arizona, you see more people willing to go to the extreme,'' he said. ``As the communications increase between them, there is a sense: We have this link, we can start doing something about society.'' He said impressionable young people are the propaganda targets of many extremist groups. ``They see the Internet as an incredible recruiting tool. It is wide open for kids and, essentially, the younger the better, because they can get them before they develop all the intellectual resources to combat what they're saying,'' Weitzman said. ``Organizations have recruited through Stormfront, and through their Web pages that we've linked to,'' said Black. Some experts say that the nature of the Internet makes it difficult to stumble upon extremist material without looking for it. But Eaton contests that. He pointed out that a Web search for the term ``Talmud'' on the Infoseek service turns up a page from Stormfront titled ``The Talmud: Judaism's holiest book documented and exposed,'' in the top 10 of 353 references. In another search, the first and third of 415 references found for the word, ``Auschwitz,'' were links to the Web site of an organization that denies the Holocaust took place. And an online essay by white supremacist Milton Kleim Jr., 25, of Roseville, Minn., urges a campaign by ``cyber guerrillas'' to proselytize in the Internet discussion groups called Usenet news groups: ``Usenet offers enormous opportunity for the Aryan Resistance to disseminate our message to the unaware and the ignorant . . . We MUST move out beyond our present domain, and take up positions on `mainstream' groups.'' In his paper titled ``An Examination of Hate Speech, Censorship and the First Amendment on the Internet,'' presented in March to a Las Vegas conference on American popular culture, Fleming and co-author Torey Lightcap said, ``The Internet is accused of not only giving hate groups an uncontrolled platform but also legitimizing them.'' But the paper concludes that ``like the non-electronic world, citizens of cyberspace will probably have to live with hate speech as one of its liabilities in order to enjoy the wide range of benefits the Internet offers.'' Cyberspace libertarians severely criticized the Wiesenthal Center earlier this year when it sent thousands of letters to Internet service providers asking them to deny Web space to hate groups. Eaton said he was disappointed that barely a score of providers responded. ``We would like to see providers say, `This stuff is crap, and we're not going to put it on,''' he said. ------------------------------------------------------------------------ To: Multiple recipients of the Stormfront-L Mailing List Host: Don Black Finger for PGP public key. Post to 'Stormfront-L at stormfront.org' with 'SF:' prepending the subject. To unsubscribe, send e-mail to 'Listserv at stormfront.org' with the line 'unsubscribe Stormfront-L' in the message BODY, not the subject. ------------------------------------------------------------------------ ----- Processed with Listserv v2.92 for Wildcat v4 From ponder at freenet.tlh.FL.us Thu Jul 4 22:22:56 1996 From: ponder at freenet.tlh.FL.us (P. J. Ponder) Date: Fri, 5 Jul 1996 13:22:56 +0800 Subject: InfoTrends ISTrends - Issue 55 (fwd) Message-ID: Anybody know what this is about? I noticed it in the current issue of Information Society Trends. Thanks. Happy Independence Day USA! ---------- Forwarded message ---------- Date: Tue, 2 Jul 1996 16:00:49 +0200 From: ISPO Administrator To: istrends at www.ispo.cec.be Subject: InfoTrends ISTrends - Issue 55 Information Society Trends Issue number: 55 - (13.6.96 - 27.6.96) [big piece snipped out here] TECHNOLOGY The Japanese Ministry of International trade and Industry (MITI) is planning the launch in 1997 in collaboration with Japanese electronics and computer firms of trials for an electronic certification system which would be used for the transmission of formal documents as well as to provide a high level of security for electronic commerce. [more stuff snipped out here] __________________________________________________________________________ DGXIII - The content of "Information Society Trends" does not necessarily reflect the European Commission's views. Also available electronically: http:/www.ispo.cec.be/ispo/press.html E-mail subscription: Majordomo at www.ispo.cec.be; enter SUBSCRIBE ISTRENDS + your e-mail address From vinnie at webstuff.apple.com Thu Jul 4 22:35:20 1996 From: vinnie at webstuff.apple.com (vinnie moscaritolo) Date: Fri, 5 Jul 1996 13:35:20 +0800 Subject: Net and Terrorism. Message-ID: Since this has become terror-punks I guess I should throw my e$.02 into the fray. I have to agree with the entity that call himself snow that one of the reasons that you don't see so much civil induced terrorism in the US, (as oposed to terrorism the Feds do) is because there is so many channels for free speach here. This helps to vent and depresurize the situations. There is little need for organizations to underground, since most things can (or used to be) be better done out in the open. In fact you will attract less governement attention that way. Take Greedpiece (typo) GreenPeace for instance, they are able to perform thier forms of terrorism very overtly, same for Anti-Abortionists. Sometimes I am astounded by the lack common sense that government officials display. Bill Klinton and his media budies (Ted Copulate etc) are the best recruiters for Militia groups, After the OKC bombing, his accusations of Militia involvement pissed off so many middle of the roaders that memberships showed a marked increase. Thanks to Sen Fineswine, Semi-Auto purchases had a record year in California. (does she have stock in Norinco?) There is no conspiricy on the governements part, just plain stupidity. >Then why do you float ideas such as buying out the Soviet arsenal if you >think it isn't possible? actually I know of an individual who did just that: he bought out an DDR arsenal, and flew it into Ohio on a Soviet transport. Scared the shit out of the ATC working the airport that day. Result: large supply of Soviet SKS, Moisan-Naggant and AK's for gunshops, just in time for the Fineswine blue light special. he made big bucks. >however, we will probably > see that again in parts of the world as many cultures do not have the >basic > respect for life we do. the first time you witness a small child begging > for chocolate exploded by a remote control pressed by her father, you > understand --you do not necessarily like it, it's just survival. > and faced with a decision of giving up 'n' "friendlies" for 1000n, or even > more, to survive, I know where I stood, and still stand Yes it does have a way of changing the way you look at the world. I only wish the clowns in office who make the decisions that the grunts guarding the embassies should have empty mags, could see any of this shit. War does suck, and suck in a big way, and when your there, and I don't mean watching it on CNN, you ARE in a world of hurt. > if the U.S does adopt the police state tactics Bubba > is espousing, the U.S. will be faced with _real_ terror, not staged > incidents to justify the martial law, etc. Roger that, an I for one don't want to see that war fought on US soil. This is the part that scares me the most. So my point is, the more the government inflates a non existant problem, the bigger the problem gets. The part that really bothers me is that too many times these are all diversion from important issues. The American people seem to be on a steady diet of OJ and CNN, when the war, the real war that will shape the future gets no media coverage. Things like education, and economic strategy are just not sexy enough for TV. >However, you will never be able to buy out the religious terrorists > --they are on a "mission." I was always taught They have nothing left to lose..make em happy and send em to Allah (or whatever) as quickly as you can. >There is no cure for the "revolutionary" terrorists .. > If we do not even print their obit, there is no glory! Tim, you are asking for the liberal media to act responsibly.. what were you thinking? speaking of liberal media, I have lost all creditibility with my Bostonian friends this week trying to tell em about the feature I saw in the San Jose TV news, where some animal expert actually suggested admininstrating tranquilizers to the family poodle in preparation for 4th of July festivities..something do with fireworks. OK maybe in Santa Cruz the animals (at least the ones downtown) are already on tranquilizers. But who wants a dog that can't deal with loud noises anyways, he'd be useless for huntin. But what do I know.. I just practice law Samoan style. Vinnie Moscaritolo ------------------ "friends come and friends go..but enemies accumulate." http://www.vmeng.com/vinnie/ Fingerprint: 4FA3298150E404F2782501876EA2146A From scmayo at rschp2.anu.edu.au Thu Jul 4 23:14:17 1996 From: scmayo at rschp2.anu.edu.au (Sherry Mayo) Date: Fri, 5 Jul 1996 14:14:17 +0800 Subject: What remains to be done: keeping info free Message-ID: <199607050336.UAA07204@toad.com> -----BEGIN PGP SIGNED MESSAGE----- Hal Finney writes.. > From: Black Unicorn > > A. Methods to run secure websites on insecure servers. > > [...] > > A software solution which permits local decryption makes traffic analysis > > less useful, presents the opportunity to use front end and disposable www > > pages on domestic ISPs while imposing no liability on the ISP itself, and > > opens several more effective traffic analysis deterants. > I don't quite understand what is being proposed here. If the > information on the web site is encrypted, who is supposed to be able to > decrypt it? Just one person, or some select group of people? My If the objective is to keep information available then check out Ross Andersons "eternity service" proposal (http://www.cl.cam.ac.uk:80/users/rja14/#Lib) which outlines a "highly distributed, resilient and anonymous file store. Once a document is published on it, the courts will simply not be able to find and delete all the copies" Sherry -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAgUBMdyPeOFu4n6w1qeBAQF4igP/bhD22woqB8W2kglF6r6Z4rdUVDzGrXk4 N9Iav/KnUtAlmWb/yItHg9+uwAPRtomkTeOZye5UcmJzYI8WERyBYi5Y4OghA48a vo9C/Qo4znljc2J3+J1nWuuDp1khSVB/b+B1/r2zqN/Uv7YvwkF9cext/bf8XV/G uxPJz0DvSLE= =jiix -----END PGP SIGNATURE----- From AwakenToMe at aol.com Fri Jul 5 00:44:36 1996 From: AwakenToMe at aol.com (AwakenToMe at aol.com) Date: Fri, 5 Jul 1996 15:44:36 +0800 Subject: Word lists for passphrases Message-ID: <960705010023_427891194@emout09.mail.aol.com> In a message dated 96-07-04 16:37:24 EDT, fair at clock.org (Erik E. Fair) writes: >You could just snarf up a week's worth of netnews... > > Erik > > > There are many out there. And I doubt the net would have anything like Antidisestablishmentarianism heheh I believe it was an 8 meg wordlist I got off the net. Just use the good ole search utils!! From mixmaster at remail.obscura.com Fri Jul 5 01:10:32 1996 From: mixmaster at remail.obscura.com (Mixmaster) Date: Fri, 5 Jul 1996 16:10:32 +0800 Subject: Mix for PC: Mixmaster Remailer FAQ Message-ID: <199607050451.VAA12470@sirius.infonex.com> -----BEGIN PGP SIGNED MESSAGE----- Frequently Asked Questions about Mixmaster Remailers FAQ Verson 1.8 July 4 1996 by Lance Cottrell This document is a semi-technical discussion of Mixmaster remailers. I wrote this to answer questions often asked by new users of Mixmaster, and to explain why you would want to use Mixmaster remailers. ***Announcements*** 4 July 1996: Mixmaster for Dos and Windows is now available! I am pleased to announce the release of Mixmaster 2.0.3 It contains many bug fixes, and a much improved Makefile which makes compiling a snap! ***What is Mixmaster?*** Mixmaster is a new class of anonymous remailers. Inspired by the existing "cypherpunk" remailers and discussions on the Cypherpunk mailing list (cypherpunks at toad.com). Mixmaster is the next generation in the evolution of remailer technology. ***What is an anonymous remailer?*** Quoting from Andre Bacard's remailer FAQ: An anonymous remailer (also called an "anonymous server") is a free computer service that privatizes your e-mail. A remailer allows you to send electronic mail to a Usenet news group or to a person without the recipient knowing your name or your e-mail address. For a non-technical introduction to remailers (not including Mixmaster), I recommend Andre's FAQ. It is posted regularly to: alt.privacy alt.privacy.anon-server alt.anonymous or you can get it by sending mail to: To: abacard at well.com Subject: Help1 Message: [Ignored] There is also a version on the World Wide Web at . ***What do I need to use Mixmaster remailers?*** Unlike other remailers, you can't just make your own message and send it to the remailer. Mixmaster's security comes in part from using a special message format. The disadvantage of this is that you need a special program to make the message for you. Once you have that program (the client) remailing is as easy as running the program, and telling it which remailers you want to use. ***How do I get the Mixmaster client software?*** There are two sites for distribution. The first is at my site , or ftp to ftp.obscura.com and read /pub/remail/README.no-export. The other is by anonymous ftp to jpunix.com. You will have to follow the instructions there to get Mixmaster. Because Mixmaster contains cryptography, it may not be exported from the U.S and Canada. The reason for the circuitous route to download Mixmaster is to show my good faith efforts to keep Mixmaster from being exported. I understand that Mixmaster may be available in Europe from ftp://utopia.hacktic.nl/pub/replay/pub/remailer ***How do I get the software to run a Mixmaster remailer?*** The remailer software is available from the same sites as the client. ***But I only see one Mixmaster distribution?*** The same program is used for both the client and the remailer. The only difference is in the installation. For the client you just compile it and you are ready to go. For the remailer, you need to set up mail forwarding and cron jobs. ***What kinds of computers does Mixmaster run on?*** Unfortunately, not PCs or Macs. But it is being ported to those right now. Mixmaster runs under UNIX. The only machine it is known not to work on is Dec Alpha. It has been tested on Linux, FreeBSD, SunOS 4.1.3, Solaris, and several others. It has been compiled and tested on Netcom. If you use it on a machine or service not on this list, please let me know so I can add it. ***How does Mixmaster work, and why should I use it?*** You should use Mixmaster if you want the highest level of anonymity available, or if your are tired of building remailer messages your self. A discussion of how Mixmaster provides this level of security is beyond the scope of this FAQ, but I put an essay on the subject on my home page. ***Does Mixmaster use PGP?*** No, Mixmaster uses the rsaref package from RSA. Mixmaster uses its own keys and key file formats. To add a key to a key ring, simply append the key to your key file using your favorite text editor. ***Can Mixmaster post to News?*** Yes, like older remailers some Mixmaster remailers can post to news. Also like older remailers, not all Mixmaster remailers can post to news. Request the remailer's help file to check if it supports posting. Do this by sending mail to the remailer with the subject line remailer-help ***When Was Mixmaster Released?*** Mixmaster was originally released on an experimental basis in late 1994. There were only ever two remailers running Mixmaster 1.0. Mixmaster 2.0 was released on May 3, 1995. There are now 18 publicly available Mixmaster remailers. ***What is the latest version of Mixmaster?*** Version 2.0.3 for Dos and Windows was released July 4 1996. Version 2.0.3 was released on Nov 27, 1995. This version uses a new Makefile, which makes compiling it a snap. Several bugs were also fixed, and some esoteric functions added. Version 2.0.2 was released on Sept 22, 1995. Mixmaster remailers can now accept messages containing multiple Mixmaster packets. Mixmaster can be told to choose a random set of remailers to chain your message through. It will now route multiple packet messages over independant chains. Several minor bugs were fixed. Version 2.0.1 was released on May 27, 1995. The only changes from 2.0 are some improvements in the documentation, and the inclusion of a more up to date list of remailers. ***What remailers run Mixmaster?*** The most recent list of remailers is available on my homepage, along with the remailer list and key file for Mixmaster. You can simply replace your current type2.list and pubring.mix files with these. They are also available from . My list is simply a mirror of the one on Jpunix, which is maintained (through much hard work) by John Perry.

Please send any questions you think should be here to: loki at obscura.com. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMdxm51Vkk3dax7hlAQGfwgP9FediBro7gdVMMjCffWToLyhr6HUagxSI qcHhQU4jL1EWdebMwR6wqUBWuxDgrAsrSRT4WhftfSxTtCHCiSk9yXqg7HlRVPkx VQ+7SCF5/gnTE3a/rvj+EbH2hjBdRZWLEOdOnv+Ej00rhCB4A9T2ASQjpcZZB1iT zT+cSIlW3go= =qKtd -----END PGP SIGNATURE----- From rp at rpini.com Fri Jul 5 02:07:39 1996 From: rp at rpini.com (Remo Pini) Date: Fri, 5 Jul 1996 17:07:39 +0800 Subject: Computer-Aided Revolution Message-ID: <1.5.4.32.19960705062727.008f8f04@www.nextron.ch> >> I've thought of an application for a "revolutionary" program for peaceful >> protest, but one that requires that a substantial number (1000) of people >> have access to computer time synchronized to 1 second, ideally 0.1 second. >> How good would a time sync over the net typically be? Well, in Europe you could just buy a 40$ hardware (DCF-77 receiver) which syncs with the standardized broadcasted atomic clock. you could sync the stations every second with an accuracy of better than 10^-3 secs, like a GPS, only much cheaper. (although, you wouldn't know you geographic location ;-) ----------< fate favors the prepared mind >---------- Remo Pini Fon 1: +41 1 350 28 82 mailto:rp at rpini.com Fon 2: +41 1 465 31 90 http://www.rpini.com/remopini/ Fax: +41 1 350 28 84 --------< words are what reality is made of >-------- From tcmay at got.net Fri Jul 5 02:19:55 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 5 Jul 1996 17:19:55 +0800 Subject: Word lists for passphrases Message-ID: At 5:00 AM 7/5/96, AwakenToMe at aol.com wrote: >In a message dated 96-07-04 16:37:24 EDT, fair at clock.org (Erik E. Fair) >writes: > >>You could just snarf up a week's worth of netnews... >> >> Erik >There are many out there. And I doubt the net would have anything like >Antidisestablishmentarianism heheh >I believe it was an 8 meg wordlist I got off the net. Just use the good ole >search utils!! The standard "large data base" of modern American English words is the "Brown corpus." Search the Web for this and you'll get a few hundred hits, including some downloadable files. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Fri Jul 5 02:41:28 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 5 Jul 1996 17:41:28 +0800 Subject: Net and Terrorism. Message-ID: At 2:37 AM 7/5/96, vinnie moscaritolo wrote: >>There is no cure for the "revolutionary" terrorists .. >> If we do not even print their obit, there is no glory! > >Tim, you are asking for the liberal media to act responsibly.. what were >you thinking? I did not write that. However, I wouldn't think that "not printing their obit" is acting responsibly. As far as I'm concerned, I want the full news, or at least some reasonable approximation of it, not propaganda. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Fri Jul 5 02:48:34 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 5 Jul 1996 17:48:34 +0800 Subject: ecash thoughts Message-ID: First, I'm not very convinced that probabalistic payments are needed. And I'm mostly convinced that most users of digital money will be skeptical too. A few comments: At 9:18 PM 7/4/96, Steve Reid wrote: >Suppose someone is surfing the web or whatever, and various sites are >charging, say, 0.1 cents per web page, via probabilistic payments. >Suppose there is a 1 in 10 chance that the person will pay 1 cent. > >The person wanders around the web, acting as though he's perfectly willing >to pay, and participating in the fair coin tosses. Except, he really has >no intention of paying. He will gain free access to 9 out of 10 sites, and >on the ones that he loses the 1/10 gamble, he just backs out of the deal >and doesn't pay anything. The end result is that instead of seeing all of >the web at 0.1 cents per page, he sees 90% of the web completely for >free. If everyone does this, the sites will go broke. I cannot imagine _any_ protocol for probabalistic payments which "allows" someone to back out of the deal once they've seen the outcome of the coin toss (or whatever). That just makes no sense. Exactly how the deal works to force completion is another matter (maybe escrow, maybe the symmetric payment scheme described here recently, etc.). >The obvious solution would be to require that the person pay the 1 cent, >then if he wins the 9/10 bet, he gets the 1 cent back. But that will just >move the problem from the user to the server- the site can welsh on the >bet and refuse to pay back the one cent. They will get ten times the >payment that they are supposed to get. Reputations matter, too, so sites or customers who renege will have their reps diminished, in the ways we talk about so often here. (Analogies in the physical world today: casinos who fail to pay off winnings, customers of casinos who fail to pay off their markers, etc.) I don't believe probabalistic payments have any special problems with renege rates. However, I also don't think this is a promising area. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From llurch at networking.stanford.edu Fri Jul 5 03:46:43 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 5 Jul 1996 18:46:43 +0800 Subject: Net and Terrorism. In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Thu, 4 Jul 1996, vinnie moscaritolo wrote: > Sometimes I am astounded by the lack common sense that government officials > display. Bill Klinton and his media budies (Ted Copulate etc) are the best > recruiters for Militia groups, After the OKC bombing, his accusations of > Militia involvement pissed off so many middle of the roaders that > memberships showed a marked increase. Thanks to Sen Fineswine, Semi-Auto Middle of the roaders? Some road. :-) I get your drift, and I'm behind you, but I think you're deluding youurself if you think you're anywhere near the mainstream. Most people aren't that intelligent. Yeah, I'm sure some good people like we'all joined the militia, but I'm worried about the losers and loons like the "Vipers Militia." When the barely literate who can't hold a job at a donut shop are convinced that it's *K00L* to play with guns and bombs and prepare to fight The New World Order, we have a problem. Even the very few real Nazis (as opposed to everybody the SWC thinks are Nazis) are worried about the proportion of unstable loons in their midst. There are good people in that racket who don't want to see people hurt; I'm happy to have made some friends. Of course you're right, much of the blame for that problem lies with the stoopid gubmint that lacks a proper regard for the Bill of Rights, not to mention a Sense of Huumor. Absent the fearmongering, the Viperweenies would have turned to something else antisocial, buut they wouldn't have had a "movement" to cling to. (Or maybe they would have... in another era, they would have joined up with the Weathermen or the Symbionese Liberation Army.) Fortunately, and despite what, say, the SWC says in its fundraising materials, the middle of the road among the militias isn't that kooky. Bo Gritz and the leaders of the Michigan Militia were heard calling the Freemen a bunch of lying scum; I've observed more mainstream (if that's the word) militiafolk distancing themselves from the Viperweenies both online and on shortwave. > purchases had a record year in California. (does she have stock in > Norinco?) I'm sure it's a blind trust. > There is no conspiricy on the governements part, just plain > stupidity. Absolutely, on both sides of that walnut. > So my point is, the more the government inflates a non existant problem, > the bigger the problem gets. Government or whomever... > >However, you will never be able to buy out the religious terrorists > > --they are on a "mission." > > I was always taught They have nothing left to lose..make em happy and send > em to Allah (or whatever) as quickly as you can. Since the two muslims who used to give a shit about this list seem to have left in disgust, I suppose I should register my "That ain't representative of Islam, any more than Pete Peters is representative of Christianity or Lenin is representative of atheism." I think this falls under the category of "the more you inflate a nonexistent problem, the bigger it gets." Yes there is an unusually high proportion of loons in charge of movements that call themselves Islamic Fundamentalist, but do you really think it's in your interest to talk like, well, a bigot and turn the rest of the muslims against you? - -rich http://www.c2.org/~rich/ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQBVAwUBMdzGDZNcNyVVy0jxAQFDAQH/cy1hWsH29dj3AHWaH8Z5I9BxDgoPtbYB 4cVL5T0mOLiP5aW/OjP05e4yF9Y1r4af+iI0x9u8yuc6ly8NOzOK9g== =Qoe2 -----END PGP SIGNATURE----- From erehwon at c2.org Fri Jul 5 04:55:03 1996 From: erehwon at c2.org (William Knowles) Date: Fri, 5 Jul 1996 19:55:03 +0800 Subject: Word lists for passphrases Message-ID: Greg, >Are there any publically available word lists which contain just about >every word in the English language? It's not absolutley necessary, >but I'd also like the list to include english names. I would try this site out, It is very complete and should fill the bill. ftp://sable.ox.ac.uk/pub/wordlists/ Good Luck! -William Knowles erehwon at c2.org Finger for public key -- From llurch at networking.stanford.edu Fri Jul 5 05:40:36 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 5 Jul 1996 20:40:36 +0800 Subject: Net and Terrorism. In-Reply-To: Message-ID: On Fri, 5 Jul 1996, Timothy C. May wrote: > At 2:37 AM 7/5/96, vinnie moscaritolo wrote: > > >>There is no cure for the "revolutionary" terrorists .. > >> If we do not even print their obit, there is no glory! > > > >Tim, you are asking for the liberal media to act responsibly.. what were > >you thinking? > > I did not write that. > > However, I wouldn't think that "not printing their obit" is acting > responsibly. As far as I'm concerned, I want the full news, or at least > some reasonable approximation of it, not propaganda. The issue here is that terroristic actions *are* propaganda. Does every idiot with a bomb deserve to be really big news? Anyway, I don't think Vinnie was suggesting that the news be censored -- just that the press doesn't have an obligation to print the obituary the "martyrs" want. There's a spectrum from "the popular front for the liberation of kooks, which believed blah blah blah because blah blah blah, just blew up a building" to "some kook just blew up a building." The latter is usually sufficient. If I care about the kooks, I can look them up, but I don't think the fact that they blew up a building gives them the right to propagandize the front page of my newspaper. -rich From jimbell at pacifier.com Fri Jul 5 05:41:45 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 5 Jul 1996 20:41:45 +0800 Subject: ecash thoughts Message-ID: <199607051008.DAA03805@mail.pacifier.com> At 02:18 PM 7/4/96 -0700, Steve Reid wrote: >The person wanders around the web, acting as though he's perfectly willing >to pay, and participating in the fair coin tosses. Except, he really has >no intention of paying. He will gain free access to 9 out of 10 sites, and >on the ones that he loses the 1/10 gamble, he just backs out of the deal >and doesn't pay anything. The end result is that instead of seeing all of >the web at 0.1 cents per page, he sees 90% of the web completely for >free. If everyone does this, the sites will go broke. > >It's the equivalent of welshing on a bet. > >The obvious solution would be to require that the person pay the 1 cent, >then if he wins the 9/10 bet, he gets the 1 cent back. But that will just >move the problem from the user to the server- the site can welsh on the >bet and refuse to pay back the one cent. They will get ten times the >payment that they are supposed to get. If you're a store and I want to buy something that costs, say, $4.50, and we want to eliminate the need for change (for whatever reason) then I would pay $4.00 up front and we'll flip the electronic coin for the rest. At that point, you already have $4 so I'd have no reason to welsh on the remaining 50 cents. It obviously doesn't work this way if the minimum coin is larger than the current purchase... Jim Bell jimbell at pacifier.com From jgrasty at gate.net Fri Jul 5 09:21:25 1996 From: jgrasty at gate.net (Joey Grasty) Date: Sat, 6 Jul 1996 00:21:25 +0800 Subject: Libertarian Anti-GAK Platform Message-ID: <199607051311.JAA14454@osceola.gate.net> Y'all: Just got an e-mail from Jim Ray, who added the anti-GAK provision to the Libertarian Party Platform yesterday. So, yes, it WAS one of us. Good job, Jim! Regards, -- Joey Grasty jgrasty at gate.net [home -- encryption, privacy, RKBA and other hopeless causes] jgrasty at pts.mot.com [work -- designing pagers] "Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin." -- John Von Neumann PGP = A7 CC 31 E4 7E A3 36 13 93 F4 C9 06 89 51 F5 A7 From camcc at abraxis.com Fri Jul 5 09:29:06 1996 From: camcc at abraxis.com (camcc at abraxis.com) Date: Sat, 6 Jul 1996 00:29:06 +0800 Subject: Word lists for passphrases Message-ID: <2.2.32.19960705131244.00687f3c@smtp1.abraxis.com> At 02:12 AM 7/5/96 -0700, you wrote: :Greg, : :>Are there any publically available word lists which contain just about :>every word in the English language? : :I would try this site out. It is very complete and should fill the bill. : :ftp://sable.ox.ac.uk/pub/wordlists/ : :Good Luck! : : :-William Knowles : erehwon at c2.org : Finger for public key : I am not sure of your purposes, but I suggest you take a look at Arnold Reinhold's Diceware page. http://world.std.com/~reinhold/diceware.page.html The list it contains certainly is not "every word in the English language," but the list he offers is large and well set up; I load mine from Wordpad. It is part of a randomness system he espouses. Alec From talon57 at well.com Fri Jul 5 10:48:28 1996 From: talon57 at well.com (talon57 at well.com) Date: Sat, 6 Jul 1996 01:48:28 +0800 Subject: Net and Terrorism Message-ID: <199607051432.HAA25401@well.com> Tim May wrote: >Again, the Sarin attack in Tokyo had nothing to do with former >U.S.S.R. CBW weapons. Chemical and biological agents are cheap to >make, especially in the quanties needed to kill only a few >thousand people, and in the non-battlefield delivery environment. Actually Tim, the Aum Supreme truth cult was using a Russian formula for it's production of sarin, and was spending vast amounts of time and money trying to obtain Russian NBC expertise. They supposedly had an estimated 30,000 followers in the former Soviet union. I recently finished an excellent book "The cult at the end of the world" about all this and highly recommend it to my fellow cypherpunks. Brian From geoff at commtouch.co.il Fri Jul 5 10:51:05 1996 From: geoff at commtouch.co.il (geoff) Date: Sat, 6 Jul 1996 01:51:05 +0800 Subject: Lack of PGP signatures Message-ID: <19960705135901328.AAB217@[194.90.26.119]> -----BEGIN PGP SIGNED MESSAGE----- To: bshantz at nwlink.com, markm at voicenet.com, cypherpunks at toad.com Date: Fri Jul 05 17:10:11 1996 On 7/3 Brad Shantz Wrote: > Once upon a time last year or the year before, Tim May posted why he > doesn't use PGP very often. And I have always stood by that same > sentiment. Yes, it is a good encryption product, but it is not > integrated seamlessly into other applications. Tim, feel free to > whack me if you think I'm speaking for you. If, as cypherpunks, we > want to spread the use of strong crypto, we need to have a better > interface than what currently exists on PGP 2.6.2. I strongly urge anyone who uses PGP on a regular basis to take a look at Pronto Secure. It is a fully featured Windows e-mail client with complete & seamless PGP integration in its native implementation. Security features include: Single click for encrypt sign or decrypt, on the fly authentication, key management, talks to the keyservers, intuitive & flexible certification / trust management, automated key exchange between Pronto Secure clients & more. The product is in final beta & this will probably be the last opportunity to get a free registered copy. We believe that we have a pretty secure e-mail client. However before releasing Pronto Secure to a less security aware public, we would like to submit the product for additional scrutiny by the members of this list. With this objective in mind, we have decided to extend our special offer to beta testers: Any tester providing us with feedback on the product will automatically be eligible for a free copy of the soon to be released Pronto Secure 1.0. For a detailed specification see http://www.commtouch.com/s-mail.html To check out what our existing beta testers have said about Pronto Secure: http://www.commtouch.com/testers.htm To apply for the beta send signed mail to secure at commtouch.com. Also please attach your PGP key. I take this opportunity to thank all members of the list who have up to now assisted in beta-testing the product. Your input has helped make Pronto Secure into what we believe is a truely usable secure e-mail client. - --------------------------------------------------------------- Geoff Klein, Pronto Secure Product Manager; www.commtouch.com My PGP public Key 1814AD45 can be obtained by sending a message to geoff at commtouch.co.il with "Get Key" as the subject. - ---------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQCVAwUBMd0iTELv5OMYFK1FAQG8dQQAo2pgG+JIyHFLT/g6stvFnb+MAIpr8Ut7 43uPtRP6xSCztG1T48V/a4jIHzCYcXiYOrGdalJSRc+alpndFfehD+Ky+nzAsgKu WZPISfieWb0wQDUygi1DFkKTddzhjlStAdtwZ0J0E4fHHrZgc3NpzfoRvyVUvdtS cgmH6neWNjs= =yUlH -----END PGP SIGNATURE----- From reagle at rpcp.mit.edu Fri Jul 5 10:57:32 1996 From: reagle at rpcp.mit.edu (Joseph M. Reagle Jr.) Date: Sat, 6 Jul 1996 01:57:32 +0800 Subject: Net and Terrorism. Message-ID: <9607051439.AA07350@rpcp.mit.edu> At 05:43 PM 7/4/96 -0700, Timothy C. May wrote: >Anyway, I should point out that Mormons (or Latter Day Saints, I guess) are >spreading quickly around the world...all WITHOUT using "conversion by the >sword," as some other well-known religions are wont to do. Perhaps you've read this before (or it's even been mentioned here before) but an excellent book exists that discusses some of the points you touch upon (suicide, martyrs, religion (meme) propagation). See Bloom, "The Lucifer Principle." _______________________ Regards, He who knows others is wise. He who knows himself is enlightened. Joseph Reagle http://rpcp.mit.edu/~reagle/home.html reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E From reagle at rpcp.mit.edu Fri Jul 5 11:04:40 1996 From: reagle at rpcp.mit.edu (Joseph M. Reagle Jr.) Date: Sat, 6 Jul 1996 02:04:40 +0800 Subject: What remains to be done. Message-ID: <9607051439.AA07353@rpcp.mit.edu> At 12:58 PM 7/4/96 +0000, Deranged Mutant wrote: >Another need is for file/disk-encryption utilities. I'm not familiar >with what's out there for Macs, but for PCs there's SFS and ASPICRYP >for SCSI drives (with no source!) and SFS, SecureDrive and SecureDevice >for HD (or FD). The latter won't work on Win95. AFAIK, SFS and >SecureDrive aren't 100% friendly with Win95 either, though they'll work. I'll just add that Jetico puts out BCrypt, which works perfectly with Win95. Of course it costs, but one can try out the software only version, then upgrage to hardware encryption! _______________________ Regards, He who knows others is wise. He who knows himself is enlightened. Joseph Reagle http://rpcp.mit.edu/~reagle/home.html reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E From ota+ at transarc.com Fri Jul 5 11:20:27 1996 From: ota+ at transarc.com (Ted Anderson) Date: Sat, 6 Jul 1996 02:20:27 +0800 Subject: Fwd: CWD -- Jacking in from the "Keys to the Kingdom" Port In-Reply-To: Message-ID: See the sig at the end. -ota ---------- Forwarded message begins here ---------- Date: Thu, 4 Jul 1996 08:41:35 +0000 (GMT) From: jonathon To: "Mark M." cc: David Rosoff , Declan McCullagh , cypherpunks at toad.com Subject: Re: CWD -- Jacking in from the "Keys to the Kingdom" Port On Wed, 3 Jul 1996, Mark M. wrote: > On Wed, 3 Jul 1996, David Rosoff wrote: > > I've wondered .. could a creative child circumvent these filter programs > If the child is creative enough, he will be able to boot DOS from a bootdisk > and remove the line from config.sys that starts up the filtering software. Even more creative kids will find the Dos-based web browser that bypasses whatever is in the config.sys file, that is supposed to prevent them from seeing those "naughty" websites. xan jonathon grafolog at netcom.com AOL coasters are unique, and colourful. Collect the entire set. From um at c2.org Fri Jul 5 11:40:20 1996 From: um at c2.org (Ulf Moeller) Date: Sat, 6 Jul 1996 02:40:20 +0800 Subject: Restrictions on crypto overseas Message-ID: <9607051504.AA50380@public.uni-hamburg.de> > What about other nations that have recently passed restrictions on the use > of crypto? Other than Russia, which are they? Is there a list anywhere? http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm From hlin at nas.edu Fri Jul 5 11:43:48 1996 From: hlin at nas.edu (Herb Lin) Date: Sat, 6 Jul 1996 02:43:48 +0800 Subject: SAFE forum -- remarks of Herb Lin Message-ID: <9606058365.AA836589679@nas.edu> You're entitled to any spin you wish (see your [...] below). But my original intent was to say the part about "and it is" in any event; unfortunately, the audience started snickering before I got to it. In the future, I will say "Crime prevention ought to be, and is, a part of the FBI's mission", thereby pre-empting premature snickering by an audience pre-disposed to be unfriendly or derisive to law enforcement. Begin personal comment from herb: The "overview and recommendations" document summarizing the report notes that "Input from [..] diverse sources demonstrated to the committee a considerable amount of confrontation and disconnect between interest groups (e.g., information technology vendors, businesses, law enforcement, private individuals, national security) that fail to understand or appreciate the validity of each other's policy needs and interests with respect to cryptography. . . . Public debate based on hyperbole is unproductive. All of the stakes described above -- privacy for individuals, protection of sensitive or proprietary information for businesses, ensuring the continuing reliability and integrity of nationally critical information systems and networks, law enforcement access to stored and communicated information for purposes of investigating and prosecuting crime, and national security access to information stored or communicated by foreign powers or other entities and organizations whose interests and intentions are relevant to the national security and the foreign policy interests of the United Statesare legitimate; informed public discussion of the issues must begin by acknowledging the legitimacy both of information security for law-abiding individuals and businesses and of information gathering for law enforcement and national security purposes." My experience with the FBI and other law enforcement officials is that they are honorable people trying to do a very hard job. You may disagree with them on policy grounds -- indeed, the NRC report does disagree with the Administration in certain important ways -- but in my personal opinion, law enforcement deserves credit rather than censure for trying to anticipate a future problem, You may believe the proposed solution to be inappropriate, but I'd ask those of you who follow the debate to engage it on substantive rather than ad hominem grounds, Many of you in the cypherpunk community have done so, and I applaud such efforts. [End personal comment] herb == On Wed, 3 Jul 1996, Herb Lin wrote: > Folks -- I object to the characterization of my remarks about crime prevention > being made with sarcasm. The complete remark was "Crime prevention ought > to be part of the FBI's mission, ... and it is -- ask them, and they acknowledge > that." OK, sorry, my reading. I'd certainly hate to jeopardize any professional relationships by implying that you'd been poking fun at them on purpose. There's already far too much distrust to go around. As I recall, the sequence went "Crime prevention ought to be part of the FBI's mission [audience snickers, Herb realizes what he just said and smiles]... and it is -- ask them, and they acknowledge that." The best standup comics are the genuine straight men, I guess. To avoid any trouble, I'll be using that line *without* specific attribution from now on. -rich From Clay.Olbon at dynetics.com Fri Jul 5 12:03:36 1996 From: Clay.Olbon at dynetics.com (Clay Olbon II) Date: Sat, 6 Jul 1996 03:03:36 +0800 Subject: Lack of PGP signatures Message-ID: >It is not possible to clear-sign binaries with PGP. The point of clear- >signing >is to have signed text that is readable to people who don't have the >software >necessary to process the text. It would make sense to clearsign a file that >is base64'ed or uuencoded, which wouldn't alter the contents of the file. I >can't see how such an option would be harmful, except that it might lose >some >characters that are important to the context of the message. > Mark, Of course you can use pgp to sign binaries. How else did the pgp binary itself get signed? You can either sign it in a separate file, or in the same file. PGP sorts it out for you. What do you use it for? Same reasons you sign text. "I signed this file" means that you vouch for it in some undefined way (maybe I wrote and compiled it, or somesuch). Clay *************************************************************************** Clay Olbon II * Clay.Olbon at dynetics.com Systems Engineer * PGP262 public key on web page Dynetics, Inc. * http://www.msen.com/~olbon/olbon.html ***************************************************************** TANSTAAFL From wendigo at gti.net Fri Jul 5 12:16:39 1996 From: wendigo at gti.net (Mark Rogaski) Date: Sat, 6 Jul 1996 03:16:39 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port In-Reply-To: <1.5.4.16.19960704232548.0b77fbf4@arc.unm.edu> Message-ID: <199607051544.LAA20442@apollo.gti.net> -----BEGIN PGP SIGNED MESSAGE----- An entity claiming to be David Rosoff wrote: : : > That "creative child" would have to be pretty damn smart to do : >what you described. : : It would actually take less creativity to do the other things, bypass the : config.sys, etc. The child would thus be perhaps a little TOO creative. :) : 2 short replies in one post: A) Who said anything about a creative child? How about a creative c'punk? B) Forget the CONFIG.SYS ... what about kids using Macs or some future "Kid Safe" system that has the filters in an eeprom? I'm talking about bypassing the censorship on the client-server level. Relatively platform independent. - -- Mark Rogaski | Why read when you can just sit and | Member GTI System Admin | stare at things? | Programmers Local wendigo at gti.net | Any expressed opinions are my own | # 0xfffe wendigo at pobox.com | unless they can get me in trouble. | APL-CPIO -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMd04PA0HmAyu61cJAQHaPwP/VkH9kMZkZGXe5Njz9HRLzPep+EwRGSBf zfX5z8VPxMpDUdBWSKHyZgakckkWWg5e6zNUXtOI6diKtIuPXboVC8/5wY1PN5vX qyEGzN8L97MFOvkKNmQVmWTdfou7Tyd8sd5GfBpYt6WoIYmux2ovz+hRhW5Pg2g+ MhImPjT3k7Q= =EilI -----END PGP SIGNATURE----- From frissell at panix.com Fri Jul 5 12:22:26 1996 From: frissell at panix.com (Duncan Frissell) Date: Sat, 6 Jul 1996 03:22:26 +0800 Subject: The Net and Terrorism Message-ID: <2.2.32.19960705153701.0082c960@popserver.panix.com> At 06:33 PM 7/3/96 -0700, Timothy C. May wrote: >My article made my points, so I won't rewrite it here. You are of course >not required to agree. You are free to live in crowded cites--near "soft >targets." You are welcome to lobby for world peace and for economic changes >to lessen terrorism. > >(I think this is mostly hopeless. No matter how "nice" conditions get, for >game-theoretic reasons there will be some groups seeking changes.) I am not sure who is right in this debate. I know that the "why can't we all just get along?" crowd is asking a stupid question. There are lots of reasons people can't get along and there have been enough "top-down" imposed social changes this century to suggest that "changing society" won't preserve the peace. On the other hand, I'm not sure that Tim's pessimism is warranted. This argument that cities will become completely unlivable and the only way to survive is to move out into less populated areas has been going on in the libertarian, survivalist, and right-wing-nut communities since the 1960s. The magazines Vonulife and Libertarian Connection used to talk a lot about the relative merits of Nomadism or Troglodytism, suitcase nukes, and such. Those who took the advice and moved into caves in 1969 have sure had an uncomfortable 30 years. Mel Tappan (author of Survival Guns) may have died from a heart attack which he could have survived had he not moved into the boonies. I note as well that Tim is not all that far away from civilization and its discontents. North Dakota or Labrador would be better choices if separation were really desired. Those of us in the Techno-Libertarian Panglossian Community argue that it is at least possible that the spread of markets will serve to bend the world's population to bourgeois values before nanotech gives everyone the power to destroy the world. Note that markets (like networks) can expand faster than outside observers can believe once a critical mass of participants is achieved. We see that happening all around the world in the case of both markets and networks. Even hard cases like Africa and the Middle East will find themselves swept up in a short time (by historical standards). It's hard to get people who are making lots of dough to strap dynamite to their bodies and go blow up a bus. Then Larry said: >>because it is a fact of life, is erroneous in my view. it is a common >>libertarian argument that goes, "criminality is everywhere, so why try >>to stop it?" a rather juvenile ideology. In all my years of reading and listening to libertarian agitprop, I've never heard this argument. And back to Tim: >(And my point about moving out of cities referred to what *I* am doing; >others are of course free to mingle in crowded markets, hoping that the >bombs won't come that day. Others are free to send their children to day >care centers located in likely targets for ZOG's enemies to bomb, and so >on.) Kids sent to day care centers operated by the federal government or schools operated by local governments are going to be in a bad way in any case whether or not they are blown up or shot (as in Stockton and Scotland). I *love* the Volvo ads which feature mom driving her kids to school in a Volvo with all of its safety features and then turing the kids over to the government for indoctrination. Much better she should drive them to private schools in a Chevy Corvair. They'll live longer (certainly in the spiritual sense of "live"). DCF From cyberia at cam.org Fri Jul 5 12:50:55 1996 From: cyberia at cam.org (CyberEyes) Date: Sat, 6 Jul 1996 03:50:55 +0800 Subject: Net and Terrorism. In-Reply-To: Message-ID: On Wed, 3 Jul 1996, snow wrote: > 2) When they _are_ exposed, let them fight the fuck back. Rules of > engagment are simple. When fired on, shoot to kill. If the shot > comes from a building, take out the building. If from a crowd, > well, do you best, but _get the shooter_. Basically, what you're saying is that one armed person in a crowd of a hundred needs to be killed no matter what happens to the lives of the other 99? Give me a break, we're not living in the 1800's anymore, we want to STOP wars, not create them! > If the US were to offer Russia $3 billion (or whatever) > in a one time take it or leave it for their entire chemical weapon stock, > it might get the soviet shit off the market. The nuclear stuff is a little > easier to store (I think) and it would be a harder sell. You'll never see it happen. First of all, a lot of the chemical weapons in the former Soviet Union are probably not even owned by the government, some are probably owned by private individuals. Secondly, the former Soviet Union would never give up all their chem. weapons for the same reason, that the U.S.A would not give up theirs (they'd be left defenseless, or very open). Ryan A. Rowe - Montreal, Quebec /Seeking Internet-related job!/ aka CyberEyes, Rubik'S Cube I will relocate _ANYWHERE_. Tel. -> +1-514-626-0328 | __o o E-Mail -> cyberia at cam.org | _ \<_ <\ WWW -> http://www.cam.org/~cyberia | __/\o_ (_)/(_) /> IRC -> #CAli4NiA, #Triathlon, #Surfing | FTP -> ftp.cam.org /users/cyberia | swim bike run Read my C.V. at http://www.cam.org/~cyberia/resume-e.html "In lieu of experience, I have a willingness to learn." "Everyone has their day, mine is July 15th, 1998." From cyberia at cam.org Fri Jul 5 13:20:24 1996 From: cyberia at cam.org (CyberEyes) Date: Sat, 6 Jul 1996 04:20:24 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port In-Reply-To: Message-ID: On Thu, 4 Jul 1996, jonathon wrote: > Even more creative kids will find the Dos-based web browser > that bypasses whatever is in the config.sys file, that is > supposed to prevent them from seeing those "naughty" websites. I think you're talking about Lynx. If you are, they'd need a shell account to access it. Most ISP's like AOL, CompuServe, Prodigy, and others don't offer that. They'd also have to set it up through a communications program in DOS. Anyways, if you're NOT talking about Lynx, what DOS-based Web browser is there? Ryan A. Rowe - Montreal, Quebec /Seeking Internet-related job!/ aka CyberEyes, Rubik'S Cube I will relocate _ANYWHERE_. Tel. -> +1-514-626-0328 | __o o E-Mail -> cyberia at cam.org | _ \<_ <\ WWW -> http://www.cam.org/~cyberia | __/\o_ (_)/(_) /> IRC -> #CAli4NiA, #Triathlon, #Surfing | FTP -> ftp.cam.org /users/cyberia | swim bike run Read my C.V. at http://www.cam.org/~cyberia/resume-e.html "In lieu of experience, I have a willingness to learn." "Everyone has their day, mine is July 15th, 1998." From cyberia at cam.org Fri Jul 5 13:32:42 1996 From: cyberia at cam.org (CyberEyes) Date: Sat, 6 Jul 1996 04:32:42 +0800 Subject: Net and Terrorism. In-Reply-To: <199607040558.WAA07424@primenet.com> Message-ID: On Thu, 4 Jul 1996, attila wrote: > "denied zones" (we were never there) is no longer in vogue. however, we > will probably see that again in parts of the world as many cultures do > not have the basic respect for life we do. What is your last comment supposed to mean exactly? Just because some Islamic militants decide to kill a few people in a terrorist attack does not mean that the entire believer population of Islam does not have respect for life. Just who is "we"? Americans? Europeans? All industrialized nations? Every country except those Third World ones? Uh... I don't see your point very clearly here... The only culture I can think of that might now have respect for life are cannibals, and they DO have respect for life in a way, they don't kill each other (I don't think), and they do it because it's their lifestyle, but they don't perform cannibalistic acts out of malice. Correct me here if I'm wrong. Ryan A. Rowe - Montreal, Quebec /Seeking Internet-related job!/ aka CyberEyes, Rubik'S Cube I will relocate _ANYWHERE_. Tel. -> +1-514-626-0328 | __o o E-Mail -> cyberia at cam.org | _ \<_ <\ WWW -> http://www.cam.org/~cyberia | __/\o_ (_)/(_) /> IRC -> #CAli4NiA, #Triathlon, #Surfing | FTP -> ftp.cam.org /users/cyberia | swim bike run Read my C.V. at http://www.cam.org/~cyberia/resume-e.html "In lieu of experience, I have a willingness to learn." "Everyone has their day, mine is July 15th, 1998." From markm at voicenet.com Fri Jul 5 13:32:57 1996 From: markm at voicenet.com (Mark M.) Date: Sat, 6 Jul 1996 04:32:57 +0800 Subject: Lack of PGP signatures In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On 5 Jul 1996, Clay Olbon II wrote: > Mark, > > Of course you can use pgp to sign binaries. How else did the pgp binary > itself get signed? You can either sign it in a separate file, or in the > same file. PGP sorts it out for you. > > What do you use it for? Same reasons you sign text. "I signed this file" > means that you vouch for it in some undefined way (maybe I wrote and > compiled it, or somesuch). I didn't say that binaries couldn't be signed. I said they couldn't be *clear*-signed. There is a difference between clearsigning and creating a signature certificate that is either concatenated with the data or written to a separate file. If somebody who doesn't have PGP gets a file that is signed by PGP, the file is completely useless to that person. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xe3bf2169 http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348 "Freedom is the freedom to say that two plus two make four. If that is granted, all else follows." --George Orwell, _1984_ -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMd1G47Zc+sv5siulAQEjvQQAg57AF6FAZbQ8EeOJ2CH9UCTDB5rfNl3B e5OUIgLMHLnkix8xQchoTEXo0f4spBRjddUu5fy16nP5k9ZNiyKCAYOYZZeiR7n9 cG/reikrCbW02/kAlCJcdoNIsTFXuauf3qity+Co1x2afu0Nl/V4vwvaAzxyLHRK tYECCec7pNY= =iR57 -----END PGP SIGNATURE----- From liberty at gate.net Fri Jul 5 13:47:14 1996 From: liberty at gate.net (Jim Ray) Date: Sat, 6 Jul 1996 04:47:14 +0800 Subject: I confess [Was: Who was that Masked Cypherpunk?] Message-ID: <199607051657.MAA67090@osceola.gate.net> -----BEGIN PGP SIGNED MESSAGE----- Duncan Frissell wrote: >OK, fess up. Who was it who amended the anti-key-escrow language of the >Libertarian Party Platform live on CSPAN? Specific reference to >cypherpunks. 'Twas me, the guardian of the *original* definition of the fine old term "escrow" against the slick denizens of Newspeak. I have found this Libertarian convention to be a super-fun experience, and I will be demonstrating PGP, Private Idaho, and lots of other fun stuff on Saturday at 3PM. All are invited to attend. Watch for "Pennies for Perot" this afternoon! ;) JMR -- Dade Chairman and Florida Delegate. Regards, Jim Ray -- DNRC Minister of Encryption Advocacy "It is long past time to end the laughable presumption that voters who can easily cope with the choices offered at Burger King are somehow 'confused' by more than two choices at the voting booth." -- me [From my Miami Herald article.] "Truth is stranger than fiction, especially when 'truth' is being defined by the O.J. Simpson Defense Team." -- Dave Barry 6/16/96 ___________________________________________________________________ PGP id.E9BD6D35 51 5D A2 C3 92 2C 56 BE 53 2D 9C A1 B3 50 C9 C8 http://www.shopmiami.com/prs/jimray Coming soon, "Pennies For Perot" page! CYA with http://www.anonymizer.com ___________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Freedom isn't Freeh. iQCVAwUBMd1Ii21lp8bpvW01AQEBWAQAoWqyLNe921Dx9HXbMFVoW2ReNGp0Qo6r mZd3FvNcJDw4bOeI434sekDwAEg9G2SiCCnBMBFrilZnKscMZpZp0XdNV6+b52FN MtyYW9yYQSRRgixjf3+j6O6jecPynztdugnnWY7Y8jWcb3ukipYYt4cQAVL13sX4 Aknxd4DXtzc= =lvW8 -----END PGP SIGNATURE----- From jimbell at pacifier.com Fri Jul 5 13:47:29 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 6 Jul 1996 04:47:29 +0800 Subject: Net and Terrorism. Message-ID: <199607051652.JAA15062@mail.pacifier.com> At 07:29 AM 7/5/96 -0700, Timothy C. May wrote: >At 2:37 AM 7/5/96, vinnie moscaritolo wrote: > >>>There is no cure for the "revolutionary" terrorists .. >>> If we do not even print their obit, there is no glory! >> >>Tim, you are asking for the liberal media to act responsibly.. what were >>you thinking? > >I did not write that. > >However, I wouldn't think that "not printing their obit" is acting >responsibly. As far as I'm concerned, I want the full news, or at least >some reasonable approximation of it, not propaganda. >--Tim May Well, whoever wrote those two lines above, he hit upon something I've long believed: The ability to force other people to (in effect) ignore dissent up to and including "terrorism" is extraordinarily valuable. Remember the old philosophical question, "If a tree falls in the forest and there's nobody there to hear, does it make a sound?" Scientifically, the answer's obvious. But _politically_ it isn't so obvious: If an act of "terrorism" occurs and the government can cover it up (or merely cover up the terroristic cause), the government is probably actually better off (considering _only_ the government's own interests) ignoring it and not exposing an embarrassing vulnerability, or possibly an embarrassing guilt, which induced the terrorist to attack. The government would probably have much preferred, for example, for 160+ people to be killed in an airliner that just happened to disappear off the radar screen and fall into the ocean, than the bombing in Oklahoma City, because the latter incident puts a powerful onus on the government to "do something" while an unexplained event (or one where the cause is covered up) has no such imperative. And I'm not talking primarily of retribution or punishment, either: Today, the government's under some pressure to simply stop doing things that would be expected to lead to retribution, like Waco and Ruby Ridge, and the government's misbehavior is highlighted by incidents such as the OKC bombing. In addition, a potential "terrorist" is less likely to try something if the government is likely to be able to cover it up. Ironically, this probably tends to induce such people to do things (like huge bombings) which _can't_ be covered up, rather than smaller, more individualized strikes. That makes the non-governmental public less safe, which is a serious conflict of interest between the government and the citizenry. I consider it axiomatic that whoever bombed the OKC building, he would have preferred killing one to two dozen people most responsible for Waco or Ruby Ridge than those who actually died. The public has every reason to prefer this alterative as well. The only people who can be expected to disapprove are government employees, who don't want to be held responsible (legally or "illegally") for what they did. If anything, I think the public would be far better off if there was a mechanism to allow even these "terrorists" to speak directly to the public, without censorship by the governments or heightened risk of capture. Jim Bell jimbell at pacifier.com From tcmay at got.net Fri Jul 5 13:59:45 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 6 Jul 1996 04:59:45 +0800 Subject: The Net and Terrorism Message-ID: At 3:37 PM 7/5/96, Duncan Frissell wrote: >On the other hand, I'm not sure that Tim's pessimism is warranted. This >argument that cities will become completely unlivable and the only way to >survive is to move out into less populated areas has been going on in the >libertarian, survivalist, and right-wing-nut communities since the 1960s. >The magazines Vonulife and Libertarian Connection used to talk a lot about >the relative merits of Nomadism or Troglodytism, suitcase nukes, and such. > >Those who took the advice and moved into caves in 1969 have sure had an >uncomfortable 30 years. Mel Tappan (author of Survival Guns) may have died >from a heart attack which he could have survived had he not moved into the >boonies. I note as well that Tim is not all that far away from civilization >and its discontents. North Dakota or Labrador would be better choices if >separation were really desired. Duncan, I said no such thing. Puh-leeeese. :-} What I _said_ was that _my_ response to increasing crime, the growing threat of serious terrorist actions, and the generally ratcage-like nature of large urban areas has been to move away from such urban centers. (Not that towns like Santa Cruz are crime-free. But they are not prime targets, when more tempting, fatter, softer targets are so nearby.) I've never said cities are "completely unlivable," just that, for me, better options exist. And in the vein of Harry Browne's "How I Found Freedom in an Unfree World," I think a better response to terrorist actions is not to crack down further on civil liberties, but to decentralize. Personally, if not nationally. A variant which might be called "How I Found Security in an Insecure World." >And back to Tim: > >>(And my point about moving out of cities referred to what *I* am doing; >>others are of course free to mingle in crowded markets, hoping that the >>bombs won't come that day. Others are free to send their children to day >>care centers located in likely targets for ZOG's enemies to bomb, and so >>on.) Well, there it is. You quote my clarification to Detweiler's mischaracterizations. I'm not saying that cities are unlivable for all, just that concentratios draw attackers of various sorts, and I expect such attacks to increase in the future. And small cities are not unlivable, either. Last night, for example, I celebrated the Fourth at a free Beach Boardwalk concert with the Drifters. Fine music, resonating even in the Rap Generation's skulls, judging by the wild reaction from tens of thousands of folks crowded on the beach... (Now _that_ was a "soft target," in which a lobbed grenade could've taken out 20 or 40 people....Lots of such soft targets, and little that even a police state can do to stop it. Personal avoidance, by whatever measures one deems important, are the best bet.) If there's any meta-point I'm making is that people are best served by making their own security arrangements, be it home protection, financial security, health security, or the security from rioters, criminals, and terrorists being talked about here. Turning over increased powers to a government to do these things is a recipe for failure, at very high costs (economic and civil liberties costs). --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From Clay.Olbon at dynetics.com Fri Jul 5 14:23:04 1996 From: Clay.Olbon at dynetics.com (Clay Olbon II) Date: Sat, 6 Jul 1996 05:23:04 +0800 Subject: Lack of PGP signatures Message-ID: Mark M. wrote: >I didn't say that binaries couldn't be signed. I said they couldn't be >*clear*-signed. There is a difference between clearsigning and creating a >signature certificate that is either concatenated with the data or written >to a separate file. If somebody who doesn't have PGP gets a file that is >signed by PGP, the file is completely useless to that person. > My mistake. I guess I still don't understand your point however. Of what use is a signature on a file to someone who cannot check its validity? It seems to me that a separate signature file for a binary would serve the same purpose ("gee, it LOOKS like somebody signed it"). Clay *************************************************************************** Clay Olbon II * Clay.Olbon at dynetics.com Systems Engineer * PGP262 public key on web page Dynetics, Inc. * http://www.msen.com/~olbon/olbon.html ***************************************************************** TANSTAAFL From WlkngOwl at unix.asb.com Fri Jul 5 15:05:27 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Sat, 6 Jul 1996 06:05:27 +0800 Subject: Moviepunks [NOISE] Message-ID: <199607051823.OAA08772@unix.asb.com> Didn't see either of those flicks, but saw "The Cable Guy" a week ago. Actually has more 'net relevance, even though no one there uses the 'net. If you imagine the utopian 'everything delivered by cable' (phone, TV, 'net, video games, shopping, etc.) and mix with the power a psychotic and corrupt cable installer has, the plot has potential. (It's actualisation was something else, though.) The movie is apparently such a flop that it turned out the group of friends I was with were the only people who wanted to see it that day, so we had the theatre all to ourselves. A rare opportunity indeed... I only with the movie was worse than it actually was so we could have made it into a kind of MST3K thing... but it actually held our interest. Rob. --- No-frills sig. Befriend my mail filter by sending a message with the subject "send help" Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From WlkngOwl at unix.asb.com Fri Jul 5 15:15:22 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Sat, 6 Jul 1996 06:15:22 +0800 Subject: Shrink-Wrap Lic. uphelo by courts. From Edupage, 4 July 1996 Message-ID: <199607051823.OAA08769@unix.asb.com> ------- Forwarded Message Follows ------- Date: Thu, 4 Jul 1996 17:27:43 -0400 (EDT) From: Edupage Editors Subject: Edupage, 4 July 1996 ***************************************************************** Edupage, 4 July 1996. Edupage, a summary of news items on information technology, is provided three times each week as a service by Educom, a Washington, D.C.-based consortium of leading colleges and universities seeking to transform education through the use of information technology. ***************************************************************** [..] "SHRINK-WRAP" LICENSES OKAYED BY COURT The validity of the "shrink-wrap" licenses that many software publishers rely on for copyright protection was bolstered by a recent appellate court ruling in Chicago. Last month, the Seventh Circuit Court of Appeals reversed a lower court's finding that shrink-wrap agreements were unenforceable. Plaintiffs in the case, ProCD vs. Zeidenberg et al., charged the defendants with distributing the software program via the Internet. The defendants had argued that they couldn't be held to the license terms because they'd had no chance to negotiate or object to parts of the agreement. They also said the license agreement should be printed on the outside of the box, where it could be read before purchasing. The latest ruling found this suggestion to be an onerous burden, but did say the box must have a notice saying there's a licensing agreement inside, and that buyers should be able to return the software if they don't agree to the license once they read it. (Investor's Business Daily 3 Jul 96 A5) From jamesd at echeque.com Fri Jul 5 15:21:18 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Sat, 6 Jul 1996 06:21:18 +0800 Subject: rsync and md4 Message-ID: <199607051844.LAA27223@dns1.noc.best.net> At 02:05 AM 7/1/96 -0400, David F. Ogren wrote: > I stand by my statements. When you are deep in a hole, it is time to quit digging. > The problems that you bring up have to do with situations > where an active attacker develops a slightly different > pair of documents with the same hash. > > Although this is highly undesirable characteristic for a > hash function, [...] No kidding. Current state of the art is that MD4 is broken for signing documents prepared by other people, and MD5 may be broken soon, but MD4 is not broken as proof of authorship. So if everyone was using MD4 for PGP signing, which they are not, it would still not be a problem for most people. But it would be a problem for authors of software, who should know that a security bug that sinks only *some* people is still a security bug. Therefore no author of software should employ MD5 or MD4 in new software, but existing users of software that employs MD5 and MD4 should not panic. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From markm at voicenet.com Fri Jul 5 15:25:58 1996 From: markm at voicenet.com (Mark M.) Date: Sat, 6 Jul 1996 06:25:58 +0800 Subject: Lack of PGP signatures In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On 5 Jul 1996, Clay Olbon II wrote: > Mark M. wrote: > > >I didn't say that binaries couldn't be signed. I said they couldn't be > >*clear*-signed. There is a difference between clearsigning and creating a > >signature certificate that is either concatenated with the data or written > >to a separate file. If somebody who doesn't have PGP gets a file that is > >signed by PGP, the file is completely useless to that person. > > > > My mistake. I guess I still don't understand your point however. Of what > use is a signature on a file to someone who cannot check its validity? It > seems to me that a separate signature file for a binary would serve the > same purpose ("gee, it LOOKS like somebody signed it"). A signature is of absolutely no use to someone who doesn't have PGP. However, somebody who doesn't have PGP can still read this message I am writting right now. That is why clear-signing is a Good Thing. You are correct that a separate signature file for a binary is just about the same as a clear-signed message.(In fact they are the same thing. The only difference is that a signature of text that is going to be clear-signed is calculated over the text with CRLF's and dashes and "From_"'s escaped out. The "PGP SIGNATURE" part is exactly the same as a seperate signature's "PGP MESSAGE".) OK, now the point of this message: somebody pointed out that if a binary was clear-signed using an option that would strip it down to 7 bits, the binary would be corrupted and therefore, such an option on PGP would be a Bad Thing. Then, I pointed out that not only would there be no point in a clear signature, since that would make the binary useless to someone without PGP anyway. It is best to sign a binary and extract the certificate to a separate file, which you noted above. So an option that would strip data down to 7 bits would not affect the ability to sign a binary. Such an option would probably be a Good Thing. All this is giving me a severe headache. Please excuse any run-on sentences. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xe3bf2169 http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348 "Freedom is the freedom to say that two plus two make four. If that is granted, all else follows." --George Orwell, _1984_ -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMd1hMLZc+sv5siulAQHChQP/faS+DKcGht/SxCB+N0UlunSGcAcgUGaw hX/3qB4pzqwBfCoT6GsMdiQ+wJsSBs7cYm3NMEcPQHNj08cc8Vt5G7lmegjKdhcM hZBbpscafAnXf/+OcXp8KUIUbGWxEviyKfSskKoQC2IU9m607TRxMG45QHQr59Fc MEweGyt4Jsk= =TvfP -----END PGP SIGNATURE----- From frissell at panix.com Fri Jul 5 15:26:28 1996 From: frissell at panix.com (Duncan Frissell) Date: Sat, 6 Jul 1996 06:26:28 +0800 Subject: I confess [Was: Who was that Masked Cypherpunk?] Message-ID: <2.2.32.19960705182536.008209bc@popserver.panix.com> At 12:56 PM 7/5/96 -0400, Jim Ray wrote: >'Twas me, the guardian of the *original* definition of the fine old >term "escrow" against the slick denizens of Newspeak. I have found >this Libertarian convention to be a super-fun experience, and I will >be demonstrating PGP, Private Idaho, and lots of other fun stuff on >Saturday at 3PM. All are invited to attend. Since no one has mentioned exactly what happened at the LP Convention, I will relate it from memory and JR can correct me. They were going to vote on adopting a platform plank that upheld the right of everybody to use any crypto they wanted and export it an everything and also opposing the proposal for a requirement that people use a key escrow system set up by the government. JR offered an amendment which changed the language to refer to "so-called Key Escrow (actually government access to keys GAK)" and he also explained that "escrow" is where you place something with a trusted third party and the government is neither trusted nor a third party. He mentioned cypherpunks live on CSPAN. Maybe when JR finished the Con he can post the original proposed language of the LPs plank and the final language as amended. DCF From attila at primenet.com Fri Jul 5 15:45:21 1996 From: attila at primenet.com (attila) Date: Sat, 6 Jul 1996 06:45:21 +0800 Subject: Net and Terrorism Message-ID: <199607051834.LAA13579@primenet.com> Addressed to: CyberEyes Cypherpunks CyberEyes pontificated at 07/05/96 12:29pm -0400 = On Thu, 4 Jul 1996, attila wrote: = = > "denied zones" (we were never there) is no longer in vogue. however, we = > will probably see that again in parts of the world as many cultures do = > not have the basic respect for life we do. = = What is your last comment supposed to mean exactly? Just because = some Islamic militants decide to kill a few people in a terrorist attack = does not mean that the entire believer population of Islam does not have = respect for life. Just who is "we"? Americans? Europeans? All = industrialized nations? Every country except those Third World ones? Uh... = I don't see your point very clearly here... The only culture I can think = of that might now have respect for life are cannibals, and they DO have = respect for life in a way, they don't kill each other (I don't think), and = they do it because it's their lifestyle, but they don't perform = cannibalistic acts out of malice. Correct me here if I'm wrong. = let me phrase it another way: there are circumstances where the lives of 'n' innocent people are of less consequence than the enemy --in other words, try to keep collateral damage to a minimum, but get the target before he executes more harm (this applies to hostage situations, as well) in general, this does not mean wipe out an entire 100 story building to find a single sniper, but sometimes a commander is faced with the choice: send a team in with a 10% chance of accomplishing the mission (i.e. the team is killed or the target escapes) or waste the village. until you have experience the death of men in combat, you will never understand this principle. I certainly did not, and even as a graduate of Harvard and an active member of the LDS Church, I found it only takes once to _clearly_ understand that it is 'to kill or be killed.' don't sit in your ivory tower and pontificate until you walk the mile in my shoes. I also had the responsibility for as many as 1600 additional 'black shirts' in a fire zone --think about it. oh, sure, I (or anyone else) will never convince you --but maybe you will think about it. war is hell, son; and war zones are somewhere beyond. if you go, just pray that you come back understanding that and not with scrambled eggs for brains. -attila -- "Don't hunt wild game, hunt lawyers! They provide better sport, suffer from severe overpopulation; and, they taste just like chicken!! From markm at voicenet.com Fri Jul 5 16:05:32 1996 From: markm at voicenet.com (Mark M.) Date: Sat, 6 Jul 1996 07:05:32 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port In-Reply-To: <199607051544.LAA20442@apollo.gti.net> Message-ID: On Fri, 5 Jul 1996, Mark Rogaski wrote: > An entity claiming to be David Rosoff wrote: > : > : > That "creative child" would have to be pretty damn smart to do > : >what you described. > : > : It would actually take less creativity to do the other things, bypass the > : config.sys, etc. The child would thus be perhaps a little TOO creative. :) > : > > 2 short replies in one post: > > A) Who said anything about a creative child? How about a creative > c'punk? I'm not following you. I don't think many people on this list are faced with the problem of getting around software used to filter out pornography, drug info, and other evil things tearing at the moral fiber of today's youth. (Hint: I write this with tongue firmly in cheek.) > > B) Forget the CONFIG.SYS ... what about kids using Macs or some future > "Kid Safe" system that has the filters in an eeprom? I'm talking > about bypassing the censorship on the client-server level. Relatively > platform independent. Using a hardware based filter is about as bad as using the IP security header fields for content descriptions. It's not at the level where filtering belongs. Filtering should be at the software level where it currently is. Since this can easily be broken, it might be better to have "Kid Safe" ISP's that would use a firewall to filter data. -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xe3bf2169 http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348 "Freedom is the freedom to say that two plus two make four. If that is granted, all else follows." --George Orwell, _1984_ -------------- next part -------------- A non-text attachment was scrubbed... Name: pgp00000.pgp Type: application/octet-stream Size: 284 bytes Desc: "PGP signature" URL: From gary at systemics.com Fri Jul 5 16:25:00 1996 From: gary at systemics.com (Gary Howland) Date: Sat, 6 Jul 1996 07:25:00 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port In-Reply-To: <199607051544.LAA20442@apollo.gti.net> Message-ID: <31DD6A5E.28D95ABC@systemics.com> Mark Rogaski wrote: > > B) Forget the CONFIG.SYS ... what about kids using Macs or some future > "Kid Safe" system that has the filters in an eeprom? I'm talking > about bypassing the censorship on the client-server level. Relatively > platform independent. Or, more likely, the filter being at the ISP end. If set up well it would only be possible to bypass with outside help. Gary -- pub 1024/C001D00D 1996/01/22 Gary Howland Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06 From hallam at Etna.ai.mit.edu Fri Jul 5 17:05:24 1996 From: hallam at Etna.ai.mit.edu (hallam at Etna.ai.mit.edu) Date: Sat, 6 Jul 1996 08:05:24 +0800 Subject: Noise: Re: Those Evil Republicans In-Reply-To: <31DBA835.6EEA4806@systemics.com> Message-ID: <9607052005.AA05904@Etna.ai.mit.edu> >First of all, "parasitic" is a very derogatory term to apply to these >nations. They are no more parasitic than out of town supermarkets. A parasite is omething that lives off a host to its detriment. It is easy for a small island nation to be parasitic off larger ones. The problem for the USA, UK, Germany etc is that there are no larger nations for them to be parasites of, nor are their native peoples to steal land from or colonies to exploit. In short someone, somewhere has to do some work. >Second, you suggest Liechenstein as a useful model for a modern >industrial society that has no control over its currency, but then go >on to criticise Andorra as a useful model. Why? Actually I discounted both as models. I don't consider the ecconomy of a country of less than a million to be particularly informative in considering the ecconomies of countries of fifty or a thousand times that number for the reasons advanced above. >Third, you have missed the point I was making, that of Goodhearts law, >which loosely states that "attempts by the government to regulate or >tax one channel of banking business quickly lead to the same business >being conducted through a different channel which is untaxed or >unregulated". Surely the fact that every large nation has its >banking tax havens (eg. UK has the Channel Islands, the US has the >Caribbean islands) is proof of this? I'm very skeptical about any idea that is referred to as a "law". The experience of science is that natural laws are no more constant than human ones. In the social sciences such terms tend to indicate no more than the existence of physics envy. The greatest danger is when the title "law" causes the importance of an effect to be mistaken. Just because an effect can be observed and explained does not mean that it is the only effect. To call something a "law" is almost guaranteed to lead to biased analysis. Goodhearts theorem is overbroad as stated. The banking industry will clearly attempt to move to the most beneficial channels. That does not necessarily mean unregulated. A banker's main product is trust. The fact that a bank is regulated by government increases consumer confidence and trust. If I place my money in Midland bank UK I know that those deposits are guaranteed by the government of the UK. Even if the bank itself becomes illiquid I can recover my money. The cost of this security is regulation which I am as a customer happy to take the benefit of. The fact that a proportion of money is diverted through tax havens does not imply that all money will be so diverted. The major banking centers of the world continue to be London, Geneva, New York and Tokyo, all of which are heavilly regulated. The final factor you exclude is that of ecconomic imperialism. Small countries don't have unlimited opportunities to exercise their sovereignty as the govt. of Panama discovered. While a country has the theoretical right to become a drug trafficing haven it faces the risk of sanctions ranging from ecconomic pressure to invasion and occupation. Similarly the Swiss govt no longer offers the same anonymity it once did. Phill From cyberia at cam.org Fri Jul 5 17:12:34 1996 From: cyberia at cam.org (CyberEyes) Date: Sat, 6 Jul 1996 08:12:34 +0800 Subject: Word lists for passphrases In-Reply-To: <31dbf02b.66263803@pop.mis.net> Message-ID: On Thu, 4 Jul 1996, Greg Miller wrote: > Are there any publically available word lists which contain just > about every word in the English language? It's not absolutley > necessary, but I'd also like the list to include english names. You can find a list of reliable (sic) FTP and WWW sites in the alt.2600 FAQ beta version 0.13. That in itself is available at my FTP site ftp.cam.org /users/cyberia. The English language is 450,000 words in its entirety, not including (I believe) proper names. So the file you're looking for (if it exists) would be very large. Good luck. Ryan A. Rowe - Montreal, Quebec /Seeking Internet-related job!/ aka CyberEyes, Rubik'S Cube I will relocate _ANYWHERE_. Tel. -> +1-514-626-0328 | __o o E-Mail -> cyberia at cam.org | _ \<_ <\ WWW -> http://www.cam.org/~cyberia | __/\o_ (_)/(_) /> IRC -> #CAli4NiA, #Triathlon, #Surfing | FTP -> ftp.cam.org /users/cyberia | swim bike run Read my C.V. at http://www.cam.org/~cyberia/resume-e.html "In lieu of experience, I have a willingness to learn." "Everyone has their day, mine is July 15th, 1998." From tcmay at got.net Fri Jul 5 17:18:07 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 6 Jul 1996 08:18:07 +0800 Subject: I confess [Was: Who was that Masked Cypherpunk?] Message-ID: At 6:25 PM 7/5/96, Duncan Frissell wrote: >Since no one has mentioned exactly what happened at the LP Convention, I >will relate it from memory and JR can correct me. > >They were going to vote on adopting a platform plank that upheld the right >of everybody to use any crypto they wanted and export it an everything and >also opposing the proposal for a requirement that people use a key escrow >system set up by the government. I'm now watching the LP convention on C-SPAN, and taping it for a friend (who may have a book contract to do a book related to something along these lines). The one LP event I ever attended was the California LP annual convention, some years ago, and found it crushingly boring. This looks a bit more exciting. I suspect the LP will continue to get 3-4% of the vote, maybe a tad more this year due to widespread dissatisfaction with Dinton and Clole and with the obvious charisma of Harry Browne. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From dlv at bwalk.dm.com Fri Jul 5 17:19:16 1996 From: dlv at bwalk.dm.com (Dr.Dimitri Vulis KOTM) Date: Sat, 6 Jul 1996 08:19:16 +0800 Subject: Net and Terrorism In-Reply-To: <199607051432.HAA25401@well.com> Message-ID: <4kuLqD1w165w@bwalk.dm.com> talon57 at well.com writes: > > > Tim May wrote: > > >Again, the Sarin attack in Tokyo had nothing to do with former > >U.S.S.R. CBW weapons. Chemical and biological agents are cheap to > >make, especially in the quanties needed to kill only a few > >thousand people, and in the non-battlefield delivery environment. > > Actually Tim, the Aum Supreme truth cult was using a Russian > formula for it's production of sarin, and was spending vast amounts > of time and money trying to obtain Russian NBC expertise. They > supposedly had an estimated 30,000 followers in the former Soviet > union. > > I recently finished an excellent book "The cult at the end of the > world" about all this and highly recommend it to my fellow > cypherpunks. > > Brian > > I used to do work for the company that distributed AUM literature in Russia. Curiously, the same people distribute Baha'i literature. :-) --- Dr.Dimitri Vulis KOTM Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From sandfort at crl.com Fri Jul 5 17:46:53 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Sat, 6 Jul 1996 08:46:53 +0800 Subject: Noise: Re: Those Evil Republicans Message-ID: <2.2.32.19960705212051.0076d260@popmail.crl.com> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ C'punks, At 04:05 PM 7/5/96 -0400, hallam at Etna.ai.mit.edu wrote: >A parasite is omething that lives off a host to its >detriment. It is easy for a small island nation to be >parasitic off larger ones...In short someone, somewhere >has to do some work. Maybe I missed something here, but only small nations that are on the dole (i.e., foreign aid) can be said to be parasitic, and even they may be giving something in return (e.g., land concessions for military bases). The service industries in these little countries--banking tourism, etc.--are free traders giving value for value. This is not parasitism by any stretch of the imagination. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From llurch at networking.stanford.edu Fri Jul 5 17:50:48 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 6 Jul 1996 08:50:48 +0800 Subject: Net and Terrorism. In-Reply-To: <199607051652.JAA15062@mail.pacifier.com> Message-ID: On Fri, 5 Jul 1996, jim bell wrote: > If anything, I think the public would be far better off if there was a > mechanism to allow even these "terrorists" to speak directly to the public, > without censorship by the governments or heightened risk of capture. Er, they have that. It's just that most people don't give a shit for their kind of nonsense, so they don't listen, so the kooks turn to bombings as PR stunts. Nobody would have read the UnaSpew if Uncle Ted hadn't bombed a few people. Nobody is going to listen to Jim Bell until you claim credit for killing some people. -rich From blancw at accessone.com Fri Jul 5 18:28:38 1996 From: blancw at accessone.com (blanc) Date: Sat, 6 Jul 1996 09:28:38 +0800 Subject: The Net and Terrorism Message-ID: <01BB6A82.856C9880@blancw.accessone.com> From: Timothy C. May If there's any meta-point I'm making is that people are best served by making their own security arrangements, be it home protection, financial security, health security, or the security from rioters, criminals, and terrorists being talked about here. Turning over increased powers to a government to do these things is a recipe for failure, at very high costs (economic and civil liberties costs). ...................................................................... This is what I also understood Tim's point to be. As long as transforming the whole world into a "kinder, gentler", safer, mix of countries, economies, politics, races, religions, recipes for living, etc., is but a remote possibility in a far-off future galaxy, and knowing that governments are typically unprepared to deal with the dangerous states of mind incited by their very own policies, then (as always) it is wise and adviseable that a person take up some responsibility for preparing themselves, mentally and otherwise, for dealing with threats of terrorism, the kind of which we are all aware of by now. This is not fatalism; it is facing the facts. .. Blanc From coryt at rain.org Fri Jul 5 19:15:44 1996 From: coryt at rain.org (coryt at rain.org) Date: Sat, 6 Jul 1996 10:15:44 +0800 Subject: New Member Registration Message-ID: <199607052258.RAA14283@fs1.houston.sccsi.com> Requested Account Name: whitney Requested Password: elbows THIS MEMBER HAS BEEN ADDED TO THE UPDATE LIST From bryce at digicash.com Fri Jul 5 19:27:42 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Sat, 6 Jul 1996 10:27:42 +0800 Subject: Announce: Ecash(tm) Software Developer's Kit Beta 2 release Message-ID: <199607052316.BAA27884@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- The Ecash(tm) Software Developer's Kit is available now for download from "http://www.digicash.com/api". The major improvement it that it now _accepts_ payments as well as makes them. Accounts at the "Beta Research Bucks" Bank (dc.digicash.com:9666) are available upon request. Here's the README: - ----- begin included README ----- Announce! This is the second beta release of the Ecash(tm) Software Developer's Kit. It includes: * the beta 2 release of ecashlib * a simple test client with source code for reference * a simple TCP/IP library for use with the test client Changes since the last release: * Importantly: The EC_pocket_begin_accept_payment() function works. * Unimportantly: Some internals got upgraded. EC_main_get_ver_string() implemented. Some parameters moved from EC_pocket_new() to EC_pocket_begin_open_account(), which is their natural habitat. A small bug or two was squelched. How to download: Option 1: Menu Visit the directory structure at "http://www.digicash.com/api/distrib" and take whatever you like. Option 2: MRE For Windows (Win32 DLL): "http://www.digicash.com/api/ecashlib.zip" For FreeBSD (static lib): "http://www.digicash.com/api/ecashlib-freebsd.tar.gz" For Linux (shared ELF lib): "http://www.digicash.com/api/ecashlib-linux.tar.gz" For others: e-mail us What do I do next? Visit: "http://www.digicash.com/api" for the latest release. Subscribe to: "ecash-dev at digicash.com" for news and views. Send e-mail to: "bryce at digicash.com" for developer support. Withdraw from: the BRB Bank dc.digicash.com:9666. You'll have to send us e-mail explaining why we should allocate any of our precious Beta Research Bucks to you, and what you want your account name(s) to be. Create: innovative net applications using Ecash(tm) -- the only secure, privacy-protecting, token-based digital payment system! - ----- end included README ----- Bryce Ahoy! PGP sig ahead! -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMd2iNkjbHy8sKZitAQEGbgMAkDRKou6yt5ESqtAvJUsgDpf5xGBw0S8A zTPnC4mwVIFbyo0P8rGaiR434OkmqwkZYtkcg3Bt+6QU5b3lVx7qD0JFNp31PGyn Yn8F7dLmTr8yJhU1aCHHkZjPvwt1IcM5 =iTG3 -----END PGP SIGNATURE----- From hallam at ai.mit.edu Fri Jul 5 20:21:20 1996 From: hallam at ai.mit.edu (Hallam-Baker) Date: Sat, 6 Jul 1996 11:21:20 +0800 Subject: Shrink-Wrap Lic. uphelo by courts. From Edupage, 4 July 1996 In-Reply-To: <4rk4j2$qdr@life.ai.mit.edu> Message-ID: <31DDAECD.41C6@ai.mit.edu> Deranged Mutant wrote: > >The latest > ruling found this suggestion to be an onerous burden, but did say the box > must have a notice saying there's a licensing agreement inside, and that > buyers should be able to return the software if they don't agree to the > license once they read it. (Investor's Business Daily 3 Jul 96 A5) Perhaps Prof Froomkin could provide an opinion. It sounds to me however as if the defendants were simply ripping off the copyright of the plaintif and attempting to get arround it by claiming to have "bought" rights to resell along with the software by wrangling over the shrink wrap agreement. Or were the defendants reselling the software unopened to foreign customers via the Internet? Seems to me that that might well be open to further challenge. If a "contract" clause is expressed in a manner that means that it would not be encountered by a party which it attempts to bind there might be argument as to whether acceptance was possible. I suspect that the claims the plaintifs were making lay very definitely within the range of what people in the trade would usually expect to be the licensing terms for software purchased off the shelf. Just as there is an expectation when purchasing a book that one has purchased an instance and not the rights to the copyright. Consider the analogy with purchasing a book that is wrapped in shrink wrap film and that consequently one was unable to read the "all rights reserved" legend. The question that I am interested in is whether someone could claim that a shrink wrap license can bind a user to terms that are less widely expected in the industry. For example clauses which prohibit reverse engineering, transfer to other users etc. Might be interesting to know the precise rulling made and its terms. Phill From bal at peradam.cs.colorado.edu Fri Jul 5 20:53:28 1996 From: bal at peradam.cs.colorado.edu (Brian LaMacchia) Date: Sat, 6 Jul 1996 11:53:28 +0800 Subject: Shrink-Wrap Lic. uphelo by courts. From Edupage, 4 July 1996 In-Reply-To: <31DDAECD.41C6@ai.mit.edu> Message-ID: <199607060042.RAA00849@toad.com> Date: Fri, 05 Jul 1996 20:09:49 -0400 From: Hallam-Baker X-Mailer: Mozilla 2.01 (X11; I; OSF1 V3.2 alpha) Mime-Version: 1.0 References: <4rk4j2$qdr at life.ai.mit.edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-cypherpunks at toad.com Precedence: bulk Deranged Mutant wrote: > >The latest > ruling found this suggestion to be an onerous burden, but did say the box > must have a notice saying there's a licensing agreement inside, and that > buyers should be able to return the software if they don't agree to the > license once they read it. (Investor's Business Daily 3 Jul 96 A5) Perhaps Prof Froomkin could provide an opinion. It sounds to me however as if the defendants were simply ripping off the copyright of the plaintif and attempting to get arround it by claiming to have "bought" rights to resell along with the software by wrangling over the shrink wrap agreement. Actually, defendant was exercising his right to copy uncopyrightable material as per _Feist_. Plaintiff sued, claiming inter alia that the shrinkwrap license on the box prohibited the defendant from such copying. (I'm simplifying here; read the cases for the gory details.) The case is ProCD v. Zeidenberg. The district court decision (ruling in favor of Zeidenberg) may be found at 908 F.Supp. 640. The ruling of the 7th Circuit Court of Appeals (in favor of ProCD) may be found at 1996 U.S. App. LEXIS 14951. What was at issue, if I recall correctly, was telephone book data for six states surrounding Wisconsin. ProCD took the phone books for that area, copied the data (name, address, phone numbers) out of them and published CD-ROMs with the resulting database. Zeidenberg purchased copies of the ProCD CD-ROMs, along with similar CDs from other publishers, and put the intersection of the data up on the Web for free. Now, neither ProCD nor Zeidenberg needed permission of the previous publisher of the data, *from the perspective of copyright*, in order to reuse it. This is because the Supreme Court ruled in Feist Publications, Inc. v. Rural Telephone Service Co., 499 U.S. 340,113 L. Ed. 2d 358, 111 S. Ct. 1282 (1991), that telephone book listings lacked the originality required to qualify as copyrightable subject matter under 17 USC 102. So ProCD couldn't claim copyright infringement because their *data* was uncopyrightable. (ProCD also had some searching software on the CD, but that software wasn't copied or distributed by Zeidenberg and thus there were no copyright infringement issues.) They thus resorted to claims based on the shrink-wrap license on the box. I suspect that the claims the plaintifs were making lay very definitely within the range of what people in the trade would usually expect to be the licensing terms for software purchased off the shelf. Just as there is an expectation when purchasing a book that one has purchased an instance and not the rights to the copyright. Consider the analogy with purchasing a book that is wrapped in shrink wrap film and that consequently one was unable to read the "all rights reserved" legend. When I purchase a copy of a book in the bookstore, I gain rights to that particular copy. This is what's known as "first sale doctrine." No, I can't make copies of my copy, and I can't distribute my copy to the public, but I can resell my copy. Furthermore, if the copy of the book I purchase contains uncopyrightable material, I can do what I want with that material (again, from a copyright point of view). When I buy software off-the-shelf, I gain certain rights to that copy of the software, including the right to make copies for archival purposes (17 USC 117). What concerns me about the 7th Circuit's decision is that they appear to be giving publishers a way to "extent" copyright protection to uncopyrightable subject matter, which is supposed to be pre-empted by 17 USC 301. But I'm not a copyright attorney (I'm not even an attorney at all), so I will defer to those more knowledgeable than I. --bal From EALLENSMITH at ocelot.Rutgers.EDU Fri Jul 5 20:53:37 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 6 Jul 1996 11:53:37 +0800 Subject: E-cash & G10 in the news Message-ID: <01I6Q75MZDP0984P39@mbcl.rutgers.edu> It's interesting but actually unsurprising that they're looking at the cash cards before they are the Internet money exchange stuff. They haven't spotted exactly how much of a difference the latter can make - the former will act about like cash at "worst" from their viewpoint. -Allen > Reuters New Media > _ Friday July 5 12:27 PM EDT _ >G10 mulls effect of E-cash on policy and fraud > ZURICH - The threat of fraud, money laundering and tax evasion from > new electronic payment systems will be high on the agenda of Monday's > monthly meeting of Group of 10 (G10) central bankers at the Bank for > International Settlements (BIS). > The central bank governors will be briefed on two reports that examine > the implication of emerging forms of payment -- electronic purses, > e-cash, cybercash -- on monetary policy and whether it will open the > way to widespread fraud. > With big banks already waging a fierce battle to set a new global > standard for electronic cash, central bankers want to stay on top of a > technology that is not only likely to destabilize monetary aggregates, > but also holds out the promise a cashless society and threatens the > monopoly of central banks to issue notes and coins. > William McDonough, president of the New York Federal Reserve and > chairman of the G10 Committee on Payment and Settlement Systems, will > brief his colleagues on electronic money and fraud, money laundering, > counterfeiting, tax and legal issues. > The other report, to be presented by Charles Freedman, Bank of Canada > deputy governor, explores the issue of electronic money and monetary > policy. > Whether G10 governors take action or merely note the reports and let > them fade into the BIS archives is uncertain. An initial decision will > probably be taken at the meeting. > The two reports will focus mainly on the implications of prepaid cards > rather than so-called network money, cybercash or digital cash as the > latter is less developed. [...] > The concept of electronic money covers a wide range of new payment > methods ranging from multi-purpose, rechargeable prepaid cards, such > as Mondex, to forms of digital cash or cybermoney that enable shoppers > to pay for goods over the Internet. [...] > Copyright, Reuters Ltd. All rights reserved From EALLENSMITH at ocelot.Rutgers.EDU Fri Jul 5 21:03:52 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 6 Jul 1996 12:03:52 +0800 Subject: C2's Anonymizer in Reuters Message-ID: <01I6Q712ED5S984P39@mbcl.rutgers.edu> Not the most friendly of articles... but still pretty good. As usual, edited to stay within fair use. -Allen > Reuters New Media > _ Friday July 5 12:28 PM EDT _ >Web Surfing Incognito > HOLLYWOOD - Ever felt like browsing without leaving those footprints > that site designers, your school and your employer are increasingly > inclined to harvest? > A service being offered at http://www.anonymizer.com purports to give > Web surfers the freedom to travel at will without leaving tell-tale > signs that they've been where they've been. [...] > The visited site's layout and design can be altered, so you are > probably not seeing it in all its glory -- and it is displayed within > a field with hot buttons to take you back to the anonymizer site, a > FAQ or to make a bug report (like, for example, you've reached a site > which isn't preceded by the anonymizer URL). > Privacy is one of those issues veteran Netizens take very seriously -- > it used to be called "anonymous" FTP after all. But many > sites now depend on demographics passively collected, rather than just > the number of hits, to attract advertisers. > Copyright, Reuters Ltd. All rights reserved From erleg at sdinter.net Fri Jul 5 21:44:05 1996 From: erleg at sdinter.net (Erle Greer) Date: Sat, 6 Jul 1996 12:44:05 +0800 Subject: Word lists for passphrases Message-ID: <2.2.32.19960706015358.00712dec@pop3.sdinter.net> Word-List Builder (this is not an ad) I have a small(5k) program(WordList.EXE) that will extract from any file and append the new words to a textfile(MainList.TXT). It is in early beta, but does the job nicely. I simply drag-n-drop multiple files onto the icon and let it do its dirty work. It prints new words to the screen and echos "." when it encounters old words again. It will, of course, accept parameters from DOS. This is totally free to anyone who wants it. Just email and I will send the latest version. Suggestions are certainly considered. Imagine building a word-list just from your /Netscape/Cache subdirectory! Future versions will include: Larger multiple file handling, *.* in same directory support, better binary file support, and list sorting. From vinnie at webstuff.apple.com Fri Jul 5 21:44:36 1996 From: vinnie at webstuff.apple.com (vinnie moscaritolo) Date: Sat, 6 Jul 1996 12:44:36 +0800 Subject: Net and Terrorism Message-ID: >Absent the fearmongering, the Viperweenies would >have turned to something else antisocial, buut they wouldn't have had a >"movement" to cling to. (Or maybe they would have... in another era, they >would have joined up with the Weathermen or the Symbionese Liberation Army.) last time I chacked there were at least two Leftist Militia's in the SantaCruz area. (now ain't that a scary thought... Liberals with guns). These people, both Right and Left don't get it. Blowing shit up and running around in the woods with cheap ChiCom rifles palying army does nothing for your cause. It just distances you from the mainstream morons. This makes it easier for the Feds to get away with kicking in your door, gassing your kids and shooting your wives. all in time for the 6PM news. I guess I dont understand this fascination with Militias and woods, Maybe these guys forgot how much fun it was to toast marshmellows in the woods, assuming you have the proper permit from the CA state parks. >Fortunately, and despite what, say, the SWC says in its fundraising >materials, the middle of the road among the militias isn't that kooky. The SWC arent kooks, they are con men >Bo Gritz and the leaders of the Michigan Militia were heard calling the >Freemen >a bunch of lying scum; I've observed more mainstream (if that's the word) >militiafolk distancing themselves from the Viperweenies both online and on >shortwave. Col Gritz actually does have some interesting stuff to say, He is really a very caring guy. But I do think he could use a (better) PR person. I like about 99% of what he has to say, I just filter out the stuff about UN and weather control. (the UN can't even control it's bowels much less the weather). But hey Bo is old enough to take care of himself. >Anyway, I don't think Vinnie was suggesting that the news be censored -- >just that the press doesn't have an obligation to print the obituary the >"martyrs" want. Absolutely. Something like "some asshole terrorist just blew up a building. No cause was sited, is enough" Don't quote thier organization, don;t quote thier cause. just make look like the kook they are. Oh and offering citizens some bounty money for thier hydes is a good idea. Or better yet, when you catch the fuckers, give em a fair trial, and a public hanging. Same goes for terrorists that shoot pregnant women if you know what I mean, but thats my opinion. As for a solution to governement problems, I have always and still belive in the ballot box first. And the only way to win votes is to appeal to the morons out there who do vote.. Maybe there is hope in the next generation of internet literate kids.. or maybe I am just a dreamer. Vinnie Moscaritolo ------------------ "friends come and friends go..but enemies accumulate." http://www.vmeng.com/vinnie/ Fingerprint: 4FA3298150E404F2782501876EA2146A From ceridwyn at wolfenet.com Fri Jul 5 22:36:38 1996 From: ceridwyn at wolfenet.com (Cerridwyn Llewyellyn) Date: Sat, 6 Jul 1996 13:36:38 +0800 Subject: hard drive encryption Message-ID: <2.2.32.19960704052640.006a79d8@gonzo.wolfenet.com> Thank you all for your comments... to those who suggested I remove and hide the drive, I was intending to do so, but still want a way to encrypt it's contents. Call me paranoid... For those who suggested software, thank you, I'll be d/ling and evaluating all of it, and appreciate the varied responses.. //cerridwyn// From snow at smoke.suba.com Sat Jul 6 01:45:48 1996 From: snow at smoke.suba.com (snow) Date: Sat, 6 Jul 1996 16:45:48 +0800 Subject: [NOISE] Re: Net and Terrorism. In-Reply-To: Message-ID: On Fri, 5 Jul 1996, CyberEyes wrote: > On Wed, 3 Jul 1996, snow wrote: > > 2) When they _are_ exposed, let them fight the fuck back. Rules of > > engagment are simple. When fired on, shoot to kill. If the shot > > comes from a building, take out the building. If from a crowd, > > well, do you best, but _get the shooter_. > Basically, what you're saying is that one armed person in a crowd > of a hundred needs to be killed no matter what happens to the lives of the > other 99? Give me a break, we're not living in the 1800's anymore, we want > to STOP wars, not create them! Tell that to the person on the recieving of the terrorist bullets/ gernades. The idea is have a very simple policy about terrorism/guerilla warfare/ lone kooks shooting shit up. They will be eliminated. No other changes will be made. No midnight house to house searchs, no pograms, no concentration camps, justa simple rule. You shoot at armed people you will die (remember this was in the context of terrorist attacks against military and harder targets). It is done _immediately_ if not sooner. Possibly it would have the side effect that people in a crowd would take down the guy next to them that was pulling the gun becasue they know what will happen if they don't. i Petro, Christopher C. petro at suba.com snow at crash.suba.com From snow at smoke.suba.com Sat Jul 6 01:48:08 1996 From: snow at smoke.suba.com (snow) Date: Sat, 6 Jul 1996 16:48:08 +0800 Subject: Net and Terrorism. In-Reply-To: Message-ID: On Fri, 5 Jul 1996, CyberEyes wrote: > On Thu, 4 Jul 1996, attila wrote: > > "denied zones" (we were never there) is no longer in vogue. however, we > > will probably see that again in parts of the world as many cultures do > > not have the basic respect for life we do. > > What is your last comment supposed to mean exactly? Just because > some Islamic militants decide to kill a few people in a terrorist attack > does not mean that the entire believer population of Islam does not have > respect for life. Just who is "we"? Americans? Europeans? All At this point I believe that attila was refering to the situation in South East Asia. Mostly Hindu/Bhuddist/Shinto(?). > industrialized nations? Every country except those Third World ones? Uh... > I don't see your point very clearly here... The only culture I can think > of that might now have respect for life are cannibals, and they DO have > respect for life in a way, they don't kill each other (I don't think), and > they do it because it's their lifestyle, but they don't perform > cannibalistic acts out of malice. Correct me here if I'm wrong. Most tribes place a high value on their members and little if any on the members of other tribes. Life is as live does, and it is often cheap. Petro, Christopher C. petro at suba.com snow at crash.suba.com From erleg at sdinter.net Sat Jul 6 01:48:55 1996 From: erleg at sdinter.net (Erle Greer) Date: Sat, 6 Jul 1996 16:48:55 +0800 Subject: Word lists for passphrases Message-ID: <2.2.32.19960706061818.006bbe8c@pop3.sdinter.net> At 12:09 AM 7/6/96 -0500, snow at smoke.suba.com wrote: >On Fri, 5 Jul 1996, Erle Greer wrote: > >> Word-List Builder (this is not an ad) >> I have a small(5k) program(WordList.EXE) that will extract from any >> file and append the new words to a textfile(MainList.TXT). It is in early >> beta, but does the job nicely. I simply drag-n-drop multiple files onto the >> icon and let it do its dirty work. It prints new words to the screen and >> echos "." when it encounters old words again. It will, of course, accept >> parameters from DOS. > > Is the source code available for porting to other platforms? Sure, I'm not a Unix guru, but if you can port Turbo Pascal, more power to you! I will send the source if someone specifically asks. >> This is totally free to anyone who wants it. Just email and I will send the >> latest version. Suggestions are certainly considered. > > Unixi, recursively scanning directories. Unix, you can do, but the recursive subdirs aren't a prob for me. A final dream would be to convert it to VB4, use MS's WWW custom control, and unleash it as a spider. >> Imagine building a word-list just from your /Netscape/Cache subdirectory! > > Imagine building a word list from /usr/spool/news/* > >Petro, Christopher C. >petro at suba.com >snow at crash.suba.com From snow at smoke.suba.com Sat Jul 6 01:50:45 1996 From: snow at smoke.suba.com (snow) Date: Sat, 6 Jul 1996 16:50:45 +0800 Subject: Word lists for passphrases In-Reply-To: <2.2.32.19960706015358.00712dec@pop3.sdinter.net> Message-ID: On Fri, 5 Jul 1996, Erle Greer wrote: > Word-List Builder (this is not an ad) > I have a small(5k) program(WordList.EXE) that will extract from any > file and append the new words to a textfile(MainList.TXT). It is in early > beta, but does the job nicely. I simply drag-n-drop multiple files onto the > icon and let it do its dirty work. It prints new words to the screen and > echos "." when it encounters old words again. It will, of course, accept > parameters from DOS. Is the source code available for porting to other platforms? > This is totally free to anyone who wants it. Just email and I will send the > latest version. Suggestions are certainly considered. Unixi, recursively scanning directories. > Imagine building a word-list just from your /Netscape/Cache subdirectory! Imagine building a word list from /usr/spool/news/* Petro, Christopher C. petro at suba.com snow at crash.suba.com From grafolog at netcom.com Sat Jul 6 02:08:23 1996 From: grafolog at netcom.com (jonathon) Date: Sat, 6 Jul 1996 17:08:23 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port In-Reply-To: Message-ID: On Fri, 5 Jul 1996, CyberEyes wrote: > NOT talking about Lynx, what DOS-based Web browser is there? Net-Tamer. Requires a PPP connection, and precious little else. xan jonathon grafolog at netcom.com AOL coasters are unique, and colourful. Collect the entire set. From unicorn at schloss.li Sat Jul 6 04:40:33 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 6 Jul 1996 19:40:33 +0800 Subject: What remains to be done. In-Reply-To: <31DBB50A.5656AEC7@systemics.com> Message-ID: On Thu, 4 Jul 1996, Gary Howland wrote: > Black Unicorn wrote: > > > > A. Methods to run secure websites on insecure servers. [...] > I fully agree with all of your comments, but, encrypted proxying issues > aside, what is wrong with SSL? Is it because the encryption is for > the whole server, not individual users? It provides no protection to the individual who must run on a server he does not have in a secure location with TEMPEST specs. > > Is anyone considering work on these? > With regard to the local decryption idea, then I don't see this as > much of a problem. How much interest is there in this? We already > have something similar running, but it would still need a bit of work > to make more general. What do you have running exactly? > > Gary > -- > pub 1024/C001D00D 1996/01/22 Gary Howland > Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06 > From unicorn at schloss.li Sat Jul 6 04:45:49 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 6 Jul 1996 19:45:49 +0800 Subject: What remains to be done. In-Reply-To: <199607042102.OAA26752@jobe.shell.portal.com> Message-ID: >From: Black Unicorn >> A. Methods to run secure websites on insecure servers. >> [...] >> A software solution which permits local decryption makes traffic >> analysis less useful, presents the opportunity to use front end and >> disposable www pages on domestic ISPs while imposing no liability on >> the ISP itself, and opens several more effective traffic analysis >> deterants. >I don't quite understand what is being proposed here. If the >information on the web site is encrypted, who is supposed to be able to >decrypt it? Just one person, or some select group of people? My >concern is the difficulty of keeping keys secret if they are made >available to more than one or two people. >Once the keys are known to those who would oppose the publication of >the information they can go to the ISP just as easily as if the >information were not encrypted, and get them to take it down if it is >illegal. >It would seem that an equally effective method would be to use no >encryption, but just a secret URL, one which is not linked to from >elsewhere - an "island in the net", so to speak (apologies to Bruce >Sterling). >Hal I was concerned with an entirely different problem really. Given the assumption that you and three of your best friends wish to use WWW to share information, how can you do so without exposing the page to the ISP? Today, as far as I know, if you wish to hide what you have on a page you have to control the server. If you wish to try and deter traffic analysis you have to own the servers in front of the server. Cumbersome, expensive and still not entirely effective. If instead you could prevent the owner of the server from reading the stuff in the first place, while allowing it to be read at leasure by the users... It would also be much easier to construct remailer type proxies in that each server in the chain would be denied the content of data passing through. What I am hoping can be done is to stretch the points in "point to point encryption" out past the ISP. Now, if your concern is exposure by a member you have given access to the webpage, the discussion becomes an issue of certification, and signatures. An important point, but something of an overkill where the ISP has full access to your webpage whatever your passwords might be. Create a page where the data is locally encrypted, and which only accepts connections from valid certificates and you go a long way to being able to communicate via WWW securely even over insecure channels. You also free up the method to those who don't have time, or cannot afford to run their own WWW server. If the location of your page is exposed, so what? Spend the $11 a month to open a page on another ISP. In the "island on the net" example, you have to reroute the entire deal. In addition, you have now eliminated what must be the number 1 problem in running an "iffy" page. ISP intereference. You have removed their liability. How were they supposed to know what it was you were doing? They don't have the keys. Now if you really wanted to be slick about it, you would use a form of encryption to multiple users option and encrypt the page to the public keys of individuals. Sure, they could release the keys and spill the beans, but they would be compromising their own keys in the process. Mileage on this deterant will vary according to what they may have done with the key beforehand, and it requires a multiple purpose to those keys (as with PGP). From unicorn at schloss.li Sat Jul 6 04:50:26 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 6 Jul 1996 19:50:26 +0800 Subject: What remains to be done. In-Reply-To: <199607040558.WAA07414@primenet.com> Message-ID: On Thu, 4 Jul 1996, attila wrote: > Addressed to: Black Unicorn > Cypherpunks > > ** Reply to note from Black Unicorn 07/03/96 10:17pm -0400 > > good "white paper." > > modularity is the key. use of standardized encryption libraries > permitting user selection of one or more formats. Agreed. > message pools would be great from satellite channels --how do you > regulate (read this as "pay for") since someone must receive the messages to > uplink? -otherwise you have the dropouts of USENET. I think that one of the faults of the mentality of development is that people think "who will pay" first, rather than making a hack first, and then trying to apply it to a more commercial context. Seems to have worked with PGP/Netscape/Yahoo/. > user interface is the achilles heel for most programmers --the time is > spent making the code 'work.' with the tools available which allow multi- > platform development, the *functional* GUI should be done by someone who > creates "artitstic" interfaces. Concur. > I agree-- if encryption can be made so simple, and with a clean user > interface, it will be used by joe sixpack (who rarely likes uncle, anyway > --but for different reasons). once joe sixpack starts to use (probably > dropping his private keys...), then it is too pervasive to stop --even if > there are a few high level prosecutions. Exactly. > one of our greatest failings v/v encryption as a group (including > coderpunks) is we are satisfied with our access to encrytion. PGP is a > nusiance, and the instructions are not clear --so we experiment until we get > the results: on the command line. Concur most strongly. > our satisfaction makes us insular; we need to think in global terms --mass > marketing of a free product which will hold appeal for everyone. encryption > is no different than the students in China --no, they do have it, but how long > can Father Deng (and his successors) hang on against technology and quest for > knowledge? All most important questions to consider. I think if people begin to write modularly there will be nice front ends for almost everything. > -- > Fuck off, Uncle Sam. Cyberspace is where democracy lives! > > From anthony at direct.it Sat Jul 6 06:44:39 1996 From: anthony at direct.it (Anthony Daniel) Date: Sat, 6 Jul 1996 21:44:39 +0800 Subject: What remains to be done. Message-ID: <2.2.32.19960706113239.006942a4@betty.direct.it> Hi there Should try SECURE DESK-TOP as well (PC only), it can encrypt (DES and IDEA) any: - file - directory - groups of directories - Hard Disk - Floppy - Removable drive And it can add PEM capabilities to most e-mail clients and it's WIN95 and user friendly. Try it at: http://www.systems.it/secure There are NO export restrictions on it as well because it's Italian made. ciao Anthony ------------------------------------------- >At 12:58 PM 7/4/96 +0000, Deranged Mutant wrote: >>Another need is for file/disk-encryption utilities. I'm not familiar >>with what's out there for Macs, but for PCs there's SFS and ASPICRYP >>for SCSI drives (with no source!) and SFS, SecureDrive and SecureDevice >>for HD (or FD). The latter won't work on Win95. AFAIK, SFS and >>SecureDrive aren't 100% friendly with Win95 either, though they'll work. > > I'll just add that Jetico puts out BCrypt, which works perfectly >with Win95. Of course it costs, but one can try out the software only >version, then upgrage to hardware encryption! >_______________________ >Regards, He who knows others is wise. > He who knows himself is enlightened. >Joseph Reagle http://rpcp.mit.edu/~reagle/home.html >reagle at mit.edu E0 D5 B2 05 B6 12 DA 65 BE 4D E3 C1 6A 66 25 4E > From anonymous-remailer at shell.portal.com Sat Jul 6 06:45:03 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Sat, 6 Jul 1996 21:45:03 +0800 Subject: CCC Crypto Lock Message-ID: <199607061110.EAA02640@jobe.shell.portal.com> MicroPatent, 4 July 96 Systems and methods for protecting software from unlicensed copying and use (Assignee -- Convex Computer Corporation) Abstract: Disclosed systems and methods for protecting a software program from unauthorized use and copying through the removal at least one of a plurality of instructions comprising a software program, and encrypting the removed instruction utilizing an encryption algorithm to produce an encrypted instruction, the encryption algorithm responsive to a randomly generated key. Ex Claim Text: A processing system for protecting a software program from unauthorized use, said software program including one or more unencrypted instructions stored in memory associated with said software program, said processing system comprising: a processing unit operable to: remove at least one selected said unencrypted instruction from an executable area in said memory associated with executable portions of said program; encrypt said at least one selected unencrypted instruction removed from said software program utilizing an encryption algorithm to produce an encrypted instruction; store said encrypted instruction within a first non-executable data area in said memory associated with said software program; and insert at least one trappable instruction in place of said encrypted instruction within said executable area in memory allowing said software program to be linked with one or more other programs. Assignee: Convex Computer Corporation Patent Number: 5530752 Issue Date: 1996 06 25 Inventor(s): Rubin, Robert J. If you would like to purchase a copy of this patent, please call MicroPatent at 800-984-9800. Copyright 1996, MicroPatent From bryce at digicash.com Sat Jul 6 09:02:30 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Sun, 7 Jul 1996 00:02:30 +0800 Subject: Need PGP-awareness in common utilities Message-ID: <199607061311.PAA08700@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- I just got a letter back from majordomo at thumper.vmeng.com because my easy-PGP script had clearsigned my outgoing message to it, and majordomo didn't know what to do with the clearsigned message. I really don't see why programs like majordomo, UseNet moderation-bots, and most noticeably the PGP key distribution program are PGP-unaware. Okay, fine. Having waited for FIVE YEARS or however long it has been, you who are responsible for such handy dandy programs may now convincingly argue that you might as well wait for another few months to get PGPlib. But I sincerely hope that once PGPlib arrives we don't wait another five years before using it. (There is another argument that people sometimes make-- that it is too complicated to ensure pubkey<->True Name. SO WHAT! Pubkey<->True Name mapping is an advanced feature that depends upon the existence of some kind of public key infrastructure. Many people, myself included, wouldn't even USE pubkey<->True Name mapping if we had it! Just implement some basic privacy/authentication functions (trivial, using PGP 2.6 under Unix) and MitCH be damned! If we had started with the simple stuff five years ago we might HAVE a complete, secure infrastructure by now.) As an example of this sad state of affairs, no less of a cryptographic enthusiast than Robert Hettinga runs a mailing list (several actually) which breaks every PGP clear-signature that it encounters. Really pitiful, that even our own mailing lists are incompatible with PGP. Regards, Bryce PGP sig follows: [If you see garbage beyond this line, it means you are an anachronistic troglodyte. If you see a "PGP sig okay!" it means you are hi- tech. If you see "PGP sig not okay!" it means some mail-handling software between me and you is written/maintained by anachronistic troglodytes. :-)] -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMd5l40jbHy8sKZitAQHZZAL7BUlItvGLZaTfBgTORFATkPM141R0P6Ux mOkQY3IG0/Vmf9nJEOg8bubdaCuYmuVCJhAek6boyQsmd6VTxqxVChniSWN1Uhth Ony1VSmufCdeqFbCGBqcAM5rfF8KM49h =9obd -----END PGP SIGNATURE----- From AwakenToMe at aol.com Sat Jul 6 09:10:06 1996 From: AwakenToMe at aol.com (AwakenToMe at aol.com) Date: Sun, 7 Jul 1996 00:10:06 +0800 Subject: Word lists for passphrases Message-ID: <960706092922_350344400@emout18.mail.aol.com> I have a util that will create a word list starting from aaaaaaaaaaa on up to anythingggggggg basically you could do every combination. Let me know if ya want it. From pgut001 at cs.auckland.ac.nz Sat Jul 6 09:39:49 1996 From: pgut001 at cs.auckland.ac.nz (pgut001 at cs.auckland.ac.nz) Date: Sun, 7 Jul 1996 00:39:49 +0800 Subject: Transforming variable- to fixed-length keys Message-ID: <199607061347.BAA08574@cs26.cs.auckland.ac.nz> In preparing the next version of cryptlib (which is going to have some cool features when it's ready, which should be before the end of the millenium), I've run into a problem in writing a general-purpose n-byte input to m-byte output transformation function. What this does is take an arbitrary-length user key and transform it to a fixed-length encryption key (for example an entered passphrase into a 112-bit triple-DES key). The constraints on memory usage are: - The input (user) key can't be altered (you can't change data passed in by the caller) - The user key can't be copied to an internal buffer (it can be of arbitrary length, and is sensitive material so shouldn't be copied elsewhere) In other words there's no temporary storage available apart from what's provided in the output key. This is almost always a different length from the input key. Some other constraints are: - The transformation must be algorithm-independant (it shouldn't, for example, rely on SHA1 to transform an input string into a fixed output of 160 bits and assume you'll never need a key longer than 160 bits). This means you can't just use a single pass of a hash function to generate the output key, since the output can be smaller or larger than the hash function output. - The transformation must be able to be iterated to make a password-guessing attack harder to perform. This one is tricky, since the lack of temporary buffer space means you can't just feed the output back to the input and iterate. Here's my initial approach, if anyone has any comments to make on this or knows of a better way to do it, please let me know. Peter. -- Snip -- Initially, the user key is passed in as a byte string: +-------------------------------------------------------+ | User Key | +-------------------------------------------------------+ The first stage in the key hashing prepends the length of the string as a big-endian 16-bit count to the user key: +------+-------------------------------------------------------+ |Length| User Key | +------+-------------------------------------------------------+ The aim of the hashing is to reduce this variable-length input string to a fixed-length key appropriate to the encryption algorithm being used. This is done by treating the user encryption keys as circular buffers and repeatedly hashing chunks of the user key and xoring the result into the output buffer. Thus the first chunk of the encryption key would be obtained with: +------+-------------------------------------------------------+ |Length| User Key | +------+-------------------------------------------------------+ | | | _ / | Hash _ / | _ / | / | | +-----------------------+ | Encryption Key | +-----------------------+ The second chunk of the enryption key would be obtained with: +------+-------------------------------------------------------+ |Length| User Key | +------+-------------------------------------------------------+ | | | _ / | Hash _ / | _ / | / | | +-----------------------+ | Encryption Key | +-----------------------+ Since the input to the hash function is much larger than its output, a significant amount of the user key affects each chunk of the encryption key. The size of each "chunk" is determined by the hash function being used. For example with the MD4 hash function, 64 bytes of user key affect each 16 bytes of encryption key. Once the end of the user key or encryption key buffer is reached, the hash function wraps around to the start of the buffer and takes its data from there. A pass over the user key is considered complete when the hash function input has wrapped around completely and is back at the start of the buffer. The amount of wraparound depends on the length of the user and encryption keys. For example with 8-byte (strictly speaking 56-bit) DES keys even a single application of MD4 will wrap around the encryption key buffer twice, shrinking up to 64 bytes down to 8 bytes in a single operation. On the other hand a 4-byte user key will wrap the user key buffer around twice, expanding it to fill 8 bytes of the encryption key buffer (without, however, actually giving 8 bytes of effective key space). In order to avoid repeatedly hashing the same data (which results in the output key cancelling out every second round), the input data is varied by adding the iteration count mod 256 to each byte before it is hashed. Therefore for five rounds of key hashing the user key "This is a key" would give the following effective input to the hash function: \x00\x0DThis is a user key \x01\x0EUijt!jt!b!vtfs!lfz \x02\x0FVjku"ku"c"wugt"mg{ \x03\x10Wklv#lv#d#xvhu#nh| \x04\x11Xlmw$mw$e$ywiv$oi} [Is this nice? Problems are that you might be able to perform some sort of related-key attack, and that if you know the input value to round n you can get the input value to round n+m without having to go through all m rounds. However I can't see how this would aid an attacker]. From perry at piermont.com Sat Jul 6 10:07:59 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 7 Jul 1996 01:07:59 +0800 Subject: Word lists for passphrases In-Reply-To: <960706092922_350344400@emout18.mail.aol.com> Message-ID: <199607061436.KAA05825@jekyll.piermont.com> AwakenToMe at aol.com writes: > I have a util that will create a word list starting from aaaaaaaaaaa on up to > anythingggggggg > basically you could do every combination. Let me know if ya want it. That would really be of great use for doing wordlist crack runs. It must have taken you a long time to write -- generous of you to offer it. From amehta at giasdl01.vsnl.net.in Sat Jul 6 11:20:00 1996 From: amehta at giasdl01.vsnl.net.in (Arun Mehta) Date: Sun, 7 Jul 1996 02:20:00 +0800 Subject: Net and Terrorism. Message-ID: <1.5.4.32.19960706205650.002d27d0@giasdl01.vsnl.net.in> At 00:37 05/07/96 -0700, Rich Graves wrote: >Since the two muslims who used to give a shit about this list seem to have >left in disgust, I suppose I should register my "That ain't representative >of Islam... Not so long ago, when Moslems were fighting the Soviet Union in Afghanistan, they were heroes to the western world, supplied arms and money enough to destabilise the whole region. Once the Soviet menace faded, the same fighters were branded terrorists. Mixed signals like this are responsible for much of the animosity that one finds in the Islamic world (possibly even in other parts of the world) against the US. Arun Arun Mehta Phone +91-11-6841172, 6849103 amehta at cpsr.org http://mahavir.doe.ernet.in/~pinaward/arun.htm From froomkin at law.miami.edu Sat Jul 6 11:26:22 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Sun, 7 Jul 1996 02:26:22 +0800 Subject: Shrink-Wrap Lic. uphelo by courts. From Edupage, 4 July 1996 In-Reply-To: <31DDAECD.41C6@ai.mit.edu> Message-ID: [My name is invoked] There has been a lengthy discussion of this issue on the cyberia-l list. I'm not an intellectual property specialist, so I stay out it... to join the cyberia-l list, send a subscribe cyberia-l to listserv at listserv.aol.com A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's hot here. And humid. From vinnie at webstuff.apple.com Sat Jul 6 11:29:39 1996 From: vinnie at webstuff.apple.com (vinnie moscaritolo) Date: Sun, 7 Jul 1996 02:29:39 +0800 Subject: Net and Terrorism Message-ID: >On Fri, 5 Jul 1996, vinnie moscaritolo wrote: > As for a solution to governement problems, I have always and still belive > in the ballot box first. And the only way to win votes is to appeal to the > morons out there who do vote.. Maybe there is hope in the next generation > of internet literate kids.. or maybe I am just a dreamer. > >snow at crash.suba.com wrote > You are a dreamer. Netscape, TV for the internet. BS. I am not being that idealistic. look all I am saying is that maybe the net just offers kids the ability to see a variety of views instead of the mainstream liberal (or whatever it will be next week) controlled media. For now anyways any entity that has something to say and can write his way out of a paper bag has pretty much the same ability to influence on the net (at least newsgroups) as say Ted Copulate does. Maybe freedom we have here wont last for long, maybe the Pointcast of the future will just create another MTV generation...but at least for now we have a voice. Vinnie Moscaritolo ------------------ "friends come and friends go..but enemies accumulate." http://www.vmeng.com/vinnie/ Fingerprint: 4FA3298150E404F2782501876EA2146A From declan+ at CMU.EDU Sat Jul 6 11:30:02 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sun, 7 Jul 1996 02:30:02 +0800 Subject: I confess [Was: Who was that Masked Cypherpunk?] In-Reply-To: <2.2.32.19960705182536.008209bc@popserver.panix.com> Message-ID: <0lrciHu00YUu03vlY0@andrew.cmu.edu> Excerpts from internet.cypherpunks: 5-Jul-96 Re: I confess [Was: Who was.. by Duncan Frissell at panix.co > JR offered an amendment which changed the language to refer to "so-called > Key Escrow (actually government access to keys GAK)" and he also explained > that "escrow" is where you place something with a trusted third party and > the government is neither trusted nor a third party. He mentioned > cypherpunks live on CSPAN. > > Maybe when JR finished the Con he can post the original proposed language of > the LPs plank and the final language as amended. I was sitting not far from Jim when he offered the amendment; I remember it passing overwhelmingly. However, I don't think think the word "GAK" was in there -- just "government access to keys." The change to the platform, including Jim's amendment, passed unanimously. -Declan From perry at piermont.com Sat Jul 6 11:38:11 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 7 Jul 1996 02:38:11 +0800 Subject: Word lists for passphrases In-Reply-To: <199607061436.KAA05825@jekyll.piermont.com> Message-ID: <199607061553.LAA05917@jekyll.piermont.com> "Perry E. Metzger" writes: > > AwakenToMe at aol.com writes: > > I have a util that will create a word list starting from > > aaaaaaaaaaa on up to anythingggggggg basically you could do every > > combination. Let me know if ya want it. > > That would really be of great use for doing wordlist crack runs. It > must have taken you a long time to write -- generous of you to offer > it. I want to apologize to everyone for being gratuitously nasty here. It wasn't called for. From dlv at bwalk.dm.com Sat Jul 6 12:21:51 1996 From: dlv at bwalk.dm.com (Dr.Dimitri Vulis KOTM) Date: Sun, 7 Jul 1996 03:21:51 +0800 Subject: Word lists for passphrases In-Reply-To: <199607061436.KAA05825@jekyll.piermont.com> Message-ID: <1cJNqD2w165w@bwalk.dm.com> "Perry E. Metzger" writes: > AwakenToMe at aol.com writes: > > I have a util that will create a word list starting from aaaaaaaaaaa on up > > anythingggggggg > > basically you could do every combination. Let me know if ya want it. > > That would really be of great use for doing wordlist crack runs. It > must have taken you a long time to write -- generous of you to offer > it. K3wl Hack, D00dz! Why don't you post it to coderpunks - it's probably way too technical for cypherpunks. I wonder if the util comes with the source code, and what language it's written in. --- Dr.Dimitri Vulis KOTM Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From declan at well.com Sat Jul 6 12:27:14 1996 From: declan at well.com (Declan McCullagh) Date: Sun, 7 Jul 1996 03:27:14 +0800 Subject: NYT/CyberTimes on CWD article Message-ID: "We are writers, not crytographers." -Declan --- http://www.nytimes.com/library/cyber/week/0706patrol-reporters.html July 6, 1996 Reporters Claim to Have Lists of Blocked Sites By PAMELA MENDELS Reporters Brock N. Meeks and Declan B. McCullagh say they've got a little list. Several actually. The lists are of Internet sites that, in the eyes of several companies making parental control software, could be considered inappropriate to children. The lists are supposed to be secret. But Meeks and McCullagh say they have obtained lists compiled by Microsystems Software, Inc., the Framingham, Mass.-based manufacturer of Cyber Patrol; Los Altos, Calif.-based SurfWatch Software, a subsidiary of Spyglass, Inc., and Santa Barbara, Calif.-based Solid Oak Software, Inc., maker of CYBERsitter -- three of the leading producers of parental- control filtering software. McCullagh said that he and Meeks were able to view the complete Cyber Patrol and CYBERsitter lists and part of the SurfWatch list. In an article published this week in CyberWire Dispatch, a report on Internet-related issues distributed through e-mail, Meeks and McCullagh wrote that they had taken a peek at some of the sites contained on the lists and had then contacted groups that might be concerned about the listings. Representatives of organizations ranging in advocacy from feminism to gun lobbying to animal rights said they been disturbed to learn that some sites they endorse had made the lists. Kim A. Gandy, executive vice president of the National Organization for Women, said Friday that she was upset to learn that CYBERSitter blocks access to NOW's Web site. Further, she said she did not like the company's rationale: that the NOW site contains links to, among other things, sites about homosexuality. "It's ridiculous," Gandy said. "It's insulting. And I think most parents would not approve of that kind of censorship. Lots of parents don't want children surfing pornography, but would not think of denying them access to legitimate information." Marc E. Kanter, director of marketing for Solid Oak, confirmed Friday that NOW's site had been included on the CYBERsitter not-for-children list because of its links leading to "sexual preferentation" sites. "This is what our users want," he said. "If they don't want to restrict access to this material, they don't have to buy it or they can simply turn it off. We are not trying to play any political role. We are simply providing a tool for parents." Officials of the Gay & Lesbian Alliance Against Defamation were also upset that the Cyber Patrol list blocked several Internet discussion groups devoted to news of interest to the gay community. "We feel that this is the kind of thing important to gay and lesbian youth, to read about our community," said Lauren R. Javier, director of information systems for the Gay & Lesbian Alliance, adding that the newsgroups contained little if any sexually explicit material. Javier added that Cyber Patrol officials had been responsive in the past to complaints, so he wanted to give them "the benefit of the doubt" and intended to contact them about the matter. For his part, Nigel R. Spicer, president of Microsystems, said he had not examined the reasons that all the gay newsgroup sites named by the article were included on the Cyber Patrol list. The one site he did check after reading Meeks' report, however, was on the list because it contained links to personals ads, he said. McCullagh is keeping mum about how he and Meeks got the lists in the first place, although he denies that either of them personally decoded the software. "Brock and I are not cyptographic analysts," he said. "We don't spend our days de-encrypting files. We are writers, not crytographers." Spicer was less than happy about the prospect that Cyber Patrol's list may have fallen into outsiders' hands. He said that, so far, he had been unable to confirm whether the reporters had the true list for Cyber Patrol and, if so, how they had managed to obtain it. "It's always a concern if you believe people are getting access to material you've gone to the trouble to not make available," he said. "If we believe the encryption scheme has been compromised, we will make another one." Kanter, of CYBERsitter, said the list mentioned in the Cyberwire Dispatch article was, indeed, his company's. "I hope that list doesn't get out beyond where it was," he said. Jay S. Friedland, vice president of marketing for SurfWatch products, said Friday that he had not yet read the article. He said the blocking companies keep their lists secret for two reasons: to prevent their misuse and to keep their competitive edge. "Clearly, each company has a proprietary advantage," Friedland said. "One of our competitors could take and use the same information." ### From WlkngOwl at unix.asb.com Sat Jul 6 13:09:39 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Sun, 7 Jul 1996 04:09:39 +0800 Subject: CCC Crypto Lock Message-ID: <199607061734.NAA18987@unix.asb.com> On 6 Jul 96 at 4:10, anonymous-remailer at shell.port wrote: > MicroPatent, 4 July 96 [..] > Abstract: Disclosed systems and methods for protecting a > software program from unauthorized use and copying > through the removal at least one of a plurality of > instructions comprising a software program, and > encrypting the removed instruction utilizing an > encryption algorithm to produce an encrypted instruction, > the encryption algorithm responsive to a randomly > generated key. Would certain computer viruses be considered prior art here? (Be it that they encrypt for the purposes of hiding rather than copy protection though.) Rob. --- No-frills sig. Befriend my mail filter by sending a message with the subject "send help" Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From WlkngOwl at unix.asb.com Sat Jul 6 13:19:47 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Sun, 7 Jul 1996 04:19:47 +0800 Subject: What remains to be done. Message-ID: <199607061734.NAA18984@unix.asb.com> On 6 Jul 96 at 13:32, Anthony Daniel wrote: > Should try SECURE DESK-TOP as well (PC only), it can encrypt (DES and IDEA) [..] > And it can add PEM capabilities to most e-mail clients and it's WIN95 and PGP capabilities would be nice. :) > user friendly. Try it at: > > http://www.systems.it/secure > > There are NO export restrictions on it as well because it's Italian made. Well, it can't be downloaded from a US site to a non-US site anyway. It's nice to see some non-US strong crypto in that it will be all the more impetus to relax ITAR. Rob --- No-frills sig. Befriend my mail filter by sending a message with the subject "send help" Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From ichudov at algebra.com Sat Jul 6 13:40:07 1996 From: ichudov at algebra.com (Igor Chudov @ home) Date: Sun, 7 Jul 1996 04:40:07 +0800 Subject: Word lists for passphrases In-Reply-To: <960706092922_350344400@emout18.mail.aol.com> Message-ID: <199607061744.MAA31864@manifold.algebra.com> AwakenToMe at aol.com wrote: > > I have a util that will create a word list starting from aaaaaaaaaaa on up to > anythingggggggg > basically you could do every combination. Let me know if ya want it. > Here's the C++ prog that I wrote 1.5 yrs ago for my friend who needed it for genetic experiments on evidence in OJ "ZAEBAL" Simpson trial: void nested_loops(int max_depth, int *lower, int *upper, void (*action)(int *indexes, int depth)) /* calls (*action) for every combination of numbers of size max_depth o max_depth - size of all combinations o lower - lower boundaries for indices 0 -- max_depth - 1 o upper - upper boundaries for indices 0 -- max_depth - 1 o action - called for every combination Example: int lwr[] = { 'a', 'a' }; int upr[] = { 'b', 'b' }; nested_loops( 2, lwr, upr, some_action ); calls some_action for every combination aa ab ba bb */ { int *indexes = new int[max_depth]; int cur_depth = 0; indexes[cur_depth] = lower[cur_depth]; do { if( indexes[cur_depth] < upper[cur_depth] ) { if( cur_depth == max_depth - 1 ) { (*action)( indexes, cur_depth ); // Acting only deep enough indexes[cur_depth]++; } else { cur_depth++; indexes[cur_depth]=lower[cur_depth]; } } else { if( --cur_depth >= 0 ) indexes[cur_depth]++; } } while( cur_depth >= 0 ); delete [] indexes; } - Igor. From alano at teleport.com Sat Jul 6 13:51:23 1996 From: alano at teleport.com (Alan Olsen) Date: Sun, 7 Jul 1996 04:51:23 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port Message-ID: <2.2.32.19960706175510.00f3a638@mail.teleport.com> At 06:27 AM 7/6/96 +0000, you wrote: >On Fri, 5 Jul 1996, CyberEyes wrote: > >> NOT talking about Lynx, what DOS-based Web browser is there? > > Net-Tamer. > > Requires a PPP connection, and precious little else. The problem is getting PPP to work under DOS. If your kid can do that, then he will have no problem in disabling any sort of filtering, as well as wiping the hard drive and installing Linux with X11R6. DOS stacks are a pain to get functioning, usually have little to no useful instructions, and tend to be harder than hell to find. (Or as Homer Simpson once said: "Mmmmmm! Packet drivers!") I expect to see a case where some kid gets in trouble for filtering out what his parents can see, read, or hear. Or sets the school filter to only allow going to porno sites. I find it humorous how many people think that they can use technology to babysit their kids when the kids understand the technology much better than they do in most cases... --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon "Microsoft -- Nothing but NT promises." From ichudov at algebra.com Sat Jul 6 14:06:26 1996 From: ichudov at algebra.com (Igor Chudov @ home) Date: Sun, 7 Jul 1996 05:06:26 +0800 Subject: Need PGP-awareness in common utilities In-Reply-To: <199607061311.PAA08700@digicash.com> Message-ID: <199607061753.MAA31894@manifold.algebra.com> bryce at digicash.com wrote: > I really don't see why programs like majordomo, UseNet > moderation-bots, and most noticeably the PGP key distribution > program are PGP-unaware. My moderation bot STUMP is not only PGP-aware, it is also doing a lot of PGP-related things. Among them: 1) For posters who voluntarily chose additional protection, STUMP allows only messages with a valid PGP signature to be posted. All posts from these people that do not have a PGP sig or have an invalid sig, are automatically rejected. It protects them from forgeries. 2) All exchange between my modbot and human moderators is PGP-signed (and encrypted when necessary), to insure integrity of moderation email traffic. 3) All message approved for posting to usenet get signed with Greg Rose's PGPMoose program. 4) There is an additional service for those who post through anonymous remailers BUT want to have an identity and reputation. The idea is that they submit their PGP keys to the robomoderator, and later robomod takes the user id from the PGP key, replacing meaningless anonymous addresses with their identity. We currently have at least two posters whose real life identities are unknown, who use this feature and have sent us their PGP keys. STUMP is currently working in production mode seemingly with no problems. For details, look at http://www.algebra.com/~ichudov/usenet/scrm/robomod/robomod.html - Igor. From WlkngOwl at unix.asb.com Sat Jul 6 14:07:30 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Sun, 7 Jul 1996 05:07:30 +0800 Subject: Need PGP-awareness in common utilities Message-ID: <199607061837.OAA19841@unix.asb.com> On 6 Jul 96 at 15:11, bryce at digicash.com wrote: [..] > I really don't see why programs like majordomo, UseNet > moderation-bots, and most noticeably the PGP key distribution > program are PGP-unaware. > Okay, fine. Having waited for FIVE YEARS or however long it has > been, you who are responsible for such handy dandy programs may now > convincingly argue that you might as well wait for another few > months to get PGPlib. But I sincerely hope that once PGPlib arrives > we don't wait another five years before using it. Good point... > There is another argument that people sometimes make-- that > it is too complicated to ensure pubkey<->True Name. SO WHAT! I've never seen that argument. It's a non-issue for making programs PGP-aware. [..] --- No-frills sig. Befriend my mail filter by sending a message with the subject "send help" Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From WlkngOwl at unix.asb.com Sat Jul 6 14:15:29 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Sun, 7 Jul 1996 05:15:29 +0800 Subject: Transforming variable- to fixed-length keys Message-ID: <199607061837.OAA19848@unix.asb.com> On 7 Jul 96 at 1:47, pgut001 at cs.auckland.ac.nz wrote: [..] > I've run into a problem in writing a general-purpose n-byte input to m-byte > output transformation function. What this does is take an arbitrary-length > user key and transform it to a fixed-length encryption key (for example an > entered passphrase into a 112-bit triple-DES key). The constraints on memory > usage are: > > - The input (user) key can't be altered (you can't change data passed in by the > caller) > - The user key can't be copied to an internal buffer (it can be of arbitrary > length, and is sensitive material so shouldn't be copied elsewhere) > > In other words there's no temporary storage available apart from what's > provided in the output key. This is almost always a different length from the > input key. > > Some other constraints are: > > - The transformation must be algorithm-independant (it shouldn't, for example, [..] > - The transformation must be able to be iterated to make a password-guessing > attack harder to perform. Hmm. What about the following: Use a constant (non-weak) key for a cipher (perhaps the hash of the passphrase under certain circumstances?) For iteration-0, CFB (or some other feedback mode)-encrypt the passphrase from the input buffer to the output buffer (assuming the library doesn't require that the plaintext and ciphertext be in the same buffer) For following iterations, repeatedly CFB-encrypt the buffer, using a counter in data bytes. This method could use hash algorithms in MDC or Luby-Rackoff forms as well as block ciphers (and perhaps some stream ciphers). Another method might be to seed a PRNG similar to that used in PGP 2.x with the passphrase, have it stir the bytes a number of times, and then use the output as the key: randPoolAddBytes(passphrase, passlen); for(i=0;i Here's my initial approach, if anyone has any comments to make on this or knows > of a better way to do it, please let me know. [..] > The first stage in the key hashing prepends the length of the string as a > big-endian 16-bit count to the user key: > > +------+-------------------------------------------------------+ > |Length| User Key | > +------+-------------------------------------------------------+ > > The aim of the hashing is to reduce this variable-length input string to a > fixed-length key appropriate to the encryption algorithm being used. This is > done by treating the user encryption keys as circular buffers and repeatedly > hashing chunks of the user key and xoring the result into the output buffer. [..] > Since the input to the hash function is much larger than its output, a > significant amount of the user key affects each chunk of the encryption key. > The size of each "chunk" is determined by the hash function being used. For > example with the MD4 hash function, 64 bytes of user key affect each 16 bytes > of encryption key. [..] Questions: Are you using the previous chaining-variables/hash for each successive chunk? How do you pad passphrases that are smaller than the minimum input for a hash function? Rob. --- No-frills sig. Befriend my mail filter by sending a message with the subject "send help" Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From alano at teleport.com Sat Jul 6 14:21:53 1996 From: alano at teleport.com (Alan Olsen) Date: Sun, 7 Jul 1996 05:21:53 +0800 Subject: [RANT] Re: CWD -- Jacking in from the "Keys to the Kingdom" Port Message-ID: <2.2.32.19960706181747.00987320@mail.teleport.com> At 03:27 PM 7/5/96 -0400, Mark M. wrote: >> B) Forget the CONFIG.SYS ... what about kids using Macs or some future >> "Kid Safe" system that has the filters in an eeprom? I'm talking >> about bypassing the censorship on the client-server level. Relatively >> platform independent. > >Using a hardware based filter is about as bad as using the IP security header >fields for content descriptions. It's not at the level where filtering >belongs. Filtering should be at the software level where it currently is. >Since this can easily be broken, it might be better to have "Kid Safe" ISP's >that would use a firewall to filter data. Or even better yet, they could actually teach thier children to deal with such information instead of sheltering them from it. I have dealt with a number of parents who have the idea that they can filter everything the kid hears or sees. The type of intelectual and emotional basketcases that result are not very plesant to interact with. They tend to go through alot of rough times when they have to go out into the world and see a wide variety of views, instead of just seeing what mommy and daddy want them to. What happens from there is generally not very pretty or very fun for the person involved. I do not believe that these types of filters are good. If you have that much concern about what your child can see, then you should not give them net access at all. (And remember to also not to leave them at the library where they might find just as much filth...) "If you don't want your kids to be hit by information, then don't let them play on the information superhighway." Without contradictoy viewpoints, children do not learn how to decern between them. They get indoctrinated into the idea that they must accept ideas as they are fed to them. That learning consists of taking what is provided and not to go out and find those ideas which might be "harmful" or "dangerous" without perental supervision. What we are getting is a bunch of emotional cripples who cannot handle anything intelectually sharper than a rubber ball. (And it must be a ball bigger than two inches in diameter, else they might choke on it.) With these sort of tools, we are conditioning our children that it is OK if someone filters their information before they see it. (Without even knowing the *KIND* of information being filtered, because even *THAT* level of knowledge is harmful and/or proprietary.) That it is OK for some parental figure to eliminate all the "nasty" and "awful" information before someone can hurt themselves with it. That itt is OK to prevent others from viewing information to complex for their childlike minds. We are becoming a nation of the babysat. Anything that our nannys deem harmful is hidden away in the bedrooms of the parental units. And maybe it is harmful. They have to scan through it all day long and look what kind of self-righous pricks they have become! At least I am able to instill some sort of love of knowledge and exploration into my daughter. Hopefully it will stick before the control freaks in this culture are able to knock it out of her... --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon "Microsoft -- Nothing but NT promises." From fiedorow at math.ohio-state.edu Sat Jul 6 15:07:52 1996 From: fiedorow at math.ohio-state.edu (Zbigniew Fiedorowicz) Date: Sun, 7 Jul 1996 06:07:52 +0800 Subject: MacPGP 2.6.3 released Message-ID: I have changed the method of distribution of FatMacPGP 2.6.3. It is now available by anonnymous FTP from Mike Johnson's ITAR compliant crypto archives at ftp://ftp.csn.net/mpj/. My web page http://www.math.ohio-state.edu/~fiedorow/PGP now contains detailed instructions and URL links explaining how to obtain the software from Mike Johnson's site, rather than the software itself. In particular, it is no longer necessary to have a previous version of PGP in order to get FatMacPGP 2.6.3. Note: my system administrators have changed the IP address of www.math.ohio-state.edu this weekend. If your DNS server has difficulty finding the site, you might try http://128.146.111.31/~fiedorow/PGP Feel free to redistribute FatMacPGP 2.6.3 to friends, acquaintances, etc and to put it up on local BBS's. It is your personal responsibility to insure you don't to violate any laws or international treaties doing so. Zig Fiedorowicz From iang at cs.berkeley.edu Sat Jul 6 15:15:19 1996 From: iang at cs.berkeley.edu (Ian Goldberg) Date: Sun, 7 Jul 1996 06:15:19 +0800 Subject: Netscape 3.0b5 can unanonymize Anonymizer Message-ID: <199607061933.MAA07654@abraham.cs.berkeley.edu> -----BEGIN PGP SIGNED MESSAGE----- The new netscape has this "feature" where the RHS of KEY=value pairs in tags can contain inline Javascript, which is evaluated to get the actual RHS. For example, the HTML: Did you really think you could be anonymous? will open a new, unanonymized, window (you don't even have to click on the link). The main problem is that the Anonymizer doesn't filter out the new way of embedding Javascript: &{this.is("javascript code")}; So, if you use the Anonymizer with netscape 3.0b5, _disable_ Javascript until this is fixed (better yet, disable Javascript and Java entirely, but that's another story for another time...). - Ian -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMd6/nEZRiTErSPb1AQGEPgQAu9NaxafrQDrqdTLUkzQ7k0D6Pq8FxIx1 7Mo3j6ACs6Flp2Tq+2szh6Ch+U0r21LL5NuC3zQ/BA9j/UmqU+c5XM7NRFFGEEhY f1RakLlaiWp+gnxv3dgWWMUZ30iB01kNbIGcl4X3FPLUpyavK45KoqjRJh13s/K+ ACWmg1pgmXk= =23r4 -----END PGP SIGNATURE----- From tphilp at bfree.on.ca Sat Jul 6 15:17:56 1996 From: tphilp at bfree.on.ca (Tim Philp) Date: Sun, 7 Jul 1996 06:17:56 +0800 Subject: CCC Crypto Lock Message-ID: <19004146800633@bfree.on.ca> The fact that this patent was issued indicates to me that the patent office does not understand computer technology. There is nothing new here that I was not using for other purposes at least 20 years ago. Unfortunately, once a patent is issued, it cost a great deal of money to break. Tim Philp At 04:10 AM 7/6/96 -0700, you wrote: >MicroPatent, 4 July 96 > > >Systems and methods for protecting software from >unlicensed copying and use (Assignee -- Convex Computer >Corporation) > > >Abstract: Disclosed systems and methods for protecting a >software program from unauthorized use and copying >through the removal at least one of a plurality of >instructions comprising a software program, and >encrypting the removed instruction utilizing an >encryption algorithm to produce an encrypted instruction, >the encryption algorithm responsive to a randomly >generated key. > >Ex Claim Text: A processing system for protecting a >software program from unauthorized use, said software >program including one or more unencrypted instructions >stored in memory associated with said software program, >said processing system comprising: a processing unit >operable to: remove at least one selected said >unencrypted instruction from an executable area in said >memory associated with executable portions of said >program; encrypt said at least one selected unencrypted >instruction removed from said software program utilizing >an encryption algorithm to produce an encrypted >instruction; store said encrypted instruction within a >first non-executable data area in said memory associated >with said software program; and insert at least one >trappable instruction in place of said encrypted >instruction within said executable area in memory >allowing said software program to be linked with one or >more other programs. > >Assignee: Convex Computer Corporation > >Patent Number: 5530752 > >Issue Date: 1996 06 25 > >Inventor(s): Rubin, Robert J. > >If you would like to purchase a copy of this patent, >please call MicroPatent at 800-984-9800. > >Copyright 1996, MicroPatent > > From AwakenToMe at aol.com Sat Jul 6 15:39:23 1996 From: AwakenToMe at aol.com (AwakenToMe at aol.com) Date: Sun, 7 Jul 1996 06:39:23 +0800 Subject: Word lists for passphrases Message-ID: <960706155139_428652398@emout15.mail.aol.com> In a message dated 96-07-06 14:25:18 EDT, perry at piermont.com (Perry E. Metzger) writes: << "Perry E. Metzger" writes: > > AwakenToMe at aol.com writes: > > I have a util that will create a word list starting from > > aaaaaaaaaaa on up to anythingggggggg basically you could do every > > combination. Let me know if ya want it. > > That would really be of great use for doing wordlist crack runs. It > must have taken you a long time to write -- generous of you to offer > it. I want to apologize to everyone for being gratuitously nasty here. It wasn't called for. >> Thats funny. I thought you were being completely serious and I sent you this file. You are exactly right. it is of GREAT use for doing wordlist crack runs. Why dont ya check out some realllyyy secure systems and find out what utils they use to test their own security. I ALWAYS use created segments of this when trying to brute force my way into my OWN machine. It helps finding bugs that overwrite the stack..etc. But... apology accepted. You may learn from it. From bryce at digicash.com Sat Jul 6 15:51:00 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Sun, 7 Jul 1996 06:51:00 +0800 Subject: more about the usefulness of PGP Message-ID: <199607061957.VAA21682@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- Here's an idea that I always wanted to implement but never did yet. I thought I'd share and if someone else has already done it let me have a copy. I should be able to execute scripts remotely by sending e-mail to an account. Simple mail-handling scripts at that account should check the PGP signature (and timestamp/counter to prevent replay/delay attacks) and then pass the contents to a full script-language interpreter. Perl is a natural choice of interpreter. Has anybody implemented this (hopefully complete with replay/delay prevention)? Thanks! Bryce P.S. No, actually I can't think of any good use for this trick. But maybe if I had it I would find good uses for it. -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMd7FIEjbHy8sKZitAQHhRQMAmZoekRgmUKSYv89/QrkzRFdTUZLZHK8a tlaXLtyJXrOjajxJRVvXWY7Rum6mVXe/4eHTPCGzzWQdXMJB/TJSQeRmTuSiSd9i 0DtWcQSmP4q5AFor48NtNvqAOEonf5Vi =My90 -----END PGP SIGNATURE----- From bryce at digicash.com Sat Jul 6 15:53:18 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Sun, 7 Jul 1996 06:53:18 +0800 Subject: Need PGP-awareness in common utilities In-Reply-To: <199607061753.MAA31894@manifold.algebra.com> Message-ID: <199607061950.VAA21507@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- An entity calling itself ichudov at algebra.com probably wrote something like: > > My moderation bot STUMP is not only PGP-aware, it is also doing > a lot of PGP-related things. Among them: > > 1) For posters who voluntarily chose additional protection, STUMP allows > only messages with a valid PGP signature to be posted. > 2) All exchange between my modbot and human moderators is PGP-signed > (and encrypted when necessary) > 3) All message approved for posting to usenet get signed with Greg > Rose's PGPMoose program. > 4) There is an additional service for those who post through anonymous > remailers BUT want to have an identity and reputation. > We currently have at least two posters whose real life identities are > unknown, who use this feature and have sent us their PGP keys. > > STUMP is currently working in production mode seemingly with no problems. Okay Igor, that is an impressive list of features! Now what I want to know (and what I want other people here to hear) is: _How_ difficult was it to incorporate these PGP features into your software? My guess is that it was a simple matter of making a couple of system calls to PGP, plus maybe extra defense against replay attacks (you _do_ have defense against replay attacks don't you?) and the fact that you have more debugging work because you have more features. Regards, Bryce Return-Path: ichudov at manifold.algebra.com Received: from galaxy.galstar.com (galaxy.galstar.com [204.251.80.2]) by digicash.com (8.6.11/8.6.10) with ESMTP id TAA15575 for ; Sat, 6 Jul 1996 19:54:16 +0200 Received: from manifold.algebra.com (manifold.algebra.com [204.251.82.89]) by galaxy.galstar.com (8.6.12/8.6.12) with ESMTP id MAA12554; Sat, 6 Jul 1996 12:52:30 -0500 Received: (from ichudov at localhost) by manifold.algebra.com (8.7.5/8.6.11) id MAA31894; Sat, 6 Jul 1996 12:53:02 -0500 Message-Id: <199607061753.MAA31894 at manifold.algebra.com> Subject: Re: Need PGP-awareness in common utilities To: bryce at digicash.com Date: Sat, 6 Jul 1996 12:53:02 -0500 (CDT) Cc: cypherpunks at toad.com, e$@thumper.vmeng.com Reply-To: ichudov at algebra.com (Igor Chudov) In-Reply-To: <199607061311.PAA08700 at digicash.com> from "bryce at digicash.com" at Jul 6, 96 03:11:48 pm From: ichudov at algebra.com (Igor Chudov @ home) X-No-Archive: yes X-Mailer: ELM [version 2.4 PL24 ME7] Content-Type: text bryce at digicash.com wrote: > I really don't see why programs like majordomo, UseNet > moderation-bots, and most noticeably the PGP key distribution > program are PGP-unaware. My moderation bot STUMP is not only PGP-aware, it is also doing a lot of PGP-related things. Among them: 1) For posters who voluntarily chose additional protection, STUMP allows only messages with a valid PGP signature to be posted. All posts from these people that do not have a PGP sig or have an invalid sig, are automatically rejected. It protects them from forgeries. 2) All exchange between my modbot and human moderators is PGP-signed (and encrypted when necessary), to insure integrity of moderation email traffic. 3) All message approved for posting to usenet get signed with Greg Rose's PGPMoose program. 4) There is an additional service for those who post through anonymous remailers BUT want to have an identity and reputation. The idea is that they submit their PGP keys to the robomoderator, and later robomod takes the user id from the PGP key, replacing meaningless anonymous addresses with their identity. We currently have at least two posters whose real life identities are unknown, who use this feature and have sent us their PGP keys. STUMP is currently working in production mode seemingly with no problems. For details, look at http://www.algebra.com/~ichudov/usenet/scrm/robomod/robomod.html - Igor. -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMd7Dj0jbHy8sKZitAQGkIAMAxr5F3Lqv2cUBekFz3KRam1H4uE4qKrHx cv7DwvRUXVX89TK0TFVlt/T3nwD8NBTwMtMG+xnlltHCLcjrSC0gd+3Pu2B8o0nD 0JnXWitvZtAm405YPKaN7sX6hCGGyNOX =U+4Q -----END PGP SIGNATURE----- From ichudov at algebra.com Sat Jul 6 16:08:01 1996 From: ichudov at algebra.com (Igor Chudov @ home) Date: Sun, 7 Jul 1996 07:08:01 +0800 Subject: Need PGP-awareness in common utilities In-Reply-To: <199607061950.VAA21507@digicash.com> Message-ID: <199607062013.PAA00038@manifold.algebra.com> bryce at digicash.com wrote: > An entity calling itself ichudov at algebra.com probably wrote > something like: > > > > My moderation bot STUMP is not only PGP-aware, it is also doing > > a lot of PGP-related things. Among them: > > > > 1) For posters who voluntarily chose additional protection, STUMP allows > > only messages with a valid PGP signature to be posted. > > > 2) All exchange between my modbot and human moderators is PGP-signed > > (and encrypted when necessary) > > > 3) All message approved for posting to usenet get signed with Greg > > Rose's PGPMoose program. > > > 4) There is an additional service for those who post through anonymous > > remailers BUT want to have an identity and reputation. > > > We currently have at least two posters whose real life identities are > > unknown, who use this feature and have sent us their PGP keys. > > > > STUMP is currently working in production mode seemingly with no problems. > > > Okay Igor, that is an impressive list of features! Now what thanks > I want to know (and what I want other people here to hear) is: > _How_ difficult was it to incorporate these PGP features into > your software? Almost nothing is dufficult, in general. In particular, implementation of these features was easy. Coming up with how they should work was not that easy. Thanks to members of Cypherpunks list for their suggestions, by the way. You know, this stuff is easy to do in perl and sh. > My guess is that it was a simple matter of > making a couple of system calls to PGP, plus maybe extra > defense against replay attacks (you _do_ have defense against > replay attacks don't you?) and the fact that you have more > debugging work because you have more features. Depends on what replay attacks you are talking about. If you are more specific, I can talk about it. Some of it is discussed at http://www.algebra.com/~ichudov/usenet/scrm/robomod/robomod.html - Igor. From tcmay at got.net Sat Jul 6 16:29:26 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 7 Jul 1996 07:29:26 +0800 Subject: [RANT] Giving Mind Control Drugs to Children Message-ID: At 6:17 PM 7/6/96, Alan Olsen wrote: >With these sort of tools, we are conditioning our children that it is OK if >someone filters their information before they see it. (Without even knowing >the *KIND* of information being filtered, because even *THAT* level of >knowledge is harmful and/or proprietary.) That it is OK for some parental >figure to eliminate all the "nasty" and "awful" information before someone >can hurt themselves with it. That itt is OK to prevent others from viewing >information to complex for their childlike minds. > >We are becoming a nation of the babysat. Anything that our nannys deem >harmful is hidden away in the bedrooms of the parental units. And maybe it >is harmful. They have to scan through it all day long and look what kind of >self-righous pricks they have become! The doublethink and hypocrisy of modern society is astounding. A friend of mine has an 8-year-old son, whom he has custody of on weekends. Sometimes his son wants to have his friend stay over Saturday, as kids like to do. When the mother (a single mother, as this is California) drops her son off with my friend (also single, of course), she includes several "Ritalin" capsules with instructions on how to dose her son with this depressant/behavior modification drug. My friend ignores these Ritalins, which upsets the Mom greatly the next day when she realizes her son has not been given the tranks that are also known as "Mother's little helpers." I've been over visiting my friend to see some of this. The Ritalin-sodden kid arrives like a zombie. When the Ritalin wears off, he's rambunctuous, but all kids are. My friend Paul has had to discipline him a bit to keep him from--as the psychobabbles would say--"acting out." This discipline sets him straight, but it's not something his New Age "supermom" would ever think of doing. Hence the kid throws temper tantrums, acts out, calls her "You fucking asshole" (remember, he's only 8 or so), and so on. So she cranks up his dose of Ritalin and he's zoned out for a while. Frankly, I think telling the kid that if throws a tantrum he'll get punished for it is a whole lot more normal--ever notice that a dog smacks her puppies when they get out of line, or that a cat swats her kittens the same way? It establishes the rules of the game. (No, I'm not talking about "child abuse," the sadistic beltings and lashings which some parents give. However, here in Kalifornia it is essentially illegal for parents to use corporal punishment. Heavy doses of drugs are, after all, the California way!) "Just say no to drugs!" is the mantra of these doublethinkers, as they dose their kids at school and at home with tranquilizers and behavior modification drugs. The kids grow up thinking pills are the answer to everything. Also in California, the public schools dispense these mind control drugs to a growing fraction of the school population. Apparently this has become the largest part of the job of "school nurses." I believe parents are involved in this dosing regimen, but I would not be surprised if this changes. After all, such medical procedures as abortion are now handled "discreetly" by the school nurses, without any requirement that the parent be notified. Whatever one thinks of abortion, this is surely a strange state of affairs, where the public school system is taking on such a role and is actively deceiving a parent. The connection with the themes of our list is that this linguistic doublethink is what allows Big Brother's control of our communications and private files to be called by the relatively benign name of "escrow." --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From eli+ at gs160.sp.cs.cmu.edu Sat Jul 6 17:02:40 1996 From: eli+ at gs160.sp.cs.cmu.edu (eli+ at gs160.sp.cs.cmu.edu) Date: Sun, 7 Jul 1996 08:02:40 +0800 Subject: NYT/CyberTimes on CWD article In-Reply-To: <+cmu.andrew.internet.cypherpunks+olrdBjW00UfAI10EoP@andrew.cmu.edu> Message-ID: <199607062057.NAA16062@toad.com> >http://www.nytimes.com/library/cyber/week/0706patrol-reporters.html > "If we believe the encryption scheme has > been compromised, we will make another > one." Heh. It seems that these companies are going to have a problem as long as they use lists of *excluded* sites. Forget insight into company policy; these are global indices of "smut" on the net. (The lists of the more liberal companies are probably most attractive to those not titillated by NOW position papers.) They have to give you the list, and they have to give you software that uses it, so there's no way to achieve complete secrecy. I think the best they can do is to distribute a list of hashed URLs. -- Eli Brandt eli+ at cs.cmu.edu From bryce at digicash.com Sat Jul 6 17:15:06 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Sun, 7 Jul 1996 08:15:06 +0800 Subject: Need PGP-awareness in common utilities In-Reply-To: <199607062013.PAA00038@manifold.algebra.com> Message-ID: <199607062117.XAA25154@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- You know, Igor... (It has been a few months since I was hot on this idea, but hearing about your practical PGP successes has gotten me interested again...) If you have a moderation bot for a Usenet group (and could it be pressed into service as a mailing list handler I wonder?), this would be a nice tool to start with in order to implement full-fledged content/author ratings. Anybody wanna hack a perl script or two to produce/consume content/author ratings for cypherpunks (it could surely use some!). We can use my dormant mailing list, c2punks at c2.net, as a parallel channel to transmit cypherpunk (and maybe other) ratings. Let me know. We _could_ adopt the ridiculously simple NoCeM protocol, or the ever-mutating public key certificates being designed in a nearby mailing list, or some protocol of our own. (Shouldn't be too hard to come up with an implementable, useful protocol.) (And of course we can mix Ecash(tm) in...) Bryce P.S. Look for demo in a second. -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMd7XyUjbHy8sKZitAQG37QL7Br0vNB2xx4rwyGmXUqP8YYkY3GV5Q2Cv Ut0PmkdKTlmDkM0nFzZEYTuOhvPwabglpq385Dzp6vjUratILMhOQLulqueumj/C zOz4KcUEPqinK7KMg5ZnkZPy6d02goh2 =OBSL -----END PGP SIGNATURE----- From ichudov at algebra.com Sat Jul 6 17:28:05 1996 From: ichudov at algebra.com (Igor Chudov @ home) Date: Sun, 7 Jul 1996 08:28:05 +0800 Subject: Need PGP-awareness in common utilities In-Reply-To: <199607062117.XAA25154@digicash.com> Message-ID: <199607062132.QAA00782@manifold.algebra.com> bryce at digicash.com wrote: > You know, Igor... > (It has been a few months since I was hot on this idea, but > hearing about your practical PGP successes has gotten me > interested again...) > > If you have a moderation bot for a Usenet group (and could it be > pressed into service as a mailing list handler I wonder?), this Yes, it can be. When I was writing it I had in mind that I want to write a general moderation bot that can be _applied_ to USENET. There is a script processApproved which is called when a message should get posted. If you replace the usenet version of processApproved to mailing list version, you will be done. > would be a nice tool to start with in order to implement > full-fledged content/author ratings. Well, STUMP is a generic moderation tool. > Anybody wanna hack a perl > script or two to produce/consume content/author ratings for > cypherpunks (it could surely use some!). We can use my dormant > mailing list, c2punks at c2.net, as a parallel channel to transmit > cypherpunk (and maybe other) ratings. So, what you want is a tool that accepts "unmoderated" cpunks list, selects messages by authors with high ratings, and forwards only these into the "filtered" list? That's neat _if_ ratings are done by people whose tastes are similar to mine.. > Let me know. We _could_ adopt the ridiculously simple NoCeM > protocol, or the ever-mutating public key certificates being > designed in a nearby mailing list, or some protocol of our own. > (Shouldn't be too hard to come up with an implementable, useful > protocol.) ????? - Igor. From bryce at digicash.com Sat Jul 6 17:40:07 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Sun, 7 Jul 1996 08:40:07 +0800 Subject: demo rating Message-ID: <199607062159.XAA28958@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- Certificate-Type: Chudov/Wilcox Content/Author Rating Rating-Type: Content Object-ID: Date: Sat, 06 Jul 1996 23:16:59 +0200/From: bryce at digicash.com Topicality: 10 Entertainment: 10 Value: 10 Signer: 0x2c2998ad Timestamp: Sat Jul 6 23:59:15 MET DST 1996 Signature: -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMd7hzkjbHy8sKZitAQE2EgL/SzCdEDihADRwDnGMy/GmkUF/3z082FRz uv0QbyR32Se15q+nkNZoj0vrMB9oFdFDv5fFON7oun3kLN+BukCAQTwta2+CYaIQ F6CwqeZz5TdAFYLB8lrgM0jAQDNaIiI6 =q+l+ -----END PGP SIGNATURE----- From norm at netcom.com Sat Jul 6 17:52:53 1996 From: norm at netcom.com (Norman Hardy) Date: Sun, 7 Jul 1996 08:52:53 +0800 Subject: NYT/CyberTimes on CWD article Message-ID: At 9:17 AM 7/6/96, Declan McCullagh wrote: >"We are writers, not crytographers." > >-Declan .... This seems to be an application for Bloom filters. See page bottom of page 561 in Knuth's "Searching and Sorting", First Edition. (Vol 3 of Art of Computer Programming) With a Bloom filter you can hide which URLs you reject yet quickly rejecting particular URLs. Compute SHA(URL) yielding 160 bits. Divide that into 16 ten bit quantities b[i], for 0<=i< 10. Reject the access if P[b[i]] = 1 for each i. P is an array of 1024 bits computed by someone with the index prohibitorum. (pardon my Latin) Yes, this excludes 1/1024 "falsely accused" URLs, but you get the idea. From bryce at digicash.com Sat Jul 6 17:55:19 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Sun, 7 Jul 1996 08:55:19 +0800 Subject: ratings Message-ID: <199607062201.AAA29101@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- Of course a real rating would be signed by my ratings private key and not by my e-mail private key. I might start a service where I will pay you for your ratings and then distribute them for a fee. (Note that you get paid for generating ratings, as long as your ratings get good meta-ratings. You have to pay to use other people's ratings. This is how it should be.) Regards, Bryce -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMd7iRkjbHy8sKZitAQGTEQL+IchRcLv9r7/WpDQb8tmJ0QJD7tN8KUNG AEX/UtzApwffH2kS90ThHVnsVt/8WKgI+WfsZ0Z0PtYoE5uLwBUJDzXydbZ8zHEx B5Ti4pfF0wuXwWD6kA/ISYyhZHRewcol =Dwsd -----END PGP SIGNATURE----- From bryce at digicash.com Sat Jul 6 18:04:32 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Sun, 7 Jul 1996 09:04:32 +0800 Subject: Need PGP-awareness in common utilities In-Reply-To: <199607062132.QAA00782@manifold.algebra.com> Message-ID: <199607062156.XAA28423@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- An Igor-like entity wrote something like this: > > Yes, it can be. When I was writing it I had in mind that I want > to write a general moderation bot that can be _applied_ to USENET. > > There is a script processApproved which is called when a message > should get posted. If you replace the usenet version of processApproved > to mailing list version, you will be done. Nice design. :-) > > Anybody wanna hack a perl > > script or two to produce/consume content/author ratings for > > cypherpunks (it could surely use some!). We can use my dormant > > mailing list, c2punks at c2.net, as a parallel channel to transmit > > cypherpunk (and maybe other) ratings. > > So, what you want is a tool that accepts "unmoderated" cpunks list, > selects messages by authors with high ratings, and forwards only > these into the "filtered" list? That's neat _if_ ratings are done > by people whose tastes are similar to mine.. Hm. That might be an interesting addition to my plan, but the first step is to generate ratings and to consume them at each individual's mail-handling site. So I, for example, would run a script every time I received mail (or every hour, or every day, etc) which looked for ratings certificates, PGP-verified them, and saved the rating in a database. Then I would run another script (every time I received mail, or every hour, etc.) which identified incoming messages and _did_ something to them if there were sufficient ratings in the database to merit _doing_ something to them (e.g. delete, promote to a "well-rated" folder, demote to a "poorly-rated" folder, forward to my friends, forward to my enemies, etc.). Now as you astutely note, this is only valuable if you like the ratings. Thus it is necessary to have meta-ratings. The simplest meta-rating is "rate raters by hand". That is, you manually make a list of (potential) raters and put their public key ID and a coefficient indicating how much you value their ratings into a meta-ratings database. More complicated meta-ratings include "how often did I agree with them", true (acquired from other people) meta-ratings, and... um.. automated textual analysis or whatever other whacky heuristic you want to plug in. This could be so much fun... Bryce P.S. Oh yeah... The demo. Just a sec. Return-Path: ichudov at manifold.algebra.com Received: from galaxy.galstar.com (galaxy.galstar.com [204.251.80.2]) by digicash.com (8.6.11/8.6.10) with ESMTP id XAA26531 for ; Sat, 6 Jul 1996 23:35:45 +0200 Received: from manifold.algebra.com (manifold.algebra.com [204.251.82.89]) by galaxy.galstar.com (8.6.12/8.6.12) with ESMTP id QAA11089; Sat, 6 Jul 1996 16:32:06 -0500 Received: (from ichudov at localhost) by manifold.algebra.com (8.7.5/8.6.11) id QAA00782; Sat, 6 Jul 1996 16:32:39 -0500 Message-Id: <199607062132.QAA00782 at manifold.algebra.com> Subject: Re: Need PGP-awareness in common utilities To: bryce at digicash.com Date: Sat, 6 Jul 1996 16:32:38 -0500 (CDT) Cc: ichudov at algebra.com, cypherpunks at toad.com, e$@thumper.vmeng.com Reply-To: ichudov at algebra.com (Igor Chudov) In-Reply-To: <199607062117.XAA25154 at digicash.com> from "bryce at digicash.com" at Jul 6, 96 11:16:59 pm From: ichudov at algebra.com (Igor Chudov @ home) X-No-Archive: yes X-Mailer: ELM [version 2.4 PL24 ME7] Content-Type: text bryce at digicash.com wrote: > You know, Igor... > (It has been a few months since I was hot on this idea, but > hearing about your practical PGP successes has gotten me > interested again...) > > If you have a moderation bot for a Usenet group (and could it be > pressed into service as a mailing list handler I wonder?), this Yes, it can be. When I was writing it I had in mind that I want to write a general moderation bot that can be _applied_ to USENET. There is a script processApproved which is called when a message should get posted. If you replace the usenet version of processApproved to mailing list version, you will be done. > would be a nice tool to start with in order to implement > full-fledged content/author ratings. Well, STUMP is a generic moderation tool. > Anybody wanna hack a perl > script or two to produce/consume content/author ratings for > cypherpunks (it could surely use some!). We can use my dormant > mailing list, c2punks at c2.net, as a parallel channel to transmit > cypherpunk (and maybe other) ratings. So, what you want is a tool that accepts "unmoderated" cpunks list, selects messages by authors with high ratings, and forwards only these into the "filtered" list? That's neat _if_ ratings are done by people whose tastes are similar to mine.. > Let me know. We _could_ adopt the ridiculously simple NoCeM > protocol, or the ever-mutating public key certificates being > designed in a nearby mailing list, or some protocol of our own. > (Shouldn't be too hard to come up with an implementable, useful > protocol.) ????? - Igor. -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMd7hAkjbHy8sKZitAQGGwwMAtgHInUGs0ugyLJKSzigjNoZ3Tdu3NW7X NgQkc+1ZyJz8ev43FM2knFmp7F8pImP5wZU9l6swJKsSXuzc7TRi6rObaLdOIVEY 4j0y/UWGGE6O+vGtavzjYOLiuVG7uoWk =RwfO -----END PGP SIGNATURE----- From strick at versant.com Sat Jul 6 18:20:51 1996 From: strick at versant.com (strick (henry strickland)) Date: Sun, 7 Jul 1996 09:20:51 +0800 Subject: shell script (Word lists for passphrases) In-Reply-To: Message-ID: <9607062251.AA17697@vp.versant.com> # From: "Erik E. Fair" (Time Keeper) # # You could just snarf up a week's worth of netnews... This is trival and, in practice, work great. Feed it mail, news, man pages, etc. You can cascade results to eliminate huge sorts. The final grep is my hueristic for english; you can delete or modify it. Happy hacking. strick cat "$@" | tr A-Z a-z | grep -v "^message-id:" | grep -v "^received:" | tr -c "a-zA-Z" " " | grep -v "^$" | sort | uniq | grep -v "[bcdfghjklmnpqrtvwxz][bcdfghjklmnpqrtvwxz][bcdfghjklmnpqrtvwxz][bcdfghjklmnpqrtvwxz]" From llurch at networking.stanford.edu Sat Jul 6 18:42:40 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sun, 7 Jul 1996 09:42:40 +0800 Subject: CCC Crypto Lock In-Reply-To: <19004146800633@bfree.on.ca> Message-ID: On Sun, 7 Jul 1996, Tim Philp wrote: > The fact that this patent was issued indicates to me that the patent office > does not understand computer technology. Gee. Next you'll be telling us that the US Congress isn't always sensitive to libertarian issues. -rich From ichudov at algebra.com Sat Jul 6 19:15:02 1996 From: ichudov at algebra.com (Igor Chudov @ home) Date: Sun, 7 Jul 1996 10:15:02 +0800 Subject: [RANT] Giving Mind Control Drugs to Children In-Reply-To: Message-ID: <199607062339.SAA02129@manifold.algebra.com> > At 6:17 PM 7/6/96, Alan Olsen wrote: > >With these sort of tools, we are conditioning our children that it is OK if > >someone filters their information before they see it. (Without even knowing > >the *KIND* of information being filtered, because even *THAT* level of > >knowledge is harmful and/or proprietary.) That it is OK for some parental > >figure to eliminate all the "nasty" and "awful" information before someone > >can hurt themselves with it. That itt is OK to prevent others from viewing > >information to complex for their childlike minds. What annoys me to NO END is the laws that require that children under age of 13 (?) must always be under parental supervision. These laws even say that leaving children unsupervised is child abuse. Well, i can grant that there are dangers associated with leaving children alone. But being constantly supervised is way worse. It is like being in jail. igor From ichudov at algebra.com Sat Jul 6 19:18:06 1996 From: ichudov at algebra.com (Igor Chudov @ home) Date: Sun, 7 Jul 1996 10:18:06 +0800 Subject: more about the usefulness of PGP In-Reply-To: <199607061957.VAA21682@digicash.com> Message-ID: <199607062333.SAA02110@manifold.algebra.com> make sure that you are protected from replay attacks. a good idea would be to make the server to send cookies by request of the remote user (you can limit the number of people to whom the server sends cookies) and make sure that messages without the latest cookie will NOT be executed. igor bryce at digicash.com wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Here's an idea that I always wanted to implement but never did > yet. I thought I'd share and if someone else has already done > it let me have a copy. > > > I should be able to execute scripts remotely by sending e-mail > to an account. Simple mail-handling scripts at that account > should check the PGP signature (and timestamp/counter to prevent > replay/delay attacks) and then pass the contents to a full > script-language interpreter. > > > Perl is a natural choice of interpreter. Has anybody > implemented this (hopefully complete with replay/delay > prevention)? > > > Thanks! > > Bryce > > P.S. No, actually I can't think of any good use for this > trick. But maybe if I had it I would find good uses for it. > > > > -----BEGIN PGP SIGNATURE----- > Version: 2.6.2i > Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 > > iQB1AwUBMd7FIEjbHy8sKZitAQHhRQMAmZoekRgmUKSYv89/QrkzRFdTUZLZHK8a > tlaXLtyJXrOjajxJRVvXWY7Rum6mVXe/4eHTPCGzzWQdXMJB/TJSQeRmTuSiSd9i > 0DtWcQSmP4q5AFor48NtNvqAOEonf5Vi > =My90 > -----END PGP SIGNATURE----- > - Igor. From wb8foz at nrk.com Sat Jul 6 19:24:39 1996 From: wb8foz at nrk.com (David Lesher) Date: Sun, 7 Jul 1996 10:24:39 +0800 Subject: Radiological Survey Meter (fwd) Message-ID: <199607062350.TAA03661@nrk.com> If you want such for random #'s.... Tony S. Patti <103514.36 at CompuServe.COM> of Cryptosystems Journal mentioned he'd found a meter as follows: RESOURCES UN-LTD. 800-810-4070. Victoreen Model 1 from 1964, in the original box. $39.00 -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From shamrock at netcom.com Sat Jul 6 19:35:18 1996 From: shamrock at netcom.com (Lucky Green) Date: Sun, 7 Jul 1996 10:35:18 +0800 Subject: Need PGP-awareness in common utilities Message-ID: At 23:56 7/6/96, bryce at digicash.com wrote: >Hm. That might be an interesting addition to my plan, but the >first step is to generate ratings and to consume them at each >individual's mail-handling site. So I, for example, would run a >script every time I received mail (or every hour, or every day, >etc) which looked for ratings certificates, PGP-verified them, >and saved the rating in a database. Then I would run another >script (every time I received mail, or every hour, etc.) which >identified incoming messages and _did_ something to them if >there were sufficient ratings in the database to merit _doing_ >something to them (e.g. delete, promote to a "well-rated" >folder, demote to a "poorly-rated" folder, forward to my >friends, forward to my enemies, etc.). As has been discussed in numberous previous threads on this topic, even a passive rating system is very hard to implement. The computer doesn't know if you hit delete because the post was garbage or because you are running late on some project. An active rating system is virtually impossible to implement, given the added workload on the readers. Good lucky anyway, -- Lucky Green PGP encrypted mail preferred. Disclaimer: My opinions are my own. From bryce at digicash.com Sat Jul 6 20:25:05 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Sun, 7 Jul 1996 11:25:05 +0800 Subject: Need PGP-awareness in common utilities In-Reply-To: Message-ID: <199607070030.CAA05537@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- Lucky wrote something like: > > As has been discussed in numberous previous threads on this topic, even a > passive rating system is very hard to implement. The computer doesn't know > if you hit delete because the post was garbage or because you are running > late on some project. What's the difference? All practical measure of value is in comparison to competing objects. This _does_ mean that your "approvalness" coefficient goes up and down as your situation changes, but it doesn't mean that your rating becomes meaningless. Hm. If it happened that a bunch of prolific raters got busy, ratings across the board would go down. (Seems statistically unlikely, but still...) Then when they went back up there would be a "burst of activity" effect. :-) Possibly what I like most about ratings and micropayments is how the quantify previously unquantified human behavior. We've all seen the "burst of activity" on a mailing list or at a party, or on a stock market, right? Well that is just people's ratings all pushing each other up! > An active rating system is virtually impossible to > implement, given the added workload on the readers. Which is where the small payments to ratings producers from ratings consumers comes in. Again this is just the quantification of a phenomena that we all take for granted. (Namely, that people who produce quality ratings are producing a value and trading/contributing it to others.) ("'Just' the quantification", I said !! That might seem like a hilarious understatement someday.) Bryce -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMd8FO0jbHy8sKZitAQEBoQMAmMtQg0cTrdXpHf07p1sYVUPAnJq+Jp1v /g6CqYu/YwIRHmnHyLmCehqB74xYJ6sjOLmKaYXd12f1oFUJL9rsx2LAEiPNeAMb gSClZhpUu++CE+PfH8GlOZ1E/75ZcIx0 =V0z6 -----END PGP SIGNATURE----- From mpd at netcom.com Sat Jul 6 20:27:14 1996 From: mpd at netcom.com (Mike Duvos) Date: Sun, 7 Jul 1996 11:27:14 +0800 Subject: [RANT] Giving Mind Control Drugs to Children In-Reply-To: <199607062339.SAA02129@manifold.algebra.com> Message-ID: <199607070045.RAA24335@netcom5.netcom.com> tcmay at got.net (Timothy C. May) writes: > The doublethink and hypocrisy of modern society is > astounding. > When the mother (a single mother, as this is California) > drops her son off with my friend (also single, of course), > she includes several "Ritalin" capsules with instructions on > how to dose her son with this depressant/behavior > modification drug. > My friend ignores these Ritalins, which upsets the Mom > greatly the next day when she realizes her son has not been > given the tranks that are also known as "Mother's little > helpers." This, of course, is justified by the psychiatric profession's invention of dozens of bogus diseases, syndromes, and disorders for children. These are not caused by any organic pathology, of course, but are instead defined solely by the child belonging to the upper five percent of those exhibiting perfectly normal behaviors which annoy people who have money to hire psychiatrists. For kids, that's parents and teachers, and the afflicted population jumps to ten percent if you happen to be a kid unlucky enough to be under the care of Mormons. Refuse to go to a crappy public school and you are suffering from "School Phobia." Don't jump to follow the orders of the nearest adult, or disagree with an adult, and its "Oppositional-Defiant" Disorder. Not to mention the plethora of ADD/ADDH nonsense that is used to label any kid who is bored to tears by eight hours a day of political indoctrination from the NEA and AFT. Drugs for the poor, and therapy for the rich who can afford it, are of course the way the psychiatric profession offers to "cure" these invented maladies. And since every population of children will have an upper five percent (ten percent, for Mormons), a neverending supply of patients is assured. > This discipline sets him straight, but it's not something > his New Age "supermom" would ever think of doing. Hence the > kid throws temper tantrums, acts out, calls her "You fucking > asshole" (remember, he's only 8 or so), and so on. So she > cranks up his dose of Ritalin and he's zoned out for a > while. Actually, I think calling someone who force-feeds you a mind-numbing drug "A Fucking Asshole" is, to borrow one of Tim's favorite words, "Unremarkable." :) This Soviet-style "Medicalization of Dissent", while applied primarily to children today, historically has been done by the psychiatric profession on behalf of anyone who could write their name on a large check. It wasn't too long ago that they even had an official mental disorder whose symptoms were "an abnormal desire for freedom" on the part of a Black man. Slave owners must have been just as happy with that as Ritalin-dispensing parents and teachers are today. > The connection with the themes of our list is that this > linguistic doublethink is what allows Big Brother's control > of our communications and private files to be called by the > relatively benign name of "escrow." Indeed. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From markm at voicenet.com Sat Jul 6 22:55:14 1996 From: markm at voicenet.com (Mark M.) Date: Sun, 7 Jul 1996 13:55:14 +0800 Subject: [RANT] Giving Mind Control Drugs to Children In-Reply-To: <199607070045.RAA24335@netcom5.netcom.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sat, 6 Jul 1996, Mike Duvos wrote: > This, of course, is justified by the psychiatric profession's > invention of dozens of bogus diseases, syndromes, and disorders > for children. These are not caused by any organic pathology, of > course, but are instead defined solely by the child belonging to > the upper five percent of those exhibiting perfectly normal > behaviors which annoy people who have money to hire > psychiatrists. For kids, that's parents and teachers, and the > afflicted population jumps to ten percent if you happen to be a > kid unlucky enough to be under the care of Mormons. While the psychiatric profession has invented many bogus diseases, that does not mean that the profession has no credibility. Remember that psychology is little more than philosophy. Abnormal behavior patterns don't necessarily mean that a child has a disorder or disease. However, if the child experiences physical symptoms, then a chemical imbalance in the brain is not that farfetched. > > Refuse to go to a crappy public school and you are suffering from > "School Phobia." Don't jump to follow the orders of the nearest > adult, or disagree with an adult, and its "Oppositional-Defiant" > Disorder. Not to mention the plethora of ADD/ADDH nonsense that > is used to label any kid who is bored to tears by eight hours a > day of political indoctrination from the NEA and AFT. First of all, a child is considered to have "school phobia" when the child refuses to go to school and also has severe anxiety attacks, vomiting, and nausea. It's a lot more than refusing to go to a "crappy public school." Attention Deficit Disorder is hardly nonsense; it's a disorder found to be partly hereditary and strongly linked with clinical depression. [...] > > Actually, I think calling someone who force-feeds you a > mind-numbing drug "A Fucking Asshole" is, to borrow one of Tim's > favorite words, "Unremarkable." :) > > This Soviet-style "Medicalization of Dissent", while applied > primarily to children today, historically has been done by the > psychiatric profession on behalf of anyone who could write their > name on a large check. It wasn't too long ago that they even had > an official mental disorder whose symptoms were "an abnormal > desire for freedom" on the part of a Black man. Slave owners > must have been just as happy with that as Ritalin-dispensing > parents and teachers are today. > > > The connection with the themes of our list is that this > > linguistic doublethink is what allows Big Brother's control > > of our communications and private files to be called by the > > relatively benign name of "escrow." > > Indeed. I do agree that Ritalin, like Prozac, is being used inappropriately as a sort of cure-all drug. And I also agree that inventing malodies for anything undesirable to society has Orwellian implications. Everyone who doesn't agree with the State is obviously mentally ill and must be "cured." There are real illnesses, and there are fake ones. Just because the psychiatic profession does attribute certain behavior to some non-existent illness doesn't mean there is any reason to not believe in any psychological maladies. There are many severe and very painfull illnesses such as depression, schizophrenia, obsessive-compulsive disorder, and multiple personality disorder. There are also psychological disorders such as anorexia, phobias, and mood disorders. It's surprising to me that people consider the Unabomber "insane" but yet do not believe that many very real mental illnesses and disorders exist. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xe3bf2169 http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348 "Freedom is the freedom to say that two plus two make four. If that is granted, all else follows." --George Orwell, _1984_ -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMd8rRLZc+sv5siulAQGw4gQAmCLWrkz1Cql7tpPXypzfoGRS6PL2cjIQ TDa+Q/htq1OV5PjKYo7a06jfMQbpoR+fLmXHi9dc4DOVNfSeExXSEc5Y1RLu7ZvH lLAmKdefLUZ7BuYAWgPxSYCHzWk9hEqK4A7Vj2rhpDQ7r9TpplQ3otkf0mZyul5X EIIdF1jGfEY= =GIrL -----END PGP SIGNATURE----- From AwakenToMe at aol.com Sat Jul 6 23:38:45 1996 From: AwakenToMe at aol.com (AwakenToMe at aol.com) Date: Sun, 7 Jul 1996 14:38:45 +0800 Subject: Word lists for passphrases Message-ID: <960706235319_428841777@emout16.mail.aol.com> In a message dated 96-07-06 21:46:03 EDT, stend at grendel.austin.texas.net (Firebeard) writes: << It's also trivial enough to be done by 99% of the people on cypherpunks in their sleep. As for realy secure systems, they aren't on the net, they don't have dialups, and you access them from vaults. >> Yes. But let me ask you this. Have you done it yet?? I doubt it. And if ya needed it.. and someone had it...wouldnt you just say.. Uh.. OK.. Ill take it rather than spend my precious time on it. Exactly. Later. From jamesd at echeque.com Sun Jul 7 00:56:32 1996 From: jamesd at echeque.com (James A. Donald) Date: Sun, 7 Jul 1996 15:56:32 +0800 Subject: Net and Terrorism. Message-ID: <199607070519.WAA14764@dns1.noc.best.net> At 09:03 PM 7/6/96 +0500, Arun Mehta wrote: > Once the Soviet menace faded, the same > fighters were branded terrorists. Mixed signals like this are responsible > for much of the animosity that one finds in the Islamic world (possibly even > in other parts of the world) against the US. Some of them *were* and are terrorists. Some of them are not. If Islamic freedom fighters refrained from murdering monks and sixteen year old girls then people would refrain from calling them terrorists. It is not the mixed signals, it is the mixed behavior. The islamic fundamentalists have a thoroughly well deserved reputation for malevolent evil, for rape and the deliberate individual personal murder of women and children as an instrument of terror. While the guys fighting the Israelis in Lebanon are more or less honorable men who fight according to the laws of war, the Islamic fundamentalists in Algeria are simply vicious subhuman monsters who deserve to die, each and every one, and their pals in Egypt and the Sudan are not much better. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From dlv at bwalk.dm.com Sun Jul 7 01:02:32 1996 From: dlv at bwalk.dm.com (Dr.Dimitri Vulis KOTM) Date: Sun, 7 Jul 1996 16:02:32 +0800 Subject: [RANT] Giving Mind Control Drugs to Children In-Reply-To: <199607062339.SAA02129@manifold.algebra.com> Message-ID: <52FoqD17w165w@bwalk.dm.com> ichudov at algebra.com (Igor Chudov @ home) writes: > What annoys me to NO END is the laws that require that children under > age of 13 (?) must always be under parental supervision. These laws > even say that leaving children unsupervised is child abuse. Igor, it was safe to leave childred alone in Russia because in Russia perverts and child molesters were jailed and/or castrated. Here in the U.S. perverts have 'civil rights'. Hence the children must be protected from them. --- Dr.Dimitri Vulis KOTM Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From cyberia at cam.org Sun Jul 7 01:33:52 1996 From: cyberia at cam.org (CyberEyes) Date: Sun, 7 Jul 1996 16:33:52 +0800 Subject: Word lists for passphrases In-Reply-To: <1cJNqD2w165w@bwalk.dm.com> Message-ID: On Sat, 6 Jul 1996, Dr.Dimitri Vulis KOTM wrote: > K3wl Hack, D00dz! Why don't you post it to coderpunks - it's probably way > too technical for cypherpunks. I wonder if the util comes with the source > code, and what language it's written in. It's 10K long (the exe file), so it's probably programmed in Pascal, not Assembler, which would probably be more efficient. Ryan A. Rowe - Montreal, Quebec /Seeking Internet-related job!/ aka CyberEyes, Rubik'S Cube I will relocate _ANYWHERE_. Tel. -> +1-514-626-0328 | __o o E-Mail -> cyberia at cam.org | _ \<_ <\ WWW -> http://www.cam.org/~cyberia | __/\o_ (_)/(_) /> IRC -> #CAli4NiA, #Triathlon, #Surfing | FTP -> ftp.cam.org /users/cyberia | swim bike run Read my C.V. at http://www.cam.org/~cyberia/resume-e.html "In lieu of experience, I have a willingness to learn." "Everyone has their day, mine is July 15th, 1998." From furballs at netcom.com Sun Jul 7 02:25:52 1996 From: furballs at netcom.com (Paul S. Penrod) Date: Sun, 7 Jul 1996 17:25:52 +0800 Subject: CCC Crypto Lock In-Reply-To: <199607061734.NAA18987@unix.asb.com> Message-ID: On Sat, 6 Jul 1996, Deranged Mutant wrote: > On 6 Jul 96 at 4:10, anonymous-remailer at shell.port wrote: > > > MicroPatent, 4 July 96 > [..] > > Abstract: Disclosed systems and methods for protecting a > > software program from unauthorized use and copying > > through the removal at least one of a plurality of > > instructions comprising a software program, and > > encrypting the removed instruction utilizing an > > encryption algorithm to produce an encrypted instruction, > > the encryption algorithm responsive to a randomly > > generated key. > > Would certain computer viruses be considered prior art here? (Be it > that they encrypt for the purposes of hiding rather than copy > protection though.) > > > > Rob. > Possibly, when looked on in a narrow venue. Polymorphic viruses exhibit this as only one characteristic though. It would be a tough sell in my book. Unless the patent's author stipulates in his method that this issue is the basis for the claim and that his claim is unique because of this method - then it just one step of many from point A to B. As a hunch, I would suspect that Vault Corp. may have existing code that might qualify as prior art. Dave Lawrence and a few of his coding buddies spent several years staying one step ahead of software products like copyright, and it is concievable that some of this methodology may have been employed to do so. ...Paul From furballs at netcom.com Sun Jul 7 02:47:32 1996 From: furballs at netcom.com (Paul S. Penrod) Date: Sun, 7 Jul 1996 17:47:32 +0800 Subject: CCC Crypto Lock In-Reply-To: Message-ID: On Sat, 6 Jul 1996, Rich Graves wrote: > On Sun, 7 Jul 1996, Tim Philp wrote: > > > The fact that this patent was issued indicates to me that the patent office > > does not understand computer technology. > > Gee. Next you'll be telling us that the US Congress isn't always sensitive > to libertarian issues. > > -rich > Don't rush to judge too quickly. Software patents (For the most part) are *not* really understood by the patent office. Why do you think Compton's slid one by on Multi-media ? Fortunately, there was so much fuss set up over that one, the office pulled it for review. All it takes is someone "skilled in the art" to backup your claim that method "A" is provably workable... ...Paul From mpd at netcom.com Sun Jul 7 03:40:37 1996 From: mpd at netcom.com (Mike Duvos) Date: Sun, 7 Jul 1996 18:40:37 +0800 Subject: [RANT] Giving Mind Control Drugs to Children In-Reply-To: Message-ID: <199607070742.AAA26296@netcom5.netcom.com> "Mark M." writes: > While the psychiatric profession has invented many bogus > diseases, that does not mean that the profession has no > credibility. Remember that psychology is little more than > philosophy. Abnormal behavior patterns don't necessarily > mean that a child has a disorder or disease. However, if > the child experiences physical symptoms, then a chemical > imbalance in the brain is not that farfetched. There are, of course, real mental illnesses with underlying pathology, like schizophrenia, bipolar disorder, and clinical depression. I'm not sure the existence of genuine mental illness makes the psychiatric profession credible, however, when they are all too willing to climb in bed with the latest political fad. Recall those "experts" during World War I who explained with prefect seriousness to the American public that the reason the Germans' heads fit so well into those pointy helmets was that their brains were missing the part that distinguished right from wrong. Adolescent Psychiatric Imprisonment and Insurance Fraud are a multi-million dollar well-organized business in the United States, and talk shows are filled with women who split into 1,000 different personalities, some of them alien visitors, after being traumatized by some sexual oddity. > First of all, a child is considered to have "school phobia" > when the child refuses to go to school and also has severe > anxiety attacks, vomiting, and nausea. Goodness gracious, you make these people sound almost reasonable. I remember last year one local TV station did a piece on "school phobia", and the wonderful drugs that could be used to treat it. The kid profiled simply didn't like school, and refused to attend it, and the list of symptoms given to help parents recognize the disorder were entirely attendance related. Of course, with enough Mellaril in your system, you can probably put up with just about anything. > Attention Deficit Disorder is hardly nonsense; it's a > disorder found to be partly hereditary and strongly linked > with clinical depression. ADD people are simply the upper 5-10% of the population with regard to behavioral traits which make learning more difficult. Of course such things can be hereditary and of course people who can't live up to expectations placed upon them sometimes get clinically depressed. The thing to remember here is that we are looking at things which show continuous normal variation in any population, like height and hatsize, and the people who are being labeled and treated here are hardly some huge number of standard deviations away from the norm. > There are real illnesses, and there are fake ones. Just > because the psychiatic profession does attribute certain > behavior to some non-existent illness doesn't mean there is > any reason to not believe in any psychological maladies. Which of course is not the issue here. No one has stated that legitimate mental illness does not exist, merely that the profession has a tendency to use creative imagination where a market or political pressure exists. > It's surprising to me that people consider the Unabomber > "insane" but yet do not believe that many very real mental > illnesses and disorders exist. Insanity is a legal term which by its very construction, is an almost impossible set of criteria to meet. It has nothing to do with any scientific definition of mental illness. You can be completely bonkers and carrying on meaningful conversations with wall ornaments, and the government will be more than happy to fry you in the electric chair. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From ses at tipper.oit.unc.edu Sun Jul 7 08:37:17 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sun, 7 Jul 1996 23:37:17 +0800 Subject: [RANT] Giving Mind Control Drugs to Children In-Reply-To: Message-ID: On Sat, 6 Jul 1996, Timothy C. May wrote: > > When the mother (a single mother, as this is California) drops her son off > with my friend (also single, of course), she includes several "Ritalin" > capsules with instructions on how to dose her son with this > depressant/behavior modification drug. Er... Tim... Ritalin is an amphetamine. --- Cause maybe (maybe) | In my mind I'm going to Carolina you're gonna be the one that saves me | - back in Chapel Hill May 16th. And after all | Email address remains unchanged You're my firewall - | ........First in Usenet......... From ses at tipper.oit.unc.edu Sun Jul 7 08:46:11 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sun, 7 Jul 1996 23:46:11 +0800 Subject: NYT/CyberTimes on CWD article In-Reply-To: Message-ID: Actually, no matter what scheme you use, you are always vulnerable to a quite practical brute force attack- simply treat the filter as an oracle, and feed it the result of a 'web-crawl'. Simon --- Cause maybe (maybe) | In my mind I'm going to Carolina you're gonna be the one that saves me | - back in Chapel Hill May 16th. And after all | Email address remains unchanged You're my firewall - | ........First in Usenet......... From sandfort at crl.com Sun Jul 7 10:09:59 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Mon, 8 Jul 1996 01:09:59 +0800 Subject: [RANT] Giving Mind Control Drugs to Children In-Reply-To: Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Sun, 7 Jul 1996, Simon Spero wrote: > On Sat, 6 Jul 1996, Timothy C. May wrote: > > > > ...she includes several "Ritalin" > > capsules with instructions on how to dose her son with this > > depressant/behavior modification drug. > > Er... Tim... Ritalin is an amphetamine. Yes, normally, but doesn't it have a paradoxical reaction for hyperactive children (i.e., it acts as a depressant for them)? S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From dlv at bwalk.dm.com Sun Jul 7 11:09:25 1996 From: dlv at bwalk.dm.com (Dr.Dimitri Vulis KOTM) Date: Mon, 8 Jul 1996 02:09:25 +0800 Subject: [RANT] Giving Mind Control Drugs to Children In-Reply-To: Message-ID: Simon Spero writes: > On Sat, 6 Jul 1996, Timothy C. May wrote: > > > > When the mother (a single mother, as this is California) drops her son off > > with my friend (also single, of course), she includes several "Ritalin" > > capsules with instructions on how to dose her son with this > > depressant/behavior modification drug. > > Er... Tim... Ritalin is an amphetamine. Yes, it's an _anti-depressant, supposedly turning up those pieces of the brain responsible for "tuning out" outside interference, and letting the hyperactive kid concentrate. But a true cypherpunk never lets any facts interfere with his political agenda. --- Dr.Dimitri Vulis KOTM Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From mpd at netcom.com Sun Jul 7 11:10:28 1996 From: mpd at netcom.com (Mike Duvos) Date: Mon, 8 Jul 1996 02:10:28 +0800 Subject: [RANT] Giving Mind Control Drugs to Children In-Reply-To: Message-ID: <199607071543.IAA26229@netcom22.netcom.com> Sandy writes: > Yes, normally, but doesn't it have a paradoxical reaction for > hyperactive children (i.e., it acts as a depressant for them)? So the medical profession tells us. It's a curious message. College students who take methamphetamine during exam week to increase their alertness and performance are criminals, and bomber pilots and kids who take this or a similar drug for the same reasons are not. "Just Say No to Drugs Big Brother Doesn't Give You" -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From owner-mblvd at telebase.com Sun Jul 7 11:13:13 1996 From: owner-mblvd at telebase.com (owner-mblvd at telebase.com) Date: Mon, 8 Jul 1996 02:13:13 +0800 Subject: Exciting News on Music Boulevard Message-ID: <199607071407.KAA01680@telebase.com> Dear Friends of Music Boulevard: We're excited to announce a major redesign of Music Boulevard, the Ultimate Online Music Store(tm). We invite you - as someone who has visited and/or opened an account with us - to check out our new look at WWW.MUSICBLVD.COM! Many of the changes and improvements we have made are in response to your feedback. The new Music Boulevard is faster, contains more content, and is easier to navigate. Our fantastic collection of music magazines and Billboard(r) charts are now available to everyone! We think you'll really enjoy shopping in our new environment. We are also pleased to introduce the Music Boulevard Frequent Buyers Club. Membership in the Frequent Buyers Club is free. Once you sign-up, you will be rewarded with a free CD of your choice for every 10 you purchase! As always, we continue to provide the best Customer Service of any site on the internet. We have recently added more customer service representatives who will be glad to assist you with your inquiries. We'd like to thank you for visiting Music Boulevard, and we'd be very interested in your feedback on our new interface. If you have any questions, feel free to contact us at 1.800.216.6000 or 610.293.4793. Our email address is service at musicblvd.com. Sincerely, The Music Boulevard Staff From tcmay at got.net Sun Jul 7 12:42:52 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 8 Jul 1996 03:42:52 +0800 Subject: [RANT] Giving Mind Control Drugs to Children Message-ID: At 1:14 PM 7/7/96, Simon Spero wrote: >On Sat, 6 Jul 1996, Timothy C. May wrote: >> >> When the mother (a single mother, as this is California) drops her son off >> with my friend (also single, of course), she includes several "Ritalin" >> capsules with instructions on how to dose her son with this >> depressant/behavior modification drug. > >Er... Tim... Ritalin is an amphetamine. Whatever. It acts as a calmant/tranquilizer/depressant on many. (As with many drugs, there are apparently paradoxical effects. Alcohol is a downer for some, and upper for others.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Sun Jul 7 12:48:04 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 8 Jul 1996 03:48:04 +0800 Subject: [RANT] Giving Mind Control Drugs to Children Message-ID: At 3:06 PM 7/7/96, Dr.Dimitri Vulis KOTM wrote: >Simon Spero writes: >> Er... Tim... Ritalin is an amphetamine. > >Yes, it's an _anti-depressant, supposedly turning up those pieces of the brain >responsible for "tuning out" outside interference, and letting the hyperactive >kid concentrate. But a true cypherpunk never lets any facts interfere with his >political agenda. Vulis, time to put you back in my killfile. Gratuitous insults, especially those not based on important factual points, is your standard mode. (As Sandy S. also noted, Ritalin has "paradoxical" effects. (I saw Sandy's remark after sending off my reply to Simon.)) I've _seen_ the kid on Ritalin, and he's zombie. When it wears off, he's back to being alert and active. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From rah at shipwright.com Sun Jul 7 13:08:32 1996 From: rah at shipwright.com (Robert Hettinga) Date: Mon, 8 Jul 1996 04:08:32 +0800 Subject: [RANT] Giving Mind Control Drugs to Children In-Reply-To: Message-ID: At 10:25 AM -0400 7/7/96, Sandy Sandfort wrote: > > Er... Tim... Ritalin is an amphetamine. > > Yes, normally, but doesn't it have a paradoxical reaction for > hyperactive children (i.e., it acts as a depressant for them)? Yes. And for some of *them*, it makes them monomaniacal SOBs. ;-). I get more work done with Ritalin, but I'm *much* nicer without it. I've decided to live with ADD rather than treat it, which is what most people (including "Dr. ADD", Richard(?) Hallowell) do. Jolt cola is also popular. :-). Like a lot of pop-psychopharmacology, "syndromes" frequently get defined by whether the right drug has the desired effect. If prozac works, you're depressed, if Ritalin does, you're an ADDer, and so on. By Tim's anecdotal evidence, the little hellion (hey, *I* was one...) must be ADD because Ritalin works. You can actually see ADD with a PET scan, but the proper way to get a diagnosis of ADD is to get tested for it, which, in the case of ADD, is an expensive man-day or two with with some clinical shrink in your face, and a bunch of frustrating (if you're ADD) tests of your attention and ability to focus in the presence of a lot of distractions. Oddly enough, *another* pop-psychologist from Harvard was on "20/20" this week talking about "emotional" intellegence, and one of the determinants was inability to understand delayed gratification. Like most kids with ADD, I must have been a drooling idiot, in that case. However, I practically agree with Tim on all of his screed. (A good one, I might add. He probably only reread it once for punctuation and spelling before he did a command-e to send it on its way. After wiping the foam from his mouth, that is. ;-)) It seems to me that the very *last* person to be allowed to diagnose ADD is some crypto-socialist, fucking-statist, control-freak, industrial-mode, human-warehouse-zookeeping "educator". The humorous irony of all this is, of course, that my wife is a senior education bureaucrat for the People's Republic of Massachusetts. An "equal time" marriage indeed. And *she* pays the health insurance, because I couldn't keep a *steady* job if my life depended on it. (A compensatory mechanism?) Well, maybe if my *life* depended on it. That *might* get my attention. BarelyObCrypto: ADD is more about lack of attention *control* than lack of attention itself. Hyperfocus is also a trait of ADHD, and computers tend to cause hyperfocus for a lot of ADDers. How many easily distracted knee-jiggling wunderkind hackers do *you* know? Care to guess how many ADDers there are on cypherpunks? Wiping foam from *my* mouth, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "If they could 'just pass a few more laws', we would all be criminals." --Vinnie Moscaritolo The e$ Home Page: http://www.vmeng.com/rah/ From WlkngOwl at unix.asb.com Sun Jul 7 13:13:34 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Mon, 8 Jul 1996 04:13:34 +0800 Subject: NYT/CyberTimes on CWD article Message-ID: <199607071744.NAA25788@unix.asb.com> On 6 Jul 96 at 16:56, eli+ at gs160.sp.cs.cmu.edu wrote: > >http://www.nytimes.com/library/cyber/week/0706patrol-reporters.html > > "If we believe the encryption scheme has > > been compromised, we will make another > > one." [..] > They have to give you the list, and they have to give you software > that uses it, so there's no way to achieve complete secrecy. I think > the best they can do is to distribute a list of hashed URLs. What? After they paid for the rights to use "Infinite Vigniere Key" Technology.... I'm surprised that they went so far as to try to encrypt the naughty URLs list (but some kids would get off on just reading the list alone anyway). Hashing could be problematic... how to differentiate between a site and it's users. www.pornopix.com is obvious, but the directory tree of www.localisp.com/~perv/mypix/ is harder to filter out with hashing if subdirectories or specific images are called up, unless the software has a way to differentiate between sites and specific users or directories on those sites. (I wonder if the software can tell that ~perv/ and /users/home/perv/ or /home/perv/ can be the same directory on some systems? That would be an interesting flaw. Has anyone hacked with the software?) Another problematic with Net-Nurse type software: a database of naughty sites and naughty users... a real goldmine for prosecutors. Rob. --- No-frills sig. Befriend my mail filter by sending a message with the subject "send help" Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From WlkngOwl at unix.asb.com Sun Jul 7 13:17:35 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Mon, 8 Jul 1996 04:17:35 +0800 Subject: Oh no! No ratings again... (Re: Need PGP-awareness in common uti Message-ID: <199607071744.NAA25792@unix.asb.com> On 6 Jul 96 at 23:16, bryce at digicash.com wrote: > If you have a moderation bot for a Usenet group (and could it be > pressed into service as a mailing list handler I wonder?), this > would be a nice tool to start with in order to implement > full-fledged content/author ratings. [..] Bad idea unless the list is rating authors who are not on the list. It would be equivalent to setting up a reputation web. Or is this a stab at humor? Rob. --- No-frills sig. Befriend my mail filter by sending a message with the subject "send help" Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From WlkngOwl at unix.asb.com Sun Jul 7 13:31:54 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Mon, 8 Jul 1996 04:31:54 +0800 Subject: Need PGP-awareness in common utilities Message-ID: <199607071744.NAA25785@unix.asb.com> On 6 Jul 96 at 23:56, bryce at digicash.com wrote: [..] > Hm. That might be an interesting addition to my plan, but the > first step is to generate ratings and to consume them at each > individual's mail-handling site. So I, for example, would run a > script every time I received mail (or every hour, or every day, > etc) which looked for ratings certificates, PGP-verified them, > and saved the rating in a database. Then I would run another > script (every time I received mail, or every hour, etc.) which > identified incoming messages and _did_ something to them if > there were sufficient ratings in the database to merit _doing_ > something to them (e.g. delete, promote to a "well-rated" > folder, demote to a "poorly-rated" folder, forward to my > friends, forward to my enemies, etc.). Some lists require plenty of time to read each day (let alone if I go on a vacation for a few days and want to catch up). Managing a rating system would double the work if I were to do it by hand-rating the raters, etc. It's easier to put certain people or subject threads in a twit-list folder and delete the rest by hand rather than put twice that effort into a rating system... chances are most people who quickly tire of maintaining it, let the rating system run on autopilot and then disable it when they realize they missed something really important or interesting. Rob. --- No-frills sig. Befriend my mail filter by sending a message with the subject "send help" Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From jya at pipeline.com Sun Jul 7 14:13:36 1996 From: jya at pipeline.com (John Young) Date: Mon, 8 Jul 1996 05:13:36 +0800 Subject: Wiretapping Rises EYE_son Message-ID: <199607071830.SAA23675@pipe4.ny3.usa.pipeline.com> The Wash Post today has page one lead story on the sharp rise in wiretapping by the Clinton administration. Former restraints due to high cost have been overcome with more money and more efficeint technology, eagerly supported by a bipartisan Congress and grateful LEA and DoJ cartelest conspiracists. And, there is a lengthy Op-Ed on the "growing stealth slice of the shrinking defense pie." Lots and lots of secrets, can't get enough of them, can't tell the public what they are, about real and imaginary terrorists and anti-terrorists -- and bypass the private citizens that threaten budgets and jobs and inner sanctum privileges. See at: http://www.washingtonpost.com No Web access? Or hate snooping newspapers, and spies traffic-analyzing? Send us via Ross Anderson's true anonymizer end-to-end encrypted spize-only top secret E-mail with the subject: EYE_son From minow at apple.com Sun Jul 7 14:14:53 1996 From: minow at apple.com (Martin Minow) Date: Mon, 8 Jul 1996 05:14:53 +0800 Subject: [RANT] Giving Mind Control Drugs to Children Message-ID: Simon Spero comments on Tim May's Ritalin rant: >On Sat, 6 Jul 1996, Timothy C. May wrote: >> >> When the mother (a single mother, as this is California) drops her son off >> with my friend (also single, of course), she includes several "Ritalin" >> capsules with instructions on how to dose her son with this >> depressant/behavior modification drug. > >Er... Tim... Ritalin is an amphetamine. > Yup, and it was the illegal drug of choice in Sweden in the 1960's, making its use as a convenient way to quiet down rambuncious kids a bit strange -- but the "medical professionals" have an explanation. Interestingly, it is illegal to hit kids in Sweden -- the courts call it assault, just as if you hit an adult. When I lived there (in the '60 and '70s), I took an informal survey and found only one person who had ever been spanked as a child -- and only once, for breaking her brother's violin. A good friend would infrequently give her infant a pat on the bottom (when he tried climbing on the stove), but was always careful to aim for the well-padded diaper. You may wish to consider whether Sweden's low murder rate is related to the lack of parent-child violence. Martin Minow minow at apple.com From blackavr at aa.net Sun Jul 7 14:19:07 1996 From: blackavr at aa.net (Michael Myers) Date: Mon, 8 Jul 1996 05:19:07 +0800 Subject: [RANT] Giving Mind Control Drugs to Children Message-ID: <2.2.32.19960707181403.0068e0c4@aa.net> At 07:25 AM 7/7/96 -0700, Sandy Sandfort wrote: >Yes, normally, but doesn't it have a paradoxical reaction for >hyperactive children (i.e., it acts as a depressant for them)? As one of those "ADD" kids back in the '70's, the dextroamphetamine I was given actually did seem to calm me down. Of course, coffee also put me to sleep then. Happily, that situation has reversed itself as I've grown older. *grin* -- /^^^^^^^^^Instead of being born again, why not just GROW UP?^^^^^^^^^^^\ Michael Myers Vote Libertarian....you'll sleep better! Don't like abortion? Don't have one. Don't like guns? Don't buy one. blackavr at aa.net E-mail for PGPv2.6.2 public key \____________ http://www.aa.net/~blackavr/homepage.htm ________________/ From jamesd at echeque.com Sun Jul 7 14:30:49 1996 From: jamesd at echeque.com (James A. Donald) Date: Mon, 8 Jul 1996 05:30:49 +0800 Subject: [RANT] Giving Mind Control Drugs to Children Message-ID: <199607071816.LAA19127@dns1.noc.best.net> > > Er... Tim... Ritalin is an amphetamine. At 07:25 AM 7/7/96 -0700, Sandy Sandfort wrote: > Yes, normally, but doesn't it have a paradoxical reaction for > hyperactive children (i.e., it acts as a depressant for them)? Not really: Ordinary college students who use it to facilitate cramming report that it has the same effect on them as on hyperactive children. A well known symptom of amphetamine abuse is that the abusers will cheerfully persist in pointless and boring activities for hours on end, such as folding paper bags or stirring long overcooked spaghetti. Furthermore, people generally have to be forced by the threat of violence to take depressant drugs, especially neuroleptics, whereas everyone cheerfully takes their Ritalin. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From AwakenToMe at aol.com Sun Jul 7 14:31:42 1996 From: AwakenToMe at aol.com (AwakenToMe at aol.com) Date: Mon, 8 Jul 1996 05:31:42 +0800 Subject: [RANT] Giving Mind Control Drugs to Children Message-ID: <960707143334_429064903@emout08.mail.aol.com> Did I miss something?? I fisrt came here and asked something about protected mode and was yelled at for asking it in this newsgroup. Now we're onto mind control drugs? uhhhhhh ok. From markm at voicenet.com Sun Jul 7 15:22:31 1996 From: markm at voicenet.com (Mark M.) Date: Mon, 8 Jul 1996 06:22:31 +0800 Subject: [RANT] Giving Mind Control Drugs to Children In-Reply-To: <199607070742.AAA26296@netcom5.netcom.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- This will be my last comment on this thread. On Sun, 7 Jul 1996, Mike Duvos wrote: > Goodness gracious, you make these people sound almost reasonable. > I remember last year one local TV station did a piece on "school > phobia", and the wonderful drugs that could be used to treat it. > The kid profiled simply didn't like school, and refused to attend > it, and the list of symptoms given to help parents recognize the > disorder were entirely attendance related. Then the list of symptoms given was incorrect. The list I got was from _Living with Fear_ by Isaac M. Marks, M.D. > ADD people are simply the upper 5-10% of the population with > regard to behavioral traits which make learning more difficult. > Of course such things can be hereditary and of course people who > can't live up to expectations placed upon them sometimes get > clinically depressed. > > The thing to remember here is that we are looking at things which > show continuous normal variation in any population, like height > and hatsize, and the people who are being labeled and treated > here are hardly some huge number of standard deviations away from > the norm. That still doesn't mean it isn't a disorder. People with ADD _want_ to get better and be able to concentrate more. Drugs such as ritalin help them do just this. Dyslexia is also something that is a normal variation. Somehow, since it isn't psychologically related, no one would object if a drug was discovered that could cure it and was administered to children with dyslexia. Many people with ADD do not want to act the way they do, so it doesn't make sense to not treat it as a disorder. > > > There are real illnesses, and there are fake ones. Just > > because the psychiatic profession does attribute certain > > behavior to some non-existent illness doesn't mean there is > > any reason to not believe in any psychological maladies. > > Which of course is not the issue here. No one has stated that > legitimate mental illness does not exist, merely that the > profession has a tendency to use creative imagination where a > market or political pressure exists. Who decides which mental illnesses or disorder are legitimate? I think both school phobia and ADD are disorders that can be treated if the person with the disorder is willing to be treated. You are, of course, free to believe that these disorders are illegitimate, but the millions of people afflicted with these would tend to disagree. > > > It's surprising to me that people consider the Unabomber > > "insane" but yet do not believe that many very real mental > > illnesses and disorders exist. > > Insanity is a legal term which by its very construction, is an > almost impossible set of criteria to meet. It has nothing to do > with any scientific definition of mental illness. You can be > completely bonkers and carrying on meaningful conversations with > wall ornaments, and the government will be more than happy to fry > you in the electric chair. People who use the term to describe people who are abnormal don't know that. The word "sane" comes from the same root as "sanitary" which means clean or disease-free. Hence, insane means ill. It is true that the legal term "insane" is different from the scientific term "mentally ill", most people use insane as a diminutive term for someone they believe to be abnormal. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xe3bf2169 http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348 "Freedom is the freedom to say that two plus two make four. If that is granted, all else follows." --George Orwell, _1984_ -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMeAExbZc+sv5siulAQHVeAQAhrXpJLpvvjGJC1eU7zckqHROBsPEmc2Y d5f1URfKOp4bxiL48vrGqiCzX3GSEgZ8XabvPPDa4NK14mvyF6D2ReILAtfGpDOw CG71cMZVOq8PXjJlTBN8Z4TQ0m4D+duA//eCqhJUiLgGOdznPcNY4ZOl9FWxf2gh 78d6Bbv4fjg= =cpBT -----END PGP SIGNATURE----- From markm at voicenet.com Sun Jul 7 15:38:46 1996 From: markm at voicenet.com (Mark M.) Date: Mon, 8 Jul 1996 06:38:46 +0800 Subject: SAFE Forum--some comments In-Reply-To: <199607031912.MAA08980@netcom8.netcom.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Wed, 3 Jul 1996, Bill Frantz wrote: > I hear this as the server sends out a key which the client uses to encrypt > the username/password. This algorithm makes less sense than the one I > thought I heard at the SAFE forum on Monday which was: True. That algorithm is completely useless. > > (1) The server sends out a challenge/salt (different each time) > (2) The client uses a secure hash to compute hash(salt||password) and > returns the username and the hash. > (3) The server computes hash(salt||password) and compares the hashes. > > Given that there is still some interest in algorithms and protocols on this > list, can you describe what is really happening? That one makes more sense. If the salt is completely random, then an attacker will not be able to use a replay attack. Since the password is hashed, there is no way to find it out given the output. This does require the server to maintain a list of cleartext passwords, but that's not any worse then Kerberos which requires a KDC store everyone's DES key. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xe3bf2169 http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348 "Freedom is the freedom to say that two plus two make four. If that is granted, all else follows." --George Orwell, _1984_ -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMeAGBrZc+sv5siulAQEzGwQAp6rB1eJ5DIzn9Zs5LlEDFu3K7XFRcl7S /9MQ5ykCmvgnOqgN1Pud/KYLsZuY2x+G5W68EF0kTVfwarS2ZCT2wYVhH5cMaEQs 2YfxtoK9opB73GiMP3OJUTZlNPnwCCe/y/iHJN7HqAv/YLi+gdIc9rGXtfegE/eY sASbbC7C1oY= =NJSu -----END PGP SIGNATURE----- From tcmay at got.net Sun Jul 7 16:00:42 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 8 Jul 1996 07:00:42 +0800 Subject: [RANT] Giving Mind Control Drugs to Children Message-ID: At 5:02 PM 7/7/96, Robert Hettinga wrote: >Like a lot of pop-psychopharmacology, "syndromes" frequently get defined by >whether the right drug has the desired effect. If prozac works, you're >depressed, if Ritalin does, you're an ADDer, and so on. By Tim's anecdotal >evidence, the little hellion (hey, *I* was one...) must be ADD because >Ritalin works. Probably so, and I think I recall my friend mentioning that this was the kid needed the dose. Whether it's an upper or a downer or whatever is immaterial: it acts as a downer for this kid. A zombie drug, at least on this kid. (And I gather that this is the main effect on the many California schoolchildren who are getting their school-administered doses of mind control drugs.) >You can actually see ADD with a PET scan, but the proper way to get a >diagnosis of ADD is to get tested for it, which, in the case of ADD, is an >expensive man-day or two with with some clinical shrink in your face, and a >bunch of frustrating (if you're ADD) tests of your attention and ability to >focus in the presence of a lot of distractions. Oddly enough, *another* >pop-psychologist from Harvard was on "20/20" this week talking about >"emotional" intellegence, and one of the determinants was inability to >understand delayed gratification. Like most kids with ADD, I must have been >a drooling idiot, in that case. >From what I've read--and I'm no expert, having long had essentially the _opposite_ of "attention deficit disorder," assuming it really even exists!--most children getting Ritalin are just being sedated. Behavior control in its purest form. While the kids stop their wandering attention and constant physical motions, it's because they're in a mental fog, just one step away from drooling. (The 8-year-old friend of my friend's son is so zoned out he can't play video games well at all...until the drugs wear off.) >However, I practically agree with Tim on all of his screed. (A good one, I >might add. He probably only reread it once for punctuation and spelling >before he did a command-e to send it on its way. After wiping the foam >from his mouth, that is. ;-)) It seems to me that the very *last* person to Au contraire, I almost _never_ rework my posts. They are sent out as I write them, just as conversation is not reworked and edited. For an informal list, the conversational mode works best for me. (I get a kick out of John Young's obscure stuff, but if he _talks_ this way, whoah!) >BarelyObCrypto: ADD is more about lack of attention *control* than lack of >attention itself. Hyperfocus is also a trait of ADHD, and computers tend to >cause hyperfocus for a lot of ADDers. How many easily distracted knee-jiggling >wunderkind hackers do *you* know? Care to guess how many ADDers there are >on cypherpunks? BTW, I saw a comment that Bill Gates is almost certainly an ADD person...or maybe the comment was that he is borderline autistic? (I think it was the latter, based on his focus on things, his physical mannerisms, etc. Perhaps growing up in rainy Seattle made him a kind of "rain man.") --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From raph at cs.berkeley.edu Sun Jul 7 16:03:15 1996 From: raph at cs.berkeley.edu (Raph Levien) Date: Mon, 8 Jul 1996 07:03:15 +0800 Subject: NYT/CyberTimes on CWD article In-Reply-To: Message-ID: <31E03A02.15F4A87C@cs.berkeley.edu> Declan McCullagh wrote: > > "We are writers, not crytographers." > > -Declan Well done. Very well done. I'm not sure why Brock is constructing this hard-drinking bad-boy persona (perhaps he's trying to become the Trent Reznor of crypto journalism), but the piece was great. This work sends a very clear message (which is obvious to cypherpunks, but not to the pro-censorship side): that in practice, what exactly gets censored has a lot more to do with politics, and a lot less to do with the original good intentions of the pro-censorship forces, than appears on the surface. There's no reason to believe that government-sponsored censorship would be any more carefully done than the privately available software packages of today. In fact, there is ample evidence to believe the contrary; these programs are subject to the discipline of the marketplace. Sorry for the mini-rant. Keep up the good work. Raph From drosoff at arc.unm.edu Sun Jul 7 16:09:40 1996 From: drosoff at arc.unm.edu (David Rosoff) Date: Mon, 8 Jul 1996 07:09:40 +0800 Subject: [RANT] Giving Mind Control Drugs to Children Message-ID: <1.5.4.16.19960707191849.330f2470@arc.unm.edu> -----BEGIN PGP SIGNED MESSAGE----- At 07.25 AM 7/7/96 -0700, Sandy Sandfort wrote: >On Sun, 7 Jul 1996, Simon Spero wrote: >> Er... Tim... Ritalin is an amphetamine. > >Yes, normally, but doesn't it have a paradoxical reaction for >hyperactive children (i.e., it acts as a depressant for them)? Yes. I once had a friend who took it, and it calmed him down, but after I had known him for a few years, it began to have the opposite effect; and "they" decided he didn't need it anymore. =============================================================================== David Rosoff (nihongo ga sukoshi dekiru) ---------------> drosoff at arc.unm.edu PGP public key 0xD37692F9 -----> finger drosoff at acoma.arc.unm.edu or keyservers 0xD37692F9 Key fingerprint = 25 7D AA 01 85 41 43 89 50 5A 33 76 F1 F1 99 67 Do you know who's reading your email? ---> http://www.arc.unm.edu/~drosoff/pgp/ Anonymous ok, PGP ok. -------------- If it's not PGP-signed, I didn't write it. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMeAJxhguzHDTdpL5AQGuPAP/T8aBKGwnNSEjv0VW/Kn8+lYgkRPxEB39 1zKPxuAzwfF+dnPpTKp5R5kdGHtv/KvRGhKRQt0V+ocUdAFHVIhI2AghxunUIPjv 9hLbzJx635LwUuHQBAONdV4tzTC6D5MqH+V5WqOWgPWe1Oqa8bHrSiDVdBX31M4P N7T2cii/s3E= =ebXI -----END PGP SIGNATURE----- From alano at teleport.com Sun Jul 7 16:18:56 1996 From: alano at teleport.com (Alan Olsen) Date: Mon, 8 Jul 1996 07:18:56 +0800 Subject: [RANT] Giving Mind Control Drugs to Children Message-ID: <2.2.32.19960707194409.00f12000@mail.teleport.com> At 06:10 PM 7/7/96 -0700, Timothy C. May wrote: >(As Sandy S. also noted, Ritalin has "paradoxical" effects. (I saw Sandy's >remark after sending off my reply to Simon.)) > >I've _seen_ the kid on Ritalin, and he's zombie. When it wears off, he's >back to being alert and active. Stimulants tend to have an odd effect on children. Instead of making them more active, they tend to do just the opposite. (My daughter used to have that problem with caffiene. Used to put her to sleep.) This makes the situation even more scary, considering how little is known about the brain chemistry of growing children. I am expecting the long term effects of these drugs will be "interesting". (And not in a good way.) I know a woman who was tranq'ed as a kid. She is nice and sweet, cannot dream at all, and is a total and unrepentant sociopath. Your results may vary. --- |"Computers are Voodoo -- You just have to know where to stick the pins."| |"The moral PGP Diffie taught Zimmermann unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From tcmay at got.net Sun Jul 7 16:37:43 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 8 Jul 1996 07:37:43 +0800 Subject: [RANT] Giving Mind Control Drugs to Children Message-ID: At 6:33 PM 7/7/96, AwakenToMe at aol.com wrote: >Did I miss something?? I fisrt came here and asked something about protected >mode and was yelled at for asking it in this newsgroup. Now we're onto mind >control drugs? >uhhhhhh ok. I did not yell at you. Bear in mind that there are many subscribers, with many views of what is interesting and what is important to talk about. There are only so many times that a particular thread can be talked about meaningfully, and some of the more crypto-related threads (which no one is stopping anyone from starting!) have covered the same ground through dozens of cycles. Thus, while "Where can I get SFS to encrypt my hard drive?," as an example, may _seem_ to be list-relevant than discussions of Ritalin and the use of it in public schools for behavior modification, I think the former thread is "tired," and generates little response, where the latter thread has obviously generated a lot of responses. This speaks for itself, as I see it. But, then, I view the list as partly a social community of reasonably like-minded folks, with a shared interest in several obvious things, and not just a place to discuss C++ code or where to find SFS and PGP. Personally, I'm just as glad the list is not a clone of Libernet or Commienet, but most political threads die out quickly enough. The "Ritalin" thread will die out eventually, In the meantime, it appears to interest quite a few people, and some readers may not have previously known that the public schools are sending out the message of "Just say "No!" to drugs!" while simultaneously using mind-control drugs to dose kids into submission. Sort of like the Feds calling for strict controls on privacy technology while freely passing around confidential FBI dossiers of their political enemies. The foxes guarding the henhouses. All of these examples are useful for our agenda. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From dlv at bwalk.dm.com Sun Jul 7 16:40:07 1996 From: dlv at bwalk.dm.com (Dr.Dimitri Vulis KOTM) Date: Mon, 8 Jul 1996 07:40:07 +0800 Subject: [RANT] Giving Mind Control Drugs to Children In-Reply-To: Message-ID: tcmay at got.net (Timothy C. May) writes: > At 3:06 PM 7/7/96, Dr.Dimitri Vulis KOTM wrote: > >Simon Spero writes: > > >> Er... Tim... Ritalin is an amphetamine. > > > >Yes, it's an _anti-depressant, supposedly turning up those pieces of the bra > >responsible for "tuning out" outside interference, and letting the hyperacti > >kid concentrate. But a true cypherpunk never lets any facts interfere with > >political agenda. > > Vulis, time to put you back in my killfile. Gratuitous insults, especially > those not based on important factual points, is your standard mode. I don't believe you. > (As Sandy S. also noted, Ritalin has "paradoxical" effects. (I saw Sandy's > remark after sending off my reply to Simon.)) > > I've _seen_ the kid on Ritalin, and he's zombie. When it wears off, he's > back to being alert and active. This has no cryptographic relevance, but... What about _other kids? You have 1 kid unlucky enough to be born hyperactive (genetic predisposition + idiot parents) and 40 kids unlucky enough to be stuck in class with one jerk who won't let them learn. --- Dr.Dimitri Vulis KOTM Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From jya at pipeline.com Sun Jul 7 17:38:38 1996 From: jya at pipeline.com (John Young) Date: Mon, 8 Jul 1996 08:38:38 +0800 Subject: DEA Intercepts Message-ID: <199607072119.VAA10773@pipe1.t2.usa.pipeline.com> Would anyone know more about the DEA "process the intercepts by computer" in the excerpt below from today's Wash Post? Any connection to Peter Neuman's remarks at the CRISIS press conference about LEA training and technology as alternatives to breaking strong crypto? This new funding has been a factor in making possible increased use of electronic surveillance. Federal wiretaps cost more than $70,000 a month to operate and generate hundreds of hours of labor for monitors, transcribers, surveillance teams and investigators. Larger budgets mean cost is less of an obstacle. Building for the future, the DEA is carrying out a $33 million program to replace single-line wiretapping gear with new equipment that can monitor 40 lines simultaneously and process the intercepts by computer. The FBI is plowing millions into developing new intercept techniques for digital lines and expanding its cadre of agents who use the bureau's high tech surveillance gear. "I don't think J. Edgar Hoover would contemplate what we can do today in terms of technology," Reno testified during a Senate hearing in May. The total number of federal wiretaps is just one measure of the rise in federal surveillance. The build-up also is evident in the increased use of electronic devices that record the numbers dialed by a target telephone, and the origin of calls to it. These devices allow agents to identify a person's associates. Beginning in 1993, Justice agencies began using the court-authorized monitors more often and leaving them installed for longer periods of time, according to a Justice Department report. From tcmay at got.net Sun Jul 7 17:43:27 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 8 Jul 1996 08:43:27 +0800 Subject: Style gettting in the way of clear reporting Message-ID: At 10:28 PM 7/7/96, Raph Levien wrote: >Declan McCullagh wrote: >> >> "We are writers, not crytographers." >> >> -Declan > > Well done. Very well done. I'm not sure why Brock is constructing >this hard-drinking bad-boy persona (perhaps he's trying to become the >Trent Reznor of crypto journalism), but the piece was great. I found it unreadable. No doubt some fine reporting, but the "faux Chandler" touches made it unreadable for me. "The last gin joint in cyberspace, and I had to to be the one to break it the babe, a thirty-two bit floozy with gams as long as, well, let's just say they made me forget about the Feds waiting to send me up the river for the long one..." With no _personal_ criticism of either Brock or Declan, I find that most modern cyberspace journalism--much more so than the mainstream press--is this kind of "performance piece" stuff, where pastiches of Chandler, Hunter S. Thompson, Jack Kerouac, and all the like are lathered all over the articles. The clearest and most extreme examples of this trend are the columns by Spencer S. Katt, Robert X. Cringely, and the other rumor-mongers of the trade weeklies, where a few morsels of actual reporting are buried in vast amounts of phony stuff. Such as endless crap about "Pammy," a dingbat--and utterly fictional--Valley Girl who one of these columnists uses to pads his columns with. This New Journalism kind of stuff is also rampant in "Wired." I suppose some people like it. I call them easily impressed. Or as Raymond S. might put it, "She was the kind of dame impressed by a paint by numbers Mona Lisa." Sadly, simple expository prose must be considered to be too boring, too banal. (Actually, were only a few writers doing this, it might be mildy tolerable. Speaking for myself, that is. But so _many_ "cyberspace journalists" are doing bad pastiches of famous stylists that the reportage is being lost in the noise. "A screaming comes across the screen." Wake up, Brock and Declan! And all the other too clever by half New Journalists. I'd like to read some of your stuff, not hit the delete key as soon as see the style-laden ersatz Chandler larding up the article. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From dlv at bwalk.dm.com Sun Jul 7 17:50:22 1996 From: dlv at bwalk.dm.com (Dr.Dimitri Vulis KOTM) Date: Mon, 8 Jul 1996 08:50:22 +0800 Subject: [RANT] Giving Mind Control Drugs to Children In-Reply-To: <199607071816.LAA19127@dns1.noc.best.net> Message-ID: "James A. Donald" writes: > > > > Er... Tim... Ritalin is an amphetamine. > > At 07:25 AM 7/7/96 -0700, Sandy Sandfort wrote: > > Yes, normally, but doesn't it have a paradoxical reaction for > > hyperactive children (i.e., it acts as a depressant for them)? > > Not really: Ordinary college students who use it to facilitate > cramming report that it has the same effect on them as on hyperactive > children. > > A well known symptom of amphetamine abuse is that the abusers will > cheerfully persist in pointless and boring activities for hours > on end, such as folding paper bags or stirring long overcooked > spaghetti. Please don't shit on speed. One of the brightest people I know is 70+ years old. He's been eating several grams of speed a day since WW2. He's brilliant and doesn't look a day over 40. Disclaimer: I don't take speed - I don't need any drugs to be the way I am. --- Dr.Dimitri Vulis KOTM Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From merriman at amaonline.com Sun Jul 7 18:00:53 1996 From: merriman at amaonline.com (David K. Merriman) Date: Mon, 8 Jul 1996 09:00:53 +0800 Subject: EYE_son Message-ID: <2.2.32.19960707074506.0069c9c0@mail1.amaonline.com> From adam at homeport.org Sun Jul 7 18:45:58 1996 From: adam at homeport.org (Adam Shostack) Date: Mon, 8 Jul 1996 09:45:58 +0800 Subject: Restrictions on crypto overseas In-Reply-To: <199607050215.TAA22048@atropos.c2.org> Message-ID: <199607072344.SAA00327@homeport.org> http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm is Bert-Jaap Koops Crypto Law Survey. Seems pretty good, but I haven't tried to verify any of it. | > Greetings. | > | > I am looking for a concise description of the restrictions overseas on the | > use of cryptography, and how those restrictions affect the operation of a | > cryptographically-enabled web server. | > | > I have been told that users of programs like PGP in france are required by | > law to register their secret keys with the state security apparatus. Does | > this mean that users of secure web servers need to register their secret | > keys as well? Is anybody doing this? Is the law enforced? | > | > What about other nations that have recently passed restrictions on the use | > of crypto? Other than Russia, which are they? Is there a list anywhere? -- "It is seldom that liberty of any kind is lost all at once." -Hume From tcmay at got.net Sun Jul 7 19:07:15 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 8 Jul 1996 10:07:15 +0800 Subject: DEA Intercepts Message-ID: At 9:19 PM 7/7/96, John Young wrote: >Would anyone know more about the DEA "process the intercepts by computer" >in the excerpt below from today's Wash Post? Any connection to Peter >Neuman's remarks at the CRISIS press conference about LEA training and >technology as alternatives to breaking strong crypto? > and process the intercepts by computer. The FBI is plowing > millions into developing new intercept techniques for > digital lines and expanding its cadre of agents who use the > bureau's high tech surveillance gear. I have no way of knowing (and I doubt anybody knows and can also speak publically about it), but my informed speculation would be that the FBI is continuing its cooperation with the NSA (as noted by Ken Bass at last week's SAFE forum) and is using COMINT processing gear and programs developed at the Agency. It has been widely reported, from Bamford on, that much of the Agency's computer power is devoted to keyword analysis from audio intercepts. While computer translation programs may not have progressed much beyond "The vodka is strong, but the meat is rotten" stage, it is quite reasonable to assume that computers can mark for later analysis vast amounts of audio surveillance material, based on words said, voiceprints of known targets, etc. The trend of the next few decades is likely to be the turning of the government's Big Ears and Big Eyes on its _real enemies_, namely, the people. > "I don't think J. Edgar Hoover would contemplate what we > can do today in terms of technology," Reno testified during > a Senate hearing in May. Actually, I think Hoover could well imagine the capabilities. Minaret and such programs were in place while he was alive, and his use of confidential dossiers as an instrument of power predated the current use by the Clintons by several decades. > The total number of federal wiretaps is just one measure of > the rise in federal surveillance. The build-up also is > evident in the increased use of electronic devices that > record the numbers dialed by a target telephone, and the > origin of calls to it. > > These devices allow agents to identify a person's > associates. Beginning in 1993, Justice agencies began using > the court-authorized monitors more often and leaving them > installed for longer periods of time, according to a > Justice Department report. Needless to say, key escrow is quite useful in compiling contact lists. A virtual pen register, as it were. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From AwakenToMe at aol.com Sun Jul 7 19:32:00 1996 From: AwakenToMe at aol.com (AwakenToMe at aol.com) Date: Mon, 8 Jul 1996 10:32:00 +0800 Subject: [RANT] Giving Mind Control Drugs to Children Message-ID: <960707193940_232651692@emout12.mail.aol.com> Tim, You have a very good point about what goes on in this thread. I wasnt speaking about you yelling at me.. some of the members decided to write me 'personal' memos..one idiot being 'AOL SUCKS KILL ALL AOL SUCKS' or some stupid idiotic undereducated statement like that. Thanks for the response though..it was appreciated. :) Adam From jamesd at echeque.com Sun Jul 7 20:53:11 1996 From: jamesd at echeque.com (James A. Donald) Date: Mon, 8 Jul 1996 11:53:11 +0800 Subject: Style gettting in the way of clear reporting Message-ID: <199607080050.RAA05944@dns2.noc.best.net> Believe it or not, this has some very slight cypherpunk relevance. (Gasp) At 10:06 PM 7/7/96 -0700, Timothy C. May wrote: > Sadly, simple expository prose must be considered to be too boring, too banal. > > (Actually, were only a few writers doing this, it might be mildy tolerable. > Speaking for myself, that is. But so _many_ "cyberspace journalists" are > doing bad pastiches of famous stylists that the reportage is being lost in > the noise. When news media were concentrated into fewer and fewer hands during the twentieth century, the appearance of neutrality, objectivity, and authoritativeness became a major selling point, and so media adopted a tone and manner of neutrality, with an accompanying "just-the-facts" style, though in reality they became far less neutral Now that everyone can grab the megaphone, people are not so worried about objectivity. If something is unfair to Nazis or blacks or evil polluting capitalists, they know they will hear about it from the Nazis, the blacks or the evil polluting capitalists. As a result, people no longer value the superficial appearance of neutrality and objectivity. Suddenly colorful and openly biased reporting has become popular. This has led to some people engaging in florid excesses of colorful style and concocting totally phony attitudes., just as when word processing programs first gained the capability to handle a wide variety of fonts, some people produced memos that looked like ransom notes. Soon enough they will settle down. English prose was at its greatest in the eighteenth and nineteenth centuries, when many voices could be heard, and some of them were on the florid side. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From tcmay at got.net Sun Jul 7 21:32:50 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 8 Jul 1996 12:32:50 +0800 Subject: Style gettting in the way of clear reporting Message-ID: At 12:40 AM 7/8/96, James A. Donald wrote: >When news media were concentrated into fewer and fewer hands during >the twentieth century, the appearance of neutrality, objectivity, >and authoritativeness became a major selling point, and so media >adopted a tone and manner of neutrality, with an accompanying >"just-the-facts" style, though in reality they became far less neutral An interesting point. You are probably right that journalism is becoming more florid as "amateurs" flood the market. However, I don't quite buy the concentration argument, as things were pretty concentrated in the Hearst era, and the explosion of magazines in the past few decades has not been as concentrated. (In any case, these are hard things to quantify without more research, which I for one am unlikely to pursue.) >Now that everyone can grab the megaphone, people are not so worried >about objectivity. If something is unfair to Nazis or blacks or evil >polluting capitalists, they know they will hear about it from the >Nazis, the blacks or the evil polluting capitalists. > >As a result, people no longer value the superficial appearance of >neutrality and objectivity. Suddenly colorful and openly biased >reporting has become popular. I still think of "The Wall Street Journal" and "The Economist," two of my favorites, as being _careful_ in their reporting (careful is different from unbiased). But my main focus in this thread was on the _styles_, and this I think is more explained by faddishness. And advertising. To get "mind space," as with "shelf space," the packaging must entice, fool, and trick the reader. >This has led to some people engaging in florid excesses of colorful >style and concocting totally phony attitudes., just as when word >processing programs first gained the capability to handle a wide >variety of fonts, some people produced memos that looked like >ransom notes. Yes, and many of the newsletters we're seeing--as many are cc:ed or forwarded to our list--are the kissing cousins of "zines." Same faux style, same emphasis on "flash" over substance. (Not all of them of course.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From root at edmweb.com Sun Jul 7 22:12:16 1996 From: root at edmweb.com (Steve Reid) Date: Mon, 8 Jul 1996 13:12:16 +0800 Subject: more about the usefulness of PGP Message-ID: > make sure that you are protected from replay attacks. > a good idea would be to make the server to send cookies by request of > the remote user (you can limit the number of people to whom the server > sends cookies) and make sure that messages without the latest cookie > will NOT be executed. A simpler solution would be for the user to number each message. He would send message #1, then message #2, then #3, etc... Skipping some numbers should not be a problem. The server would just have to keep track of the most recently recieved message number, and only accept messages with a larger number. The user would also have to keep track... It would be very easy to do; the user could number each message based on date and time. ===================================================================== | Steve Reid - SysAdmin & Pres, EDM Web (http://www.edmweb.com/) | | Email: steve at edmweb.com Home Page: http://www.edmweb.com/steve/ | | PGP (2048/9F317269) Fingerprint: 11C89D1CD67287E68C09EC52443F8830 | | -- Disclaimer: JMHO, YMMV, TANSTAAFL, IANAL. -- | ===================================================================:) From bdavis at thepoint.net Sun Jul 7 22:23:18 1996 From: bdavis at thepoint.net (Brian Davis) Date: Mon, 8 Jul 1996 13:23:18 +0800 Subject: NYT/CyberTimes on CWD article In-Reply-To: <199607071744.NAA25788@unix.asb.com> Message-ID: On Sun, 7 Jul 1996, Deranged Mutant wrote: > > Another problematic with Net-Nurse type software: a database of > naughty sites and naughty users... a real goldmine for prosecutors. My soon-to-be-former colleagues hardly need such software to find naughty sites. Anyway, that takes all the fun out of it! Brian > > > Rob. > --- > No-frills sig. > Befriend my mail filter by sending a message with the subject "send help" > Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) > AB1F4831 1993/05/10 Deranged Mutant > Send a message with the subject "send pgp-key" for a copy of my key. > Not a lawyer on the Net, although I play one in real life. ********************************************************** Flame away! I get treated worse in person every day!! From fletch at ain.bls.com Mon Jul 8 00:04:39 1996 From: fletch at ain.bls.com (Mike Fletcher) Date: Mon, 8 Jul 1996 15:04:39 +0800 Subject: Style gettting in the way of clear reporting [borderline NOISE] In-Reply-To: Message-ID: <9607080328.AA10834@outland.ain_dev> > I still think of "The Wall Street Journal" and "The Economist," two of my > favorites, as being _careful_ in their reporting (careful is different from > unbiased). But my main focus in this thread was on the _styles_, and this I > think is more explained by faddishness. > > And advertising. To get "mind space," as with "shelf space," the packaging > must entice, fool, and trick the reader. This might can be tied back in with Tim's other RANT about prozac/ritalin/Haagen Daas/[insert your favorite mood altering substance here] and ADD. Today's kids supposedly can't concentrate on anything for more than the duration of a music video or the first "act" of Baywatch. But it's all just simpler to dope them up and let 'em watch Pamela Sue jiggle than try to raise them properly. > Yes, and many of the newsletters we're seeing--as many are cc:ed or > forwarded to our list--are the kissing cousins of "zines." Same faux style, > same emphasis on "flash" over substance. (Not all of them of course.) But media in general is becomming a meme-eat-meme world. If you don't entertain enough to hook the reader they won't bother with you (and your meme never propagates). Who cares if CSPAN is broadcasting hearings on changes to some law that could fundamentally change American society as we know it, there's an infomercial on for that amazing new flameproof car wax that cures baldness and predicts the future more accurately than Dionne Warwick. The Sci-Fi Channel needs to update their "Max Headroom" episodes from "20 minutes into the future..." to only about ten (if that). Now where'd I leave my Zik Zak . . . :) --- Fletch __`'/| fletch at ain.bls.com "Lisa, in this house we obey the \ o.O' ______ 404 713-0414(w) Laws of Thermodynamics!" H. Simpson =(___)= -| Ack. | 404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43 U ------ From vince at offshore.com.ai Mon Jul 8 00:07:08 1996 From: vince at offshore.com.ai (Vincent Cate) Date: Mon, 8 Jul 1996 15:07:08 +0800 Subject: Hurricane Bertha hitting Offshore Information Services Message-ID: Hurricane Bertha is almost certainly going to hit Anguilla, where Offshore Information Services is located. It will probably be at the strongest about 9 am Eastern time Monday morning. This is still not a really big hurricane, so we will not get anything like the trouble we had with Luis last year. Still, there is some chance that we will be offline at some time. If so please understand why. I have about 8 hours of battery backup. If power is out at our location for longer than that I will relocate the server to another location, as I did after Luis. There is little chance that power will go out everywhere for longer than 8 hours. There is a good chance that we get through this without going down, but I just wanted to let people know what our status is. Be patient if sometime tomorrow you can not get to our site. -- Vince Cate Offshore Information Services, Ltd. Anguilla http://online.offshore.com.ai/ From jimbell at pacifier.com Mon Jul 8 01:35:33 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 8 Jul 1996 16:35:33 +0800 Subject: Style gettting in the way of clear reporting Message-ID: <199607080519.WAA16763@mail.pacifier.com> At 06:38 PM 7/7/96 -0700, Timothy C. May wrote: >At 12:40 AM 7/8/96, James A. Donald wrote: > >>When news media were concentrated into fewer and fewer hands during >>the twentieth century, the appearance of neutrality, objectivity, >>and authoritativeness became a major selling point, and so media >>adopted a tone and manner of neutrality, with an accompanying >>"just-the-facts" style, though in reality they became far less neutral > >An interesting point. You are probably right that journalism is becoming >more florid as "amateurs" flood the market. However, I don't quite buy the >concentration argument, as things were pretty concentrated in the Hearst >era, and the explosion of magazines in the past few decades has not been as >concentrated. (In any case, these are hard things to quantify without more >research, which I for one am unlikely to pursue.) It is probably true that journalism was more concentrated in the late 1800's and early 1900's, since it consisted of a few newspapers. However, I think a good argument could be made that because government was dramatically smaller than today, that concentration was not nearly as detrimental as it would be today under similar circumstances. Jim Bell jimbell at pacifier.com From enquirer at alpha.c2.org Mon Jul 8 02:49:33 1996 From: enquirer at alpha.c2.org (enquirer at alpha.c2.org) Date: Mon, 8 Jul 1996 17:49:33 +0800 Subject: Cypherpunk Enquirer Message-ID: <199607080632.XAA09042@infinity.c2.org> I finally lost the tail somewhere around the docks, and slowly worked my way into Chiba, watching my back all the way. I dumped the chip in the saddlebag of a bike messenger who almost ran me down in front of the Jarre, figured he'd get a good scare out of a midnight visit from the NSA goons who'd been using it to follow my tracks out of Tokyo. They weren't going to like the way I rearranged the facial features of their buddy who tried to waylay me outside of the pachinko parlor. One last glance behind me, and I ducked into the Chatsubo. She was waiting for me there, a vision of pure lust in a red mini-dress with cleavage all the way down to her waist and legs all the way down to the floor. I tried to stay casual as I sauntered over to the bar next to her. "Vodka martini. Shaken, not stirred," I said to Ratz, the regular bartender. Ratz slammed the drink down on the counter in front of me. "Shaken enough for you, Dick?" he said. "Dick. Nice name." She had a voice that sounded like wind blowing through pine trees on a hot summer night. Low. Breathy. Wet. "He's being an asshole. Dick's American slang for a PI. Mind if I join you?" "Suit yourself." I pulled up a stool, surreptitiously slipping her PGP signature into my PDA. It checked out. Good. Now if she just had the merchandise. I hadn't come 5,000 miles just to check out her pectoral development. I leaned over close, trying not to stare at that pair of 38Ds. "You got anything else you'd like to show me?" Her emerald green eyes bored into mine, and then slowly dropped down to the level of my zipper. She slowly slid the hem of her dress up her creamy thigh, just high enough so that I could see that she wasn't wearing any panties. And there it was. Tucked into the top of her silk stocking, just next to the black lace garter. "That floppy's got the source to Declan McCullagh and Ian Goldberg's crack of the Surfwatch database. Worth a small fortune to anyone with the cojones to spam a sample to K12." She licked her lips like she was getting ready to go down on a double dip of Cherry Garcia. "Would you like to come up to my room and take a closer look?" (OK, Nobody, knock it off. You got rid of Tim May three paragraphs ago. Let's get on with it, huh?) (Shit, boss, just trying to have a little fun ... ) THE CYPHERPUNK ENQUIRER "Encyphering minds want to know." Fresh on the heels of the Chicago Bull's triumph in the NBA finals, Michael Jordan has announced the release of his new signature Internet encryption product, Michael Jordan's Awfully Good Snake Oil. Based on a tried and tested but proprietary algorithm, AGSO is guaranteed to provide superior 40 bit encryption of all important Internet traffic. Michael himself personally guarantees that AGSO will integrate perfectly with the Eudora mailer, and used no 14 year old Nicaraguan programmers like that inferior Kathy Lee Gifford shit, and no feminine frou-frou like with Liz Taylor's Black Perl. Jim Bell was injured today when a mail exploder went off in his hands. Doctors at the Bethesda Naval Hospital reported that the mail exploder had been upgraded from critical to stable condition and was resting comfortably in a private room. After a visit from fellow patient Louis Freeh, the mail exploder commented, "It's surprising how well he's learned to talk through that proctoscope." Matt Blaze has finally come clean, and agreed to provide a partial transcript of the NSA's famous "If you knew what we know, you'd support key escrow" presentation, which according to Mr. Blaze starts out, "If you knew about the video tapes we have of you with that 16 year old blonde at the Motel Six ... " Due to continuing controversy over the Michael Jackson case, and bowing to extreme election year pressure from the religious right, President Clinton today announced a new policy to prevent child abuse in the music industry. The Rock Musicians Penis Escrow Bill would require all musicians selling more than 10,000 CDs to file photographs of their (presumably tumescent) genitals with the FBI so that they could be examined and identified in the event of accusations of lascivious behavior with minors. Leon Panetta was reportedly flying to Chicago for discussions with the presently retired Plaster Casters, hoping to garner their support for the bill, while the Wall Street Journal announced an investigation into rumors that Chelsea has a standing request with the FBI for multiple copies. The Libertarian Party immediately announced its whole-hearted support for the plan after Jim Ray snuck the plank into the party platform when no one was looking. Tim May's experimental plan to reduce the noise level on the Cypherpunk Mailing List was declared a resounding success after massive doses of Ritalin actually caused Perry Metzger to apologize for flaming a clueless AOLer. In related news, AwakenToMe has finally figured out protected mode, and has announced the first Pentium condom that actually fits over the cooling fan. Sameer Parkesh announced that c2.org is now hosting an "Unanimizer" web browser, which makes web servers think that the entire population of the WhoWhere search engine has just accessed their pages. Next in the Enquirer: Bob Dole on the dangers of the abacus virus. From amehta at giasdl01.vsnl.net.in Mon Jul 8 03:13:40 1996 From: amehta at giasdl01.vsnl.net.in (Arun Mehta) Date: Mon, 8 Jul 1996 18:13:40 +0800 Subject: [RANT] Giving Mind Control Drugs to Children Message-ID: <1.5.4.32.19960708130935.002db9e0@giasdl01.vsnl.net.in> I sent Tim's original post to a psychiatrist friend, who responded: Ritalin is a lifesaver for a small % of children who suffer from a condition characterized by hyperactivity and poor attention span. These kids (usually boys) may be bright as hell but fail in school because they can't sit still or pay attention; they get made fun of, they behave badly, get depressed, it's a mess. Some of them (milder cases) respond to behavior modification therapies which involve training of the parents and teachers to have realistic expectation, recognize the specific difficulties the kids have, set them goals, reward them for achieving them, give them disincentives for misbehaving etc. Others really do need Ritalin. It's a relief not just for the parents and teachers but for the kids to be able to sit still and pay attention and learn and succeed and be liked etc. Most of them grow out of it by their mid-teens. However, there are many more kids on Ritalin than there need to be; some teachers pressure parents to get kids put on it... I know one very bright little girl who's bored out of her mind in school, the school refuses to move her up a grade or give her more challenging work to do, instead complain that she is not paying attention and suggested that she be put on Ritalin... mother was furious. Some of the kids who use foul language (a very small %) have Tourette's disease, and also need medicine (a different one)... by and large the politically correct thing is sometimes to label a kid as sick rather than bad or spoiled, this is probably why drugs are over-used. But we can't throw the baby out with the bathwater! By the way, some old people who are severely depressed after a stroke also do well with Ritalin and don't respond to any other antidepressants... Arun Mehta Phone +91-11-6841172, 6849103 amehta at cpsr.org http://mahavir.doe.ernet.in/~pinaward/arun.htm The protestors of Tiananmen Square will be back. Next time, the battle will be fought in cyberspace, where the students have the more powerful tanks... From enquirer at alpha.c2.org Mon Jul 8 03:17:30 1996 From: enquirer at alpha.c2.org (enquirer at alpha.c2.org) Date: Mon, 8 Jul 1996 18:17:30 +0800 Subject: Cypherpunk Enquirer Message-ID: <199607080632.XAA09082@infinity.c2.org> I finally lost the tail somewhere around the docks, and slowly worked my way into Chiba, watching my back all the way. I dumped the chip in the saddlebag of a bike messenger who almost ran me down in front of the Jarre, figured he'd get a good scare out of a midnight visit from the NSA goons who'd been using it to follow my tracks out of Tokyo. They weren't going to like the way I rearranged the facial features of their buddy who tried to waylay me outside of the pachinko parlor. One last glance behind me, and I ducked into the Chatsubo. She was waiting for me there, a vision of pure lust in a red mini-dress with cleavage all the way down to her waist and legs all the way down to the floor. I tried to stay casual as I sauntered over to the bar next to her. "Vodka martini. Shaken, not stirred," I said to Ratz, the regular bartender. Ratz slammed the drink down on the counter in front of me. "Shaken enough for you, Dick?" he said. "Dick. Nice name." She had a voice that sounded like wind blowing through pine trees on a hot summer night. Low. Breathy. Wet. "He's being an asshole. Dick's American slang for a PI. Mind if I join you?" "Suit yourself." I pulled up a stool, surreptitiously slipping her PGP signature into my PDA. It checked out. Good. Now if she just had the merchandise. I hadn't come 5,000 miles just to check out her pectoral development. I leaned over close, trying not to stare at that pair of 38Ds. "You got anything else you'd like to show me?" Her emerald green eyes bored into mine, and then slowly dropped down to the level of my zipper. She slowly slid the hem of her dress up her creamy thigh, just high enough so that I could see that she wasn't wearing any panties. And there it was. Tucked into the top of her silk stocking, just next to the black lace garter. "That floppy's got the source to Declan McCullagh and Ian Goldberg's crack of the Surfwatch database. Worth a small fortune to anyone with the cojones to spam a sample to K12." She licked her lips like she was getting ready to go down on a double dip of Cherry Garcia. "Would you like to come up to my room and take a closer look?" (OK, Nobody, knock it off. You got rid of Tim May three paragraphs ago. Let's get on with it, huh?) (Shit, boss, just trying to have a little fun ... ) THE CYPHERPUNK ENQUIRER "Encyphering minds want to know." Fresh on the heels of the Chicago Bull's triumph in the NBA finals, Michael Jordan has announced the release of his new signature Internet encryption product, Michael Jordan's Awfully Good Snake Oil. Based on a tried and tested but proprietary algorithm, AGSO is guaranteed to provide superior 40 bit encryption of all important Internet traffic. Michael himself personally guarantees that AGSO will integrate perfectly with the Eudora mailer, and used no 14 year old Nicaraguan programmers like that inferior Kathy Lee Gifford shit, and no feminine frou-frou like with Liz Taylor's Black Perl. Jim Bell was injured today when a mail exploder went off in his hands. Doctors at the Bethesda Naval Hospital reported that the mail exploder had been upgraded from critical to stable condition and was resting comfortably in a private room. After a visit from fellow patient Louis Freeh, the mail exploder commented, "It's surprising how well he's learned to talk through that proctoscope." Matt Blaze has finally come clean, and agreed to provide a partial transcript of the NSA's famous "If you knew what we know, you'd support key escrow" presentation, which according to Mr. Blaze starts out, "If you knew about the video tapes we have of you with that 16 year old blonde at the Motel Six ... " Due to continuing controversy over the Michael Jackson case, and bowing to extreme election year pressure from the religious right, President Clinton today announced a new policy to prevent child abuse in the music industry. The Rock Musicians Penis Escrow Bill would require all musicians selling more than 10,000 CDs to file photographs of their (presumably tumescent) genitals with the FBI so that they could be examined and identified in the event of accusations of lascivious behavior with minors. Leon Panetta was reportedly flying to Chicago for discussions with the presently retired Plaster Casters, hoping to garner their support for the bill, while the Wall Street Journal announced an investigation into rumors that Chelsea has a standing request with the FBI for multiple copies. The Libertarian Party immediately announced its whole-hearted support for the plan after Jim Ray snuck the plank into the party platform when no one was looking. Tim May's experimental plan to reduce the noise level on the Cypherpunk Mailing List was declared a resounding success after massive doses of Ritalin actually caused Perry Metzger to apologize for flaming a clueless AOLer. In related news, AwakenToMe has finally figured out protected mode, and has announced the first Pentium condom that actually fits over the cooling fan. Sameer Parkesh announced that c2.org is now hosting an "Unanimizer" web browser, which makes web servers think that the entire population of the WhoWhere search engine has just accessed their pages. Next in the Enquirer: Bob Dole on the dangers of the abacus virus. From amehta at giasdl01.vsnl.net.in Mon Jul 8 03:50:39 1996 From: amehta at giasdl01.vsnl.net.in (Arun Mehta) Date: Mon, 8 Jul 1996 18:50:39 +0800 Subject: The Net and Terrorism Message-ID: <1.5.4.32.19960708130958.002e8e58@giasdl01.vsnl.net.in> At 19:52 02/07/96 -0500, John Deters wrote: >Even so, there are a couple of problems with even attempting "to take away >the root causes", not the least of which is the Constitutionally protected >right to free speech. I am allowed to teach my kid to hate anyone for any >reason. I can blame this or that group for this set of troubles, and that >the best way to deal with this is not only to scare them away, but to kill >as many of them as possible. It may be morally repugnant, but it is >protected speech. I think we've all been exposed to awful teaching in some aspects of our upbringing, but experience taught us otherwise. I love the anarchist poster that says, "We are the people whom our parents used to warn us about." Just because you were taught hate, doesn't mean you won't outgrow it. My mother was active in the freedom struggle against the British, and told me enough horror stories that I grew up hating them. But once I met some perfectly decent specimens, it evaporated. If the hate persists, there is likely to be reinforcement in the form of injustices, further bad experiences, etc. India is a large, diverse country with lots of injustice, poverty and other problems. When we analyze what breeds terrorism, we find aspects such as: - Severe neglect by the government (i.e. problems keep getting worse): For instance, the north east (which is east of Bangladesh, and has a long history of militant opposition) had to agitate for a long time to even get a railway line to connect them to the rest of the country. - Meddling by politicians: in Punjab, there was a Sikh regional party that was quite strong. To erode its popular base, Indira Gandhi encouraged the fundamentalists on its right. Similarly, Rajiv Gandhi's government helped train the Tamil LTTE. Both paid for these blunders with their lives, at the hands of the very groups they had once tried to foster. - Disenfranchisement: In Kashmir, most elections were rigged, as the central government pretty much admits now. Interestingly, some of the leaders of the terrorists were polling agents at the time of the previous elections, and were quite disgusted at what they saw. >The countries that sponsor terrorists have not been noted for their >successful educational systems. And they certainly are not going to listen >to Western discussions on how best to solve their "problems". No, but give the people the conviction that they can get their problems redressed legally, that they can win political power peacefully, and basically not let problems fester for so long that all trust in government is lost, and people will be far less likely to take to arms. Phoolan Devi (seen "Bandit Queen"? Great movie) was a dacoit, supposedly responsible for serious massacres. She went to jail, now she is an elected member of the federal Parliament. That is a great message to send to the poor and deprived. The cynic in me sees this as a way of depriving the poor suffering masses of their leaders, by co-opting them into the ruling elite. But there is no shortage of followers eager and willing to take their place. >The U.S. has a level of tolerance for diversity that I >only recently came to >appreciate. We hosted a foreign exchange student from Scotland (hardly >culture shock to him), but he surprised me when he commented on how >surprised he was that different groups of people were mixed together I've had a similar experience. I was part of the Indian delegation to a couple of Amnesty International International Council meetings. In this organisation, multiracialism and multiculturalism are heavily promoted. But if you looked at delegations from Europe, even from countries with sizable racial minorities, they were typically all-white. The US delegation, on the other hand, had blacks, different kinds of Asians, Hispanics... and not by design -- the US section leadership is highly "mixed", so they did not have to think about multiracialism, it just happened. Of course, given the "melting pot" ethos in the US, this is hardly surprising. However, every society has its blind spots. Communism is a real US phobia. The way you treat puny Cuba I find truly amazing. Arun Mehta Phone +91-11-6841172, 6849103 amehta at cpsr.org http://mahavir.doe.ernet.in/~pinaward/arun.htm The protestors of Tiananmen Square will be back. Next time, the battle will be fought in cyberspace, where the students have the more powerful tanks... From WlkngOwl at unix.asb.com Mon Jul 8 04:34:01 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Mon, 8 Jul 1996 19:34:01 +0800 Subject: DEA Intercepts Message-ID: <199607080850.EAA28667@unix.asb.com> On 7 Jul 96 at 23:59, Timothy C. May wrote: > At 9:19 PM 7/7/96, John Young wrote: [..] > > "I don't think J. Edgar Hoover would contemplate what we > > can do today in terms of technology," Reno testified during > > a Senate hearing in May. A double-edged quote, isn't it? [Tim's sort-of techie comments deleted.] Who needs high-tech for a surveillance state? I remember several years back a Soviet-history class that put a lot of emphasis on the Czar's totalitarian regime, much of which was already in place when the Bolshviks took power (and one of the reasons they held it). Irregardless of the literacy rate (which I'm guessing was low anyway), it was apparently common practice in many European countries in the early 19th century (incl. Russia) to have 'black offices' in the post offices that would steam open EVERY piece of mail to be read for intelligence and surveillance purposes. And back then there was probably a higher proportion of meaningful mail since there was no telephone, radio, or (very little) direct-mail marketing. Generally such offices were used for political purposes. Oddly enough the secret police organizations spied heavily on those in power as well: sometimes I wonder if Americal political scandals are (or will ever be) linked to US intelligence agencies listening in one some pol's calls. This is akin in some ways to building a postal system where there's a black office in every station. Rob. --- No-frills sig. Befriend my mail filter by sending a message with the subject "send help" Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From declan+ at CMU.EDU Mon Jul 8 07:53:48 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Mon, 8 Jul 1996 22:53:48 +0800 Subject: NYT/CyberTimes on CWD article In-Reply-To: <199607071744.NAA25788@unix.asb.com> Message-ID: Excerpts from internet.cypherpunks: 7-Jul-96 Re: NYT/CyberTimes on CWD a.. by "Deranged Mutant"@unix.a > (I wonder if the software can tell that ~perv/ and /users/home/perv/ > or /home/perv/ can be the same directory on some systems? That would > be an interesting flaw. Has anyone hacked with the software?) The software can't tell. Take webcom.com, where some ~perv directories are blocked and some /users/perv directories are blocked by CyberPatrol. -Declan From m5 at vail.tivoli.com Mon Jul 8 08:45:45 1996 From: m5 at vail.tivoli.com (Mike McNally) Date: Mon, 8 Jul 1996 23:45:45 +0800 Subject: CWD -- Jacking in from the "Keys to the Kingdom" Port In-Reply-To: Message-ID: <31E0FC31.4E1C@vail.tivoli.com> Michael H. Warfield wrote: > > Scenario: [ naughty parents allow nice kids access to the nasty > > internet ] > Scenario update: Replace all instances of Bart's computer and > internet connections with Playboy or Penthouse (or worse - Hustler!) > magazines found in a drawer in the house. You then discover this to be > the shear and utter gibberish that it really is... Of course it's a ridiculous situation, but "the Internet" is the Daemon Du Jour. ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * * suffering is optional From raph at CS.Berkeley.EDU Mon Jul 8 11:33:27 1996 From: raph at CS.Berkeley.EDU (Raph Levien) Date: Tue, 9 Jul 1996 02:33:27 +0800 Subject: List of reliable remailers Message-ID: <199607081350.GAA31890@kiwi.cs.berkeley.edu> I operate a remailer pinging service which collects detailed information about remailer features and reliability. To use it, just finger remailer-list at kiwi.cs.berkeley.edu There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at: http://www.cs.berkeley.edu/~raph/remailer-list.html This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail. For more information, see: http://www.c2.org/~raph/premail.html For the PGP public keys of the remailers, finger pgpkeys at kiwi.cs.berkeley.edu This is the current info: REMAILER LIST This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu. $remailer{"extropia"} = " cpunk pgp special"; $remailer{"portal"} = " cpunk pgp hash"; $remailer{"alumni"} = " cpunk pgp hash"; $remailer{"c2"} = " eric pgp hash reord"; $remailer{"penet"} = " penet post"; $remailer{"flame"} = " cpunk mix pgp. hash latent cut post reord"; $remailer{"mix"} = " cpunk mix pgp hash latent cut ek ksub reord ?"; $remailer{"replay"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"ecafe"} = " cpunk mix"; $remailer{"amnesia"} = " cpunk mix pgp hash latent cut ksub"; $remailer{'alpha'} = ' alpha pgp'; $remailer{'nymrod'} = ' alpha pgp'; $remailer{"lead"} = " cpunk pgp hash latent cut ek"; $remailer{"treehole"} = " cpunk pgp hash latent cut ek"; $remailer{"nemesis"} = " cpunk pgp hash latent cut"; $remailer{"exon"} = " cpunk pgp hash latent cut ek"; $remailer{"vegas"} = " cpunk pgp hash latent cut"; $remailer{"haystack"} = " cpunk mix pgp hash latent cut ek"; $remailer{"ncognito"} = " mix cpunk pgp hash latent"; $remailer{"lucifer"} = " cpunk mix pgp hash"; $remailer{"jam"} = " cpunk mix pgp hash latent cut ek"; catalyst at netcom.com is _not_ a remailer. lmccarth at ducie.cs.umass.edu is _not_ a remailer. usura at replay.com is _not_ a remailer. Groups of remailers sharing a machine or operator: (c2 alpha) (flame replay) (alumni portal) Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too. Note: The remailer list now includes information for the alpha nymserver. Last update: Mon 8 Jul 96 6:48:30 PDT remailer email address history latency uptime ----------------------------------------------------------------------- alumni hal at alumni.caltech.edu *+*#+*#-*### 3:36 100.00% replay remailer at replay.com **+*******+* 4:23 99.99% jam remailer at cypherpunks.ca ******** 16:45 99.98% c2 remail at c2.org +-++++++-+++ 46:47 99.97% nemesis remailer at meaning.com +*********** 17:25 99.97% nymrod nymrod at nym.jpunix.com #+#-##*##### 2:49 99.97% lead mix at zifi.genetics.utah.edu ++++++++++++ 38:37 99.96% vegas remailer at vegas.gateway.com *___.+#*+#*+ 4:34:27 99.95% mix mixmaster at remail.obscura.com .------+++++ 5:42:01 99.92% flame remailer at flame.alias.net .-++---+--++ 3:59:13 99.91% haystack haystack at holy.cow.net +###+#* #+## 3:07 99.80% lucifer lucifer at dhp.com +++ -+++++++ 48:41 99.78% ncognito ncognito at rigel.cyberpass.net .__.___-... 24:13:12 99.68% extropia remail at miron.vip.best.com ----.----.- 7:38:28 99.39% amnesia amnesia at chardos.connix.com ---- -----+ 3:42:52 99.31% alpha alias at alpha.c2.org +++*****++++ 38:39 99.29% penet anon at anon.penet.fi ...--....- 27:11:56 99.00% ecafe cpunk at remail.ecafe.org --##* ### 1:26:57 98.73% portal hfinney at shell.portal.com #+*####- ## 3:52 98.05% treehole remailer at mockingbird.alias.net +++- --+ + 2:18:51 97.06% exon remailer at remailer.nl.com **+**** ** 4:35 95.60% History key * # response in less than 5 minutes. * * response in less than 1 hour. * + response in less than 4 hours. * - response in less than 24 hours. * . response in more than 1 day. * _ response came back too late (more than 2 days). cpunk A major class of remailers. Supports Request-Remailing-To: field. eric A variant of the cpunk style. Uses Anon-Send-To: instead. penet The third class of remailers (at least for right now). Uses X-Anon-To: in the header. pgp Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID. hash Supports ## pasting, so anything can be put into the headers of outgoing messages. ksub Remailer always kills subject header, even in non-pgp mode. nsub Remailer always preserves subject header, even in pgp mode. latent Supports Matt Ghio's Latent-Time: option. cut Supports Matt Ghio's Cutmarks: option. post Post to Usenet using Post-To: or Anon-Post-To: header. ek Encrypt responses in reply blocks using Encrypt-Key: header. special Accepts only pgp encrypted messages. mix Can accept messages in Mixmaster format. reord Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself. mon Remailer has been known to monitor contents of private email. filter Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering. Raph Levien From jamesd at echeque.com Mon Jul 8 12:39:55 1996 From: jamesd at echeque.com (James A. Donald) Date: Tue, 9 Jul 1996 03:39:55 +0800 Subject: The Net and Terrorism Message-ID: <199607081534.IAA07424@dns1.noc.best.net> At 01:16 PM 7/8/96 +0500, Arun Mehta wrote: >India is a large, diverse country with lots of injustice, poverty and other >problems. When we analyze what breeds terrorism, we find aspects such as: > >- Severe neglect by the government (i.e. problems keep getting worse): For >instance, the north east (which is east of Bangladesh, and has a long >history of militant opposition) had to agitate for a long time to even get a >railway line to connect them to the rest of the country. this is totally back to front. The primary cause of terrorism, and indeed the primary party guilty of terrorism in India *is* the government. For example the war upon the Sikhs started off with government sponsored terror against Sikh civilians, similar to Krystalnacht. We mostly see terrorism in countries with a large and intrusive government, not in countries like Hong Kong where there is massive government "neglect" >- Disenfranchisement: In Kashmir, most elections were rigged, as the central >government pretty much admits now. Oh wow: So the Muslims of Kashmir were more upset by rigged elections than by the murder of women and children. If that is true, why do we not see terror in Hong Kong (no elections until recently) and Singapore, (rigged elections) > The US delegation, on the > other hand, had blacks, different kinds of Asians, Hispanics... and not by > design -- the US section leadership is highly "mixed", so they did not have > to think about multiracialism, it just happened. Pull the other leg. They even have a black lesbian quota. US ambassadorships had gay quota even under Reagan, though not a black lesbian quota. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From bryce at digicash.com Mon Jul 8 13:44:10 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Tue, 9 Jul 1996 04:44:10 +0800 Subject: Laughing my ass off Message-ID: <199607081617.SAA25649@digicash.com> -----BEGIN PGP SIGNED MESSAGE----- Holy Exon that was good!! Please publish a PGP pubkey so that I may send you a token of my appreciation. (A token which is exchangeable for a national currency, perhaps.) Bryce - -----BEGIN PGP SIGNED MESSAGE----- Certificate-Type: Chudov/Wilcox Content/Author Rating Rating-Type: Content Object-ID: Date: Sun, 7 Jul 1996 23:32:37 -0700/From: enquirer at alpha.c2.org Topicality: 10 Entertainment: 10 Value: 8 Signer: 0x2c2998ad Signature: - -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMeE0U0jbHy8sKZitAQF6QwMAqj1CTsV7VzSLBxbwL8vZKG93a1nG8nrn p6WQB7BXQ/0shyjKpaKhfQKiiYVAAcINvfS2Df8ZcAYaEbIzoh3R6jMFvEye3ocp qI1ipX08vdUp8H01CqtDugjfmGt1ZcM6 =Wnyy - -----END PGP SIGNATURE----- -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Auto-signed under Unix with 'BAP' Easy-PGP v1.1b2 iQB1AwUBMeE0kUjbHy8sKZitAQEKIAL+IGV5vlaKU9PL6fGdr2dCGUsDoLNnl+un oWowEa4+Wtw3lAoPN68kEaXd+UPedS+oaxuTNwvFz7SHmS25+BvhTOylYVhs+ASx L0+Cv/BCDqCx22r2EfGm9JSncidwmF9G =mP3K -----END PGP SIGNATURE----- From eadams at voyager.net Mon Jul 8 14:02:39 1996 From: eadams at voyager.net (Eric Adams) Date: Tue, 9 Jul 1996 05:02:39 +0800 Subject: Computing Message-ID: <31E15B77.2888@voyager.net> I am a new person here, so I am not directing this message to any specific person. Answer freely. It seems to me that the computing age is advancing too quickly. I bought an excellent Pentium 75Mhz system about one and a half years ago. Now, I can buy a laptop of the same setup for the same price. I do computer programming and just bought a copy of Borland C++ 5.0 for $300. I expect it to be out-dated very quickly. I dodn't bother with Windows '95, because it is way too buggy and Windows '97 is soon to come. '95 was simply an introduction to what Microshaft can already do. I don't fall for the daily updates, or bug changes, because I know that none of my internet software or printer software will run on it. I wouldn't mind, however, making a program for '95 that would make me a few buck$. I have observed that in the time that the P6 came out, Motorola (if that's how you spell it) has signed with another company to make a Gigabyte RAM chip. Won't that be interesting? From tcmay at got.net Mon Jul 8 14:11:13 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 9 Jul 1996 05:11:13 +0800 Subject: Technology- vs. Human-based Surveillance Message-ID: At 4:35 AM 7/8/96, Deranged Mutant wrote: >Who needs high-tech for a surveillance state? I remember several >years back a Soviet-history class that put a lot of emphasis on the >Czar's totalitarian regime, much of which was already in place when >the Bolshviks took power (and one of the reasons they held it). ... A human-based surveillance state is very expensive, even by the standards of modern America and its bloated government. The recent example of the DDR's "Staasi" provides an example. Hard to hide the extent of the surveillance when so many people are involved. Better, think the Thought Police, to use technology to do the intercepts and pre-screening of the take. Also, the right technology (right for them, not us) makes widespread tapping possible, where human-based systems are not. (As but one example, hard to get human spies into companies on short notice to monitor a target.) In short, technology-based surveillance is "scalable" in a way that human-based surveillance is not. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From perry at piermont.com Mon Jul 8 14:42:17 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 9 Jul 1996 05:42:17 +0800 Subject: Word lists for passphrases In-Reply-To: <960706155139_428652398@emout15.mail.aol.com> Message-ID: <199607081635.MAA10394@jekyll.piermont.com> AwakenToMe at aol.com writes: > > > I have a util that will create a word list starting from > > > aaaaaaaaaaa on up to anythingggggggg basically you could do every > > > combination. Let me know if ya want it. > > > > That would really be of great use for doing wordlist crack runs. It > > must have taken you a long time to write -- generous of you to offer > > it. > > I want to apologize to everyone for being gratuitously nasty > here. It wasn't called for. > > Thats funny. I thought you were being completely serious and I sent you this > file. You are exactly right. it is of GREAT use for doing wordlist crack > runs. If you generate every possible word, you aren't getting any advantage by using crack and not just trying every possibility in your cracker itself. The whole point of trying english words is to try to reduce the search space. I would try to explain this to you, but it probably isn't worth while. Furthermore, generating every possible word is trivial -- its the sort of assignment you give to kids in their first week of programming. No one needs to be given such a program -- its only about four or five lines of C. > Why dont ya check out some realllyyy secure systems and find out what > utils they use to test their own security. Don't teach granpaw to suck eggs, sonny. Perry From Steven.J.Vaughan-Nichols at access.digex.net Mon Jul 8 14:45:47 1996 From: Steven.J.Vaughan-Nichols at access.digex.net (Steven J. Vaughan-Nichols) Date: Tue, 9 Jul 1996 05:45:47 +0800 Subject: Style gettting in the way of clear reporting Message-ID: <199607081653.MAA17946@access5.digex.net> May complains loudly about Meek and other writers style. Meek hardily needs my defense, he's the best in the biz (speaking as another writer, I add, damn it!) But, your problem is simply one of style, not of substance. Like it or not, Meek does communicate well with the vast majority of his readers. His faux-Chandler isn't for everyone, but he makes his points loud and clear. Steven Steven J. Vaughan-Nichols sjvn at access.digex.net http://www.access.digex.net/~sjvn/vna.html QOTD: "You have a job. I work for a living" -- sjvn, freelance writer From perry at piermont.com Mon Jul 8 14:57:33 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 9 Jul 1996 05:57:33 +0800 Subject: [RANT] Giving Mind Control Drugs to Children In-Reply-To: <199607070045.RAA24335@netcom5.netcom.com> Message-ID: <199607081653.MAA10428@jekyll.piermont.com> > tcmay at got.net (Timothy C. May) writes: > The doublethink and hypocrisy of modern society is > astounding. > > When the mother (a single mother, as this is California) > drops her son off with my friend (also single, of course), > she includes several "Ritalin" capsules with instructions on > how to dose her son with this depressant/behavior > modification drug. > > My friend ignores these Ritalins, which upsets the Mom > greatly the next day when she realizes her son has not been > given the tranks that are also known as "Mother's little > helpers." Ritalin is not a tranquilizer or anything like a tranquilizer. It is an amphetamine -- it is a close chemical analog to speed and could only be characterized as a tranquilizer by someone without any knowledge of the drug or its effects. Most people would become very "up" on the stuff, but it has a paradoxical, completely reverse effect on some people who have problems with their dopamine/norephinepherine (sorry, I may have the spellings wrong) systems in their brains that cause them to have difficulty focusing or to become hyperactive -- it calms and focuses such children and adults. The support newsgroup on Usenet for people with ADD discusses this in detail. Most people would have no particular urge to stop a child with diabetes from taking her insulin. Your friend seems to have the sick idea that they know better than the child's parents whether the child should be taking their meds or not, simply because the medication is for a "mental" problem. This isn't your friend's child. Its someone else's child. They have no right to make such decisions. Oh, and by the way, Ritalin has never been known in slang as "mother's little helper". That would be a tranquilizer taken by the mother to help her get through her own day. Perry From perry at piermont.com Mon Jul 8 14:58:48 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 9 Jul 1996 05:58:48 +0800 Subject: [RANT] Giving Mind Control Drugs to Children In-Reply-To: Message-ID: <199607081713.NAA10490@jekyll.piermont.com> Timothy C. May writes: > At 1:14 PM 7/7/96, Simon Spero wrote: > >On Sat, 6 Jul 1996, Timothy C. May wrote: > >> > >> When the mother (a single mother, as this is California) drops her son off > >> with my friend (also single, of course), she includes several "Ritalin" > >> capsules with instructions on how to dose her son with this > >> depressant/behavior modification drug. > > > >Er... Tim... Ritalin is an amphetamine. > > Whatever. It acts as a calmant/tranquilizer/depressant on many. Only those who have ADD, which you claim doesn't exist. > (As with many drugs, there are apparently paradoxical effects. Alcohol is a > downer for some, and upper for others.) Alcohol is a CNS depressant for all. Lowering inhibitions tends to make people relax and "party", but it doesn't have particularly paradoxical effects. .pm From perry at piermont.com Mon Jul 8 15:01:17 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 9 Jul 1996 06:01:17 +0800 Subject: [RANT] Giving Mind Control Drugs to Children In-Reply-To: Message-ID: <199607081710.NAA10477@jekyll.piermont.com> Sandy Sandfort writes: > On Sun, 7 Jul 1996, Simon Spero wrote: > > > On Sat, 6 Jul 1996, Timothy C. May wrote: > > > > > > ...she includes several "Ritalin" > > > capsules with instructions on how to dose her son with this > > > depressant/behavior modification drug. > > > > Er... Tim... Ritalin is an amphetamine. > > Yes, normally, but doesn't it have a paradoxical reaction for > hyperactive children (i.e., it acts as a depressant for them)? 1) If you believe that Ritalin has a different effect on hyperactive children, that would seem to indicate that the May hypothesis that hyperactivity isn't a biological phenomenon is false. 2) Yes, it appears that Ritalin has s different effect on children with ADD, in that it reduces their symptoms. "depressant", though, isn't the right term. 3) Of course, this isn't a crypto mailing list any more, so why NOT discuss every topic under the sun. .pm From perry at piermont.com Mon Jul 8 15:30:08 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 9 Jul 1996 06:30:08 +0800 Subject: [RANT] Giving Mind Control Drugs to Children In-Reply-To: Message-ID: <199607081725.NAA10514@jekyll.piermont.com> Timothy C. May writes: > From what I've read--and I'm no expert, having long had essentially the > _opposite_ of "attention deficit disorder," assuming it really even > exists!--most children getting Ritalin are just being sedated. Speed is not a sedative. Ritalin is amphetamine, not a barbituate. For most people, its like drinking lots of coffee -- it seriously increases attention and lowers your ability to sleep. > Behavior control in its purest form. While the kids stop their > wandering attention and constant physical motions, it's because > they're in a mental fog, just one step away from drooling. Thats not what Ritalin does to *anyone*. If anything, amphetamines are abused by people who want to remain awake and alert. Perry From tcmay at got.net Mon Jul 8 15:35:56 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 9 Jul 1996 06:35:56 +0800 Subject: The Net and Terrorism Message-ID: Thanks for the fine comments (and the comments from your shrink-wrapped friend on Ritalin). A very few comments: At 8:16 AM 7/8/96, Arun Mehta wrote: >because you were taught hate, doesn't mean you won't outgrow it. My mother >was active in the freedom struggle against the British, and told me enough >horror stories that I grew up hating them. But once I met some perfectly >decent specimens, it evaporated. This is my experience, too, with using common sense in deciding which races, if any, to hate. >India is a large, diverse country with lots of injustice, poverty and other >problems. When we analyze what breeds terrorism, we find aspects such as: > >- Severe neglect by the government (i.e. problems keep getting worse): For >instance, the north east (which is east of Bangladesh, and has a long >history of militant opposition) had to agitate for a long time to even get a >railway line to connect them to the rest of the country. A case, of course, where the government set the policy on who to connect, based on votes and influence. In a market economy, regions get connected by rail when a market for goods to be shipped appears likely, when customers will pay for tickets, etc. (Until the last several decades, this is the way railroads and shipping in the U.S. expanded. J.J. Hill built the "Great Northern" rail line across the northern part of the U.S. without a dime of subsidy and without much interference by government.) >- Meddling by politicians: in Punjab, there was a Sikh regional party that >was quite strong. To erode its popular base, Indira Gandhi encouraged the >fundamentalists on its right. Similarly, Rajiv Gandhi's government helped >train the Tamil LTTE. Both paid for these blunders with their lives, at the >hands of the very groups they had once tried to foster. This "tactical move" of pitting one religious or ethnic group against another should be a lesson for the rest of us. Much better to take a hands-off attitude and essentially pretend that differences don't matter. (As opposed, say, to giving special privileges to Baptists, blacks, Catholics, etc.) In this regard, I think the U.S. got it "right" (though we are drifting toward a "minority rights" situation, which is sowing the seeds of Indian-style sectarian conflict, e.g., the riots in Los Angeles a few years ago). (Arun is now quoting someone else) >>The U.S. has a level of tolerance for diversity that I >>only recently came to >>appreciate. We hosted a foreign exchange student from Scotland (hardly >>culture shock to him), but he surprised me when he commented on how >>surprised he was that different groups of people were mixed together > >I've had a similar experience. I was part of the Indian delegation to a >couple of Amnesty International International Council meetings. In this >organisation, multiracialism and multiculturalism are heavily promoted. But >if you looked at delegations from Europe, even from countries with sizable >racial minorities, they were typically all-white. The US delegation, on the >other hand, had blacks, different kinds of Asians, Hispanics... and not by >design -- the US section leadership is highly "mixed", so they did not have >to think about multiracialism, it just happened. Of course, given the >"melting pot" ethos in the US, this is hardly surprising. Indeed, Americans are often branded as racist yahoos by the enlightened, racially-tolerant folks of Europe. They cluck at our "racial problems." However, America is a melting pot, as Arun notes. On a daily basis we interact with blacks, Asians, Mexicans, whites of all flavors, etc. Blacks, for example, are very well-represented in so many areas (not science and technology, for educational/cultural/image reasons--see Note if you want to hear why). For anyone who buys the UNESCO line about how American is a fundamentally racist society, a visit for a few weeks should clarify things. There is still a lot of racial separation, by choice and not by law, and economic disparities. But the fact is that the races mix on a daily basis, with little or no conflict. Music, sports, entertainment, business, etc. (Note: For various cultural and image reasons, science and technology are _not_ emphasized as careers for black children. Contrast the image of science in predominantly black environments with the image of science in, say, predominantly Jewish environments. The result is clear: blacks are severely underrepresented in these areas, and Jews are overrepresented in these same areas. Hey, I'm just citing a basic truth of our times, at least in this country. Similar statistics apply to Asians, with more than half of all U.C. Berkeley science and engineering undergrad students being Asian, and something less than 3% of them being black. The figures for who _graduates_ are even more skewed. There are various reasons for this. One of my pet peeves is how the terms "dweeb," "nerd," and "geek" are used to characterize science and engineering majors and professionals. Hardly terms that are likely to make a brother in the hood consider studying science!) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Licensed Ontologist | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From habs at warwick.com Mon Jul 8 15:54:55 1996 From: habs at warwick.com (Harry S. Hawk) Date: Tue, 9 Jul 1996 06:54:55 +0800 Subject: [RANT] Giving Mind Control Drugs to Children In-Reply-To: <199607081725.NAA10514@jekyll.piermont.com> Message-ID: <199607081628.MAA16827@cmyk.warwick.com> I've taken Ritalin as both an adult and a child. It is by experiance not a sedative. It helps me focus more and increase my attention span. It is as perry indicates a amphetamine. > > > Timothy C. May writes: > > From what I've read--and I'm no expert, having long had essentially the > > _opposite_ of "attention deficit disorder," assuming it really even > > exists!--most children getting Ritalin are just being sedated. > > Speed is not a sedative. Ritalin is amphetamine, not a barbituate. For > most people, its like drinking lots of coffee -- it seriously > increases attention and lowers your ability to sleep. > > > Behavior control in its purest form. While the kids stop their > > wandering attention and constant physical motions, it's because > > they're in a mental fog, just one step away from drooling. > > Thats not what Ritalin does to *anyone*. If anything, amphetamines are > abused by people who want to remain awake and alert. > > Perry > -- Harry Hawk, Manager of Interactive Communications Warwick Baker O'Neil, 212 941 4438, habs at warwick.com "the strength of our liberty depends upon the chaos and cacophony of the unfettered speech the First Amendment protects" "As the most participatory form of mass speech yet developed, the Internet deserves the highest protection from governmental intrusion" Philadelphia Federal Judges Panel ( Dolores K. Sloviter, chief judge of the 3rd U.S. Circuit Court of Appeals, and U.S. District Court Judges Ronald L. Buckwalter and Stewart Dalzell.) From sunder at dorsai.dorsai.org Mon Jul 8 16:24:59 1996 From: sunder at dorsai.dorsai.org (Ray Arachelian) Date: Tue, 9 Jul 1996 07:24:59 +0800 Subject: What remains to be done. In-Reply-To: <199607041710.NAA00995@unix.asb.com> Message-ID: On Thu, 4 Jul 1996, Deranged Mutant wrote: > There's a need for something that will work under Win95, WinNT, > and/or OS/2 for encrypting partitions. Aside from a few commercial > or shareware apps which use some variant of DES, there's little out there. > (One problem is that DD kits for Win95/NT and OS/2 cost $$$.) Yeah, I'm kinda lusting after something that would work under NT as well as under 95. Too bad NT won't allow the use of BIOS INT 13 calls so that one may load the SecureDrive TSR. :( I don't have OS/2, but if I did you could easily add that to the list. I'm constantly switching between NT and 95 and have them installed on the same drive. Would be cool to have some low level driver to encryption from the Master Boot Record for example to get around unfriendly OS's- but then NT won't respect the BIOS calls, 95 in 32 bit mode won't, Linux sure as hell wont, etc.... that was the whole idea of having a BIOS in the first place, but woe is us. ========================================================================== + ^ + | Ray Arachelian |FL| KAOS KERAUNOS KYBERNETOS |==/|\== \|/ |sunder at dorsai.org|UL|__Nothing_is_true,_all_is_permitted!_|=/\|/\= <--+-->| --------------- |CG|What part of 'Congress shall make no |=\/|\/= /|\ | Just Say "No" to|KA|law abridging the freedom of speech' |==\|/== + v + | Janet Reno & GAK|AK| do you not understand? |======= ===================http://www.dorsai.org/~sunder/========================= Key Escrow Laws are the mating calls of those who'd abuse your privacy! From hua at XENON.chromatic.com Mon Jul 8 16:51:58 1996 From: hua at XENON.chromatic.com (Ernest Hua) Date: Tue, 9 Jul 1996 07:51:58 +0800 Subject: SAFE forum -- remarks of Herb Lin In-Reply-To: <9606058365.AA836589679@nas.edu> Message-ID: <199607081836.LAA23597@server1.chromatic.com> > My experience with the FBI and other law enforcement officials is that > they are honorable people trying to do a very hard job. Very good point. However, their primary representatives are still Louie Freeh, Jim Kallstom (sp?) and a few others who specialize in technologically-inaccurate hype. They have special backdoor access priviledges to Congress which none of us have (at least on the scale with which they can summon). They do NOT have to answer to anyone, except on warm and fuzzy Congressional hearings during which the technical inaccuracy of their words are rarely challenged. I would give a lot to have a public one-on-one discussion/debate with Freeh or Kallstrom. The problem is that they will stick to the obvious sound bites of "child pornographers" and "terrorists" instead of discussing the technical issues. I do agree that, if Freeh and cypherpunks would stop the hyperbole, and start discussing what would help privacy as well as law enforcement, then much more useful If Freeh and Kallstom played fair, and did not insist on behind-the-scene lobbying for Digital Telephony and GAK, then I might even consider compromising my hard-line stance against GAK and encryption regulation. However, they insisted on pushing it even when they could not get enough public support. Right now, THEY have the power, THEY have the access, THEY do not have to answer to us (and the Devil is always in the details), so I think it is a bit unfair to say that some cypherpunk is being too harsh on the FBI. They (the FBI) are supposed to serve us. Instead, they are taking away our own control of our lives. It reminds me much of the power-hungry MIS suit who swoops in and takes away all of our root passwords without setting up the backups and the firewalls and add to our productivity. We can get some solutions for both sides, but it takes work, and Freeh and Kallstrom (and Clinton) cannot get political credits for these more subtle solutions, so they must choose between highly-visible (but technically wrong) solutions and real (but possibly thankless) solutions. I get the feeling I know what they are choosing right now. Ern From dp at tir.com Mon Jul 8 17:27:50 1996 From: dp at tir.com (dp) Date: Tue, 9 Jul 1996 08:27:50 +0800 Subject: doubleclick monitoring web browsing habits Message-ID: <199607081942.PAA15748@tir.com> How do I get off the list....... From janke at unixg.ubc.ca Mon Jul 8 17:44:30 1996 From: janke at unixg.ubc.ca (janke at unixg.ubc.ca) Date: Tue, 9 Jul 1996 08:44:30 +0800 Subject: Pseudo-DC-net Project Message-ID: <199607081845.LAA00269@clouds.heaven.org> -----BEGIN PGP SIGNED MESSAGE----- I am working on a project to implement a variation of a DC-net to be run over the Internet. I am posting this summary to find out if it overlaps with projects others are working on; to see what members of the lists think of the general ideas for the network I have in mind; and to see if anyone is interested in helping me out. The variation of a DC-net I have in mind will vary in three important ways from a true DC-net: Difference (1) (Pseudo-random numbers) It will use pseudo-random numbers in place of true random numbers. Difference (2) (Star shaped network) The graph of the network will be star shaped instead of completely connected. Difference (3) (MACs) Messages broadcast on the pseudo-DC-net will have a MAC appended in a key shared by the channel participants. Difference (4) (Encryption) Messages sent to the channel will be encrypted in a key shared by the participants. Because of these difference from a true DC-net I will refer to the network I have in mind as a "pseudo-DC-net". Difference (1) is desirable since current techniques for generating true random numbers on PC's are slow, and distribution of the resulting true random numbers is enormously consumptive in terms of bandwidth. Difference (2) is made possible by the use of pseudo-random number generators, and is desirable since it reduces the total number of messages that need to transferred. Difference (3) is desirable to identify messages broadcast by unauthorized parties to the network, and, as a side benefit, to help clients filter out collisions--- when two parties try to broadcast at the same time. Difference (4) is desirable so that eavesdroppers cannot determine what messages are being broadcast to the network. Difference (1) implies a downgrading of the level of anonymity from unconditional to cryptographic, and difference (2) opens the possibility for protocol attacks. I would like to break this project up into three parts: a formal protocol specification, a client implementation or implementations, and a server implementation or implementations. I would like the formal protocol specification to be publicly available to allow anyone to write their own clients and servers, and to communicate their criticisms of the protocol. The protocol will not dictate what pseudo-random number generator is to be used, although there will be a note of a rule to ensure that pairs of users are using the same generator for the "coin flips" they share. Similarly, the protocol should be flexible enough to allow the use of any reasonable length MAC. A general outline of the protocols I have in mind are as follows: Protocol (1) (Channel registration protocol) Channels will be registered with the server. A channel will be specified by a time frame in which a pseudo-DC-net is to be run; the IP address and port to which clients are to connect to join the channel; the length of each message block to be transmitted to the channel; and a channel ID. Protocol (2) (Pseudo-DC-net real-time protocol) The protocol for running the channel will consist of a series of "rounds". Each round will consist of the following steps: Step (1) The transmission of a round synchronization number from the server to the clients, along with a string of bits specifying the set of users connected. Old clients should make sure that the synchronization number is consistent with the synchronization number of the previous round. Step (2) Receipt by the server from each client of a block of input for that round. (If the user does not wish to broadcast, this will be the XOR sum of the next blocks in the the pseudo-random number streams shared by the user with the other users (call this sum S). If the user wishes to broadcast, it will be the encryption of the following: the XOR of S with a message consisting of the concatenation of the channel id, round number, message length, message, message padding, and MAC of these five components.) Step (3) Transmission from the server to each client of the XOR sum of the blocks received. Protocol (3) (Optional Payment Protocol) I would like to add the option for the server to charge e-cash for the administration of the channel. I have also thought about an extension in which messages to the server would be signed so that the server could prevent an unauthorized user from hijacking a connection and disrupting a channel. If you would like to help me out with this project, if it overlaps with something you are already doing or have done, or you just think my ideas are no good (or good! :) ), please let me know. I am especially interested in attacks in which the server lies about the round number or set of connected users. If this project is works out well, I would like to later work on protocols for voting using a pseudo-DC-net. Leonard Janke (pgp key id 0xF4118611) -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQEVAwUBMeFVY0MBIFf0EYYRAQErKwf+OcQjqoODovlRJZtrXuqTGeiRHTobFDa+ DFWEmGl+yditRBt9nAlCgXGiRkCXhqroX30M+SEVw02trc1eBMCeJUSvxB9d0pN6 9x3vDN/XB4Kj6kAuAypulBCa0f74Uim4nJvZDw7boEW/hXY3Yuf7d3mgOsNY/LRT p62FL24wnz8aeBAVYnE6SJp59u9Yssrvb2lez1IuKIdN8Rqx590Fwn1VBZ2oqGk8 6UucJkvTht7XmKPuckND+Lhq7jv1vVZKZD3NRe4Uy21JstwKwwpuVXVX98YlNc+Y a15wW4WstZIzsKuPrYVsLsb+wXsETp1sgp5jDkKQABfit7XS8FVC9g== =KZsI -----END PGP SIGNATURE----- From gary at systemics.com Mon Jul 8 17:57:30 1996 From: gary at systemics.com (Gary Howland) Date: Tue, 9 Jul 1996 08:57:30 +0800 Subject: [Announcement] - Crypto library for Java available Message-ID: <31E159E2.1CFBAE39@systemics.com> The Systemics Cryptix crypto library for Java is now available for download at http://www.systemics.com/software/ The library is FREE FOR COMMERCIAL AND NON-COMMERCIAL USE. Apart from much tidying up, there have been several signigicant additions to the library, including a Blowfish implementation, RSA encryption (including key generation routines), CFB and CBC block cipher mode modules, and a cryptographically secure random InputStream. Enjoy! CRYPTIX 1.1 - CRYPTOGRAPHIC EXTENSIONS FOR JAVA _________________________________________________________________ DESCRIPTION This library contains a suite of cryptographic classes for Java. Some of the classes have been implemented in native code for performance reasons, and have been tested on Windows 95, Windows NT, Solaris, Linux and IRIX. The package documentation is available on line. FEATURES All of the following have been implemented: * java.crypt.BlockCipher This class is a base class for all block ciphers. * java.crypt.Blowfish (based on code from A.M. Kuchling, Bryan Olson and Bruce Schneier) An implementation of Bruce Schneier's Blowfish block cipher. * java.crypt.CipherFeedback A class for implementing the cipher feedback mode of block cipher encryption. * java.crypt.CSRandomStream A cryptographically secure pseudo random input-stream. * java.crypt.DES (based on code from Eric Young) An implementation of the DES block cipher. * java.crypt.HashMD5 An class encapsulating MD5 hashes. * java.crypt.HashSHA An class encapsulating SHA hashes. * java.crypt.IDEA An implementation of the IDEA block cipher algorithm. Based on native libraries. * java.crypt.MD5 (based on code from RSA Data Security, Inc.) An implementation of the MD5 message digest algorithm. Based on native libraries. * java.crypt.MD5OutputStream An output stream the creates an MD5 hash of its input. * java.crypt.MessageDigest A base class for all messsage digest algorithms. * java.crypt.MessageDigestOutputStream A class for using message digest functions to hash an output stream. * java.crypt.MessageHash A base class for classes encapsulating hashes. * java.crypt.rsa.PublicKey An RSA public key. * java.crypt.rsa.RSAKeyGen A class for generating RSA public/secret key pairs. * java.crypt.rsa.SecretKey An RSA secret key. * java.crypt.SHA (based on code from NIST and Peter C. Gutmann) An implementation of NISTs SHA message digest algorithm. Based on native libraries. * java.crypt.SHAOutputStream An output stream the creates an SHA hash of its input. * java.crypt.StreamCipher A base class for stream ciphers. * java.math.BigInteger (based on code from Eric Young). This class implements arbitrary length integers and some associated mathematical functions. Based on native libraries. * java.math.MPI A class for converting BigIntegers to and from MPI format integers. * java.math.PRNG A class for generating a pseudo random sequence with a period of 2**160. * java.math.RandomStream An input stream that is random. * java.math.TestPrime A class for testing the primality of BigIntegers. COPYRIGHT This library includes (or is derived from) software developed by (and owned by) the following: * Peter C. Gutmann * A.M. Kuchling * NIST * Bryan Olson * RSA Data Security, Inc. * Bruce Schneier * Eric Young <eay at mincom.oz.au> Other parts of the library are covered by the following licence: Copyright (c) 1995, 1996 Systemics Ltd (http://www.systemics.com/) All rights reserved. This library and applications are FREE FOR COMMERCIAL AND NON-COMMERCIAL USE as long as the following conditions are adhered to. Copyright remains with Systemics Ltd, and as such any Copyright notices in the code are not to be removed. If this code is used in a product, Systemics should be given attribution as the author of the parts used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by Systemics Ltd (http://www.systemics.com/) THIS SOFTWARE IS PROVIDED BY SYSTEMICS LTD ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.] _________________________________________________________________ From Ryan.Russell at sybase.com Mon Jul 8 18:08:05 1996 From: Ryan.Russell at sybase.com (Ryan Russell/SYBASE) Date: Tue, 9 Jul 1996 09:08:05 +0800 Subject: Web redirector to defeat kiddie-filters? Message-ID: <9607082055.AA23265@notesgw2.sybase.com> Well, sort of..... http://www.mordor.com/neslon/decide/ Ryan From wendigo at gti.net Mon Jul 8 18:21:31 1996 From: wendigo at gti.net (Mark Rogaski) Date: Tue, 9 Jul 1996 09:21:31 +0800 Subject: The Net and Terrorism In-Reply-To: Message-ID: <199607082044.QAA20776@apollo.gti.net> -----BEGIN PGP SIGNED MESSAGE----- An entity claiming to be Timothy C. May wrote: : : (Note: For various cultural and image reasons, science and technology are : _not_ emphasized as careers for black children. Contrast the image of : science in predominantly black environments with the image of science in, : say, predominantly Jewish environments. The result is clear: blacks are : severely underrepresented in these areas, and Jews are overrepresented in : these same areas. Hey, I'm just citing a basic truth of our times, at least : in this country. Similar statistics apply to Asians, with more than half of : all U.C. Berkeley science and engineering undergrad students being Asian, : and something less than 3% of them being black. The figures for who : _graduates_ are even more skewed. There are various reasons for this. One : of my pet peeves is how the terms "dweeb," "nerd," and "geek" are used to : characterize science and engineering majors and professionals. Hardly terms : that are likely to make a brother in the hood consider studying science!) : I attended a school in the Pittsburgh area that had an active recruiting effort centered in Philadelphia. Thus, most of the black students were from inner-city Philly. What I noticed about their failure to show up in upper level math/science classes was that they had to spend too much time in remedial classes to undo the damage done by city schools. Considering the percentage of America's black population that lives in urban areas, that seems to explain the lack of black representation. Even more distressing on the whole was the lack of female students in the Comp. Sci. department ... but that's another story. As for the slang, I don't think it's going to attract white kids from the suburbs either. Screw the stereotypes, it's a little too close to the "They could but they don't have the drive/will/intelligence" arguments to say that Dilbert cartoons are going to turn off a "brother in the hood" to math/science. Also, most of the Asian students at my school were not US citizens. Most were from China or Japan. mark - -- Mark Rogaski | Why read when you can just sit and | Member GTI System Admin | stare at things? | Programmers Local wendigo at gti.net | Any expressed opinions are my own | # 0xfffe wendigo at pobox.com | unless they can get me in trouble. | APL-CPIO -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMeFzDg0HmAyu61cJAQFSqgP/YH7+mjoAqIcGcyM5OfciOdfebjBPfPK7 f7hIUdxO55E2JDusOqJUtmxq9SRaBvYoNh95T2yKvK6PQZm2ott5E2nP9f4YbOAy ejRD4WX3pdxJTFEcbJgaQeNCsDl8n59HMV/Q76PY4CluIzARSYFt7kN1oyB4oIhU hCxdiNEkeLY= =KksE -----END PGP SIGNATURE----- From snow at smoke.suba.com Mon Jul 8 18:23:27 1996 From: snow at smoke.suba.com (snow) Date: Tue, 9 Jul 1996 09:23:27 +0800 Subject: [RANT] Giving Mind Control Drugs to Children In-Reply-To: <1.5.4.32.19960708130935.002db9e0@giasdl01.vsnl.net.in> Message-ID: On Mon, 8 Jul 1996, Arun Mehta wrote: > Ritalin is a lifesaver for a small % of children who suffer from a condition ^^^^^^^ Key word here. ||||||| > Ritalin... mother was furious. > > Some of the kids who use foul language (a very small %) have Tourette's > disease, and also need medicine (a different one)... by and large the Bullshit. Most kids (these days) who use profanity are simply undisiplined louts. Yes, I use profanity today, at 28. However, I would NEVER have called my mother a "Fucking Asshole" under ANY circumstances, My father would have torn my head off. In fact if my father had caught me speaking like that to ANYONE at 8 years of age, I would have had trouble sitting for a couple days at least. Of course my parents made sure not to talk like that around me. > politically correct thing is sometimes to label a kid as sick rather than > bad or spoiled, this is probably why drugs are over-used. But we can't > throw the baby out with the bathwater! On the other hand, if only 20% of the children that are being drugged need it, that means that we are sacrificing 80% of these children to save 20%. Drugs are supposed to be for fun, not for long term behavior modification. People need to learn to deal with life. Petro, Christopher C. petro at suba.com snow at crash.suba.com From winn at Infowar.Com Mon Jul 8 18:36:22 1996 From: winn at Infowar.Com (winn at Infowar.Com) Date: Tue, 9 Jul 1996 09:36:22 +0800 Subject: InfoWarCon V: DC Message-ID: <199607081810.OAA23694@mailhost.IntNet.net> * * * * * * * P L E A S E D I S T R I B U T E W I D E L Y * * * * * * * InfoWarCon 5, 1996 Electronic Civil Defense for the 21st. Century The Convergence of the Commercial and the Military Sectors: Vulnerabilities, Capabilities and Solutions September 5-6, 1996 Washington, DC Sponsored by: Winn Schwartau, Interpact, Inc./Infowar.Com National Computer Security Association/NCSA.Com Robert Steele, OPEN SOURCE SOLUTIONS, Inc./OSS.Net Sponsoring Organizations: Command Software Systems Digital Equipment Corporation Norman Data Defense IBM Phillips Publications Jane's Information Group Historically, civil defense has meant to protect citizenry against hostile military actions. Today, with the specter of Information Warfare representing new challenges to late-industrial and information age nation-states, the rules have radically changed. Societies are rapidly migrating to increased dependance upon four critical interrelated infrastructures and adequate methods of protection must be developed: - The Power grid is the basis of most of modern society. With it gone, not much else happens. If you think this is just a matter of building more generators, think again--what happens if the factories that *make* the generators are taken down, too? - The Communications infrastructure: land, sea, air and satellite. 95% of military communications go over the public networks, and 100% of all financial and industrial communications. Is it worth protecting? - The Global Financial structure depends upon the first two infrastructures, and is perhaps the most vulnerable to theft and denial of service attack. 99+% of all "wealth" is digital--what happens if it vaporizes? - Transportation systems rely upon the other three. The air traffic systems require both power and communications to manage the thousands of airplanes in the sky. What happens to the thousands of airplanes in the air if air traffic control across an entire country goes down? Without all of these infrastructures properly and reliably functioning, the private sector and the national security community cannot function. No heat, no air conditioning, no food distribution, no light, no radio or TV, no Internet. Are we prepared? Do we have a a crisis response for the day money as we know it vanishes? Electronic Civil Defense will soon become a critical component of any nation's well being while the needs of both the private sector and government converge. The convergence of military and civilian interests that Mr. Schwartau predicted two years ago is happening before our eyes. Defensive and commercial postures have so intertwined as to make them indistinguishable. This Fifth International Conference on Information Warfare is an unclassified, open source forum, and will examine the myriad questions of Electronic Civil Defense from the US, International and multi-cultural perspectives. Our seasoned experts will work with InfoWarCon5 delegates to outline a framework for the vulnerabilities, threats, risks and solutions for Electronic Civil Defense. From this conference participants will be able to draw critical insights which will improve their own legislative, regulatory, financial, and operational readiness and security. Last year's Washington InfoWarCon brought together over 600 people and was covered by CNN among other major media organizations. This year key world players in information warfare from the economic, military, and law enforcement communities of over 30 countries are expected to participate. Be prepared for highly interactive sessions with plenty of audience participation. Please bring your opinions and be ready to discuss them with us all! PRELIMINARY SCHEDULE September 4, 1996 16:00 - 20:00 Registration Begins 18:00 - 20:00 Sponsored Reception for attendees, speakers, sponsors and the press. Light food fare and liquid refreshments. Meet Mr.Schwartau, Mr. Steele, Dr. Kabay and many of our other world-class speakers. September 5, 1996 6:30 - 7:50 Registration 7:50 - 8:00 Welcoming Comments and Administration: Dr. Peter Tippett, NCSA Winn Schwartau, Interpact, Inc. 8:00 - 8:30 Keynote Presentation: "National Security in the Information Age" Senator William Cohen (R-Maine) * 8:30 - 9:00 "A Commander in Chief's View of Rear-Area, Home-Front Vulnerabilities and Support Options." General John J. Sheehan, U.S. Supreme Allied Commander, Atlantic, Commander-in-Chief Atlantic Command 9:00 - 9:30 "Global Finance: Protection in the Age of Electronic Conflict" Colin Cook, V.P. Information Security, Citibank * 9:30 - 10:00 "We Can't Do It Without the Private Sector" Ken Minihan, Director, NSA * 10:00-10:30 Break 10:30-11:45 National Policy Reviews of Electronic Civil Defense Programs Ms. Sally Katzen, Administrator for Information and Regulatory Affairs, Office of Management and Budget, USA Dr. Anders Eriksson and Peter Wallstroem, National Defence Research Establishment, Dept. of Defence Analysis: Sweden Dr. Leroy Pearce, Canada, What is the current thinking in Electronic Civil Defense? How do plan on protecting our citizens against invisible unnamed assailants? What are the top policy makers planning for? International experts will present their views as well. 11:45 - 13:15 Sponsored Lunch 12:30 - 13:00 Luncheon Address 13:15 - 14: 30 Breakout Sessions A1 - A4 A1 A Military Briefing: The Electronic Projection of Power in a C4I World Moderated by General Jim McCarthy, USAF (Ret) Barry Horton, Principle Deputy Assistant Secretary of Defense for C3I * Captain Patrick Tyrrell, Assistant Director, Information Warfare Policy, Ministry of Defence, United Kingdom A2 Protecting the Global Financial and Communications Infrastructures: Weaknesses at the Transport Layer Ron Eward, Martech, Inc. One scary session. Forget about HERF Guns and hackers. Mr. Eward will tell us how to wreak disaster with a few well placed pick- axes, from New York to Palermo to Taipei. An incredible research effort with global on the generally forgotten physical underpinnings of Cyberspace. Do not miss his tremendously important findings. Messrs. Eward and Schwartau upcoming book on this overlooked topic will shake the financial global community. A3 Media Manipulation, Perception Management and PsyOps Moderated by Dr. Mich Kabay, NCSA Mark Bender, ABC News * Jim Roberts, SOLIC Neil Munro, Washington Technology How can a nation-state use the media to bend the will of an adversary, or leverage its own position prior to, in or after a conflict? Who is really using who? A4 National Defense University Session Moderator - Dr. Dan Kuehl, Professor, NDU Top students from the School of Information Warfare and Strategy, the Nation's top-level school for potential flag officers in the IW arena, will discuss their findings and concerns. 14:30 - 15:00 Break 15:00 - 16:15 Breakout Sessions B1-B4 B1 - Emergency/Disaster Planning for the Effects of Information Warfare: Moderator: Mark Aldrich, Chief Infosec Engineer, GRC International, Inc. Michael Logan, Federal Planning Associate, American Red Cross William W. Donovan, CISSP, FEMA Ken Barksdale, Association of Contingency Planners Assume the worst happens, and an infowar assault takes down major life sustaining portions of the infrastructure. What do we do about it? How do we minimize the damage and protect the victims and citizens? These esteemed experts will tell you what they think and then invite your comments. B2 Legal Liabilities and Responsibilities in Information Warfare Danielle Cailloux, Judge, Committee on Intelligence, Belgium Charles Dunlap, Judge Advocate, USAF Kenneth Bass III, Cyber-Attorney, Washington If a company is attacked and it loses significant assets, what are the recourses of the stakeholders? How do we measure and evaluate the losses and responsibility? On the military side, what constitutes an Act of War and what steps are necessary to formulate a response? B3 The Forensics of Information Wafare for Law Enforcement Moderated by Michael Anderson, New Technologies Investigation Division Howard Schmidt, Director, AF Office of Special Investigations Ken Rosenblat, Santa Clara County Prosecutor, Author "High-Technology Crime: Investigating Cases Involving Computers" How can you tell you are under attack? Once you determine you are, how do you make a case which will stand up in court? How do you collect evidence? How do you involve law enforcement without compromising your efforts? Experts share years of experience with you. B4 Naval Postgraduate School Session Moderator: Dr. Fred Levien, NPS Top field grade students from the Naval Postgraduate School in Monterey, California will present InfoWar papers and concepts. 16:15 - 16:45 Break 16:45 - 18:00 The Hacker/Underground and Social Engineering Moderated by: Nic Chantler, Australian Intelligence (Ret) Andy Mueller-Maguhn, CHAOS Computer Club, Germany Chris Goggans, co-founder, Legion of Doom, USA John Gilmore, Electronic Frontier Foundation If you've ever wanted to know how hackers think; what makes them tick and how they became the first Information Warriors, here are the people who can answer your questions. These sessions are among the most popular at every InfoWarCon. Gilmore will present his unique concepts for Defensive Information Warfare. 18::00 - 20:30 Sponsored Reception/"Live Hackers" Off-Line September 6, 1996 6:30 - 7:50 Continental Breakfast 7:50 - 8:00 Opening Remarks and Administration 8:00 - 8:30 "Domestic Law Enforcement and Electronic Civil Defense" Louis Freeh, Director, FBI * 8:30 - 9:00 "The Convergence of Military and Civilian Defense" General Jim McCarthy, USAF (Ret) 9:00 - 9:30 "What is National Security?" Michael R. Nelson, Ph.D. Special Assistant for Information Technology White House Office of Science and Technology Policy 9:30 - 10:00 "Building a Society from the Net Up" Pedrag Pale, Chairman of the InfoTech Coordinating Committee, Ministry of Science, Technology and Informatics, Croatia 10:00-10:30 Break 10:30-11:45 The Russians are Coming Moderated by: Greg Treverton, Director of National Security Program, Rand Corporation From academia to the military to their business community, the Russians have been thinking long and had about Information Warfare. Here's what they have to say. Get front row seats and be ready to ask your questions. Dr. Victor I. Solntsev, Assoc. Prof. Moscow State Tech. Univ. "Information Warfare and Human-Operator Security" Dr. Dmitry Chereshkin Russian Academy of Sciences; Editorial Board, "Information Infrastructure and Policy." Dr. Georgy Smolian Russian Academy of Sciences and Scientific Council "Democratization of Russia and Information Security." 11:45 - 13:15 Sponsored Lunch 12:30 - 13:00 Luncheon Address 13:00 - 14: 15 Breakout Sessions C1-C4 C1 Corporate Civil Defense: Moderated by Don Sortor, Director Security Prgms, Corp. InfoSec., Motorola, Inc. A team of cross-industry experts from the primary infrastructures, will examine how industry and government can and should interact in the event of an Electronic Pearl Harbor. What is the role of the company and its management? What policies should be put into place to prepare for the malicious Acts of Man? How should the government work with the private sector to mitigate damages? These experts will set you on the right track. C2 Denial of Service in the Private Sector: The Nuclear Weapons of the Information Age: Magnetic Weapons from the Military to Electronic Pipe Bombs Carlo Copp, Defense Analyst, Australia Kelly Goen, Penetration and Security Engineer Get Seats Early! Magnetic weapons; directed energy weapons; HPM; HERF Guns; electromagnetic pulse cannons and EMP. Learn about the latest in high energy weapons systems and how they can be used to attack and destroy critical electronically based infrastructures. Then find out what the terrorist can do with home-brew electronic pipe bombs. C3 The Net Under Attack Dr. Dorothy Denning, Chair, Computer Science Dept., Georgetown Univ. Jim Christy, Permanent Subcommittee Investigations U.S. Senate (And USAF OSI) What makes an attack on the Internet and what do we do about it? Ms. Denning is an internationally recognized expert who will guide us and her panel of experts through the maze of possibilities. Incredibly valuable for security professionals. C4 USAF School of Advanced Airpower Studies Moderated by Col. Richard Szafranski, USAF, Air War College National Military Strategy Col. Szafranski and his top students will discuss their views, opinions on Information Warfare. The USAF SAAS has produced some of the most revolutionary papers in IW, including the now globally recognized papers on taking down telecommunications and national power systems. 14:30 - 15:00 Break 15:00 - 16:15 Breakout Sessions D1-D4 D1 Anonymous Global Banking: Pitfalls and Solutions Moderated by Bruce Schneier Kelly Goen, Security Engineer Eric Hughes, Cypherpunks Phil Zimmermann * How does anonymous international banking work? Is it merely a front for Criminal Central? Or is there a true value? How do conventional banking institutions view it? What about cryptographic solutions? Are your funds "naked on the Net today? Come see for yourself! D2 The Ethics of Information Warfare Moderated by Winn Schwartau Col. Phil Johnson, Judge Avocate, USAF Dr. Dan Kuehl, NDU While CNN is looking over your shoulder, as a military commander, here is your choice: either use a precision smart bomb which will immediately kill 20 civilians for the world to see. Or, use a non-lethal IW weapon, no immediate TV deaths, but a predicted 200 civilian collateral fatalities within 30 days. What do you do? The Ethical conundra of Information Warfare will be examined from all perspectives. Or: you have been attacked anonymously--you suspect one party, without proof--another attack is coming. What now? Should we develop new intelligence capabilities to permit precision detection and response in cyberwar? D3 National Information Assurance: Cooperation is the Key to Safeguarding Communications, Power and Transportation Moderated by: Major Brad Bigelow, Office of the Manager, National Communications System Jeff Sheldon, General Counsel, Utilities Telecommunications Council Steve Fabes, Director of Electronic Delivery Services, BankAmerica Carl Ripa, VP National Security/Emergency Preparedness, Bellcore Experts from the major civilian infrastructures will discuss how past cooperation between industry and government has echoed economic realities. The bulk of the nations information infrastructure is not under the economic or regulatory control of the Federal government. So, how do we maintain a healthy balance between private initiative and legislative and regulatory actions? Today there is no "due diligence" standard which requires that communications and computing services be guaranteed in terms of security and data integrity. Our panel will provoke an active discussion of remedial cooperative measures. D4 "Understanding and Defending Against Industrial Espionage and Information Terrorism." Tom Fedorek, Managing Director, Kroll Associates New York* Matt DeVost TITLE COMING Charlies Swett, Acting Deputy Director for Low-Intenstity Conflict Policy, Office of the Assistant Secretary of Defense for Special Operations and Low-Intensity Conflict A look at how modern espionage and information is conducted, why it's done and who's doing it. How much can it cost your company and how can you tell if you're targeted? Do not miss this fascinating session which is expected to feature the Kroll Managing Directors from Paris, London, and New York. 16:15 - 16:30 Break 16:30 - 17:00 Wrap Up: "What is War?" Moderated by Dr. Mich Kabay, NCSA General Jim McCarthy, USAF (Ret) John Petersen, President, The Arlington Institute You - The Audience An exciting 'don't miss' interactive audience session. What a closing! (* Speakers with an * have been invited but have not confirmed as of June 28, 1996.) HOTEL INFORMATION: Crystal Gateway Marriott 1700 Jefferson Davis Highway Arlington, VA 22202 The Crystal Gateway Marriott is offereing a special conference rate of $129 single/$139 double occupancy. This rate is good until August 14, 1996. 703-920-3230 (Voice) 703-271-5212 (Fax) CANCELLATION POLICY After August 9th, any cancellation will incur a $100.00 processing fee. If the reservation is not cancelled and no one attends, the full registration price will be charged. Substitute attendees are welcome. InfoWarCon '96 Registration Form: Name: ___________________________________________________________ Title: ___________________________________________________________ Org: ___________________________________________________________ Address: ___________________________________________________________ Address: ___________________________________________________________ City: ___________________________________________________________ State: _______________________________ Zip: _____________________ Country: __________________________ Email: ________________________ Phone: __________________________ Fax: _________________________ FEES: Payment made BEFORE August 9, 1996: ( ) 595.00 NCSA Members/OSS '96 Attendees ( ) 645.00 All others Payment made AFTER August 9, 1996: ( ) 645.00 NCSA Members/OSS '96 Attendees ( ) 695.00 All others Make checks payable to NCSA, or Charge to: ( ) VISA ( ) MasterCard AMEX ( ) Number: ___________________________________________ Exp date: ___________________________ Signature: ___________________________________________ MAIL OR FAX OR EMAIL REGISTRATION TO: National Computer Security Association 10 South Courthouse Avenue Carlisle, PA 17013 Phone 717-258-1816 or FAX 717-243-8642 EMAIL: conference at ncsa.com For more information about NCSA: WWW: http://www.ncsa.com CompuServe: GO NCSA EMail: info at ncsa.com Version: 1.10 Peace Winn Winn Schwartau - Interpact, Inc. Information Warfare and InfoSec V: 813.393.6600 / F: 813.393.6361 Winn at InfoWar.Com From anonymous-remailer at shell.portal.com Mon Jul 8 18:42:39 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Tue, 9 Jul 1996 09:42:39 +0800 Subject: [RANT] Giving Mind Control Drugs to Children [RitalinPunks] Message-ID: <199607082103.OAA07069@jobe.shell.portal.com> Something like 10% of ALL public school students in Tennessee are on Ritalin. Presumably, the percentages are similar in other states. I have trouble believing there are so many kids suddenly suffering from a disorder that wasn't even discovered until a few years ago. The following rant from a Ritalin user may be of interest (though not too relevant to cryptography): ************************************************************************* Occasionally I will see something about the practice of giving kids RITALIN for alleged attention-deficit disorder. I can't think of better evidence that the owners of the schools and the world are trying to destroy the kids in this country. I was big drug-taker. I've also had occasion to receive medication by prescription. I wil admit that I took a lot of amphetamines. Speed that is. I liked it and took it frequently, so I can attest that it has some very attractive char-acteristics that anyone taking it could not help but like at the time. It also has a gigantic letdown that is nearly intolerable. This discomfort leads ANYONE to do something to alleviate it. It's probably a matter of personal preference as to whether the discomfort of the letdown outweighs the positive feeling of the high. If not, people will keep taking speed. Now for reasons, I also had a prescription for ritalin. You know it's a controlled substance. The fact is it's an amphetamine derivative and imparts nearly the exact same experience, though not as sharp-edged. It has the high and the letdown. And people undoubtedly make the same kinds of decisions as is the case with amphetamines. They say that ritalin has a paradoxical effect on kids - meaning, I suppose, that the reasons that make it a controlled substance for adults doesn't apply to kids. Then they say in the same breath that ritalin treats disorders in the ability to concentrate or to pay attention, which are the exact things that speed and ritalin accomplish in adults. Both of these allow someone to focus exclusively on one task in an enjoyable state of mind and body and accomplish it. Any nervousness is just left over from the channeling of all the generated energy into one task. What is created is not only the false sense of security but the false ability to accomplish things. As time goes on, one aspect of the letdown is the now- understood knowledge that speed is generating false successes. This is a depressing realization that can have detrimental ramifications beyond anything to do with the drug. In college, say, false successes on exams are acceptable and desired because this is one occasion in which performance is measured. But when someone's life consists of false successes, false interactions, and false experiences - and the fact that these are false is well-realized - the result can be a very unhealthy individual self-conception whose validity is proved and reproved constantly as amphetamine use continues. I heard recently that now educators and other quacks find that ritalin enhances performance for everyone (I just said that), and they're thinking of prescribing it for that reason. This kind of poisoning of the self-concepts being developed by kids will create a generation of suicidal invalids. The idea is outrageous. This has gotten extremely long, and I wasn't planning on it. But this ritalin thing is so insidious and is so OBVIOUSLY meant to do harm that I have to write this long thing about it. The whole attention-deficit disorder is a fabrication that traitors use to pump kids full of controlled substances. Now i saw yesterday that kids not on ritalin are paying those who have it, stealing to get it, killing to get it, and on and on. Ritalin is speed, and the idea that educators, doctors, and other alleged public servants are colluding in this way to cripple kids into thinking they have no innate skills and no ability to function without a drug is one of the worst things I have come across in my entire life. From janke at unixg.ubc.ca Mon Jul 8 18:47:42 1996 From: janke at unixg.ubc.ca (janke at unixg.ubc.ca) Date: Tue, 9 Jul 1996 09:47:42 +0800 Subject: Synchronization Attack on Pseudo-DC-net's Message-ID: <199607082122.OAA00405@clouds.heaven.org> -----BEGIN PGP SIGNED MESSAGE----- Here's an easy attack on a pseudo-DC-net that I thought up over lunch if the clients trust the server to be honest in telling both the round number and who is on. Let Stephanie be the person running the server, and let Alice and Bob be two users. Let f(n) be the pseudo random function they share. Assume that Stephanie knows their secret encryption key. It is then possible for her to compromise their anonymity as follows: First Alice joins the net, and Stephanie tells her that it is round 100 and Bob is on. Alice sends a messages. Stephanie sends back some random junk to Alice to convince her that there was a collision. Alice backs off for a few rounds. Stephanine now receives f(101), f(102), f(103), etc. and then tells Alice that Bob has left. Alice leaves now. Later Bob joins. Stephanine tells him that it is round 101 and Alice is here. Bob starts talking right away, sending three message: f(101) xor M1, f(102) xor M2, and f(103) xor M3. From this Stephanie is able to recover M1, M2, and M3 by xor'ing f(101), f(102), and f(103), which she has from before, back in. Bob has completely lost his anonymity! Thus, it looks like trusting the server for both who is on and the round number is a bad idea! It might be possible to remove the need for a round number if the number of seconds since channel creation is used instead, and the clients are time synchronized. In that case running the pseudo-DC-net on top of UDP might be preferable to running it on top of TCP. Can anyone think of an attack if the server is just trusted for a list of who is on? If there is one, I guess new clients could ask for signed messages of who is on: "It is 456 seconds since channel creation, and, I---Alice---am on. (signature)". That would complicate the protocol, of course, and cost Nancy---a new client---some time in verifying the signatures. Good attacks so far! Keep 'em coming. :) Leonard Janke (pgp key id 0xF4118611) -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQEVAwUBMeF6nUMBIFf0EYYRAQGITQf/U0Wjpsyb7XpG6uCVFCPNaAYVIJpLeEyk Mxl6X/TQPhJFRclbRJwFoWfwH46M2le/QKHu6nFFjioyYbXofaLWqDeOa61XY5/c 4law80/xxAg9IdzoQp4mAz6QOvToMCOlNE21MCL8YlPrrdhIL4MfAH9gpU8+Otui IH1S5VB7TGE6ttZEx18sKdBUxYeJeU4jrXb4Uj2HEN5inLrhJBic/fsZ0hZXjCAH 5kbZLI8sf+leLyoW03qILeVl8jjYuPy/z16MsY2SDzJ3hFv8nngT9+fzVItX7sO2 ngvqvyUW4SIWfK8XwRWUiMFW7i7gyMcKteSSEJBaEdOZNcGUvXY+5Q== =jmVk -----END PGP SIGNATURE----- From WlkngOwl at unix.asb.com Mon Jul 8 18:47:53 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Tue, 9 Jul 1996 09:47:53 +0800 Subject: What remains to be done. Message-ID: <199607082124.RAA09624@unix.asb.com> On 8 Jul 96 at 14:12, Ray Arachelian wrote: [..] > I'm constantly switching between NT and 95 and have them installed on the > same drive. Would be cool to have some low level driver to encryption > from the Master Boot Record for example to get around unfriendly OS's- but > then NT won't respect the BIOS calls, 95 in 32 bit mode won't, Linux sure > as hell wont, etc.... that was the whole idea of having a BIOS in the > first place, but woe is us. BIOS was written for real mode... part of the problem. Another is the not-made-here syndrome, and in a sense Linux, OS/2, NT and 95 are different types of operating systems, so a shared BIOS is unfeasible. It would be nice to develop an encrypted filesystem that could be ported across operating systems for those of us with multiple OS's. BTW, Linux 2.0 is making a nice step in that direction by adding support for mounting a file (which contains a filesystem), specifically to allow encrypted file systems as well as things like testing out iso9660-fs before buring CD-ROMs, etc. In theory something similar can be done with Win95/NT and OS/2, but it hasn't been done the proper way (SecureDevice is really a hack in that sense). --- No-frills sig. Befriend my mail filter by sending a message with the subject "send help" Key-ID: 5D3F2E99 1996/04/22 wlkngowl at unix.asb.com (root at magneto) AB1F4831 1993/05/10 Deranged Mutant Send a message with the subject "send pgp-key" for a copy of my key. From ncognito at gate.net Mon Jul 8 19:22:01 1996 From: ncognito at gate.net (Ben Holiday) Date: Tue, 9 Jul 1996 10:22:01 +0800 Subject: Word lists for passphrases In-Reply-To: <199607081635.MAA10394@jekyll.piermont.com> Message-ID: On Mon, 8 Jul 1996, Perry E. Metzger wrote: > If you generate every possible word, you aren't getting any advantage > by using crack and not just trying every possibility in your cracker I'm not sure if anyone actually still cares about getting wordlists, if not you can delete this now.. :) Someone probably mentioned this anyway, but just in case.. If you have access to a shell, and to the news spool, you can generate some quick lists by hopping into the directory of any newsgroup that interests you and doing: cat * | tr -cs A-Za-z '\n' | tr A-Z a-z | sort | uniq > my-big-ol-wordlist With most unixes that will generate an alphabetized list of all the unique words in your source text, converted to lowercase. I've had some problems with tr on a few machines, however. Adding a '-c' after 'uniq' will tell you how many times each word occured (useful for grepping out words that appear too infrequently, or too frequently) .. Incidentally, if you're running crack against a particular person it might be useful to check dejanews for posts by the individual, and generate your wordlists from that, I havn't had occasion to actually try this but it seems like a good idea. --nc From cme at clark.net Mon Jul 8 19:26:19 1996 From: cme at clark.net (Carl Ellison) Date: Tue, 9 Jul 1996 10:26:19 +0800 Subject: TACDFIPSFKMI (fwd) Message-ID: <199607082152.RAA14280@clark.net> Date: Mon, 08 Jul 1996 16:36:09 -0400 From: Elaine Frye Subject: Announcement re New TAC July 8, 1998 Note To: Key Escrow Distribution List From: Ed Roback Subject: Establishment of the Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure (TACDFIPSFKMI) FYI, the following notice was published today in the Federal Register. --------- Published 7-8-96 in the Federal Register, Volume 61, Number 131 U.S. DEPARTMENT OF COMMERCE Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure In accordance with the provisions of the Federal Advisory Committee Act, 5 U.S.C. App. 2, and the General Services Administration (GSA) rule on Federal Advisory Committee Management, 41 CFR Part 101-6, and after consultation with GSA, the Secretary of Commerce has determined that the establishment of the Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure is in the public interest in connection with the performance of duties imposed upon the Department by law. The Committee will advise the Secretary on the development of a draft Federal Information Processing Standard for the Federal Key Management Infrastructure. The Committee will consist of no more than twenty-four members to be appointed by the Secretary to assure balanced representation among individuals with established expertise in cryptography and the implementation and use of cryptographic systems. The Committee will function solely as an advisory body, and in compliance with provisions of the Federal Advisory Committee Act. The charter will be filed under the Act, fifteen days from the date of publication of this notice. Interested parties are invited to submit comments regarding the establishment of this committee to Edward Roback, Computer Security, National Institute of Standards and Technology, Gaithersburg, MD 20899, telephone: 301-975-3696. Dated: June 27, 1996 Mark Bohannon Chief Counsel for the the Technology Administration [FR Doc. 96-16896, Filed 7-5-96; 8:45 a.m.] ***************************************************** Elaine Frye Computer Security Division National Institute of Standards and Technology Bldg. 820, M.S. Room 426 Gaithersburg, MD 20899-0001 Voice: 301/975-2819 Fax: 301/948-1233 ***************************************************** From frantz at netcom.com Mon Jul 8 19:34:06 1996 From: frantz at netcom.com (Bill Frantz) Date: Tue, 9 Jul 1996 10:34:06 +0800 Subject: NYT/CyberTimes on CWD article Message-ID: <199607082221.PAA27343@netcom8.netcom.com> At 3:01 PM 7/6/96 -0800, Norman Hardy wrote: >At 9:17 AM 7/6/96, Declan McCullagh wrote: >>"We are writers, not crytographers." >> >>-Declan >.... >This seems to be an application for Bloom filters. >See page bottom of page 561 in Knuth's "Searching and Sorting", First Edition. >(Vol 3 of Art of Computer Programming) > >With a Bloom filter you can hide which URLs you reject yet quickly rejecting >particular URLs. > >Compute SHA(URL) yielding 160 bits. Divide that into 16 ten bit quantities >b[i], for 0<=i< 10. >Reject the access if P[b[i]] = 1 for each i. P is an array of 1024 bits >computed by someone >with the index prohibitorum. (pardon my Latin) > >Yes, this excludes 1/1024 "falsely accused" URLs, but you get the idea. As Norm knows, we used this algorithm to provide a label search function (What Unix people use grep for) for an IBM OS back in the 1970s. SHA is probably overkill for the hash function, but you need something better than a barber poll hash. ------------------------------------------------------------------------- Bill Frantz | The Internet may fairly be | Periwinkle -- Consulting (408)356-8506 | regarded as a never-ending | 16345 Englewood Ave. frantz at netcom.com | worldwide conversation. | Los Gatos, CA 95032, USA From vznuri at netcom.com Mon Jul 8 19:52:51 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Tue, 9 Jul 1996 10:52:51 +0800 Subject: DIAL: directed information assembly line Message-ID: <199607082052.NAA02741@netcom6.netcom.com> over the past few months I've been intermittently posting some snippets and fragments of ideas on a new information processing system. I've codified most of what I was talking about into a semi-formal protocol description. I think this has tremendous potential for wide applications, and I suspect many of these ideas below are already being used in many diverse contexts but have not been unified into a single specification (which I think will increase their value and use signficantly). I suspect something like the following is actually going to be a natural, inevitable evolution of the current "information infrastructure" and cyberspace-- i.e. something like the following is going to evolve whether I personally work on it or not, or whether future designers see this particular essay or not. anyway, I will try to incorporate comments from correspondents into future revisions. I would love to put together a group of people interested in continuing to develop this although that's probably premature at this point. thanks to everyone who has (unwittingly) contributed to this so far based on responding to my earlier essays. === DIAL = introduction = terminology: flits, floutes & bloxes = fault tolerance = tracing = time estimation = common bloxes = implementation = examples introduction == The industrial revolution was driven by specific technologies. Similarly, the "information revolution" is now in full pace using a different array of new tools. However, it is unlikely that all information processing tools have been invented yet. This paper is a preliminary sketch of one such potentially significant tool called DIAL. DIAL stands for "directed information assembly line". This document contains a description of this novel information processing architecture. This proposal outlines the idea and contrasts it with existing systems, showing how it highlights certain aspects of data processing that are not specifically addressed in, but seem to be implied by, other existing tools. The system can be viewed variously as a programming environment, a monitoring system, a revision control system, a quality assurance and quality control mechanism, a fault tolerant computing system, a workflow (re)engineering technology, a company intranet routing algorithm, an operating system based on virtual reality, etc. terminology == DIAL is something like a "dataflow" oriented system. This document will not describe any specific implementation of the DIAL concepts (such as giving a language syntax) but instead focus on its abstract properties which can be implemented in multiple ways. There are 3 basic components in the DIAL universe: "flit" - a flit is a unit of information that has an associated DIAL state. The information can change over time. One aspect of state is "location". "flit" stands for "fleeting bit", i.e. a piece of data that can "move". The number of binary bits allocated to a flit may vary per flit or over time. "floute" - a floute is a "flit route" or a path that a flit can take. Conceptually flits move through the flouts. A flout can be implemented in various ways, such as "last in, first out", "first in, last out", a pool of data, etc. "blox" - a blox is a "black box" or a component that changes the information content of a flit. Bloxes are connected to floutes. The DIAL system is recursive in that any of the 3 basic objects can be contained or encoded in the 3 objects. For example, flits can contain flits, bloxes can contain further floutes and bloxes, etc. Conceptually, a DIAL system is a directed graph, with nodes called "bloxes", edges called "floutes", and a superimposed set of things called "flits" that can, over time, "move through" the network. In many cases flits have a natural analogy to messages being passed through the system. Bloxes contain a single internal state, like a regular automaton. They can send requests, and respond to, memory bloxes. DIAL is unlike a programming language in that "time" is considered a key property of what it models. Many languages handle the concept of time implicitly through the use of variables. But programming languages have a computation-centric view of processing, such that programs are seen as directing and operating on data. In DIAL, data is seen as flowing through components, a data-centric view. fault tolerance == To be implemented correctly, the state of a DIAL system at any given time is incorruptable. All operations have total integrity. The system is designed to coordinate unreliable subprocesses and must itself be reliable. In DIAL, a blox is roughly analogous to some kind of process. The process may or not be entirely computational. The blox models an unreliable process. The process is activated when a flit approaches the blox from a connecting floute, at which point the flit "enters" the blox. DIAL handles the protocol of informing the blox (or rather, the process represented by the blox) of the presence of the flit. DIAL keeps track of all flits that are currently being processed by bloxes. The blox should process the flit and push the flit into some other floute which signals it has successfully operated on the flit. Combinations of flits at inputs can be processed, and multiple outputs are supported. The DIAL system allows processing time limit rules to be associated with flits, floutes, and bloxes, such as a floute assigning time limits to flits that move through it, time limits associated with all flits going through particular bloxes, or time limits attached to flits. (The system will have a precedence to these rules.) The motion of flits through floutes is handled by the DIAL system and is incorruptable. Flits can "pile up" in floutes if not processed by connecting bloxes as rapidly as they accumulate. All bloxes may have different amounts of processing times on incoming flits. When a blox fails to "return" a flit in the time limit, the DIAL system can be programmed to automatically take particular countermeasures. The countermeasure programs are associated with flits in the same way the expiration time is (via the flit, a floute, or a blox, and having precedence rules). - DIAL can ask the blox, "have you heard of this flit". The blox can reply, (1) "yes, I am still working on it", or (2) "no, I have not heard of it". The rules can specify possibilities such as resubmitting the flit, cancelling the flit processing and redirecting it elsewhere, propagating other flits into floutes (which might represent message(s) sent to "failure controllers"), etc. - The blox may reply, "the flit has corrupted the blox". This may happen in systems without transaction integrity. Again rules can automatically be followed to try to "clean up" the system by propagating new flits to particular floutes or possibly resubmit the flit. - The blox may not reply. Again, rules for countermeasures can be programmed into the DIAL system. tracing == All flits have unique IDs that can be traced. At any time a query can be sent to the DIAL system, "where is so-and-so flit?" and the system will describe the exact location of the flit. Flits can never vanish, even when bloxes fail to operate correctly. Every flit has a history as well. The flit may contain different information at different times. The system allows some number of earlier information states of the flit to be accessed. Information about the past flow-path of the flit and each associated change in contents (prior and subsequent to entry and exit of a blox) is available. This could be called a "replay" feature. In a query of a DIAL system, it may actually reply, "the flit was deleted", although its earlier states would still be accessable. Another possible response is, "the flit moved out of this DIAL system", but again some number of its penultimate states, while it was still "inside", would still be accessable. Again, customizable rules determine how much history is available. General queries such as "locate all type [y] flits that have not moved within [x] time period" are supported. Past histories of the flits that have moved through flouts and bloxes are also available. The system can support some degree of "global or local rollbacks" in which prior processing flows are reset, redirected, restarted, etc. An ability to locate components based on traffic is supported, such as floutes where current flit queue lengths are of some size, etc. The system allows the assignment of arbitrary version numbers with particular flit states that are also allowed in queries. time estimation == An implementer of a DIAL system might support specialized queries called "time estimates". A flit is passed into a system with a special flag that indicates processing time should be estimated but results should not be computed. The flit flows as far through the system as possible and records time estimates as it passes the bloxes. When it finally emerges, cumulative statistics on the time estimates that would be associated with an actual processing of the flit are available to the requester. Common bloxes == - extracter/combiner Bloxes to extract flits, floutes, or bloxes encoded in flits are available, as well as to create flits that encode any of the same objects. - warehouse The DIAL system can support a flit warehouse in which all flits are stored when they are not being propagated elsewhere through the system. The warehouse is a blox that responds to flit queries in the form, "move flit [x] into floute [y]". (The motion of the flits into and out of the warehouse resembles the checkin and checkout task of RCS software.) - create bloxes In a static DIAL system, all bloxes and floutes are predetermined and fixed. In a dynamic system, the bloxes and floutes may change over time. This is accomplished by feeding special flits into bloxes that can create other bloxes and floutes as their result. Other bloxes can connect them in specified ways. The dynamic system is far more complex and is reserved for specialized situations. - rerouter A special rerouter blox is useful for dealing with new versions of other bloxes. A frequent problem that arises with new versions of software (i.e. a new blox) is that it is incompatible or has bugs. The rerouter