From johan at eniac.campus.luth.se Fri Mar 1 06:50:43 1996 From: johan at eniac.campus.luth.se (Johan Sandberg) Date: Fri, 1 Mar 96 06:50:43 PST Subject: Thanks! Message-ID: <191.6634T53T2971@eniac.campus.luth.se> I have to thank everyone who helped me with using cypherpunk remailers! Thank you very much.. I've got very much response on this so I have to thank you all in this message! Johan Sandberg From lmccarth at cs.umass.edu Fri Mar 1 07:27:09 1996 From: lmccarth at cs.umass.edu (lmccarth at cs.umass.edu) Date: Fri, 1 Mar 96 07:27:09 PST Subject: SET spec available In-Reply-To: Message-ID: <199603011527.KAA19582@opine.cs.umass.edu> John Pettitt writes:: # The SET transaction spec is now available on www.visa.com (and presumably on # www.mastercard.com although I didn't check). Norman Hardy writes: > I am unable to find the specs. Anyone have an URL? http://www.mastercard.com still works for me. I haven't looked at the Visa site in a few days. -Lewis From combee at sso-austin.sps.mot.com Fri Mar 1 07:39:24 1996 From: combee at sso-austin.sps.mot.com (Ben Combee) Date: Fri, 1 Mar 96 07:39:24 PST Subject: [AUSTIN] Local Cypherpunks Meeting Saturday Message-ID: <9603011538.AA25235@sso-austin cliffy.sps.mot.com> Here is your friendly reminder of the Austin Cypherpunks meeting tomorrow, Saturday the 2nd. We'll meet at the Central Market Cafe at 38th and Lamar at 6PM. Topics include the video (I'll have a camera!), ITAR relaxation, RC4 now being called PC1, how to duck the CDA using crypto, hardware random number generators, and stuff like that. The meeting should go around 2 hours depending on the crowd, and there is a Bookstop next door if you want to browse some reading material later. Look for the people with technical books and/or crypto-related shirts. They will be us. (I'm sending this to both austin-cpunks and cypherpunks.) -- Ben Combee, CAD Software Developer, small language enthusiast, HTML dude Motorola, Paging Products Group, Strategic Semiconductor Operation--Austin E-mail: combee at sso-austin.sps.mot.com Phone: (512) 891-7141 From master at internexus.net Fri Mar 1 07:40:20 1996 From: master at internexus.net (Laszlo Vecsey) Date: Fri, 1 Mar 96 07:40:20 PST Subject: Location of Cyphermericon? Message-ID: Where can I find it? Please send ftp or URL via private E-Mail. (define(RSA m e n)(list->string(u(r(s(string->list m))e n))))(define(u a)(if(> a 0)(cons(integer->char(modulo a 256))(u(quotient a 256)))'()))(define(s a)(if (null? a)0(+(char->integer(car a))(* 256(s(cdr a))))))(define(r a x n)(cond((= 0 x)1)((even? x)(modulo(expt(r a(/ x 2)n)2)n))(#t(modulo(* a(r a(1- x)n))n)))) From lmccarth at cs.umass.edu Fri Mar 1 07:42:54 1996 From: lmccarth at cs.umass.edu (lmccarth at cs.umass.edu) Date: Fri, 1 Mar 96 07:42:54 PST Subject: Nortel "Entrust" In-Reply-To: Message-ID: <199603011542.KAA19745@opine.cs.umass.edu> Jonathon Fletcher writes: > Can anyone tell me anything about a product called "Entrust", by Nortel > (Northern Telecom). The notes talk about the software using DES ("which > employs a 56-bit key") so I guess it's single DES, not triple DES. It also > mentions a proprietary algorithm called CAST. > > Is this worthy of further investigation, or is it suspect ? What is > CAST, and would it be classed as snake oil ? I asked one of the NorTel sales reps. about this at the RSA conference. As I recall, CAST is an espionage-enabled version of DES -- i.e. 16 of the key bits are sent in the clear, or have a fixed value, or something along those lines. The guy I spoke to didn't know the technical details. Of course, maybe we should consider 56-bit DES espionage-enabled at this point too ! > Please cc to me in mail (done) -Lewis From ericm at lne.com Fri Mar 1 08:06:47 1996 From: ericm at lne.com (Eric Murray) Date: Fri, 1 Mar 96 08:06:47 PST Subject: A brief comparison of email encryption protocols In-Reply-To: <199603010356.WAA10509@homeport.org> Message-ID: <199603011603.IAA16596@slack.lne.com> Adam Shostack writes: > > In suggesting key:// urls, I (without commenting) placed a path of > /s/telnetd/ in a URL. I was considering that a telnetd might need > many keys and associated documents, all of which could be found in a > directory. > > gateway's master telnetd public key. > daily keys > policy statements about who may connect, or how > etc > > I expect that we could extend the syntax in such a way that a URL > could contain most of the data we need. Thus, the default document > might be a 'cert of the day,' with possibly with references within the > certificate to the master telnetd key, the hosts master key. > > To expand, I was thinking of: > > key://foo.bar.com/{u,s,h,d}/family/instance While that would be useful in a lot of cases, I would hope that all that path gunk wouldn't be required.... most people would have one key, at least initially, and so a simple key://foo.bar.com/username/key.asc would be enough for them. I wouldn't want to prevent people from using your system, in fact it's a good idea. I just don't think that it should be required, just recommended. Something else to add would be a specifier for the type of key, i.e. key://slack.lne.com/pgp/ericm/key.asc The reason for the keytype specifier is obvious, so that the system can support more than just PGP keys. The problem with the above example is that the 'pgp' part is imbedded in the path. Since the apps that read these key URLS need to know which ones are for PGP and which for DH or DSS or whatever, the keytype specifier needs to be in a standard location in the URL. Suggestions? maybe key:/pgp/slack.lne.com/ericm/key/asc? Finally, a question: should the keyserver be able to serve keys in a way that is secure from a MITM attack, or can it depend on the certificate chain in the key certificate itself to validate the key certificate? I think it can, but I am not sure, so perhaps someone smarter than I can explain why, or why not. The attraction is obvious, if the key server doesn't have to validate the keys it serves, the whole problem of distributed key servers becomes much easier. -- Eric Murray ericm at lne.com ericm at motorcycle.com http://www.lne.com/ericm PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF From reagle at rpcp.mit.edu Fri Mar 1 08:15:11 1996 From: reagle at rpcp.mit.edu (Joseph M. Reagle Jr.) Date: Fri, 1 Mar 96 08:15:11 PST Subject: A brief comparison of email encryption protocols Message-ID: <9603011612.AA09147@rpcp.mit.edu> -----BEGIN PGP SIGNED MESSAGE----- At 07:20 PM 2/29/96 -5300, Adam Shostack wrote: >key://ftp.clark.net/pub/u/cme/cme-current.asc >key://ftp.clark.net/pub/u/cme/cme-longterm.asc Just as a head up on not duplicating work with regards to incorporating URL's into key certificates and DBs you might want to consider URI's, URC's or URN's as the piece to bind since URL's are considered to be almost as unstable as email.. Check out for more on these naming schemes. Linkname: WRL: Web: URXs URL: http://webreference.com/urx.html -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: cp850 iQCVAwUBMTcfaP0Ael7bLK1/AQG56QQAxr+Tii4UMytdQUXIrKzIp2ckY4UfbGqW BpkduSxha0lL8Mo2kmzOL4Z3s4NiJMExvzUKOo6Y16MuCXhKgJyxH5VN+Nk1Y/ov qNpm4zaFOiAFQTbjMhSWJgFGmm6uaHuOez5jZDpSCpZTSBbXUwR349lxXjEtuvy8 hm+w0ADr/VQ= =SYWa -----END PGP SIGNATURE----- _______________________ Regards, There is no point at which you can say, 'Well, I'm successful now. I might as well take a nap.' -Carrie Fisher Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html reagle at mit.edu 0C 69 D4 E8 F2 70 24 33 B4 5E 5E EC 35 E6 FB 88 From galvin at eit.com Fri Mar 1 08:15:38 1996 From: galvin at eit.com (James M. Galvin) Date: Fri, 1 Mar 96 08:15:38 PST Subject: [ Death of MOSS? ] Message-ID: At 1:17 PM 2/29/96, Housley, Russ wrote: >Jim, in what way does the end user distinguish between the MOSS-like >integration and the S/MIME-and-MSP-like integration? It seems to me that a >good user agent implementation provides the same services to the user. Russ, since you weren't present at the workshop I'll repeat the very first words I said in the presentation I gave there. Functionally, from a user's perspective, there is for all practical purposes no difference between any of these technologies. Today I would add that we could pick one out of hat and just move on. However, there are differences in the technologies. Some are easier to implement, some are more flexible, some perform better, and the list goes on. We need to explore those differences to develop a criteria for evaluating the technologies so we can provide the best possible solution to the user community. I proposed one possible criteria in my presentation, by no means the only one and by no means complete. Jim ---------------------------------------------------------------------------- James M. Galvin galvin at eit.com VeriFone/EIT, PO Box 220, Glenwood, MD 21738 +1 410.795.6882 From warlord at MIT.EDU Fri Mar 1 08:19:09 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Fri, 1 Mar 96 08:19:09 PST Subject: a brief comparison of e-mail encryption protocols In-Reply-To: <960301090649.202002a4@hobbes.orl.mmc.com> Message-ID: <199603011617.LAA15140@toxicwaste.media.mit.edu> I think we are in violent agreement here... > I disagree but then my worldview is different. For personal use the > compact distributed system is workable however when you start thinking > in terms of a large distributed organization, the quanta changes. > > Mention was made of the difficulty of handling 20,000 keys. I am looking at > over 80,000 today and over 200,000 tomorrow *for a single organization*. For > quantities like this, a hierarchial system of management seems inevitable. Perhaps you misunderstood what I mean by "central keyserver model". What I mean by that is the status quo, where we have a set of central keyservers and each keyserver knows about each key. When I say that this will disappear, I mean that we will move towards a more distributed system, similar to the DNS for looking up hostnames. Yes, we will need a distributed, hierarchial [sic] system in the future, and if we want to continue using PGP we will need to provide a simpler way to use that. > First, I am not about to give up my personal PGP key, it is trustworthy and > effective for my needs. It is not necessarily incompatable with an > organizational structure. This is true. > However *for the organization* something else is needed. I can see a > future in which the bulk of the population has only two keys: their own > and the punlic key of their post office (not talking USNail - private ones > though not saying the US might not operate one as well). I disagree. I know the addresses of the people with whom I communicate regularly. I know my parent's USnail address, my grandparents', my SO's, etc. I dont need to tell the Post Office "Send this to my parents" and trust them to do it. I give them a destination address and trust them to send it to the proper destination. The same thing is true in the electronic world. I put a destination on the email, give it to the mailer, and trust it to send it to the appropriate destination. A similar anology can be made when I dont know an address: I ask someone for it. Same thing with an email address/PGP key, I need to ask for it before I can use it. The same thing is true of hostnames. I can find a hostname<->IP address for just about any host on the planet. Do I have them all on my local disk? No, of course not. I look them up when I need them. However, I do cache local copies of the names I frequently use. > As noted, a hierarchal mechanism will be needed for key retrieval - > only local keys and "frequent fliers" will be kept locally. Not new > concept, just not used by post offices that I know of today. Yes, this is true. And it is used -- its called regional phone books. If I want to get a number for someone, I go to the regional phone book and look them up. I have to know something about them first, so I know where to look. If I asked you to find the machine "incommunicado" and tell me it's IP address, what would you do? You'd have to look in every domain for machines named "incommunicado". However, if you knew that I meant "in the 'ihtfp.org' domain", you'd know exactly where to look. The same is true of phone numbers. The same is true for keys. > Will need a bit of fleshing out and expect the end-state to be 2-4 years out > but is a good time to think about it. True. The problem is that with PGP messages, the only information about keys is a "random" keyID. From a keyID there is no way to determine that key unless you already have it. This means that if you do not already have the key, you have no way to find that key. See the problem? This is like the "find 'incommunicado'" problem above. What I propose is to modify, slightly, the PGP signature certificate to add a "hint" field. This hint field would tell you where to look for the key. This is the way to add the "ihtfp.org" info to the PGP signature. I hope this clears up any misconceptions... -derek From droelke at rdxsunhost.aud.alcatel.com Fri Mar 1 08:22:02 1996 From: droelke at rdxsunhost.aud.alcatel.com (Daniel R. Oelke) Date: Fri, 1 Mar 96 08:22:02 PST Subject: Nortel "Entrust" Message-ID: <9603011621.AA05015@spirit.aud.alcatel.com> Applied Crypto 2nd Edition - page 334-335. Brief stuff: Block Cypher (symetrical), 64 bit key, 64 bit block size "The S-boxes are implemenation dependent, but not key dependent." resistant to differential and linear cryptanalysis "Northern Telecom is using CAST in their Entrust security software package for Macintoshes, PCs, and UNIX workstations. The particular S-boxes they chose are not public. The Candadian government is evaluating CAST as a new encryption standard. CAST is patent pending." If you don't have the book - GET IT! ;-) Dan > From: "Stephen A. Gutknecht" > To: "'cypherpunks at toad.com'" > Subject: RE: Nortel "Entrust" > > I too would like to see an open discussion on this. Microsoft uses this for > their new Exchange Server client/server email product.... > > ---------- > From: Jonathon Fletcher[SMTP:jonathon at japan.sbi.com] > Sent: Friday, March 01, 1996 10:17 AM > To: cypherpunks at toad.com > Subject: Nortel "Entrust" > > > Can anyone tell me anything about a product called "Entrust", by Nortel > (Northern Telecom). The notes talk about the software using DES ("which > employs a 56-bit key") so I guess it's single DES, not triple DES. It also > mentions a proprietary algorithm called CAST. > > Is this worthy of further investigation, or is it suspect ? What is > CAST, and would it be classed as snake oil ? > ------------------------------------------------------------------ Dan Oelke Alcatel Network Systems droelke at aud.alcatel.com Richardson, TX From banisar at epic.org Fri Mar 1 08:35:54 1996 From: banisar at epic.org (Dave Banisar) Date: Fri, 1 Mar 96 08:35:54 PST Subject: FWD> ADMIRAL WILLIAM O. STU Message-ID: Mail*Link(r) SMTP FWD> ADMIRAL WILLIAM O. STUDEMAN Gee I guess we can trust these guys.... ---- CONCORD, Calif., Feb. 28 /PRNewswire/ -- Premenos Technology Corp. (Nasdaq: PRMO), a leading provider of electronic data interchange (EDI) software solutions for electronic commerce applications, today announced the election of Admiral William O. Studeman, U.S. Navy-retired, to its Board of Directors effective immediately. Studeman will also act as consultant on special projects including security and encryption issues. Admiral Studeman, age 56, is the former Deputy Director of Central Intelligence and served for five months in 1995 as the acting Director of Central Intelligence. He retired from the Navy in October 1995. Prior to his assignment at the Central Intelligence Agency (CIA), Studeman was the Director of the National Security Agency (NSA), and before that was the Director of Naval Intelligence. In these positions, Studeman was involved in attempting to develop public policies and technologies that addressed the complex and often conflicting issues of enhanced economic competitiveness, law enforcement's warranted requirement for information transparency in pursuit of criminal investigations, national security interest in combating potential information warfare threats, and the country's overall increased need for enhanced protection of its information-related systems and applications. In commenting on his election to the Board of Premenos, Studeman stated that "Premenos is not only a leader in facilitating the promising future of electronic commerce, it is the first company in the marketplace with a product line for enhanced protection, security and integrity for the Internet and other electronic communications-related business transactions." Studeman added, "In working with Lew Jenkins and others in the company, I have an opportunity to better frame the government-industry dialogue and define the infrastructure, standards, regulatory, technical and other directional factors which must be addressed for electronic commerce -- a rapidly evolving industry segment so fundamental to the future of the American lifestyle and national security." Lew Jenkins, chairman and founder of Premenos said, "The infrastructure for moving critical business data over the Internet is crucial to the success of electronic commerce. We welcome Admiral Studeman to our team and look forward to his help in developing a trusted model for the electronic commerce market and establishing a solid infrastructure similar to the stringent military requirements that have been in place for decades." About Premenos Corp. Premenos is setting the agenda for electronic commerce and EDI through open networks such as the Internet. Premenos EDI software is an enabling strategy for transforming how corporations conduct business in extended enterprises using electronic communications. Templar -- a suite of software and services that enable businesses to send and receive EDI documents securely and reliably over the Internet -- was awarded the EMA '95 Electronic Commerce Product Excellence Award recognizing the most innovative new product debuted at EMA's annual conference. Premenos products support the IBM AS/400, RISC System/6000, HP 9000, SunSparc, Windows 3.x, NT and Windows 95. Premenos has a worldwide presence with sales offices in California, London and Paris. Contact Premenos World Wide Web (WWW) home page at http://www.premenos.com to access over 3000 pages of information on electronic commerce, EDI, standards, as well as Premenos corporate information materials. NOTE: Premenos is a registered trademark of Premenos Corp. All other product and company names are trademarks of their respective corporations. CO: Premenos Technology Corp. ST: California IN: CPR SU: PER From gary at kampai.euronet.nl Fri Mar 1 08:52:10 1996 From: gary at kampai.euronet.nl (Gary Howland) Date: Fri, 1 Mar 96 08:52:10 PST Subject: Problems with certificates Message-ID: <199603011649.LAA05110@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- PADGETT at hobbes.orl.mmc.com wrote: > Next rage might well be "vanity" PGP keys. While at the moment it is not known > how to create a specific match key to a sequence, if you generate enough > keys, there will be some interesting sequences found. Possibly some PGP > signatures will even be in violation of the CDA (now that should start a > rush 8*). Funny you should mention that, I noticed a strange message in my key the other day ... Type bits/keyID Date User ID pub 1024/C001D00D 1996/01/22 Gary Howland -----BEGIN PGP PUBLIC KEY BLOCK----- mQDKAjED/fgD6AEEANi8U98UJ/Wm3rxiZuPrkvLmOifV8y68MgdRnQQtQDsoGa0L OWjoH8yLTVEi8dKeU52Bdr0p+M2TaW8Z+0phW43P9mBaM2sw42vq1FyBxv0EjtEn 8VbN6i7SC1+Xp4GsX9I8ctlN4y59gEcOFSHFCJjw9heRlM8Cq9M+30vAAdANAekB livXDe0T+PGPesUeMedaMliveDehT+PGPesUeMedaMliveDehT+PGPesUeMedaMl iveDehT+PGPes6eMA7QlR2FyeSBIb3dsYW5kIDxnYXJ5QGthbXBhaS5ldXJvbmV0 Lm5sPokBFQIFEDED/i7oDjFwD/HBoQEB3K4H/icZoG0lE5pitriLdqqwNZB0kZiT yEnvhg1NqOZwCusHqzMV71S+vDfYYSrl7VjmCVaEOgPAT3kpc7ShXsWpFa4y9pXF AjBgR/9crcH98cbrIlGMArKKNiGITGq8tpKvAowyIaG6gn1W7XZRFd0hISrI1C3y j13JUFWyYLjNuA/tPiIfZ2h/HUu4LgFr2WhFn4/l3IVcGVLeCLK6Gv4dxd8HEt2d mGn7WAygarf7PQevHLIoxElwJkIea6necbgYx5p2GOUNW3/N478n3n6TT1jpu1pU RUGYRd5cGYc7z6gXb15FZw0z3uh4ybTEP4pOflBjBPJm27RcEYtuZxSuKQg= =Liso -----END PGP PUBLIC KEY BLOCK----- - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMTcqiyoZzwIn1bdtAQHwaQF/ZBY9JZ6e6dgXjAORuRLQSbRY2JuZHGbN 1a69D0NwvRBdrB4iIjWCdwBQuhXXCd+K =8nI2 -----END PGP SIGNATURE----- From perry at piermont.com Fri Mar 1 08:57:11 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 1 Mar 96 08:57:11 PST Subject: Nortel "Entrust" In-Reply-To: Message-ID: <199603011655.LAA21202@jekyll.piermont.com> Jonathon Fletcher writes: > Can anyone tell me anything about a product called "Entrust", by Nortel > (Northern Telecom). The notes talk about the software using DES ("which > employs a 56-bit key") so I guess it's single DES, not triple DES. It also > mentions a proprietary algorithm called CAST. > > Is this worthy of further investigation, or is it suspect ? What is > CAST, and would it be classed as snake oil ? "Entrust" was built by Smart People. Of course, any given component of it is only as strong as the underlying algorithms; you yourself are probably aware of the problems associated with DES vs 3DES and such. I would suggest examining the documents. I don't know anything about CAST. Perry From lgl at qualcomm.com Fri Mar 1 09:15:27 1996 From: lgl at qualcomm.com (Laurence Lundblade) Date: Fri, 1 Mar 96 09:15:27 PST Subject: A brief comparison of email encryption protocols In-Reply-To: Message-ID: The database size is really only half the problem I think. The bigger problem is managing the database. I can't quite see it being possible to have one organization serve as a distribution point for all keys. With millions of billions of certs, you're going to have having thousands or millions of database updates on a daily basis. It does seem though that if you can truly eliminate revocations then things get a lot easier. You never have to go back a check with the issuer about anything. This will probably work for some applications, but there's certainly others for which it won't. LL At 2:21 PM 2/29/96, Carl Ellison wrote: >At 12:01 2/29/96, Laurence Lundblade wrote: >>I think a problem occurs when you have 20 billion of >>these certs (two for every person in the year 2010 or such). A simple hash >>into a table isn't going to cut it because you a single database (with >>replication?) isn't going to be possible. > >BTW, at the rate that memory gets cheaper and smaller, it might be quite >reasonable to have that single database fit alongside your daily appointments >in your shirt-pocket daily organizer and e-mail terminal, in 2010. > > >+--------------------------------------------------------------------------+ >|Carl M. Ellison cme at cybercash.com http://www.clark.net/pub/cme | >|CyberCash, Inc., Suite 430 http://www.cybercash.com/ | >|2100 Reston Parkway PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 | >|Reston, VA 22091 Tel: (703) 620-4200 | >+--------------------------------------------------------------------------+ From jya at pipeline.com Fri Mar 1 09:27:58 1996 From: jya at pipeline.com (John Young) Date: Fri, 1 Mar 96 09:27:58 PST Subject: MAF_ios Message-ID: <199603011727.MAA21665@pipe3.nyc.pipeline.com> 3-1-96. TWP: "Expert Panel Wants Intelligence Director to Hold More Power." The commission finds that the patchwork of 14 separate intelligence agencies is functioning well in its current form. To meet tbe growing threat of worldwide criminal activity the panel suggested creation of a high-level policy group run out of the White House, called tbe Global Crime Committee. It would be chaired by the president's national security adviser and would include the AG, State, DoD, and the DCI. "Turner: CIA Nearly Used A Journalist in Tehran." CIA's covert operators do not want to reopen the debate. As Turner put it, "Is the media case stronger than businessmen or academics? The covert operators are worried that we may reach a point where prohibitions will get us down to where there is nobody left to spy but the Foreign Service." 3-1-96. NYT: "Commission Recommends Streamlined Spy Agencies." Most of the changes the report will recommend are evolutionary, not revolutionary. Intelligence officials used the same word to describe it: "underwhelming." The report fails to answer the big overstaffing problem. An official said the resistance within the intelligence agencies to staff cutting would be so strong that the downsizing would never happen. MAF_ios From stewarts at ix.netcom.com Fri Mar 1 02:27:44 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 1 Mar 1996 18:27:44 +0800 Subject: going back to stone axes Message-ID: <199603010951.BAA22486@ix16.ix.netcom.com> At 02:32 PM 3/1/96 +1100, Steven Legg wrote: >DistinguishedName wasn't defined the way it was because of ASN.1. I'd always assumed it was just the ugly X.400 email naming convention. >No one at Telstra Research would want to replace DistinguishedName with >a byte string because of all the constant reparsing, cutting and splicing >that would entail. We would end up writing more code, not less. Given the >sort of heavy duty processing we do to DNs, trying to pack a DN into a >string is considered brain dead. Those rich semantics matter to us. I don't see how a DN is any better than an Internet-style Domain Naming Service name, except that it puts a bunch of pre-defined labels on subdomain parts which can generally be guessed from context and aren't very relevant to computer programs. Compare joeuser at purchasing.fnord.edu.au vs. /FN=Joseph/Ln=User/NN=Joe/OU=Purchasing/O=First.National.Organization.- [for].Research.[and].Development/S=Academic/C=AU/ Is there really any additional information in the latter, except possibly some detail you could have looked up with a "whois" request? #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com / billstewart at attmail.com +1-415-442-2215 # http://www.idiom.com/~wcs Pager +1-408-787-1281 From sinclai at ecf.toronto.edu Fri Mar 1 06:09:57 1996 From: sinclai at ecf.toronto.edu (SINCLAIR DOUGLAS N) Date: Fri, 1 Mar 1996 22:09:57 +0800 Subject: Nortel "Entrust" In-Reply-To: Message-ID: <96Mar1.074938edt.921@cannon.ecf.toronto.edu> > Is this worthy of further investigation, or is it suspect ? What is > CAST, and would it be classed as snake oil ? CAST is discussed in _Applied Cryptography_. From jya at pipeline.com Fri Mar 1 07:11:58 1996 From: jya at pipeline.com (John Young) Date: Fri, 1 Mar 1996 23:11:58 +0800 Subject: HYP_not Message-ID: <199603011328.IAA22156@pipe1.nyc.pipeline.com> 3-1-96. NYT: "Speed Record: One Trillion Bits a Second." Fujitsu, NTT and AT&T have succeeded, each separately, for the first time in transmitting information at the rate of one trillion bits a second through optical fiber. "Microsoft Backs Ratings System For the Internet." The system, called RSAC-1, will enable parents and teachers to censor Web sites due to violence, sexual themes, nudity or offensive language. Other companies support the PICS form of censorship in terror of market- share loss to the tele-vigilantes. [Gates told a Mexican sports stadium audience that no real money can be made on the Internet until it has the speed to interactively out-hypnotize television.] HYP_not From PADGETT at hobbes.orl.mmc.com Fri Mar 1 07:27:39 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Fri, 1 Mar 1996 23:27:39 +0800 Subject: Problems with certificates. Message-ID: <960301083512.202002a4@hobbes.orl.mmc.com> I suspect the real danger would come from issuance of duplicate certificates. MasterCard conrols MarterCard numbers by issuing all of them (and I suspect that there is coding to separate MC from Visa from AmEx). Today, each person generates their own PGP key. While it is unlikely that any two will match, it is likely that at some point some two will match (see matching birthdays in a bar - number is less than you would think). Next rage might well be "vanity" PGP keys. While at the moment it is not known how to create a specific match key to a sequence, if you generate enough keys, there will be some interesting sequences found. Possibly some PGP signatures will even be in violation of the CDA (now that should start a rush 8*). For some time I have been concerned about the scalability of PGP. It works well in small groups but after trying once to create a 6,000 member keyring (took over three days on a 386 & was several meg when done) I decided that areas were going to need work to be a real anyone/anywhere/anytime mechanism. Not saying I have a good answer, just that at some point there will be a problem. Warmly, Padgett From PADGETT at hobbes.orl.mmc.com Fri Mar 1 08:45:05 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Sat, 2 Mar 1996 00:45:05 +0800 Subject: a brief comparison of e-mail encryption protocols Message-ID: <960301090649.202002a4@hobbes.orl.mmc.com> Derek rites: >Oh, of course the central keyserver model would disappear, but I'm >still trying to design a system which is as compact as possible. I disagree but then my worldview is different. For personal use the compact distributed system is workable however when you start thinking in terms of a large distributed organization, the quanta changes. Mention was made of the difficulty of handling 20,000 keys. I am looking at over 80,000 today and over 200,000 tomorrow *for a single organization*. For quantities like this, a hierarchial system of management seems inevitable. First, I am not about to give up my personal PGP key, it is trustworthy and effective for my needs. It is not necessarily incompatable with an organizational structure. However *for the organization* something else is needed. I can see a future in which the bulk of the population has only two keys: their own and the punlic key of their post office (not talking USNail - private ones though not saying the US might not operate one as well). Messages are composed with addressing and encrypted with the PO key. PO decrypts message key (NOT necessarily message but that will have to rely on trust - nothing will stop double wrapping anyway), checks address list, retrieves key for each adressee, adds header & sends copy (may use single mailing for group at distant post office but that is getting ahead). If recipient key is not found, adressee wil be removed from list and notice sent back to originator. If plaintext is desired, special operation will be required. As noted, a hierarchal mechanism will be needed for key retrieval - only local keys and "frequent fliers" will be kept locally. Not new concept, just not used by post offices that I know of today. Will need a bit of fleshing out and expect the end-state to be 2-4 years out but is a good time to think about it. Warmly, Padgett From owner-cypherpunks at toad.com Fri Mar 1 11:54:06 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Sat, 2 Mar 1996 03:54:06 +0800 Subject: No Subject Message-ID: John Pettitt writes:: # The SET transaction spec is now available on www.visa.com (and presumably on # www.mastercard.com although I didn't check). Norman Hardy writes: > I am unable to find the specs. Anyone have an URL? http://www.mastercard.com still works for me. I haven't looked at the Visa site in a few days. -Lewis From owner-cypherpunks at toad.com Fri Mar 1 14:01:34 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Sat, 2 Mar 1996 06:01:34 +0800 Subject: No Subject Message-ID: At 1:17 PM 2/29/96, Housley, Russ wrote: >Jim, in what way does the end user distinguish between the MOSS-like >integration and the S/MIME-and-MSP-like integration? It seems to me that a >good user agent implementation provides the same services to the user. Russ, since you weren't present at the workshop I'll repeat the very first words I said in the presentation I gave there. Functionally, from a user's perspective, there is for all practical purposes no difference between any of these technologies. Today I would add that we could pick one out of hat and just move on. However, there are differences in the technologies. Some are easier to implement, some are more flexible, some perform better, and the list goes on. We need to explore those differences to develop a criteria for evaluating the technologies so we can provide the best possible solution to the user community. I proposed one possible criteria in my presentation, by no means the only one and by no means complete. Jim ---------------------------------------------------------------------------- James M. Galvin galvin at eit.com VeriFone/EIT, PO Box 220, Glenwood, MD 21738 +1 410.795.6882 From owner-cypherpunks at toad.com Fri Mar 1 14:23:21 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Sat, 2 Mar 1996 06:23:21 +0800 Subject: No Subject Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 07:20 PM 2/29/96 -5300, Adam Shostack wrote: >key://ftp.clark.net/pub/u/cme/cme-current.asc >key://ftp.clark.net/pub/u/cme/cme-longterm.asc Just as a head up on not duplicating work with regards to incorporating URL's into key certificates and DBs you might want to consider URI's, URC's or URN's as the piece to bind since URL's are considered to be almost as unstable as email.. Check out for more on these naming schemes. Linkname: WRL: Web: URXs URL: http://webreference.com/urx.html -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: cp850 iQCVAwUBMTcfaP0Ael7bLK1/AQG56QQAxr+Tii4UMytdQUXIrKzIp2ckY4UfbGqW BpkduSxha0lL8Mo2kmzOL4Z3s4NiJMExvzUKOo6Y16MuCXhKgJyxH5VN+Nk1Y/ov qNpm4zaFOiAFQTbjMhSWJgFGmm6uaHuOez5jZDpSCpZTSBbXUwR349lxXjEtuvy8 hm+w0ADr/VQ= =SYWa -----END PGP SIGNATURE----- _______________________ Regards, There is no point at which you can say, 'Well, I'm successful now. I might as well take a nap.' -Carrie Fisher Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html reagle at mit.edu 0C 69 D4 E8 F2 70 24 33 B4 5E 5E EC 35 E6 FB 88 From owner-cypherpunks at toad.com Fri Mar 1 14:32:19 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Sat, 2 Mar 1996 06:32:19 +0800 Subject: No Subject Message-ID: Jonathon Fletcher writes: > Can anyone tell me anything about a product called "Entrust", by Nortel > (Northern Telecom). The notes talk about the software using DES ("which > employs a 56-bit key") so I guess it's single DES, not triple DES. It also > mentions a proprietary algorithm called CAST. > > Is this worthy of further investigation, or is it suspect ? What is > CAST, and would it be classed as snake oil ? I asked one of the NorTel sales reps. about this at the RSA conference. As I recall, CAST is an espionage-enabled version of DES -- i.e. 16 of the key bits are sent in the clear, or have a fixed value, or something along those lines. The guy I spoke to didn't know the technical details. Of course, maybe we should consider 56-bit DES espionage-enabled at this point too ! > Please cc to me in mail (done) -Lewis From owner-cypherpunks at toad.com Fri Mar 1 14:51:43 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Sat, 2 Mar 1996 06:51:43 +0800 Subject: No Subject Message-ID: -----BEGIN PGP SIGNED MESSAGE----- PADGETT at hobbes.orl.mmc.com wrote: > Next rage might well be "vanity" PGP keys. While at the moment it is not known > how to create a specific match key to a sequence, if you generate enough > keys, there will be some interesting sequences found. Possibly some PGP > signatures will even be in violation of the CDA (now that should start a > rush 8*). Funny you should mention that, I noticed a strange message in my key the other day ... Type bits/keyID Date User ID pub 1024/C001D00D 1996/01/22 Gary Howland -----BEGIN PGP PUBLIC KEY BLOCK----- mQDKAjED/fgD6AEEANi8U98UJ/Wm3rxiZuPrkvLmOifV8y68MgdRnQQtQDsoGa0L OWjoH8yLTVEi8dKeU52Bdr0p+M2TaW8Z+0phW43P9mBaM2sw42vq1FyBxv0EjtEn 8VbN6i7SC1+Xp4GsX9I8ctlN4y59gEcOFSHFCJjw9heRlM8Cq9M+30vAAdANAekB livXDe0T+PGPesUeMedaMliveDehT+PGPesUeMedaMliveDehT+PGPesUeMedaMl iveDehT+PGPes6eMA7QlR2FyeSBIb3dsYW5kIDxnYXJ5QGthbXBhaS5ldXJvbmV0 Lm5sPokBFQIFEDED/i7oDjFwD/HBoQEB3K4H/icZoG0lE5pitriLdqqwNZB0kZiT yEnvhg1NqOZwCusHqzMV71S+vDfYYSrl7VjmCVaEOgPAT3kpc7ShXsWpFa4y9pXF AjBgR/9crcH98cbrIlGMArKKNiGITGq8tpKvAowyIaG6gn1W7XZRFd0hISrI1C3y j13JUFWyYLjNuA/tPiIfZ2h/HUu4LgFr2WhFn4/l3IVcGVLeCLK6Gv4dxd8HEt2d mGn7WAygarf7PQevHLIoxElwJkIea6necbgYx5p2GOUNW3/N478n3n6TT1jpu1pU RUGYRd5cGYc7z6gXb15FZw0z3uh4ybTEP4pOflBjBPJm27RcEYtuZxSuKQg= =Liso -----END PGP PUBLIC KEY BLOCK----- - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMTcqiyoZzwIn1bdtAQHwaQF/ZBY9JZ6e6dgXjAORuRLQSbRY2JuZHGbN 1a69D0NwvRBdrB4iIjWCdwBQuhXXCd+K =8nI2 -----END PGP SIGNATURE----- From owner-cypherpunks at toad.com Fri Mar 1 14:54:51 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Sat, 2 Mar 1996 06:54:51 +0800 Subject: No Subject Message-ID: I have to thank everyone who helped me with using cypherpunk remailers! Thank you very much.. I've got very much response on this so I have to thank you all in this message! Johan Sandberg From owner-cypherpunks at toad.com Fri Mar 1 15:03:59 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Sat, 2 Mar 1996 07:03:59 +0800 Subject: No Subject Message-ID: Mail*Link(r) SMTP FWD> ADMIRAL WILLIAM O. STUDEMAN Gee I guess we can trust these guys.... ---- CONCORD, Calif., Feb. 28 /PRNewswire/ -- Premenos Technology Corp. (Nasdaq: PRMO), a leading provider of electronic data interchange (EDI) software solutions for electronic commerce applications, today announced the election of Admiral William O. Studeman, U.S. Navy-retired, to its Board of Directors effective immediately. Studeman will also act as consultant on special projects including security and encryption issues. Admiral Studeman, age 56, is the former Deputy Director of Central Intelligence and served for five months in 1995 as the acting Director of Central Intelligence. He retired from the Navy in October 1995. Prior to his assignment at the Central Intelligence Agency (CIA), Studeman was the Director of the National Security Agency (NSA), and before that was the Director of Naval Intelligence. In these positions, Studeman was involved in attempting to develop public policies and technologies that addressed the complex and often conflicting issues of enhanced economic competitiveness, law enforcement's warranted requirement for information transparency in pursuit of criminal investigations, national security interest in combating potential information warfare threats, and the country's overall increased need for enhanced protection of its information-related systems and applications. In commenting on his election to the Board of Premenos, Studeman stated that "Premenos is not only a leader in facilitating the promising future of electronic commerce, it is the first company in the marketplace with a product line for enhanced protection, security and integrity for the Internet and other electronic communications-related business transactions." Studeman added, "In working with Lew Jenkins and others in the company, I have an opportunity to better frame the government-industry dialogue and define the infrastructure, standards, regulatory, technical and other directional factors which must be addressed for electronic commerce -- a rapidly evolving industry segment so fundamental to the future of the American lifestyle and national security." Lew Jenkins, chairman and founder of Premenos said, "The infrastructure for moving critical business data over the Internet is crucial to the success of electronic commerce. We welcome Admiral Studeman to our team and look forward to his help in developing a trusted model for the electronic commerce market and establishing a solid infrastructure similar to the stringent military requirements that have been in place for decades." About Premenos Corp. Premenos is setting the agenda for electronic commerce and EDI through open networks such as the Internet. Premenos EDI software is an enabling strategy for transforming how corporations conduct business in extended enterprises using electronic communications. Templar -- a suite of software and services that enable businesses to send and receive EDI documents securely and reliably over the Internet -- was awarded the EMA '95 Electronic Commerce Product Excellence Award recognizing the most innovative new product debuted at EMA's annual conference. Premenos products support the IBM AS/400, RISC System/6000, HP 9000, SunSparc, Windows 3.x, NT and Windows 95. Premenos has a worldwide presence with sales offices in California, London and Paris. Contact Premenos World Wide Web (WWW) home page at http://www.premenos.com to access over 3000 pages of information on electronic commerce, EDI, standards, as well as Premenos corporate information materials. NOTE: Premenos is a registered trademark of Premenos Corp. All other product and company names are trademarks of their respective corporations. CO: Premenos Technology Corp. ST: California IN: CPR SU: PER From owner-cypherpunks at toad.com Fri Mar 1 15:16:39 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Sat, 2 Mar 1996 07:16:39 +0800 Subject: No Subject Message-ID: The database size is really only half the problem I think. The bigger problem is managing the database. I can't quite see it being possible to have one organization serve as a distribution point for all keys. With millions of billions of certs, you're going to have having thousands or millions of database updates on a daily basis. It does seem though that if you can truly eliminate revocations then things get a lot easier. You never have to go back a check with the issuer about anything. This will probably work for some applications, but there's certainly others for which it won't. LL At 2:21 PM 2/29/96, Carl Ellison wrote: >At 12:01 2/29/96, Laurence Lundblade wrote: >>I think a problem occurs when you have 20 billion of >>these certs (two for every person in the year 2010 or such). A simple hash >>into a table isn't going to cut it because you a single database (with >>replication?) isn't going to be possible. > >BTW, at the rate that memory gets cheaper and smaller, it might be quite >reasonable to have that single database fit alongside your daily appointments >in your shirt-pocket daily organizer and e-mail terminal, in 2010. > > >+--------------------------------------------------------------------------+ >|Carl M. Ellison cme at cybercash.com http://www.clark.net/pub/cme | >|CyberCash, Inc., Suite 430 http://www.cybercash.com/ | >|2100 Reston Parkway PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 | >|Reston, VA 22091 Tel: (703) 620-4200 | >+--------------------------------------------------------------------------+ From owner-cypherpunks at toad.com Fri Mar 1 15:24:59 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Sat, 2 Mar 1996 07:24:59 +0800 Subject: No Subject Message-ID: 3-1-96. TWP: "Expert Panel Wants Intelligence Director to Hold More Power." The commission finds that the patchwork of 14 separate intelligence agencies is functioning well in its current form. To meet tbe growing threat of worldwide criminal activity the panel suggested creation of a high-level policy group run out of the White House, called tbe Global Crime Committee. It would be chaired by the president's national security adviser and would include the AG, State, DoD, and the DCI. "Turner: CIA Nearly Used A Journalist in Tehran." CIA's covert operators do not want to reopen the debate. As Turner put it, "Is the media case stronger than businessmen or academics? The covert operators are worried that we may reach a point where prohibitions will get us down to where there is nobody left to spy but the Foreign Service." 3-1-96. NYT: "Commission Recommends Streamlined Spy Agencies." Most of the changes the report will recommend are evolutionary, not revolutionary. Intelligence officials used the same word to describe it: "underwhelming." The report fails to answer the big overstaffing problem. An official said the resistance within the intelligence agencies to staff cutting would be so strong that the downsizing would never happen. MAF_ios From owner-cypherpunks at toad.com Fri Mar 1 15:46:41 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Sat, 2 Mar 1996 07:46:41 +0800 Subject: No Subject Message-ID: I think we are in violent agreement here... > I disagree but then my worldview is different. For personal use the > compact distributed system is workable however when you start thinking > in terms of a large distributed organization, the quanta changes. > > Mention was made of the difficulty of handling 20,000 keys. I am looking at > over 80,000 today and over 200,000 tomorrow *for a single organization*. For > quantities like this, a hierarchial system of management seems inevitable. Perhaps you misunderstood what I mean by "central keyserver model". What I mean by that is the status quo, where we have a set of central keyservers and each keyserver knows about each key. When I say that this will disappear, I mean that we will move towards a more distributed system, similar to the DNS for looking up hostnames. Yes, we will need a distributed, hierarchial [sic] system in the future, and if we want to continue using PGP we will need to provide a simpler way to use that. > First, I am not about to give up my personal PGP key, it is trustworthy and > effective for my needs. It is not necessarily incompatable with an > organizational structure. This is true. > However *for the organization* something else is needed. I can see a > future in which the bulk of the population has only two keys: their own > and the punlic key of their post office (not talking USNail - private ones > though not saying the US might not operate one as well). I disagree. I know the addresses of the people with whom I communicate regularly. I know my parent's USnail address, my grandparents', my SO's, etc. I dont need to tell the Post Office "Send this to my parents" and trust them to do it. I give them a destination address and trust them to send it to the proper destination. The same thing is true in the electronic world. I put a destination on the email, give it to the mailer, and trust it to send it to the appropriate destination. A similar anology can be made when I dont know an address: I ask someone for it. Same thing with an email address/PGP key, I need to ask for it before I can use it. The same thing is true of hostnames. I can find a hostname<->IP address for just about any host on the planet. Do I have them all on my local disk? No, of course not. I look them up when I need them. However, I do cache local copies of the names I frequently use. > As noted, a hierarchal mechanism will be needed for key retrieval - > only local keys and "frequent fliers" will be kept locally. Not new > concept, just not used by post offices that I know of today. Yes, this is true. And it is used -- its called regional phone books. If I want to get a number for someone, I go to the regional phone book and look them up. I have to know something about them first, so I know where to look. If I asked you to find the machine "incommunicado" and tell me it's IP address, what would you do? You'd have to look in every domain for machines named "incommunicado". However, if you knew that I meant "in the 'ihtfp.org' domain", you'd know exactly where to look. The same is true of phone numbers. The same is true for keys. > Will need a bit of fleshing out and expect the end-state to be 2-4 years out > but is a good time to think about it. True. The problem is that with PGP messages, the only information about keys is a "random" keyID. From a keyID there is no way to determine that key unless you already have it. This means that if you do not already have the key, you have no way to find that key. See the problem? This is like the "find 'incommunicado'" problem above. What I propose is to modify, slightly, the PGP signature certificate to add a "hint" field. This hint field would tell you where to look for the key. This is the way to add the "ihtfp.org" info to the PGP signature. I hope this clears up any misconceptions... -derek From owner-cypherpunks at toad.com Fri Mar 1 15:57:09 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Sat, 2 Mar 1996 07:57:09 +0800 Subject: No Subject Message-ID: Where can I find it? Please send ftp or URL via private E-Mail. (define(RSA m e n)(list->string(u(r(s(string->list m))e n))))(define(u a)(if(> a 0)(cons(integer->char(modulo a 256))(u(quotient a 256)))'()))(define(s a)(if (null? a)0(+(char->integer(car a))(* 256(s(cdr a))))))(define(r a x n)(cond((= 0 x)1)((even? x)(modulo(expt(r a(/ x 2)n)2)n))(#t(modulo(* a(r a(1- x)n))n)))) From perry at piermont.com Fri Mar 1 16:05:38 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 2 Mar 1996 08:05:38 +0800 Subject: A brief comparison of email encryption protocols In-Reply-To: <199603010154.TAA05515@proust.suba.com> Message-ID: <199603011621.LAA21143@jekyll.piermont.com> Alex Strasheim writes: > Sorry for the stupid questions, but I want to make sure I'm on the same > page as the rest of you. Correct me where I'm wrong -- > > The idea to have a distributed database (like DNS?) that allows you to > retrieve keys with query strings similar to urls. So if you wanted to do > a secure telnet to host.foobar.com, you'd submit something like > "telnet://host.foobar.com" to the key server, and it would give you back a > key. If you wanted to send mail to me, you'd submit something like > "mailto://alex at suba.com". Etc. That wasn't actually what I had in mind. When I said a new URL I meant something like key://foo.bar.com/bleh/blah/foo, to go with the new key server protocol. I'm not exactly sure what the key servers should take as lookup values -- that is, at this point, a matter for discussion. > Finally, does anyone know if anything's been happening with Matt's key > management project? Matt does, I presume... Perry From owner-cypherpunks at toad.com Fri Mar 1 16:06:41 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Sat, 2 Mar 1996 08:06:41 +0800 Subject: No Subject Message-ID: Here is your friendly reminder of the Austin Cypherpunks meeting tomorrow, Saturday the 2nd. We'll meet at the Central Market Cafe at 38th and Lamar at 6PM. Topics include the video (I'll have a camera!), ITAR relaxation, RC4 now being called PC1, how to duck the CDA using crypto, hardware random number generators, and stuff like that. The meeting should go around 2 hours depending on the crowd, and there is a Bookstop next door if you want to browse some reading material later. Look for the people with technical books and/or crypto-related shirts. They will be us. (I'm sending this to both austin-cpunks and cypherpunks.) -- Ben Combee, CAD Software Developer, small language enthusiast, HTML dude Motorola, Paging Products Group, Strategic Semiconductor Operation--Austin E-mail: combee at sso-austin.sps.mot.com Phone: (512) 891-7141 From willer at carolian.com Fri Mar 1 16:35:29 1996 From: willer at carolian.com (Steve Willer) Date: Sat, 2 Mar 1996 08:35:29 +0800 Subject: PGP to PC mail integration In-Reply-To: <01I1SHIHFEBKAKTPB8@mbcl.rutgers.edu> Message-ID: <31374977.245533825@saturn> On Thu, 29 Feb 1996 15:50 EDT, you wrote: > You'd put something into the mail message itself that would tell it >"don't encrypt this" and/or "don't sign this". Hmm... you'd need to put in >messages to be signed and/or encrypted your passphrase, or have it gotten some >other way... which doesn't look very safe. Not very user-friendly either. >An attacker could still potentially slip >something in between the mail program and the proxy program, though - the same >problem as with the passphrase in the message. Usually the proxy would be on the same machine as the mail program (i.e. "your machine"). That would mean the "attack proxy" would have to be installed on the user's PC, and if someone has that kind of access to your machine, their secret keyring is vulnerable anyway. From anon-remailer at utopia.hacktic.nl Fri Mar 1 17:16:03 1996 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Sat, 2 Mar 1996 09:16:03 +0800 Subject: Seeking Position Message-ID: <199603012135.WAA12346@utopia.hacktic.nl> Long time cypherpunk reader seeks position. Class of 1996/J.D.: Top 10 U.S. Law School. B.A. International Affairs: Top 25 U.S. University. Highly proficent in modern fieldcraft, intelligence operations and communications security. Will sit for bar exam of employer's choice. Expert pistol, advanced tactical carbine, master level tactical driving abilities. Significant previous international clandestine fieldwork experience in developing and Eastern European countries pursuant to political risk analysis projects. Extensive legal expertise in white collar criminal investigation, national security law, bankrupcy, U.S. taxation of international and expatriot income, corporate governence, antitrust, 10(b), 10b-5 and misappropriation insider trading issues. Ideal canidate for high level position in emerging or existing security/economic/political risk analysis department of international firm, field agent for political risk consultant or to address the discrete needs of private client. Most rigorous international travel regime welcome. Serious inquiries only. TLA's need not apply. No wet work. Illegal proposals will be ignored. Borderline proposals considered with interest. Submit position description along with firm/client CV to: an436533 at anon.penet.fi -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCPAzE3Z7oAAAEEAMClYX8ZIZ/3iwlH96s/JssxRPdmoh6fQcpBLFL8kLkthgkr bXo+Hh/gAKYmYYgDgT/SKfbpAE7qIMg+Ra8WvpMoBuhKNcCt7D7aruxGvId+l7nq KFfSLy6lVviQyVSPjCNxnCvbACIpEtXC1NnyxlShE+l6RvuVA/HuoJlH4LbVABEB AAG0FmFuNDM2NTMzQGFub24ucGVuZXQuZmk= =D7tQ -----END PGP PUBLIC KEY BLOCK----- From norm at netcom.com Fri Mar 1 17:20:25 1996 From: norm at netcom.com (Norman Hardy) Date: Sat, 2 Mar 1996 09:20:25 +0800 Subject: SET spec available Message-ID: At 12:09 AM 2/24/96, John Pettitt wrote: >The SET transaction spec is now available on www.visa.com (and presumably on >www.mastercard.com although I didn't check). .... I am unable to find the specs. Anyone have an URL? From inglem at adnetsol.com Fri Mar 1 17:22:54 1996 From: inglem at adnetsol.com (Mike Ingle) Date: Sat, 2 Mar 1996 09:22:54 +0800 Subject: PGP to PC mail integration Message-ID: <199603010652.WAA00782@cryptical.adnetsol.com> >Seriously, the idea here is that the pgp front end shouldn't deal with >the user interface in your present mail program. Nobody (before you) >have considered doing it completely without a user interface. Exactly. Yes, it will at least have to have a config screen. It will probably have to prompt for a passphrase on the fly, unless you want to store it. It can ask to encrypt or not, or it can have a header in the message. The important thing is I don't care about the user interface of the mail program. This has been the big barrier so far. Mike From lmccarth at cs.umass.edu Fri Mar 1 18:29:51 1996 From: lmccarth at cs.umass.edu (lmccarth at cs.umass.edu) Date: Sat, 2 Mar 1996 10:29:51 +0800 Subject: Paint Your Own Scarlet Letter (Was: Edited Edupage, 29 Feb 1996) In-Reply-To: <01I1U06TWSP2AKTQC0@mbcl.rutgers.edu> Message-ID: <199603012351.SAA21083@thor.cs.umass.edu> >From EduPage via E. ALLEN SMITH: > >SELF-PATROLLING THE WEB > >The World Wide Web Consortium is pushing the Web page rating system that it > >developed in cooperation with the Platform for Internet Content Selection, a > >group of 22 online firms. Operators at about 20,000 Web sites have already > >coded themselves using the Internet Relay System, which is similar to the > >rating system for films. To rate your Web site, go to the SafeSurf site at > >< http://www.safesurf.com/ > and fill out the form that helps them come up > >with a rating. I couldn't resist the temptation. I rushed out and rated my home page as evil incarnate, at least according to the SafeSurf rating system. No innocent rugrats are gonna be learning anything about my work in crypto and symbolic computation on the web ! It's, uh, interesting to note that "homosexual themes" gets a whole separate category from "heterosexual themes". :[ Here's the reply I received after filling out the SafeSurf web form. It looks as though anyone can use the code below by sticking it in their HTML as directed: --- begin included message --- >To: lmccarth at cs.umass.edu >From: SafeSurf Rating Page >Subject: Rating your site with the SafeSurf System ____________________________________________________________ 01_Site = www.cs.umass.edu/~lmccarth/ Email_Address = lmccarth at cs.umass.edu (SS~~000) Recommended Age = 9. Explicitly for Adults (SS~~001) Profanity = 9. Explicit and Crude (SS~~002) Heterosexual Themes = 9. Explicit and Crude or Explicitly Inviting Participation (SS~~003) Homosexual Themes = 9. Explicit and Crude or Explicitly Inviting Participation (SS~~004) Nudity = 9. Explicit and Crude (SS~~005) Violence = 9. Encouraging Personal Participation, Weapon Making (SS~~006) Sex Violence and Profanity = 9. Explicit and Crude (SS~~007) Intolerance = 9. Advocating Violent or Hateful Action (SS~~008) Drug Use = 9. Soliciting Personal Participation (SS~~009) Other Adult Themes = 9. Explicit and Crude or Explicitly Inviting Participation (SS~~00A) Gambling = 9. Providing Means with Stakes ____________________________________________________________ The following code should be placed directly after the statement of your HTML document: ____________________________________________________________ Here's an example of how to place the code in your HTML document: Your Web Page Title --- Your Content Begins here -- ____________________________________________________________ Thank you for making the Internet a safer place without censorship. Until later, SafeSurfing to you! From m5 at dev.tivoli.com Fri Mar 1 18:29:55 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Sat, 2 Mar 1996 10:29:55 +0800 Subject: Edited Edupage, 29 Feb 1996 In-Reply-To: <01I1U06TWSP2AKTQC0@mbcl.rutgers.edu> Message-ID: <9603012357.AA27392@alpha> E. ALLEN SMITH writes: > The below is worrisome; I am willing to bet that the European > governments might try to require it, and that the US might follow suit if the > CDA gets tossed out (analogous to the V-chip). I'll send a further message > after I've analyzed the rating system in question a bit more. Require it? Of whom? What will all these people do the day somebody implements a new web-like internet protocol and makes a daemon available for free anonymous download? There seems to be some kind of wierd idea floating around that all we need to do is to "rate those web pages". Anyway, I don't know what more needs to be said about a rating system other than that it's a rating system. ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * * suffering is optional From lmccarth at cs.umass.edu Fri Mar 1 18:57:19 1996 From: lmccarth at cs.umass.edu (lmccarth at cs.umass.edu) Date: Sat, 2 Mar 1996 10:57:19 +0800 Subject: Certificate validity issues In-Reply-To: Message-ID: <199603020030.TAA22084@thor.cs.umass.edu> some hairboy ;) writes: > I don't see any that there could be any sort of automatic way to > distinguish between the necessity for recipient-signed vs. > recipient-unsigned certificates; One would assume that recipient-unsigned > certificates would be effective only when issued from a high-reputation > source. > > Some method should be required to allow user decisions as to this, but > whatever system is designed should definitely allow for both types, and > *require* relevant software to handle both types. I think this is a policy issue, not a technology issue. In general, key owners should be able to sign certificates that say arbitrary things, regardless of whether or not some third party agrees that the statement being signed is "true". Unless you believe in libel, slander, etc., which raises policy issues of a different sort entirely. The John Birch Society can sign something claiming that I'm a member. A policy that says that's sufficient information to conclude that I *am* a John Bircher is a broken policy. A policy that requires both the above and a signature by me on the same certificate, among other things, is viable. > There's actually a third sort of important certificate the system should > handle: > > (3) I might be a member of a secret society; I might need a membership > certificate to get access, say, to certain web sites. The system > should allow a "secret certificate," readable only by the issuer. Your description is a bit ambiguous. Do you really mean "readable", or do you mean "verifiable" ? If the former, it sounds like this could be handled by distributing signed certificates encrypted with the issuer's public key. If the latter, you could distribute signed certificates but not the public key needed to verify the signatures on the certs. It might be handy to use a hybrid approach, such as distributing signed certificates that refer to encrypted entity names (suitably padded with random bytes to avert trial encryption of plaintext guesses). -Lewis "You're always disappointed, nothing seems to keep you high -- drive your bargains, push your papers, win your medals, fuck your strangers; don't it leave you on the empty side ?" (Joni Mitchell, 1972) From frantz at netcom.com Fri Mar 1 19:17:00 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 2 Mar 1996 11:17:00 +0800 Subject: Paint Your Own Scarlet Letter (Was: Edited Edupage, 29 Feb 1996) Message-ID: <199603020108.RAA20068@netcom7.netcom.com> >From EduPage via E. ALLEN SMITH: >SELF-PATROLLING THE WEB >The World Wide Web Consortium is pushing the Web page rating system that it >developed in cooperation with the Platform for Internet Content Selection, a >group of 22 online firms. >From SafeSurf Rating Page via lmccarth at cs.umass.edu wrote: >Thank you for making the Internet a safer place without censorship. >Until later, SafeSurfing to you! Remember, my goal is to convince the congress, president, courts, and Americans in general that the government should not be in the censorship business, not to have a system that actually works. I really hope this self rating system works in practice because (1) it is in line with current Internet practice, and (2) having it work makes a one hell of a fine argument. For many years people on the Internet have been encouraged to provide warnings on things they think others may find offensive. The the use of rot13 "encryption" is one example, another is the practice of putting warning labels (advertisements?) on material. Killfiles (in their most general sense) are analogous to the censoring browsers in this system. (I know it doesn't work for ftp/gopher/email/usenet newsgroups. I hope that the censors think that the web is the net.) (I think I want to start a web search engine looking for pages rated SS~~002 9, SS~~004 9, SS~~005 <5, and all the others don't care.) Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From frankw at in.net Fri Mar 1 19:40:08 1996 From: frankw at in.net (Frank Willoughby) Date: Sat, 2 Mar 1996 11:40:08 +0800 Subject: Seeking Position Message-ID: <9603020134.AA15923@su1.in.net> Those interested in an Information Security-related position might be interested in checking out: Cameron Carey Computer Security Placement Service (508) 393-7803 He specializes in placing InfoSec persons (only). His contacts are numerous and last time I checked, he knew of about a dozen or so openings. I have used him in the past. He's one of very few headhunters I have met who will actually work your resume & call you frequently with the status (where your resume is, the type of company, etc.). FWIW, it doesn't matter if you mention my name or not - I have no vested interest in recommending him other than I believe that people who do a good job ought to be recommended to others. Best Regards, Frank The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc. Fortified Networks Inc. - Management & Information Security Consulting Phone: (317) 573-0800 - http://www.fortified.com/fortified Home of the Free Internet Firewall Evaluation Checklist From platypus at alpha.c2.org Fri Mar 1 20:09:46 1996 From: platypus at alpha.c2.org (The Warm-Blooded One) Date: Sat, 2 Mar 1996 12:09:46 +0800 Subject: Anyone else getting duplicate ACKs sending alpha.c2.org messages? Message-ID: <199603020231.SAA04039@eternity.c2.org> I just started a couple days ago, so it's entirely possible that I'm doing something wrong, but I seem to be getting two acknowledgement messages, about 5 minutes apart, for the last four messages (which happen to be my first four messages) sent through alias at alpha.c2.org. The recipient only seems to be getting one copy of the message. I happen to be using Private Idaho (thanks Joel!), but I don't think it should matter. Just wanted to check whether this was a common experience before troubleshooting more or bugging Sameer (yeah, so I go and bug EVERYBODY instead). I was going to figure it out myself, but since I'm bugging you anyway, is there a decent newbie guide on the web for using the mail-news gateways that parse the Newsgroups: header? I gather you just add the header after a ::, but do you just add headers, or repeat them all? I am mostly just educating myself and playing around with this stuff at the moment, so don't waste your time giving me a detailed reply on the assumption that I'm an Australian political dissident or anything. -- platypus at alpha.c2.org From sgutknec at computek.net Fri Mar 1 20:40:38 1996 From: sgutknec at computek.net (Stephen A. Gutknecht) Date: Sat, 2 Mar 1996 12:40:38 +0800 Subject: Nortel "Entrust" Message-ID: <01BB074E.BFFA0E20@ssitsc-sag1.swspectrum.com> I too would like to see an open discussion on this. Microsoft uses this for their new Exchange Server client/server email product.... ---------- From: Jonathon Fletcher[SMTP:jonathon at japan.sbi.com] Sent: Friday, March 01, 1996 10:17 AM To: cypherpunks at toad.com Subject: Nortel "Entrust" Can anyone tell me anything about a product called "Entrust", by Nortel (Northern Telecom). The notes talk about the software using DES ("which employs a 56-bit key") so I guess it's single DES, not triple DES. It also mentions a proprietary algorithm called CAST. Is this worthy of further investigation, or is it suspect ? What is CAST, and would it be classed as snake oil ? From erc at dal1820.computek.net Fri Mar 1 20:59:24 1996 From: erc at dal1820.computek.net (Ed Carp) Date: Sat, 2 Mar 1996 12:59:24 +0800 Subject: Chaff in the Channel (Stealth PGP work) In-Reply-To: <199603010418.VAA02087@nelson.santafe.edu> Message-ID: On Thu, 29 Feb 1996, Nelson Minar wrote: > tcmay at got.net (Timothy C. May) writes: > >This is my take on fixing the stego situation. Instead of worrying about a > >"stealth PGP version," which is likely to be only a slight speed bump > >(because of the statistics), think about flooding the detection channels. > As noble as "flood the detection channels" sounds, has it really ever > succeeded? Do people who don't care about privacy day to day ever go > through extra trouble to make other people's privacy easier? I can I still like the idea of EVERYONE using encryption. Hiding stuff in plain sight always has appealed to me. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes The mark of a good conspiracy theory is its untestability. -- Andrew Spring From dwhite at pris.bc.ca Fri Mar 1 22:03:05 1996 From: dwhite at pris.bc.ca (dwhite at pris.bc.ca) Date: Sat, 2 Mar 1996 14:03:05 +0800 Subject: Anonymous Web Browsing Message-ID: <199603020519.WAA01634@pris.bc.ca> Hi guys..... I'm new here and I don't have the same technical expertise as I am witnessing with most of the other posters here. I do have a question and I hope that it is not too technically naive. I have followed the ongoing discussion on PGP security, remailers and the like. I am wondering if the current trend with interactive Web browsing, Java, etc, is not going to create a privacy problem every bit as significant as insecure e-mail. As these "applets" become more sophisticated are we not going to have to face up to the issue of dynamic links to web sites that gather a lot of info from your computer as you interact with it? The recent controversy at Microsoft indicates to me that interactive Web applets could easily be programmed with hidden "siphon hoses" that are quitely sucking data from you while you look at the latest Baywatch poses. I am not a programer so I don't know how it would work. It just seems to me that it would not be that tall an order to accomplish. Correct me if I am wrong. My question is this: Would it be possible to create a web site that would function along the same lines as remailers do? Something that would allow a person to browse anonymously. So lets say I surfed into a Interactive Web site that has some kind of Java applet for......say portfolio projections..... Any personal financial info I dumped into it for analysis sake could be collected by the server for some kind of customer profile. Lets say that I didn't want sensitive financial info exposed to someone else without my knowledge. So then I would log into a "Re-Webber" that would allow me to continue on to the subject site with any electronic signature following back to the anonymous Web, not back to me. Another example that this would be a concern would be in the coming explosion of Bank oriented services that are coming available. A "Re-Web" would let you use applets on a Bank server without the concern that the Bank is gathering MORE sensitive info on you. Forgive me if this technically naive. I admit I don't know what I am talking about. It was something that piqued my curiosity as I was reading various posts about e-mail security. Doug dwhite at pris.bc.ca From adam at lighthouse.homeport.org Fri Mar 1 22:22:25 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sat, 2 Mar 1996 14:22:25 +0800 Subject: A brief comparison of email encryption protocols In-Reply-To: <199603010154.TAA05515@proust.suba.com> Message-ID: <199603010434.XAA10712@homeport.org> Alex Strasheim wrote: | What's the advantage of using this url type system instead of "fully | qualified" certificates, ie., attaching all the keys and signatures to the | object? Doesn't the give and take with the key servers more than wipe out | the advantage of the smaller data object? | | Does the win come from solving the revocation problem? The win from a referenced system can come in two places. First is standard places for keys, so I can ask a host for its telnetd's key simply. Second is that I may already have cached some of the keys, and not need, for example, they key for toad.com/s/sendmail/ Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From nelson at santafe.edu Fri Mar 1 22:25:01 1996 From: nelson at santafe.edu (Nelson Minar) Date: Sat, 2 Mar 1996 14:25:01 +0800 Subject: Chaff in the Channel (Stealth PGP work) In-Reply-To: Message-ID: <199603010418.VAA02087@nelson.santafe.edu> Is anyone here on the Steganography mailing list? Last I checked it looked pretty dead, which is a shame. Stego seems to be a really important topic, and a difficult one at that. The good news is there's all sorts of entropy in the data we send back and forth, the bad news is it's hard to actually exploit it. tcmay at got.net (Timothy C. May) writes: >This is my take on fixing the stego situation. Instead of worrying about a >"stealth PGP version," which is likely to be only a slight speed bump >(because of the statistics), think about flooding the detection channels. The stealth PGP is, of course, a necessary element: you have to remove the big "THIS IS AN ENCRYPTED MESSAGE FOR RESISTOR-CELL-23" before you can slip it in somewhere. As noble as "flood the detection channels" sounds, has it really ever succeeded? Do people who don't care about privacy day to day ever go through extra trouble to make other people's privacy easier? I can think of two public efforts to increase noise that have failed: putting Spook keywords in all Usenet posts, and using PGP email for normal day to day traffic. The failure of the second channel-flooding is especially notable: even people doing serious crypto hacking, with well established public keys, don't seem to PGP encrypt normal day to day traffic. It's just not convenient enough. I think asking people to increase entropy in their day to day communication is doomed to fail, it's just too much trouble. Better to exploit the entropy we already have, and maybe encourage designers of new systems to build in some extra entropy sources when they get the chance. I've got some specific ideas, but am a bit nervous about talking about them because of intellectual property issues. Also, I'm not convinced that unlike cryptography, some extra security can be maintained in a steganographic system by not disclosing the way it works. I haven't resolved these concerns, but would be happy to engage in some metadiscussion about them. From adam at lighthouse.homeport.org Fri Mar 1 22:28:08 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sat, 2 Mar 1996 14:28:08 +0800 Subject: A brief comparison of email encryption protocols In-Reply-To: <199602292135.QAA18937@jekyll.piermont.com> Message-ID: <199603010356.WAA10509@homeport.org> In suggesting key:// urls, I (without commenting) placed a path of /s/telnetd/ in a URL. I was considering that a telnetd might need many keys and associated documents, all of which could be found in a directory. gateway's master telnetd public key. daily keys policy statements about who may connect, or how etc I expect that we could extend the syntax in such a way that a URL could contain most of the data we need. Thus, the default document might be a 'cert of the day,' with possibly with references within the certificate to the master telnetd key, the hosts master key. To expand, I was thinking of: key://foo.bar.com/{u,s,h,d}/family/instance The first two bits, the scheme (key) and host are pretty clear. They're followed by an (arbitrary) grouping, of User, System, Host or Domain. User is for user space certificates, such as personal certs, or possibly currently in use IPv6 keys. System is for system daemons, such as telnetd. Host is for host certificates, such as might be generated for a host to sign its daemon's keys. Domain could be analogous to host, but for an entire domain. Family is for natural groupings, such as telnetd or adam, or within a domain, certificates by host. An thus a host's certificates would be available under h/main/cert.asc or d/mailhost/cert.asc. It would be possible to extend this by date, to d/mailhost/96/march/cert.asc Instance would then be the particular certificate, in a standardized namespace. These are no longer particularly short in the verbose version, but they are capable of being optimized (by ommission) for the usual cases. Adam Perry E. Metzger wrote: | Carl Ellison writes: | > Key: ftp://ftp.clark.net/pub/cme/cme.asc | | URLs are nice, but I'm not quite sure they are sufficient in practice, | though they are certainly theoretically sufficient. If I get a | document from someone, and it is signed, I'd like to be able to get | the key associated with the signature, and the URL is in theory enough | to do that. However, going in the opposite direction -- retrieving a | key associated with, say, a remote host's TELNET server, I'd like to | be able to query a server ask much more flexible questions than an FTP | URL would let me ask -- I might have a prefered public key system (RSA | versus DSS or what have you), I might want to be able to distinguish | between versions of the key, I might want to ask for all keys of a | certain class, etc. | | In the end, we are probably going to need something in the way of key | servers, which may (or may not) imply either a new type of URL or | something other than a URL to do retrieval off of. | | Perry | -- "It is seldom that liberty of any kind is lost all at once." -Hume From tcmay at got.net Fri Mar 1 23:24:41 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 2 Mar 1996 15:24:41 +0800 Subject: Cryptanalysis Message-ID: At 6:52 AM 3/2/96, Alan Olsen wrote: >The author has failed to call me back. I do have some serious concerns >about the code. (There is not a single XOR used, except to clear >registers!) I am starting to suspect that it is based on a mathematical >progression based on the numbers 40, 28, 36. I need to spend a bit of time ^^^^^^^^^^ Ah, note that the magic key, 42, is not included. Coincidence, or stupidity? Alan, there is not enough time in the universe to waste it on those who will not learn even the basics. The "author," who I had understood to be a friend of yours (though apparently a more distant relationship is involved), is apparently developing something John Dee would have been proud of. Fortunately for the rest of us, cryptology has moved on in the last several hundred years. I again urge you not to waste your time on this. Or our time. (Trust me, in five or six years, if your friend sticks to his current course, he will announce to the world his "discovery" of the "virtual one time pad" and will be preparing a public stock offering in Silicon Snakeoiltronics.) A few other minor points: >>* The journal "Cryptologia" is largely devoted to amateur cryptanalysis. > >The web info for back issues listed a web page from a publisher that had no >listing for them on the server. I will be sending mail to get more info... Last I checked, Tony Patti was still the editor. Not all things are on the Web in serious ways, obviously. I had no problems finding copies in my local university library (UC Santa Cruz), but it was several years ago that I last checked (conventional cryptanalysis not being very germane and all). Reed College might have copies. >>There are very good reasons to say little about "conventional >>cryptanalysis": it just doesn't matter much with modern ciphers, such as >>public key systems. Modern ciphers don't fall to conventional attacks based >>on word frequency, pattern analysis, etc. > >Still an interesting topic... Perhaps as a hobby, for those who find the NYT crosswords exciting. But of little significance for modern cryptology, except as a cautionary tale. --Tim May THE X-ON CONGRESS: INDECENT COMMENT ON AN INDECENT SUBJECT, by Steve Russell, American Reporter Correspondent....You motherfuckers in Congress have dropped over the edge of the earth this time... "the sorriest bunch of cocksuckers ever to sell out the First Amendment" or suggesting that "the only reason to run for Congress these days is to suck the lobbyists' dicks and fuck the people who sent you there," ....any more than I care for the language you shitheads have forced me to use in this essay...Let's talk about this fucking indecent language bullshit. From atzet at vnet.ibm.com Fri Mar 1 23:34:58 1996 From: atzet at vnet.ibm.com (Michael A. Atzet) Date: Sat, 2 Mar 1996 15:34:58 +0800 Subject: X.509 certs that don't guarantee identity In-Reply-To: <199602260448.WAA01201@proust.suba.com> Message-ID: <3135CC13.41C6@vnet.ibm.com> Jeff Weinstein wrote: > > Alex Strasheim wrote: > > > > On the 23rd, Jeff Weinstein said this concerning the natural > > semi-anonymity of the net: > > > > > Given that verisign and others will soon begin issuing large numbers of > > > certificates that do not guarantee the identity of the key holder, it seems > > > that this tradition will continue even with the wide deployment of X509 > > > certs. > > > > This has been bugging me since I read it. I'm not sure I understand the > > plan; it only makes sense to me if "anonymous" X.509 certs are issued > > for user authentication only, not for server authentication. Is that > > what this is about? > > > > (If anonymous certs are issued for servers, why should such a cert be > > treated any differently than one I generate on my own, which causes > > warning screens about an unknown CA to pop up?) > > The navigator will not be configured to automatically trust the verisign > level 1 and 2 certificates for SSL servers. You will get the same warning > dialog with these certs as you do with one you generate on your own. > > --Jeff > > -- > Jeff Weinstein - Electronic Munitions Specialist > Netscape Communication Corporation > jsw at netscape.com - http://home.netscape.com/people/jsw > Any opinions expressed above are mine. How will Navigator differentiate between the different level certs? I am not aware of any fields in the cert itself that designate what level it is. I know that the subject info would "look" different for a persons name vs. email address vs commom name. -- Michael A. Atzet IBM AIX Systems Center Roanoke, Texas *** All opinions above are mine and not necessarily that of IBM. *** atzet at vnet.ibm.com From perry at piermont.com Sat Mar 2 00:47:18 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 2 Mar 1996 16:47:18 +0800 Subject: Problems with certificates. In-Reply-To: <199603020757.XAA18751@dns1.noc.best.net> Message-ID: <199603020819.DAA24292@jekyll.piermont.com> jamesd at echeque.com writes: > At 08:35 AM 3/1/96 -0500, A. Padgett Peterson P.E. Information Security wrote : > >Today, each person generates their own PGP key. While it is unlikely that > >any two will match, it is likely that at some point some two will match > >(see matching birthdays in a bar - number is less than you would think). > > If if we colonized every planet in the galaxy, and every planet had a > trillion people, and every single person on every planet generated a billion > keys a second for a billion billion years, not one pair would match, assuming > they were generated from truly random seeds. Well, lets see. For a 1024 bit key, a birthday match is a 1 in 2^512 proposition, assuming that a key could be any random 1024 bit number. Assuming 100 million planets: 100000000*(10^12)*(10^9)*60*60*24*365*(10^9)*(10^9)= 3153600000000000000000000000000000000000000000000000000 2^512= 134078079299425970995740249982058461274793658205923933777235614437217\ 640300735469768018742981669034276900318581864860508537538828119465699\ 46433649006084096 However, the density of prime numbers isn't so high as to make the probability truly 1/2^512 -- indeed, I would guess it is much lower. However, you may indeed be right. None the less, one would hope that the software handled it gracefully even if the impossible happened... Perry From rsnyder at janet.advsys.com Sat Mar 2 01:25:58 1996 From: rsnyder at janet.advsys.com (Bob Snyder) Date: Sat, 2 Mar 1996 17:25:58 +0800 Subject: X.509 certs that don't guarantee identity In-Reply-To: <199602260448.WAA01201@proust.suba.com> Message-ID: > The navigator will not differentiate them. We build in a default set of >CA certificates into the navigator, and then allow the user to modify them as >they see fit based on their local trust policy. The default set of CAs that >we ship with our product will not include the verisign level 1&2 CAs as >trusted >SSL Server CAs. With the level 1&2 CA certs be include but not enabled, or will users have to go pull them themselves? Bob From jamesd at echeque.com Sat Mar 2 01:32:12 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Sat, 2 Mar 1996 17:32:12 +0800 Subject: Problems with certificates. Message-ID: <199603020912.BAA28408@dns1.noc.best.net> jamesd at echeque.com writes: >> If if we colonized every planet in the galaxy, and every planet had a >> trillion people, and every single person on every planet generated a billion >> keys a second for a billion billion years, not one pair would match, assuming >> they were generated from truly random seeds. At 03:19 AM 3/2/96 -0500, Perry E. Metzger wrote: >Well, lets see. For a 1024 bit key, a birthday match is a 1 in 2^512 >proposition, assuming that a key could be any random 1024 bit number. >Assuming 100 million planets: > >100000000*(10^12)*(10^9)*60*60*24*365*(10^9)*(10^9)= > 3153600000000000000000000000000000000000000000000000000 >2^512= > 134078079299425970995740249982058461274793658205923933777235614437217\ > 640300735469768018742981669034276900318581864860508537538828119465699\ > 46433649006084096 > >However, the density of prime numbers isn't so high as to make the >probability truly 1/2^512 -- indeed, I would guess it is much >lower. However, you may indeed be right. The number of prime numbers less than n is n/ln(n). Presumably the number of valid PGP keys is somewhat larger. Assume 768 bit PGP keys: The number of randomly selected 768 bit primes that you would need for a reasonable chance of a birthday collision is 1.708E104 Which is 170 800 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 A number substantially larger than 3 153 600 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From stewarts at ix.netcom.com Sat Mar 2 02:12:44 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 2 Mar 1996 18:12:44 +0800 Subject: PGP to PC mail integration Message-ID: <199602290844.AAA03839@ix4.ix.netcom.com> At 12:18 AM 2/28/96 -0800, Mike Ingle suggested setting up a VB program on localhost to proxy POP and SMTP requests for PGP, rather than hitting it from the user interface. >Once this is set up, the user burden is near zero, and it works with >any winsock-based mail program. What do you think of the idea? It'd probably be pretty convenient for incoming, though you need to build some mechanism for displaying the PGP output for signatures (since PGP gives you the contents of the signed material when you check the sig.). One interesting security problem is how to distinguish between the message your PGP bot drops in your mailbox containing the message and an indication that the signature is good from a message that someone carefully constructed that _looks_ identical but includes its _own_ indication that the (possibly bad) signature is good. For outgoing mail, you'd either have to sign everything, which may be good, or have a way to tell it the proxy whether or not to sign the mail, and you'd either need to hand it your passphrase each time or take the security risk of leaving an autosigner hanging around listening on a port, just _waiting_ for somebody to lie about where they're connecting from and get your bot to sign arbitrary things..... There are also minor issues if you use multiple keys, which most people probably should. Interfaces between VB and PGP262 are a bit crude - Private Idaho is a good example. The problem is that PGP262 is a DOS program, so you need to POP up a DOS window to run it in, and then make the window go away. PI does that just fine, but it's a bit ugly to watch; it's much cleaner with ViaCrypt's Windows-based PGP. PGP 3.0 will simplify this, since you'll be able to use PGP as a library instead of a hauling up DOS to run it in. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com / billstewart at attmail.com +1-415-442-2215 # http://www.idiom.com/~wcs Pager +1-408-787-1281 From eggplant at inlink.com Sat Mar 2 02:12:49 1996 From: eggplant at inlink.com (eggplant) Date: Sat, 2 Mar 1996 18:12:49 +0800 Subject: Learning about Cryptography Message-ID: I am interested in learning more about cryptography. Where could I obtain some good, recent books on cryptography for the beginner. -- "... In Germany they first came for the Communists and I didn't speak up because I wasn't a Communist. Then they came for the Jews, and I didn't speak up because I wasn't a Jew. Then they came for the trade unionists, and I didn't speak up because I wasn't a trade unionist. Then they came for up because I wasn't a trade unionist. Then they came for Catholics, and I didn't speak up because I was a Protestant. Then they came for me-and by that time no one was left to speak up..." Pastor Martin Niemoller ************************************************ * * * Matthew Murphy ------------ eggplant at inlink.com * * * ************************************************ From geeman at best.com Sat Mar 2 02:33:52 1996 From: geeman at best.com (geeman at best.com) Date: Sat, 2 Mar 1996 18:33:52 +0800 Subject: Percy the Python loves IPG Message-ID: <199603010545.VAA26039@dns1.noc.best.net> At 12:44 AM 2/29/96 -0800, you wrote: >At 10:41 PM 2/25/96 -0500, ab411 at detroit.freenet.org (David R. Conrad) wrote: >>I think the IPG system is great! Percy, my pet python, has never been >>slicker or better lubricated! >:-) > >>IPG Sales wrote: >>>Perhaps so, but our system does employ a true hardware generated OTP, and >>>operates similiar to what you describe - however, the important >>>differernce is that we use a small OTP to generate a larger OTP, like >>>stringing the cable across the Golden Gate narrows. > ..removed.. >So please email me the keys to your company; I'll donate 10% of the value >to David's python Percy for extra snake oil. Send me some money to me too, and I'll send you back 10,000 disks with Certified Random Data on them. Getcher One Time Pads here, folks! From Q101NOW at st.vse.cz Sat Mar 2 04:41:46 1996 From: Q101NOW at st.vse.cz (Powers Glenn) Date: Sat, 2 Mar 1996 20:41:46 +0800 Subject: Chaff in the Channel (Stealth PGP work) Message-ID: - However, I suspect that the ideal would be like cryptography: - Assume the enemy knows everything about your system but the keys. - Thus, your gifs need to look like normal gifs in the lsb. Your audio - needs to have normal levels of hiss in it. Etc. the problem with many current stego programs (jsteg/stools) is that given a data stream, they will tell you if there is data steg'ed (by the same program, of course) it in. jsteg goes out of it's way to hide it's content-length header, but jsteg can still detect jsteg headers... glenn From asgaard at sos.sll.se Sat Mar 2 05:30:43 1996 From: asgaard at sos.sll.se (Asgaard) Date: Sat, 2 Mar 1996 21:30:43 +0800 Subject: PARTY PICTURES! In-Reply-To: Message-ID: On Thu, 29 Feb 1996, Sandy Sandfort wrote: > http://www.c2.org/party/masquerade/ OK, nice pictures of some interesting-looking people. But the only globally known participant featured is Eric Hughes; he is also the only one presented with a second name. For the others, it would be nice if you wrote clarifying texts, including crypto-anarchic relevance, in the way of: 'N.N., well known Java-programmer who wrote the Foo firewall-cracker. N.N., fanatical anarcho-capitalist with $2M in Cayman bank accounts. N.N., wife of N.N., cute and proficient at Word and Pagemaker, voted for Clinton. N.N., hardware salesman, boring but paid for the booze. N.N., as always out to get laid but didn't make it this time either.' This would make the masquerade site so much more interesting to us outsiders. Asgaard From sameer at atropos.c2.org Sat Mar 2 06:25:15 1996 From: sameer at atropos.c2.org (sameer at atropos.c2.org) Date: Sat, 2 Mar 1996 22:25:15 +0800 Subject: Win a free Apache-SSL-US Commercial license Message-ID: <199603020048.QAA24966@atropos.c2.org> See http://apachessl.c2.org/ for more details. Thanks, -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From wlkngowl at unix.asb.com Sat Mar 2 06:28:17 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Sat, 2 Mar 1996 22:28:17 +0800 Subject: Is there any work on entropy-lowering schemes? Message-ID: <199603020046.TAA08670@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- I'm wondering if anyone has done any work on schemes to lower the entropy of a given stream. Why? Save you've got message M encrypted with a good cipher, but you're worried that it can be detected because even with stego, the entropy is a lot higher than normal 'random' data flowing through a network. So it seems possible to create a scheme that given a key will take a block of n bits and expand it to 1.5n or 2n bits, recoding it in such a way that determining the key is difficult even if one suspects such a scheme has been used... but that using the scheme will make the data look more like the MSBs of graphical data rather than encrypted data. Rob - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMTeaeioZzwIn1bdtAQGNagF/cmAH45G1v1Yt1Bg+7qgZVVnIYdj9EfzV rqzPx7MRyGbVW4HtNWkYjiPxgn2iUQaH =t114 -----END PGP SIGNATURE----- From dlv at bwalk.dm.com Sat Mar 2 08:07:14 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sun, 3 Mar 1996 00:07:14 +0800 Subject: Learning about Cryptography In-Reply-To: Message-ID: eggplant at inlink.com (eggplant) writes: > > I am interested in learning more about cryptography. Where could I obtain > some good, recent books on cryptography for the beginner. A number of people on this list will shout in unison, Schneier!, and they'll probably be wrong. For an absolute beginnger I'd suggest Abraham Sinkov, Elementary Cryptanalysis, MAA: New mathematical library, ISBN 0-888385-622-0, and Lawrence Dwight Smith, Cryptography, Dover, ISBN 0-486-20247-x. If you want to learn more about the history of the field, try to get the hardcover (unabridged) edition of David Kahn's _Codebreakers_. (It might be a worthwhile project on run Kahn's book through an OCR and to place it on Internet. :-) If you want to understand the communication theory that underlies modern cryptography, check out Dominic Welsh, Codes and Cryptography, Oxford, ISBN 0-19-853287-3. If you're teaching an undergraduate C course and are looking for examples of badly written C code, then get Schneier's book. :-) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From erc at dal1820.computek.net Sat Mar 2 08:29:16 1996 From: erc at dal1820.computek.net (Ed Carp) Date: Sun, 3 Mar 1996 00:29:16 +0800 Subject: Anonymous Web Browsing In-Reply-To: Message-ID: On Sat, 2 Mar 1996, Powers Glenn wrote: > use netcom (or something similiar) that gives you dynamic ip > addresses. as a bonus, netcom doesn't require an actual name or > address. (yes, they require a CC#). this allows fairly anonymous > access. (prehaps one reason the neeed for web proxies isn't that high) I wouldn't give Netcom my CC# if my life depended on it. They have a really lousy record of people breaking in, stealing their lists of CC numbers, then Netcom trying to sweep it under the rug and not telling their users that their CC# was compromised. Besides, their service really sucks, and their technical "support" doesn't exist. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes The mark of a good conspiracy theory is its untestability. -- Andrew Spring From stevenw at best.com Sat Mar 2 08:58:37 1996 From: stevenw at best.com (Steven Weller) Date: Sun, 3 Mar 1996 00:58:37 +0800 Subject: PARTY PICTURES! Message-ID: >> http://www.c2.org/party/masquerade/ > >OK, nice pictures of some interesting-looking people. >But the only globally known participant featured is >Eric Hughes; he is also the only one presented with >a second name. For the others, it would be nice if >you wrote clarifying texts, including crypto-anarchic >relevance, in the way of: [sniperoo] > >Asgaard Maybe it wasn't made clear that all the pictures have been postprocessed with an experimental version of PGP* to optically anonymize them, thus protecting the identies of both the innocent and the guilty without bias. Software problems triggered by Eric's neckware prevented the anonymizing process from working properly in his case. Sources tell me that PRZ himself was in many of the pictures, very nicely rendered as a classic marble and rought-iron fireplace. Steve * PGP = Pretty Groovy Party ------------------------------------------------------------------------- Steven Weller | "The Internet, of course, is more | than just a place to find pictures | of people having sex with dogs." stevenw at best.com | -- Time Magazine, 3 July 1995 From frogfarm at yakko.cs.wmich.edu Sat Mar 2 09:13:36 1996 From: frogfarm at yakko.cs.wmich.edu (Damaged Justice) Date: Sun, 3 Mar 1996 01:13:36 +0800 Subject: PARTY PICTURES! In-Reply-To: Message-ID: <199603021657.LAA02030@yakko.cs.wmich.edu> Unfortunately, the images are all inlined, making it impossible for text browsers to view them. Cross-platform compatibility, indeed. All the compatibility in the world won't help you if you don't use the features. -- http://yakko.cs.wmich.edu/~frogfarm ...for the best in unapproved information Tell your friends 'n neighbors you read this on the evil pornographic Internet "Where one burns books, one will also burn people eventually." -Heinrich Heine People and books aren't for burning. No more Alexandrias, Auschwitzs or Wacos. From fletch at ain.bls.com Sat Mar 2 09:58:57 1996 From: fletch at ain.bls.com (Mike Fletcher) Date: Sun, 3 Mar 1996 01:58:57 +0800 Subject: Chaff in the Channel (Stealth PGP work) In-Reply-To: Message-ID: <9603021720.AA04821@outland> > the problem with many current stego programs (jsteg/stools) is > that given a data stream, they will tell you if there is data steg'ed > (by the same program, of course) it in. jsteg goes out of it's way to > hide it's content-length header, but jsteg can still detect jsteg > headers... Just a stab, but maybe this might work: Get two picures of with both at minimum sufficient size to carry the message. Use the lsb's (or any bit for that matter) of the second image to XOR with the message before stego'ing (L'eggo my S'tego :) into the first. Of course you'ld have to arrange which bit in the pad image will be used, how to associate the images, etc. before hand. --- Fletch __`'/| fletch at ain.bls.com "Lisa, in this house we obey the \ o.O' ______ 404 713-0414(w) Laws of Thermodynamics!" H. Simpson =(___)= -| Ack. | 404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43 U ------ From adam at lighthouse.homeport.org Sat Mar 2 10:06:34 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sun, 3 Mar 1996 02:06:34 +0800 Subject: New PRNG method! In-Reply-To: <199603021656.LAA13644@bb.hks.net> Message-ID: <199603021741.MAA16483@homeport.org> The fact that something is complex does not mean your end of it can not be monitered. You need to discover random numbers from something very local to you, or your opponents can mess with your numbers. David Wagner posted something about how Mallet could muck with your RNG if it was based on incoming packet checksums, back in September. If you want good random numbers, track the mouse. Don't go looking outside your computer to things other computers do. Lastly, using collision-resistant hashing in considered preferable to encrypting information. Adam Olcay Cirit wrote: | If the internet is so huge and complex, why not, say, use | the least significant bits of ping times from random internet | hosts as seeds for a PRNG? (Practical Random Number Gen.) | After all this, you could wash it with a secure symmetric | cryptosystem such as idea in CBC mode. -- "It is seldom that liberty of any kind is lost all at once." -Hume From tcmay at got.net Sat Mar 2 11:23:33 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 3 Mar 1996 03:23:33 +0800 Subject: Netcom and Credit Cards Message-ID: At 5:32 PM 3/2/96, Dr. Dimitri Vulis wrote: ... >(I'd never deal with an ISP who doesn't accept checks or money orders. >And I mean checks, not automatic withdrawals from a checking account.) For the record, Netcom has always accepted personal checks mailed in to them. The credit card debit was offered as a convenience to those who wanted it; it was and remains optional. The "credit card numbers were stolen" point, that I believe Ed Carp was referring to, had to do with the Mitnick affair, and is very old news. I no longer use Netcom as my primary account, but thought some misconceptions needed correcting. I don't plan to debate the merits of Netcom, Mitnick, etc., and will post no more on this topic. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From PADGETT at hobbes.orl.mmc.com Sat Mar 2 11:26:06 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Sun, 3 Mar 1996 03:26:06 +0800 Subject: Cryptoanalysis Message-ID: <960302132805.20201e1e@hobbes.orl.mmc.com> >(I am amazed how little exists on the web on the topic.) I had seen a >few of the books at a local bookstore, but I was uncertain of their quality. >(They also had a number of snake-oil crypto books.) Well, as soon as people can charge a cyber-dime/quarter/or buck to read/ download you will see a change. Most authors make little (like $1.00/copy) from book sales so if made cheap enough so that is easier to download than pirate you will see a big change. >The author has failed to call me back. I do have some serious concerns >about the code. (There is not a single XOR used, except to clear >registers!) Why bother (kind like reinventing ASCII), we have good, proven crypto algorithms, some even in public domain. Is easy to code. Hard part is making it fast and easy & available anywhere (what I like about the PGP enclyptor). Another hard part is good key management. Like computer viruses in which there is nothing interesting about the propagation (what makes a virus a virus), the crypto part is a done deal, have had good stuff for years. > I am starting to suspect that it is based on a mathematical >progression based on the numbers 40, 28, 36. Ah yes, being hearing impaired I always wanted a watch that would poke. My 1968 Seiko "Bellmatic" is close - ringing the bell makes it vibrate. >I am trying to convince him of the futility of the task. (It is hard as his >ego keeps getting in the way.) I just want to give him reasons why it is >weak and not just glittering generalities. Not futile, just already done. Should concentrate on things that are "impossible" 8*). Warmly, Padgett From PADGETT at hobbes.orl.mmc.com Sat Mar 2 11:49:51 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Sun, 3 Mar 1996 03:49:51 +0800 Subject: Truelly Random Numbers Message-ID: <960302142608.202017b7@hobbes.orl.mmc.com> >The number of randomly selected 768 bit primes that you would need for a >reasonable chance of a birthday collision is 1.708E104 True however the current mechanism of generating PGP keys which consists primarily of pseudo-randomly pounding on a keyboard is hardly "truely random. Have no idea of the true number but expect it to be significantly less than that quoted above, even for a 1024 bit key like mine. Warmly, Padgett From PADGETT at hobbes.orl.mmc.com Sat Mar 2 11:55:12 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Sun, 3 Mar 1996 03:55:12 +0800 Subject: Anonymous Web Browsers Message-ID: <960302143535.202017b7@hobbes.orl.mmc.com> >Note to Netscape people: Is it possible to have an option that will *always* >pop up a mail window and request confirmation before mail is sent out? Or >disable mailto altogether? It would be a lot easier than binary editing >the executable to remove all the mailto strings... Disabling is easy, just do not specify a mail server (or better, one that will refuse mail) in "options/preferences/mail and news". Netscape (at least 1.1n) initiates a port 25 connection to the designated server to send mail. Warmly, Padgett From adam at lighthouse.homeport.org Sat Mar 2 12:20:06 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sun, 3 Mar 1996 04:20:06 +0800 Subject: Truelly Random Numbers In-Reply-To: <960302142608.202017b7@hobbes.orl.mmc.com> Message-ID: <199603022011.PAA16975@homeport.org> A. Padgett Peterson P.E. Information Security wrote: | >The number of randomly selected 768 bit primes that you would need for a | >reasonable chance of a birthday collision is 1.708E104 | | True however the current mechanism of generating PGP keys which consists | primarily of pseudo-randomly pounding on a keyboard is hardly "truely random. | | Have no idea of the true number but expect it to be significantly less than | that quoted above, even for a 1024 bit key like mine. Accroding to Stephan Neuhaus's 'Statistical Properties of IDEA session keys in PGP,' the session keys are very well distributed, when tested for equidistribution and serial correlation. This does not demonstrate that the RSA keys are as well distributed, but it does generate some confidence that the key generation methods of PGP are not very broken. Testing for RSA generation would be more difficult, since there are some practical difficulties in getting a large sample of RSA private keys. Stephan Neuhaus is neuhaus at informatik.uni-kl.de. He has a long (24 page), and short (8? page) version of the paper available. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From unicorn at schloss.li Sat Mar 2 12:34:36 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 3 Mar 1996 04:34:36 +0800 Subject: Assassination Politics 9! In-Reply-To: Message-ID: On Wed, 28 Feb 1996, jim bell wrote: > "Assassination Politics" Part 9, by Jim Bell, February 27, 1996 > > For about a year I have been considering the implications of "Assassination > Politics," and for more than six months I've been sharing the subject and my > musings with you, the interested reader. ^^^^^^^^^^^^^^^^^^^^^^^^^^ You're pushing it here. --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From rich at c2.org Sat Mar 2 12:42:42 1996 From: rich at c2.org (Just Rich) Date: Sun, 3 Mar 1996 04:42:42 +0800 Subject: Assassination Politics 9! In-Reply-To: Message-ID: On Sat, 2 Mar 1996, Black Unicorn wrote: > On Wed, 28 Feb 1996, jim bell wrote: > > > "Assassination Politics" Part 9, by Jim Bell, February 27, 1996 > > > > For about a year I have been considering the implications of "Assassination > > Politics," and for more than six months I've been sharing the subject and > > my musings with you, the interested reader. > ^^^^^^^^^^^^^^^^^^^^^^^^^^ > You're pushing it here. No he's not. "Reader" is singular, and Jim is on cypherpunks. -rich mumbling quietly to himself From tcmay at got.net Sat Mar 2 12:57:17 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 3 Mar 1996 04:57:17 +0800 Subject: Truelly Random Numbers Message-ID: At 8:11 PM 3/2/96, Adam Shostack wrote: >A. Padgett Peterson P.E. Information Security wrote: >| True however the current mechanism of generating PGP keys which consists >| primarily of pseudo-randomly pounding on a keyboard is hardly "truely random. >| >| Have no idea of the true number but expect it to be significantly less than >| that quoted above, even for a 1024 bit key like mine. > > Accroding to Stephan Neuhaus's 'Statistical Properties of IDEA >session keys in PGP,' the session keys are very well distributed, when >tested for equidistribution and serial correlation. > > This does not demonstrate that the RSA keys are as well >distributed, but it does generate some confidence that the key >generation methods of PGP are not very broken. Testing for RSA >generation would be more difficult, since there are some practical >difficulties in getting a large sample of RSA private keys. In some PK code I did several years ago in Mathematica, the primes for the RSA modulus were found by picking a "random" (more on this later) starting point and then counting up from there, testing for primality (actually, pseudoprimality, technically). As one would expect, primes are found fairly quickly. The "randomness" of the resulting primes--and hence the randomness of the modulus and hence the "RSA key"--is set by the randomness of the starting point. With a reasonable amount of entropy, such as picking the next digit from several keyboard timings, I expect the 150-decimal-digit number to be *very* random! (In fact, I'd venture that merely asking people to type in digits would produce starting points that essentially would be very random...maybe some clustering here and there, or an unequal number of digits, or too equal a distribution, but adequate. An since an attacker could not know what the sources of randomness were for some particular person, I doubt strongly that factoring the modulus would be any easier.) Suppose a = 4801747274372727828487361830183561393615106551195496693610351528409257572926 659 2027575902673957001560102249600798767153757681546836352857811107361291541511 (which is about 140-150 digits, "randomly" entered by me) and p is computed as the first prime larger than this. q found the same way Now, is the modulus, n = pq, any more factorable than if a "more random" source of p and q were used? (I am actually asking this as a real question. Does anyone know if factoring is significantly easier for such not-completely-random numbers? I would expect that in theory it is, but in practice this is not a useful point of entry into factoring n. Just a hunch.) --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From don at wero.cs.byu.edu Sat Mar 2 13:43:17 1996 From: don at wero.cs.byu.edu (Don) Date: Sun, 3 Mar 1996 05:43:17 +0800 Subject: Anonymous Web Browsers In-Reply-To: <960302143535.202017b7@hobbes.orl.mmc.com> Message-ID: The following message is a courtesy copy of an article that has been posted as well. -----BEGIN PGP SIGNED MESSAGE----- - -----BEGIN PGP SIGNED MESSAGE----- In article <960302143535.202017b7 at hobbes.orl.mmc.com> PADGETT at hobbes.orl.mmc.com ("A. Padgett Peterson P.E. Information Security") writes: > Disabling is easy, just do not specify a mail server (or better, one that > will refuse mail) in "options/preferences/mail and news". Netscape (at least > 1.1n) initiates a port 25 connection to the designated server to send mail. I took the JavaScript stuff that was posted and put it in one of my web pages (http://students.cs.byu.edu/~don/mail2news.html). I had to pick a new address because support at netscape.com is reportedly now just an autoresponder. I've disabled java, I've changed the mail server to null (from the default localhost) and none of it stops the JavaScript from sending mail. Don - -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMTi3DMLa+QKZS485AQE06gL+N2kXHkygX1WycJFLcNOXD+jGLQQxNWXY 9XcVRUbxTh0lWcRx+nPxIXREBGlx9ip5FYYQ1ZHn3KpDOsN4Dm8JlFcwwo/mHxZo BdRkCrtw+PviQZoesRK01udf9KI6O4Jv =9GzS - -----END PGP SIGNATURE----- -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMTi3WMLa+QKZS485AQEqQgMAqMhWSzZ7bCMFTwyMaON6V+x1Tysv26AP /QAp2emQ7D7Mt2zN4PYdkMTWiitKhRXQD+pELC3TmbHQ2zwo75mvMRYQo2sK+v4T uK7LybYyp0MQwW9HXgVM232EGAvom6TC =PsyM -----END PGP SIGNATURE----- From jonathon at japan.sbi.com Sat Mar 2 14:00:05 1996 From: jonathon at japan.sbi.com (Jonathon Fletcher) Date: Sun, 3 Mar 1996 06:00:05 +0800 Subject: Nortel "Entrust" Message-ID: Can anyone tell me anything about a product called "Entrust", by Nortel (Northern Telecom). The notes talk about the software using DES ("which employs a 56-bit key") so I guess it's single DES, not triple DES. It also mentions a proprietary algorithm called CAST. Is this worthy of further investigation, or is it suspect ? What is CAST, and would it be classed as snake oil ? Please cc to me in mail - I have a little trouble dealing with the volume here. Sincerely, -Jon -- Jonathon Fletcher, "opinions are my own, not my employer's" jonathon at japan.sbi.com From stewarts at ix.netcom.com Sat Mar 2 14:02:48 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 3 Mar 1996 06:02:48 +0800 Subject: PGP backdoor? (No, I'm not paranoid.) Message-ID: <199603010717.XAA00785@ix4.ix.netcom.com> No, you're not being paranoid, you're just believing someone who is, or else they're having a good time at your expense .... At 01:22 PM 2/28/96 -0800, Mark Bainter wrote: > Now, I had heard about all the people who claimed the reason versions > later than 2.3 wouldn't work with 2.3 was because of a backdoor for the government. > I personally thought they were being paranoid. You acquaintance, aside from his level of chemical enhancement (:-), doesn't have the facts straight. The 2.6-vs-2.3 incompatibility is to keep RSA's patent lawyers happy; 2.5 and later versions use RSAREF instead of Phil's homegrown RSA implementation, and the incompatibility lets them maintain the fiction that they're protecting their patent. The _technical_ reason they're incompatible is that the version number in the headers is different, and PGP has the good design sense not to mess with files that have a version number newer than the one they know how to read. Nothing more. The RSA implementation code is different, but you can look at it and see that it's functionally equivalent, and read all the nice legalese comments about how this stuff belongs to RSA and/or PKP and is patented in the US and other fine countries and not to be exported. Its primary difference is that it's a bit slower :-) > However, this guy tells me that he met Phil at defcon and phil told him > that he co-operated with the government and gave them information > that would enable them to crack key's for versions later than 2.3. He may very well have met a guy called "Phil" at defcon who said that...... The one Phil that I know who's told the NSA how to break his crypto code was Phil Karn from Qualcomm, who had to explain to the NSA how to crack the too-short encryption they were being forced to use in their digital cellphones in return for being allowed to use that instead of yet-wimpier encryption. Phil knows crypto and security, and has commented on the stupidity and offensiveness of the whole process. He's also the guy suing the Feds to get export permission for the Applied Cryptography (compatible) source code disks, after getting export permission for the paper version. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com / billstewart at attmail.com +1-415-442-2215 # http://www.idiom.com/~wcs Pager +1-408-787-1281 From blancw at accessone.com Sat Mar 2 14:03:11 1996 From: blancw at accessone.com (blanc) Date: Sun, 3 Mar 1996 06:03:11 +0800 Subject: FW: Online Cyberlaw Workshop Message-ID: <01BB06FC.6E0A13A0@blancw.accessone.com> FYI, for anyone here who might be interested..... .. Blanc ---------- From: Dick Moores[SMTP:rdm at netcom.com] Sent: Thursday, February 29, 1996 7:26 AM To: SEASIGI Subject: Online Cyberlaw Workshop (from TOURBUS) CYBERSPACE LAW FOR NONLAWYERS ----------------------------- Three highly respected law school professors (Professor Larry Lessig, University of Chicago Law School; Professor David Post, Georgetown University Law Center; and Professor Eugene Volokh, UCLA School of Law) have written a *FREE*, online cyberlaw workshop called, appropriately, "CYBERSPACE LAW FOR NONLAWYERS." CYBERSPACE LAW is specifically written for lay people like you and me, and the workshop's lessons use easy-to-understand English -- NOT legalese and Latin! YEAH, BUT WILL I *UNDERSTAND* IT? --------------------------------- Actually, yes. The workshop's authors really are writing CYBERSPACE LAW's lessons for educated lay people, *NOT* lawyers. I took a look at an earlier article written by one of the workshop's professors (Eugene Volokh, "Cheap Speech and What It Will Do", 104 Yale L.J.1805 (1995)), and I have to say that I am quite impressed ... although I have to say that I am quite disappointed that Volokh did not have a single Southern word *anywhere* in his article :) WHAT WILL THE WORKSHOP COVER? ----------------------------- CYBERSPACE LAW is going to help you learn the basic principles of -- and unlearn some common myths about -- - copyright law, - free speech law, - libel law, - privacy law, - contract law, and - trademark law as they apply on the Net. Each CYBERSPACE LAW "lesson" should be about the size of an average TOURBUS post (about a page or two), and will e-mailed to you through an e-mail distribution list. The CYBERSPACE LAW workshop will last a couple of weeks, and you'll get two or three letters a week from the authors ... and, best of all, the entire workshop is FREE! THE INSTRUCTORS --------------- Professor Larry Lessig clerked for U.S. Supreme Court Justice Antonin Scalia, and now teaches constitutional law and the law of cyberspace at the University of Chicago Law School. He's written about law and cyberspace for the Yale Law Journal and the University of Chicago Legal Forum (forthcoming). Professor David Post practiced computer law for six years, then clerked for U.S. Supreme Court Justice Ruth Bader Ginsburg. He now teaches constitutional law, copyright law, and the law of cyberspace at the Georgetown University Law Center. He's written about law and cyberspace for the University of Chicago Legal Forum (forthcoming) and the Journal of Online Law, and writes a monthly column on law and technology issues for the American Lawyer. Professor Eugene Volokh worked as a computer programmer for 12 years, and is still partner in a software company that sells the software he wrote for the Hewlett-Packard Series 3000. He clerked for U.S. Supreme Court Justice Sandra Day O'Connor, and now teaches constitutional law and copyright law at the UCLA School of Law. He's written about law and cyberspace for the Yale Law Journal, Stanford Law Review, Michigan Law Review (forthcoming), and the University of Chicago Legal Forum (forthcoming). TO SUBSCRIBE ------------ The CYBERSPACE LAW workshop probably won't start for a month or so, but you should sign up as soon as you can. To subscribe to the workshop (for FREE!) send an e-mail letter to LISTPROC-REQUEST at COUNSEL.COM with the command SUBSCRIBE CYBERSPACE-LAW yourfirstname yourlastname in the body of your e-mail letter, replacing "yourfirstname" and "yourlastname" with your first and last names. From adam at lighthouse.homeport.org Sat Mar 2 14:07:38 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sun, 3 Mar 1996 06:07:38 +0800 Subject: Truly Random Numbers In-Reply-To: Message-ID: <199603022126.QAA17169@homeport.org> My expectation would be that your numbers are not random in a cryptographic sense, and that this route of attack is much less efficient than others that would be used. I'll note that PGP does NOT take your data entered and convert it to numbers, but takes timings to choose a hard to predict starting point for its prime searching. I'd expect this use of timings is better than using the large random number you entered, but in a theory sense only. Both are pretty difficult; thats why we like large numbers. :) Adam Timothy C. May wrote: | (In fact, I'd venture that merely asking people to type in digits would | produce starting points that essentially would be very random...maybe some | clustering here and there, or an unequal number of digits, or too equal a | distribution, but adequate. An since an attacker could not know what the | sources of randomness were for some particular person, I doubt strongly | that factoring the modulus would be any easier.) | | Suppose a = | 4801747274372727828487361830183561393615106551195496693610351528409257572926 | 659 | 2027575902673957001560102249600798767153757681546836352857811107361291541511 | | (which is about 140-150 digits, "randomly" entered by me) | | and p is computed as the first prime larger than this. | | q found the same way | | Now, is the modulus, n = pq, any more factorable than if a "more random" | source of p and q were used? | | (I am actually asking this as a real question. Does anyone know if | factoring is significantly easier for such not-completely-random numbers? I | would expect that in theory it is, but in practice this is not a useful | point of entry into factoring n. Just a hunch.) | | --Tim | | | Boycott "Big Brother Inside" software! | We got computers, we're tapping phone lines, we know that that ain't allowed. | ---------:---------:---------:---------:---------:---------:---------:---- | Timothy C. May | Crypto Anarchy: encryption, digital money, | tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero | W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, | Higher Power: 2^756839 - 1 | black markets, collapse of governments. | "National borders aren't even speed bumps on the information superhighway." | | | | -- "It is seldom that liberty of any kind is lost all at once." -Hume From stewarts at ix.netcom.com Sat Mar 2 14:12:35 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 3 Mar 1996 06:12:35 +0800 Subject: Problems with certificates. Message-ID: <199603022121.NAA10418@ix8.ix.netcom.com> At 08:35 AM 3/1/96 -0500, "A. Padgett Peterson P.E. Information Security" wrote: >Today, each person generates their own PGP key. While it is unlikely that >any two will match, it is likely that at some point some two will match >(see matching birthdays in a bar - number is less than you would think). PGP KeyIDs are 8 hexes long (formerly 6), and there have been some natural collisions and it's easy to manufacture them. On the other hand, the MD5 hash used for key fingerprints is 128 bits long, and cryptographically strong. So birthday-problem collisions occur when you have ~ 2**64 keys around, which is not a problem, and you can't generate collisions on purpose either. A 64-bit hash would be more interesting; you get collisions if you have around 2**32 keys, which could actually happen. >Next rage might well be "vanity" PGP keys. While at the moment it is not known >how to create a specific match key to a sequence, if you generate enough >keys, there will be some interesting sequences found. Possibly some PGP >signatures will even be in violation of the CDA (now that should start a rush 8*). :-) The main problem is the limitations of hex; keyids like 0xdeadbeef are available, but it's tough to really trigger Exonization that way. Using 32 bits as ASCII instead is a bit more flexible. >For some time I have been concerned about the scalability of PGP. It works >well in small groups but after trying once to create a 6,000 member keyring >(took over three days on a 386 & was several meg when done) Yeah - lots of people have been concerned about this. Keyservers simplify the problem a lot, since you no longer need to carry a large number of keys around yourself, but the keyring handling mechanism of PGP wasn't designed to scale. Wouldn't be too hard to redesign, once PGP 3.0 comes out and we've got tools to do it - you could use a database or decently structured ASCII file or files. And DNS or similar distributed keyserver can make it easier to find, for people who are on-line. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com / billstewart at attmail.com +1-415-442-2215 # http://www.idiom.com/~wcs Pager +1-408-787-1281 From tcmay at got.net Sat Mar 2 14:13:04 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 3 Mar 1996 06:13:04 +0800 Subject: Truly Random Numbers Message-ID: At 9:26 PM 3/2/96, Adam Shostack wrote: > My expectation would be that your numbers are not random in a >cryptographic sense, and that this route of attack is much less >efficient than others that would be used. > > I'll note that PGP does NOT take your data entered and convert >it to numbers, but takes timings to choose a hard to predict starting >point for its prime searching. Yes, which is why I said this in my post: "...With a reasonable amount of entropy, such as picking the next digit from several keyboard timings, I expect the 150-decimal-digit number to be *very* random!" > I'd expect this use of timings is better than using the large >random number you entered, but in a theory sense only. Both are >pretty difficult; thats why we like large numbers. :) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From stewarts at ix.netcom.com Sat Mar 2 16:00:24 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 3 Mar 1996 08:00:24 +0800 Subject: M A F_i o s Message-ID: <199603022335.PAA18923@ix15.ix.netcom.com> At 12:27 PM 3/1/96 -0500, John Young wrote: > 3-1-96. TWP: > "Expert Panel Wants Intelligence Director to Hold More Power." > The commission finds that the patchwork of 14 separate > intelligence agencies is functioning well in its current > form. To meet tbe growing threat of worldwide criminal > activity the panel suggested creation of a high-level > policy group run out of the White House, called tbe > Global Crime Committee. But they've already _got_ the Pentagon! The title does remind me somewhat of "Buckaroo Banzai against the World Crime League".... #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com / billstewart at attmail.com +1-415-442-2215 # http://www.idiom.com/~wcs Pager +1-408-787-1281 From mark at unicorn.com Sat Mar 2 16:07:04 1996 From: mark at unicorn.com (Mark Grant, M.A. (Oxon)) Date: Sun, 3 Mar 1996 08:07:04 +0800 Subject: Is there any work on entropy-lowering schemes? Message-ID: On Fri, 1 Mar 1996, Mutant Rob wrote: >So it seems possible to create a scheme that given a key will take a >block of n bits and expand it to 1.5n or 2n bits, recoding it in such >a way that determining the key is difficult even if one suspects such >a scheme has been used... but that using the scheme will make the data >look more like the MSBs of graphical data rather than encrypted data. Stealth 1.3 (or is it 1.2?) does that, but it only makes the data look more like the MSBs, and not *exactly* like the MSBs. I think it's available from Adam Back's WWW site (http://dcs.ex.ac.uk/~aba/stealth/). Mark From Q101NOW at st.vse.cz Sat Mar 2 16:10:28 1996 From: Q101NOW at st.vse.cz (Powers Glenn) Date: Sun, 3 Mar 1996 08:10:28 +0800 Subject: Anonymous Web Browsing Message-ID: - From: tcmay at got.net (Timothy C. May) - At 5:24 AM 3/2/96, dwhite at pris.bc.ca wrote: - > My question is this: Would it be possible to create a web site that - >would function along the same lines as remailers do? Something that would - >allow a person to browse anonymously. So lets say I surfed into a - Tim May writes: - Your intuitions are correct, that protection steps are needed. The - technology is developing, but the perceived need (anonymous browsing) is - probably less than the perceived need for anonymous e-mail. simple, not real secure solutions: find a unix host, run the cern httpd server, turn on proxying, turn off logs. (about 10-15 minute setup) if this is not run often, it works well. use netcom (or something similiar) that gives you dynamic ip addresses. as a bonus, netcom doesn't require an actual name or address. (yes, they require a CC#). this allows fairly anonymous access. (prehaps one reason the neeed for web proxies isn't that high) glenn From PADGETT at hobbes.orl.mmc.com Sat Mar 2 16:43:38 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Sun, 3 Mar 1996 08:43:38 +0800 Subject: Random keys ? Message-ID: <960302193021.20202137@hobbes.orl.mmc.com> > This does not demonstrate that the RSA keys are as well >distributed, but it does generate some confidence that the key >generation methods of PGP are not very broken. Testing for RSA >generation would be more difficult, since there are some practical >difficulties in getting a large sample of RSA private keys. True but do not need private keys, just public ones (one to one relation), should be able to get a large sample (20,000 in one place did I hear ?) of those. Warmly, Padgett From stewarts at ix.netcom.com Sat Mar 2 16:59:58 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 3 Mar 1996 08:59:58 +0800 Subject: Anonymous Web Browsing Message-ID: <199603030038.QAA06256@ix2.ix.netcom.com> At 03:44 PM 3/2/96 +0000, "Mark Grant, M.A. (Oxon)" wrote: >> These are "web proxies," and searching on this should produce some >> information to answer your questions. >.... hidden mailto: .... even worse with Javascript. > >Note to Netscape people: Is it possible to have an option that will *always* >pop up a mail window and request confirmation before mail is sent out? Or >disable mailto altogether? It would be a lot easier than binary editing >the executable to remove all the mailto strings... At least in the Windows version, you can set the SMTP server you want to use for your outgoing mail. So you could do a proxy email server that listens for SMTP and pops up confirmations for outgoing traffic. For the moment, you'd probably have to write your own, but the new Winsock Remailer probably has the code you need to do most of the work, and you'd only have to add some GUI buttons and whistles. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com / billstewart at attmail.com +1-415-442-2215 # http://www.idiom.com/~wcs Pager +1-408-787-1281 From PADGETT at hobbes.orl.mmc.com Sat Mar 2 17:14:59 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Sun, 3 Mar 1996 09:14:59 +0800 Subject: Anonymous Web Browsers Message-ID: <960302194141.20202137@hobbes.orl.mmc.com> >I took the JavaScript stuff that was posted and put it in one of my web >pages (http://students.cs.byu.edu/~don/mail2news.html). I had to pick a new >address because support at netscape.com is reportedly now just an autoresponder. >I've disabled java, I've changed the mail server to null (from the default >localhost) and none of it stops the JavaScript from sending mail. You did this to the *server* or the *client* ? (the latter is what I was talking about). If the client, then is Netscape/Java acting as its own mail server ? Guess I am going to have to did out a sniffer and see just what is going on... Warmly, Padgett From stewarts at ix.netcom.com Sat Mar 2 17:20:55 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 3 Mar 1996 09:20:55 +0800 Subject: Web of Trust vs other models Message-ID: <199603030054.QAA28602@ix7.ix.netcom.com> At 09:48 AM 3/1/96 -0500, you wrote: >There are a pool of 1 million keys. Each of those keys is signed by between > two and 5 other randomly chosen keys in the pool. > Each signature implies a trust relation between the key and the signer. >Given that, determine mean, min, and max path lengths for purposes of > "certification". >Has anyone done this experiment? Probably been done, though not necessarily in a PGP context. The problem is equivalent to analyzing a randomly selected directed graph, and some Operations Research or CS grad student has probably done it. Meanwhile, Don Kitchen at one point collected all the data off the MIT keyserver for analysis, which is a much different problem than random signatures. I found that the chain from some middle point, such as Phil Zimmermann's or Derek Atkins's key was about 12-14 levels deep, averaging about 6, which compares interestingly with the default PGP depth limit of4. From my key, it was pretty deep, especially since my certification from Phil Karn was from one of his older keys, which is why I asked Derek to sign my key... #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com / billstewart at attmail.com +1-415-442-2215 # http://www.idiom.com/~wcs Pager +1-408-787-1281 From stewarts at ix.netcom.com Sat Mar 2 17:27:16 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 3 Mar 1996 09:27:16 +0800 Subject: PGP 3.0/4.0 Message-ID: <199603030054.QAA28612@ix7.ix.netcom.com> At 11:23 AM 3/1/96 -0500, you wrote: >At the same time am trying to set up a secure mailing system for >80,000 mailboxes (soon to be over 200,000) and the last time I put >together a 6,000 key ring on a 386 it took three days & several Mb. Fortunately, on a site this big, you can afford to use a Pentium or Sparcstation and 32-bit code :-) However, if it took you that long (as opposed to, say 4 hours), you probably were short of RAM and were paging a lot. >This will require a "different" mechanism. Yup. You may be able to do it within the structure of the current PGP, by dyamically managing keys in separate files (e.g. 80,000 files, or condensations into keyrings of say 100 keys) though it would help immensely to hack the key retrieval code. Under PGP 3.0, you'll have libraries to let you do this stuff; until then it's probably not too hard to build a front-end (stealing the non-RSA portions of PGP) that looks at the keys in a file and calls PGP with a request to use the correct keyring file, or some such hackery. Or, of course, you can license RSAREF and integrate the code yourself. Depending on the email volume, it may be cheaper to just license RSA, so you can use better bignum packages like some of the European PGP flavors. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com / billstewart at attmail.com +1-415-442-2215 # http://www.idiom.com/~wcs Pager +1-408-787-1281 From rah at shipwright.com Sat Mar 2 18:09:21 1996 From: rah at shipwright.com (Robert Hettinga) Date: Sun, 3 Mar 1996 10:09:21 +0800 Subject: M A F_i o s Message-ID: At 6:35 PM 3/2/96, Bill Stewart wrote: * "Buckaroo Banzai against the World Crime League".... Onk? ...another BB movie? Did they make another one???? Cheers, Bob (I may have been one of the four people who saw the movie in an actual theatre...) ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From wlkngowl at unix.asb.com Sat Mar 2 19:06:21 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Sun, 3 Mar 1996 11:06:21 +0800 Subject: Truelly Random Numbers Message-ID: <199603030243.VAA16849@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Timothy C. May wrote: [..] > Now, is the modulus, n = pq, any more factorable than if a "more > random" source of p and q were used? > > (I am actually asking this as a real question. Does anyone know if > factoring is significantly easier for such not-completely-random > numbers? I would expect that in theory it is, but in practice this is > not a useful point of entry into factoring n. Just a hunch.) > Only if I can have a good enough idea of the non-random method for generating numbers, or if I can find some useful statistical correlations in your numbers. (And then again, what do you mean by "significantly easier"? Knowing 1 bit reduces the work by half, but with orders or thousands of bits, it's not much help.) Whether I can realisitically reproduce or work with that non-random method of key generation is another matter, though. Rob. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMTkHYCoZzwIn1bdtAQHdSgGAzgoS4Y1BQuI5hzlsLsfnoKyzVALJD3TR Mm5Dmu/I5N3Rnk9TxNviwLFjKp6Fd35Z =UnWo -----END PGP SIGNATURE----- From jf_avon at citenet.net Sat Mar 2 19:16:17 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Sun, 3 Mar 1996 11:16:17 +0800 Subject: RNG method Message-ID: <9603030304.AB20019@cti02.citenet.net> -----BEGIN PGP SIGNED MESSAGE----- I thought of that for a long time. - Use a microphone on your sound card and locate it close to the computer fan. - generate a (relatively short) set of random number, maybe using the PRNG of the computer. - Use the LSB of the sampled sound, the sampling being done at intervals fixed by the serie of numbers generated by the PRNG. - when the numbers generated by the prng are exausted, re-use part of the output stream as a random source of numbers for the sampling interval. - keep doing this up until: 1) you are fed up of looking at RND numbers on your screen 2) you have no use for rnd numbers anymore 3) your hard disk is full 4) your computer cpu is so mixed up that it starts outputting all your PGP encrypted files in Serbo-Croatian cleartext 5) any other reasons deemed reasonable by the computer operator 6) none of the above Whaddyathink of it? Regards to almost all Cyphering Punksters JFA Please note, my new key signature is: 2048 bits key Id: C58ADD0D 1996/03/01 Jean-Francois Avon fingerprint = 52 96 45 E8 20 5A 8A 5E F8 7C C8 6F AE FE F8 91 But I'll still use my old key for signing for a while. -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMTi0fwOWptJXIUrtAQE2DgP/S8VRX3PbrKHMKl6JJrFvZgZhdhzOk8Am 8qLJzvwjGZ7ll1gZTYT5iLfAEw+03wpy0eS/ohYdlgQ0Xu9AI418uLP6dReQbsjg ndz9/LIaQeOmrZgL1BlAtk9119QmtCdzx59gwwngz1qNYUZNhJ4l10UGz2EWksXI 51Lve+FjKE0= =zdM0 -----END PGP SIGNATURE----- **** OLD KEY: USE ONLY FOR VERIFYING SIGNATURES **** 1024 bits Key ID:57214AED 1995/10/04 Jean-Francois Avon 84 96 76 AE EB 7C AB 15 88 47 87 B0 18 31 74 9F From rich at c2.org Sat Mar 2 20:04:13 1996 From: rich at c2.org (Just Rich) Date: Sun, 3 Mar 1996 12:04:13 +0800 Subject: NYT login In-Reply-To: <199603020315.WAA00485@nrk.com> Message-ID: Rumour has it that there might be a cpunks/cpunks (cypherpunks was taken). -rich On Fri, 1 Mar 1996, David Lesher wrote: > At one point, some kind souls were entering "username: cypherpunks" > logins for all the various "free" www sites. > > Did anyone catch the www.nytimes.com one? If so, what password? > > -- > A host is a host from coast to coast.................wb8foz at nrk.com > & no one will talk to a host that's close........[v].(301) 56-LINUX > Unless the host (that isn't close).........................pob 1433 > is busy, hung or dead....................................20915-1433 From jf_avon at citenet.net Sat Mar 2 20:05:14 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Sun, 3 Mar 1996 12:05:14 +0800 Subject: PGP PRNG seeds? Message-ID: <9603020437.AA09542@cti02.citenet.net> Hi! I tinkered with the switch pgp +makerandom=size output.fil Is there a way to "seed" the PRNG with another file, say , part of an encrypted text file? Thanks JFA From ses at tipper.oit.unc.edu Sat Mar 2 20:07:27 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sun, 3 Mar 1996 12:07:27 +0800 Subject: Win a free Apache-SSL-US Commercial license In-Reply-To: <199603020048.QAA24966@atropos.c2.org> Message-ID: On Fri, 1 Mar 1996 sameer at atropos.c2.org wrote: > See http://apachessl.c2.org/ for more details. Not quite an entry, but am I the only one to pronounce SSL "Cecil" (SEcure Socket layer), to go along with SHTTP as "Shit-p" (nil)? Cecil The C2 Web server? Simon --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From wlkngowl at unix.asb.com Sat Mar 2 20:38:13 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Sun, 3 Mar 1996 12:38:13 +0800 Subject: RNG method Message-ID: <199603030424.XAA17463@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Jean-Francois Avon (JFA Technologies, QC, Canada) wrote: > > I thought of that for a long time. > > - Use a microphone on your sound card and locate it close to the > computer fan. It's been thought of before, along with scraping the microphone against the desk. I've been told this works best when first turning the gain up on the soundcard and setting it for stereo input. The raw data and be processed cryptographically (with a cipher or run through a hash). This method will be an option for the NOISE.SYS driver eventually. - --Rob PS - noise049.zip has been uploaded to a few sites today. When I get confirmation I'll announce it... - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMTke4SoZzwIn1bdtAQHQ3wF9GsZjk+jbtWrap8sKcSXDQ3n8GVksofBX CaVPqXKiE7CxB41hbo2ftSFqQ+P3XhFX =gdTO -----END PGP SIGNATURE----- From ravage at ssz.com Sat Mar 2 21:19:41 1996 From: ravage at ssz.com (Jim Choate) Date: Sun, 3 Mar 1996 13:19:41 +0800 Subject: RNG method (fwd) Message-ID: <199603030529.XAA03142@einstein.ssz.com> Forwarded message: > Date: Sat, 2 Mar 1996 23:24:04 -0500 > Subject: Re: RNG method > > > > - Use a microphone on your sound card and locate it close to the > > computer fan. > > It's been thought of before, along with scraping the microphone against > the desk. I've been told this works best when first turning the gain up > on the soundcard and setting it for stereo input. > If you use the fan remember in your power supply remember that many of them run directly off the 120 VAC. As a consequence the sound it makes will have a strong 60Hz componant. If you are using a DC bearing fan then there will be a componant in the noise related to the number of balls in the bearing. DC bearingless fans should provide the best white noise provided the bushings are not worn. Once they wear you will be a harmonic related to shaft diameter, shaft length, and the gap between main shaft and bushing. From adam at lighthouse.homeport.org Sat Mar 2 21:20:55 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sun, 3 Mar 1996 13:20:55 +0800 Subject: Jefferson Wheels? Message-ID: <199603030508.AAA18092@homeport.org> Does anyone know where I might buy a Jefferson Wheel cipher? The army version (M-118?) would be fine. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From allyn at allyn.com Sat Mar 2 22:15:17 1996 From: allyn at allyn.com (Mark Allyn 206-860-9454) Date: Sun, 3 Mar 1996 14:15:17 +0800 Subject: Truelly Random Numbers In-Reply-To: <960302142608.202017b7@hobbes.orl.mmc.com> Message-ID: <199603030607.WAA02700@mark.allyn.com> Here is a good idea for random numbers: Take a piece of non conducting board, say about six by six feet. Put electrodes on it; say a pair of electrodes every quarter inch or so across and down. Each pair of electrodes would be connected to logic so that it generates a unique number. When the electrodes are shorted, the number would be generated. Put this contraption out in the rain. As raindrops fall on the board with electrodes, the water would conduct and short the electrodes. Rain falls in a totally random manner. As raindrops hit the electrodes, they would momentarily short and cause a number to be generated. Yout would get a random series of numbers. Now, as it does not rain in the same place all the time, a network of these rain random generators could be set up troughout the land and be hooked up on the Internet. Each one would be sort of a rain random number server. These servers would cooperate. They would notify each other when one has rain raining on it and another one would not. We could have a series of master servers, or dispatcher. The dispatchers would work cooperatively and collectively know which rain random generator has rain raining on it and is generating random numbers. It would be up to the client, who is needing random numbers to access the rain random generators that are operating. All of this could be done in real time using current client server technology. In fact, since it is allways raining in more than one part of the world at any given time, many rain random generator servers would be available at any time. The master servers, or dispatchers, would have a constant running list of active generators. What do you all think? Mark Allyn allyn at allyn.com http://mark.allyn.com http://clearplastic.com From wlkngowl at unix.asb.com Sat Mar 2 22:28:06 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Sun, 3 Mar 1996 14:28:06 +0800 Subject: M A F_i o s Message-ID: <199603030247.VAA16881@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Bill Stewart wrote: [..] > The title does remind me somewhat of > "Buckaroo Banzai against the World Crime League".... Hm. Remember the scene where one of his buddies in the film could just decode some military crypto just by staring at it... *sigh* Back to the regularly scheduled noise. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMTkIRCoZzwIn1bdtAQFvxAGAyVKXhD4fV6CE0ivluAJTLrAmbimmrzo3 v0MDgt0SYpt29XcV77uiaRMIXSkqtx+o =wlQb -----END PGP SIGNATURE----- From Greg_Rose at sydney.sterling.com Sat Mar 2 22:30:38 1996 From: Greg_Rose at sydney.sterling.com (Greg Rose) Date: Sun, 3 Mar 1996 14:30:38 +0800 Subject: Problems with certificates. Message-ID: [Apologies if this appears twice -- I had a posting problem.] A. Padgett Peterson wrote: Next rage might well be "vanity" PGP keys. While at the moment it is not known how to create a specific match key to a sequence, if you generate enough keys, there will be some interesting sequences found. Possibly some PGP signatures will even be in violation of the CDA (now that should start a rush 8*). That's not quite correct. The part about it not being known, I mean. I created a key: Type bits/keyID Date User ID sec 1024/DEADBEEF 1995/09/28 Prime Rib Lovers sig DEADBEEF Prime Rib Lovers (note: DEADBEEF seems about the most interesting 8-character hex word -- CAFE doesn't seem to go with anything...) And Christopher Drake (http://pobox.com/~netsafe) has mailed out a key which has a company advertisement in its ASCII armor. Hmmm. I thought I kept it around, but I can't find it. Ahhh. There it is. -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.i mQCNAjD/mQAAAAEEAP/////NetSafe+PGP+key////We+provide+inexpensive AntiFraud/theft+etc+Security+Software5tGfKREuINIWsQqsLNS+uAneN9M SuMu37f+NU/U2djtxE/b9h4bJ4wb8h3QkBiuTAS1QjpxpxryQzZ10zzGQe8VAAUR tChDaHJpc3RvcGhlciBOLiBEcmFrZSA8TmV0U2FmZUBQb2JveC5jb20+ =SGC/ -----END PGP PUBLIC KEY BLOCK----- Type bits/keyID Date User ID pub 1024/C641EF15 1996/01/19 Christopher N. Drake I still assert there are a bunch of attacks related to producing on-demand keyid's. Greg. Greg Rose INTERNET: greg_rose at sydney.sterling.com Sterling Software VOICE: +61-2-9975 4777 FAX: +61-2-9975 2921 28 Rodborough Rd. http://www.sydney.sterling.com:8080/~ggr/ French's Forest 35 0A 79 7D 5E 21 8D 47 E3 53 75 66 AC FB D9 45 NSW 2086 Australia. co-mod sci.crypt.research, USENIX Director. From Greg_Rose at sydney.sterling.com Sat Mar 2 22:30:47 1996 From: Greg_Rose at sydney.sterling.com (Greg Rose) Date: Sun, 3 Mar 1996 14:30:47 +0800 Subject: Problems with certificates. In-Reply-To: <960301083512.202002a4@hobbes.orl.mmc.com> Message-ID: Next rage might well be "vanity" PGP keys. While at the moment it is not known how to create a specific match key to a sequence, if you generate enough keys, there will be some interesting sequences found. Possibly some PGP signatures will even be in violation of the CDA (now that should start a rush 8*). That's not quite correct. The part about it not being known, I mean. I created a key: Type bits/keyID Date User ID sec 1024/DEADBEEF 1995/09/28 Prime Rib Lovers sig DEADBEEF Prime Rib Lovers (note: DEADBEEF seems about the most interesting 8-character hex word -- CAFE doesn't seem to go with anything...) And Christopher Drake (http://pobox.com/~netsafe) has mailed out a key which has a company advertisement in its ASCII armor. Hmmm. I thought I kept it around, but I can't find it. Ahhh. There it is. -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.i mQCNAjD/mQAAAAEEAP/////NetSafe+PGP+key////We+provide+inexpensive AntiFraud/theft+etc+Security+Software5tGfKREuINIWsQqsLNS+uAneN9M SuMu37f+NU/U2djtxE/b9h4bJ4wb8h3QkBiuTAS1QjpxpxryQzZ10zzGQe8VAAUR tChDaHJpc3RvcGhlciBOLiBEcmFrZSA8TmV0U2FmZUBQb2JveC5jb20+ =SGC/ -----END PGP PUBLIC KEY BLOCK----- Type bits/keyID Date User ID pub 1024/C641EF15 1996/01/19 Christopher N. Drake Greg. Greg Rose INTERNET: greg_rose at sydney.sterling.com Sterling Software VOICE: +61-2-9975 4777 FAX: +61-2-9975 2921 28 Rodborough Rd. http://www.sydney.sterling.com:8080/~ggr/ French's Forest 35 0A 79 7D 5E 21 8D 47 E3 53 75 66 AC FB D9 45 NSW 2086 Australia. co-mod sci.crypt.research, USENIX Director. From proff at .suburbia.net Sun Mar 3 00:32:02 1996 From: proff at .suburbia.net (Julian Assange) Date: Sun, 3 Mar 1996 16:32:02 +0800 Subject: (fwd) USA / Australia - Civil Liberty Message-ID: <199603030753.RAA12050@suburbia.net> Path: news.aus.world.net!news.us.world.net!usenet From: tomk at world.net Newsgroups: aus.legal Subject: USA / Australia - Civil Liberty Date: Sun, 03 Mar 96 01:59:02 PDT Organization: (none) Lines: 78 Message-ID: <4hbcu6$jco at news.i.net> NNTP-Posting-Host: portland04.world.net Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Newsreader: NEWTNews & Chameleon -- TCP/IP for MS Windows from NetManage 1 March, 1996 At 1:50 pm today PST in the Federal Court of the USA in the State of Oregon, an Australian national Ms. Amanda Wilson was unfairly incarcerated by Justice Haggerty of the US Federal Court. During her incaceration, she was denied legal counsel, her request to have her embassy contacted was refused and she was informed by the Sherrif of Oregon, that she had no rights until she was transferred to a Federal Jail. This individual was a witness in a civil case and was neither named as the plaintiff nor the defendant. Work that she had performed for the plaintiff under contract was not being paid for by the Plaintiff and Ms. Wilson was not inclined to provide the information without her agreed remuneration. Justice Haggerty then claimed that Ms. Wilson was an agent of Koltai Inc and Thomas P. Kotlai and that her work was not Intellectual Property owned by herself until remunerated. Ms. Wilson claimed that she had evidence that she was acting as an independent agent. Justice Haggertys' response was that "I'm not interested in your evidence". Justice Haggerty ordered the Sherriff to detain Ms. Wilson for Contempt of court. Ms. Wilson then informed the court that she had done nothing wrong and that she was an Australian resident. The sherriff and his assistant then handcuffed and removed Ms. Wilson to the holding cells on level four of the Federal Courthouse in Portland. She requested leave to contact her embassy. This was refused. She requested the right to counsel, this also was refused. She then requested that the sherriffs office contact her parents in Australia to notify them of her arrest. The sherriff refused this request. She was then photographed, finger printed and informed that she would be removed to a jail later that afternoon if she did not comply with the courts order to divulge the passwords giving Ausnet Services Pty. Ltd. free access to her Intelectual Property. Justice Haggerty then visited Ms. Wilson in the holding cells to counsel her. Ms. Wilson requested from Judge Haggerty that she be allowed to contact her father and/or the Australian Embassy. Justice Haggerty declined this request. Ms. Wilson then gave into the pressure applied and gave the passwords required by Justice Haggerty. During her three hours and fifteen minutes of incarceration Ms. Wilson was humiliated with a personal body search. Threatened with transport to a jail in California. Informed that she had no rights and was generally verbally and mentally abused. Under USC 28, 1603, (B)(3) Ms. Wilson is an alien and the US Federal court has no jurisdiction over her. It is the opinion of this individual that the US Federal Court has exceeded its authority and has failed to recognise the civil rights of an Australian National. This file was posted by: Thomas P. Koltai Ex Managing Director of Ausnet Services Pty. Ltd. (http://www/world.net) Mobile: 1-503-260-3666 -- "I mean, after all; you have to consider we're only made out of dust. That's admittedly not much to go on and we shouldn't forget that. But even considering, I mean it's sort of a bad beginning, we're not doing too bad. So I personally have faith that even in this lousy situation we're faced with we can make it. You get me?" - Leo Burlero/PKD +---------------------+--------------------+----------------------------------+ |Julian Assange RSO | PO Box 2031 BARKER | Secret Analytic Guy Union | |proff at suburbia.net | VIC 3122 AUSTRALIA | finger for PGP key hash ID = | |proff at gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 | +---------------------+--------------------+----------------------------------+ From proff at .suburbia.net Sun Mar 3 00:32:17 1996 From: proff at .suburbia.net (Julian Assange) Date: Sun, 3 Mar 1996 16:32:17 +0800 Subject: (fwd) Re: The police came knocking Message-ID: <199603030743.RAA11722@suburbia.net> Path: news.aus.world.net!news.us.world.net!news.inc.net!trellis.wwnet.com!nntp.coast.net!howland.reston.ans.net!newsfeed.internetmci.com!news.mel.aone.net.au!newshost.pcug.org.au!blchupin!blchupin From: blchupin at pcug.org.au (Basil Chupin) Newsgroups: tip.general,aus.org.efa,aus.legal Subject: Re: The police came knocking Message-ID: <09A420598905 at pcug.org.au> X-Mailer: Osiris v4.1 Registered To Basil Chupin References: <4gisqm$s4c at wabbit.its.uow.edu.au> Date: Sun, 25 Feb 96 17:06:59 +1000 Organization: Back To The Future CBIS, Canberra, Australia Lines: 223 Xref: news.aus.world.net aus.org.efa:1808 aus.legal:2660 In article <4gisqm$s4c at wabbit.its.uow.edu.au> Phil Herring writes: > In article <312beb37.18538395 at newshost.pcug.org.au> Owen Cook, > rcook at pcug.org.au writes: >1. All traffic into and out of Australia passes thru this >building at St Leonards >2. Xty millions of dollars were spent by Telecom and ASIO to >install, secretly, computers in the site. >3. The purpose of the facility was to monitor all traffic thru >keyword searches, originator and destination addressees. > > Erm, no. It's just a version of the "NSA line eater" myth. Aside > from > the fact that there are international links all over the place, > including satellite uplinks and leased phone lines, the plain > truth of > the matter is that the government just doesn't care about the > Internet > all that much. Politically it's of little consequence, and law > enforcement and "intelligence" services have small budgets that > just > don't stretch to this kind of conspiracy. > > On the other hand, the insecurity of email is legendary. ����������������������������������������������� Date : 10 Mar 94 13:11:46 From : Relay To : All Subject : Government Eavesdropping In New Zealand ��������������������������������������������������� * Message originally : From: Relay To : All Date: 10 Mar 94 11:42:35 Area: alt.dcom.telcom * Forwarded by Tech Support using Sphinx! 2.0 The following article was posted to the Student Journalists mailing list (STUMEDIA at UABDPO.BITNET) by Malcolm Hutchinson (malcolmh at waikato.ac.nz). This is an article that appears as the centre feature in our first issue for the year. as the token NZ representative on this list, i thought i would post it to show that the US is not the only country experiencing problems keeping their govt in line when it comes to digital privacy & secure comms. NZ is known around the world for it's anti-nuke stand in the mid- eighties, yet we allow this sort of thing to continue. the waihopai spy base feeds information *directly* to the NSA. it is because of the existance of installations like this that i encourage all my digital friends to take control of their own information and start using strong cryptographic software. PGP is available from any number of anon FTP sites around the world. get it, use it. i apologise if posting an article like this is considered wasting bandwith on this list y'all stay safe mal title: The Biggest Sour Grape in Marlborough At a predetermined signal the two groups of protesters split apart. The group I was in went round the fence to the main gates and started pushing them back and forward making a hell of a racket. The gate was secured in three places. We broke the top padlock and the steel rod holding the gate in the ground. We heard a shout from the other group. They were through the fence. Nine people arrested and many more if we didn't stop our vigorous attack on the main gates. This was it, we were there to do something radical, to make our protest well and truly heard. No-one had breached the huge inner fence of the Waihopai Spybase for years. It was my first protest at Waihopai but not the last. The Waihopai protest just South of Blenheim is an annual event organised by the Anti-Bases Campaign (ABC). Ever since the first survey pegs were planted in the ground in 1987, New Zealand women (originally) and men have protested against the existence of the secretive Waihopai Spybase. Yet despite its colourful history the vast majority of people still don't know it exists. Held from January 27-29 this year's protest was larger than usual. About 80 people (including an unspecified number of university students) from Dunedin to Auckland converged on a makeshift campsite nestled beside the Wairau River to plan what action they would take against the Spybase and all it stands for. The word "spybase" conjures images of undercover cops, secrecy, high security, mystery and murder. While this is a bit dramatic there are similarities. The Waihopai base is run by the Government Communications Security Bureau (GCSB), a discrete organisation which only reports to the prime minister. Hidden in a barren valley deep in the Marlborough outback, the Waihopai base is not something the GCSB wants New Zealanders to know about. Workers at the base aren't allowed to talk about what they do and even their spouses don't know how much they earn. The base has a secret budget and secret objectives. Secrecy is the aim and so far 'they' have been successful. That is until 6.00pm Sunday night of the protest when on TV3 thousands of viewers saw the Waihopai Spybase for the first time. The next day articles were published in Sunday papers, with further articles in major daily papers on the Monday. Supportive comments by Nelson MP John Blincoe added to the debate on a topic usually considered closed. For the first time many New Zealanders became aware that a government agency was spying on our neighbours in the South Pacific and giving that information straight to the United States. What is a Spybase? A more official name for the Spybase is Satellite Communications Station. This sounds very innocent but there's no escaping the fact the base invades the privacy of thousands of people, businesses governments and other organisations throughout the South Pacific without their consent. The information gleamed is not meant for the GCSB or the US, that's why it's called spying. The base consists of an 18 metre receiving dish covered by a huge white dome, an operations building and workshop, all protected by a 14ft security fence backed by another electric fence, security cameras and floodlights. The base monitors communications transmitted via satellite: private and commercial telephone, fax, e-mail, telex and telegrams. These messages are scanned for key words by computer. The information collected is then relayed to the GCSB headquarters in the Freyberg building in Wellington. Useful information is then sent to the United States National Security Agency or the larger Spybase in Geraldton, Australia. Why protest? "The Waihopai Spybase uses your money to invade your privacy for other countries' benefit?" This statement taken from an Anti-Bases Campaign pamphlet about the base sums up the general reason why people are motivated enough to protest, and to be arrested. In the past, politicians like David Lange claimed the Waihopai base will give New Zealand more independence in intelligence matters and that the information would be under New Zealand control. However a document obtained from the US Navy by peace researchers last year has confirmed long held suspicions that the GCSB passes the intelligence collected at Waihopai to the powerful US National Security Agency. This evidence completely contradicts the claims made by New Zealand politicians. What's more, according to British investigative journalist, Duncan Campbell, the Waihopai Spybase is part of a world wide network of spybases monitoring satellite communications for the benefit of the NSA. What really sticks in the throats of those who know about the Waihopai Spybase is that despite the fact that the information is given to the US, New Zealand pays for it. Based on the costs of similar bases in other countries, the Anti-Bases Campaign estimates that the base cost $20 million to set up and up to $100 million so far. Protesters ask why should we be paying for this 'service' especially when we weren't even told about it. The Waihopai Spybase was established without the consent of the New Zealand people and operates without the permission of the Pacific countries who's sovereignty it intrudes on. The Spybase is part of a reliance on military power and cold war politics which reinforces the nuclear powers domination of the globe. Instead of building relationships with our neighbours based on trust, cooperation and peace we are furthering the interests of oppressive military alliances by the world super powers. Under international law it is in fact illegal to intercept international communications. The activities of the Waihopai Spybase contravene the International Tele-Communications Convention to which NZ has agreed. It is also illegal under NZ law to act on such information. The question we must ask ourselves is "Do we want New Zealand to participate in this misuse of technology?" "Do we want to be consulted before we enter into secret military alliances with the super powers? Would we rather the money spent on spying was spent on education or health? Protesters at Waihopai demand a Parliamentary inquiry into the activities of the GCSB, and that the activities of this organisation be subject to review by the judicial system. We also demand the closure of the Waihopai Spybase and the redirection of the money spent on its operations to be put toward a peaceful future. Until this happens we will continue to protest at Waihopai. I didn't try to be unbiased in this article. For a start I was actively protesting the base myself. It is also difficult to get another side to the story when politicians won't talk about it. The head of the GCSB even refused to answer MP's questions in Parliament about the Spybase. But secrets never last forever and thanks to the New Zealand peace movement at least some of the truth is becoming public. The more people who demand knowledge of the Spybase and accountability for its operations, the more likely politicians will take notice. Already Nelson MP John Blincoe (Labour) has come out in support of the Waihopai protest. In the Christchurch Press Blincoe said international circumstances had changed and it was time for the "cloud of secrecy" over the base to be lifted. "The public is entitled to know what is being done from its own soil," said Blincoe. "At the very least there should be Parliamentary scrutiny of Waihopai and the other listening station, Tangimoana, near Palmerston North." Yes there are other spybases, of different sorts, but did you know about them? I find it unnerving to think people could be listening to my phone conversations, that foreign spy networks are operating through New Zealand and I am helping finance something I don't believe in. But then we don't have to like it and nor do we have to accept it. It is our right to question and protest. To find out more information about Waihopai and other bases in New Zealand write to the Anti-Bases Campaign, PO Box 9314, Wellington. [NEW ZEALAND] Paul Smith wc 1345 ********************************************************* Malcolm Hutchinson internet: malcolmh at waikato.ac.nz Editor: NEXUS 1994 The Waikato Students' Union Te Wharae Wananga O Waikato Hamilton, New Zealand PGP Public Key available on request ********************************************************* -- Nigel Allen ae446 at freenet.carleton.ca ---------------------------------------------------------- Basil Chupin Internet: blchupin at pcug.org.au Fidonet: 3.620.269.0 +61-6-285-2353 XLTNet: 370.100.1.0 +61-6-285-2353 ---------------------------------------------------------- -- "I mean, after all; you have to consider we're only made out of dust. That's admittedly not much to go on and we shouldn't forget that. But even considering, I mean it's sort of a bad beginning, we're not doing too bad. So I personally have faith that even in this lousy situation we're faced with we can make it. You get me?" - Leo Burlero/PKD +---------------------+--------------------+----------------------------------+ |Julian Assange RSO | PO Box 2031 BARKER | Secret Analytic Guy Union | |proff at suburbia.net | VIC 3122 AUSTRALIA | finger for PGP key hash ID = | |proff at gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 | +---------------------+--------------------+----------------------------------+ From johan at eniac.campus.luth.se Sun Mar 3 00:58:59 1996 From: johan at eniac.campus.luth.se (Johan Sandberg) Date: Sun, 3 Mar 1996 16:58:59 +0800 Subject: Cypherpunk remailer In-Reply-To: <199603010836.AAA29132@ix7.ix.netcom.com> Message-ID: <1050.6634T999T1911@eniac.campus.luth.se> >At 07:24 PM 2/29/96 +0100, you wrote: >>>The mixmaster remailers require special client software on your machine. >> >>What special software? What will the client do? >It's "The Mixmaster Client Software". Mixmaster is a relatively complex >system that breaks up the message into encrypted pieces that get sent >separately to a destination mixmaster, which decrypts and reassembles the >pieces and sends the message on to the final destination. It's more secure, >partly because all the transmissions are encyrpted, and partly because it's >much harder to do traffic analysis on a network of indentical-sized chunks >floating around than on messages with distinct sizes that you can watch. >I think the client only runs on Unix, or at least doesn't run on DOS, >though there's some porting work being done, and you can probably find >it on one of the Netherlands remailer sites. Ok.. that explains it! But If I really need to be that sure of not being tracked down I could use the Mixmaster on my unix shell account! From EALLENSMITH at ocelot.Rutgers.EDU Sun Mar 3 00:59:07 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 3 Mar 1996 16:59:07 +0800 Subject: Edited Edupage, 29 Feb 1996 Message-ID: <01I1U06TWSP2AKTQC0@mbcl.rutgers.edu> From: IN%"educom at elanor.oit.unc.edu" 1-MAR-1996 00:53:05.93 >***************************************************************** >Edupage, 29 February 1996. Edupage, a summary of news items on information >technology, is provided three times each week as a service by Educom, >a Washington, D.C.-based consortium of leading colleges and universities >seeking to transform education through the use of information technology. >***************************************************************** The below has some relevance for the discussion on firewalls vs encryption. It seems to give evidence for the needed solution being either firewalls and encryption (external _and_ internal) or encryption alone. >NO SAFETY ON THE NET >A recent survey of businesses found nearly one in four are staying away from >the Internet because they worry about electronic security breaches. For >instance, Merrill Lynch refuses to use the Net for any "value-bearing" >business and has doubts about allowing customers to link up via the >Internet. Meanwhile, if your company uses an Intranet, you're not immune to >security problems -- experts estimate that as much as 80% of all security >losses are committed by company insiders. The technical staff manager at >Bell Labs notes: "Our firewall keeps the bad guys out. But you can't say >there aren't bad guys inside the company." (Information Week 19 Feb 96 p34) The below is worrisome; I am willing to bet that the European governments might try to require it, and that the US might follow suit if the CDA gets tossed out (analogous to the V-chip). I'll send a further message after I've analyzed the rating system in question a bit more. >SELF-PATROLLING THE WEB >The World Wide Web Consortium is pushing the Web page rating system that it >developed in cooperation with the Platform for Internet Content Selection, a >group of 22 online firms. Operators at about 20,000 Web sites have already >coded themselves using the Internet Relay System, which is similar to the >rating system for films. To rate your Web site, go to the SafeSurf site at >< http://www.safesurf.com/ > and fill out the form that helps them come up >with a rating. PICS members plan to pitch the system to European >governments in an effort to avoid continental content restrictions. >(Investor's Business Daily 28 Feb 96 A6) >Edupage is written by John Gehl (gehl at educom.edu) & Suzanne Douglas >(douglas at educom.edu). Voice: 404-371-1853, Fax: 404-371-8057. >Technical support is provided by the Office of Information Technology, >University of North Carolina at Chapel Hill. >*************************************************************** >EDUPAGE is what you've just finished reading. To subscribe to Edupage: send >a message to: listproc at educom.unc.edu and in the body of the message type: >subscribe edupage Thomas Alva Edison (assuming that your name is Thomas Alva >Edison; if it's not, substitute your own name). ... To cancel, send a >message to: listproc at educom.unc.edu and in the body of the message type: >unsubscribe edupage. (Subscription problems? Send mail to >educom at educom.unc.edu.) From wb8foz at nrk.com Sun Mar 3 02:53:47 1996 From: wb8foz at nrk.com (David Lesher) Date: Sun, 3 Mar 1996 18:53:47 +0800 Subject: NYT login Message-ID: <199603020315.WAA00485@nrk.com> At one point, some kind souls were entering "username: cypherpunks" logins for all the various "free" www sites. Did anyone catch the www.nytimes.com one? If so, what password? -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From steve at aztech.net Sun Mar 3 03:52:35 1996 From: steve at aztech.net (Steve Gibbons) Date: Sun, 3 Mar 1996 19:52:35 +0800 Subject: Win a free Apache-SSL-US Commercial license Message-ID: <0099EB61.3A09B480.1616@aztech.net> In Article: , Simon Spero wrote: # On Fri, 1 Mar 1996 sameer at atropos.c2.org wrote: # > See http://apachessl.c2.org/ for more details. # Not quite an entry, but am I the only one to pronounce SSL "Cecil" # (SEcure Socket layer), to go along with SHTTP as "Shit-p" (nil)? # Cecil The C2 Web server? The word that always springs to my mind is "sessile." (Granted, I'm a pessimist, at heart... ;) -- Steve at AZTech.Net From wlkngowl at unix.asb.com Sun Mar 3 07:10:53 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Sun, 3 Mar 1996 23:10:53 +0800 Subject: PGP PRNG seeds? Message-ID: <199603020745.CAA11593@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Jean-Francois Avon (JFA Technologies, QC, Canada) wrote: > I tinkered with the switch > pgp +makerandom=size output.fil > > Is there a way to "seed" the PRNG with another file, say , part of an > encrypted text file? Copy the first 408 bytes of that file to the randseed.bin file in your pgp directory. (I'd save the original randseed.bin file or use a good RNG to generate a new one when you're done). - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMTf8qyoZzwIn1bdtAQHrZQF/dM8RgYDEB+pTSmdy9HSIi38YKy9LG9FE yBZtka9z28A2UyVvi37ijP8DrcOYg4zI =duUA -----END PGP SIGNATURE----- From mark at unicorn.com Sun Mar 3 07:11:47 1996 From: mark at unicorn.com (Mark Grant, M.A. (Oxon)) Date: Sun, 3 Mar 1996 23:11:47 +0800 Subject: Anonymous Web Browsing Message-ID: On Fri, 1 Mar 1996, Timothy C. May wrote: > These are "web proxies," and searching on this should produce some > information to answer your questions. There's a problem with that. I've noticed several pages recently with hidden mailto: links that aren't marked as such. So you can be happily browsing away through a web proxy only to click on a link and have your real id mailed to the site's owners. As people have mentioned, this is even worse with Javascript. Note to Netscape people: Is it possible to have an option that will *always* pop up a mail window and request confirmation before mail is sent out? Or disable mailto altogether? It would be a lot easier than binary editing the executable to remove all the mailto strings... Or does it exist? I can't find it. Mark From jamesd at echeque.com Sun Mar 3 07:13:43 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Sun, 3 Mar 1996 23:13:43 +0800 Subject: Problems with certificates. Message-ID: <199603020757.XAA18751@dns1.noc.best.net> At 08:35 AM 3/1/96 -0500, A. Padgett Peterson P.E. Information Security wrote: >Today, each person generates their own PGP key. While it is unlikely that >any two will match, it is likely that at some point some two will match >(see matching birthdays in a bar - number is less than you would think). If if we colonized every planet in the galaxy, and every planet had a trillion people, and every single person on every planet generated a billion keys a second for a billion billion years, not one pair would match, assuming they were generated from truly random seeds. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From olcay at libtech.com Sun Mar 3 07:13:47 1996 From: olcay at libtech.com (Olcay Cirit) Date: Sun, 3 Mar 1996 23:13:47 +0800 Subject: New PRNG method! Message-ID: <199603021656.LAA13644@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Hello, All! I was just thinking about how to generate random numbers, when I hit upon an interesting idea: If the internet is so huge and complex, why not, say, use the least significant bits of ping times from random internet hosts as seeds for a PRNG? (Practical Random Number Gen.) You could then break the resulting binary value into 128-bit blocks and modulus/xor each with a stream of random numbers taken from a keyboard timing. After all this, you could wash it with a secure symmetric cryptosystem such as idea in CBC mode. Any thoughts, comments? -olcay - -- "For he who lives more lives than one, |) Olcay Cirit -- olcay at libtech.com more deaths than one must die" (| http://www.libtech.com/olo2.html - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMTh9pCoZzwIn1bdtAQGuDAGA1QM1KyGQ2i6n9LLF00HrVn7OvBftesA9 +Jsu4W3yZothdL1pFQLt2v5l9mjgTspW =2x/g -----END PGP SIGNATURE----- From tcmay at got.net Sun Mar 3 07:16:03 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 3 Mar 1996 23:16:03 +0800 Subject: Anonymous Web Browsing Message-ID: At 5:24 AM 3/2/96, dwhite at pris.bc.ca wrote: > Hi guys..... I'm new here and I don't have the same technical >expertise as I am witnessing with most of the other posters here. > My question is this: Would it be possible to create a web site that >would function along the same lines as remailers do? Something that would >allow a person to browse anonymously. So lets say I surfed into a These are "web proxies," and searching on this should produce some information to answer your questions. Most of us, I think, are not using them. Your intuitions are correct, that protection steps are needed. The technology is developing, but the perceived need (anonymous browsing) is probably less than the perceived need for anonymous e-mail. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Sun Mar 3 07:16:07 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 3 Mar 1996 23:16:07 +0800 Subject: Cryptanalysis Message-ID: At 7:44 AM 3/2/96, Alan Olsen wrote: >My mistake... The publication I was thinking of was "the Journal of >Cryptology". They reference Springer-Verlag New York Inc. as the source for >back issues, but there is no listing on the linked web page for that journal >and the search engine returns nothing for that journal. (They do have a few >other things of interest however...) One gets the "Journal of Cryptology" automatically by attending the Crypto Conference (at least this was so in the past). I can't see that it carries much that the "Crypto" and "Eurocrypt" Proceedings carry (though Chaum's "Dining Cryptographers" paper was in Volume I, Number 1, circa 1988-89). "Cryptologia" is a much different thing. Neither is necessary for the disposing of snake oil products, however. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From alano at teleport.com Sun Mar 3 07:16:42 1996 From: alano at teleport.com (Alan Olsen) Date: Sun, 3 Mar 1996 23:16:42 +0800 Subject: Cryptanalysis Message-ID: <2.2.32.19960302074457.008c6a08@mail.teleport.com> At 11:11 PM 3/1/96 -0800, Timothy C. May wrote: >At 6:52 AM 3/2/96, Alan Olsen wrote: > >>The author has failed to call me back. I do have some serious concerns >>about the code. (There is not a single XOR used, except to clear >>registers!) I am starting to suspect that it is based on a mathematical >>progression based on the numbers 40, 28, 36. I need to spend a bit of time > ^^^^^^^^^^ >Ah, note that the magic key, 42, is not included. Coincidence, or stupidity? Actually it is an obscure reference to a movie called "Our Man Flint". It was the basis of the code used in the movie. >Alan, there is not enough time in the universe to waste it on those who >will not learn even the basics. The "author," who I had understood to be a >friend of yours (though apparently a more distant relationship is >involved), is apparently developing something John Dee would have been >proud of. He is more aquaintence than friend... Someone who is a close friend asked me to get involved. As for the other reasons for asking for the references, it is more a matter of personal curiosity. I expect his project to fail anyways for reasons i have already stated... --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon "I, Caligula Clinton... In the name of the Senate and the people of Rome!" - Bill Clinton signing the CDA with the First Amendment bent over. From alano at teleport.com Sun Mar 3 07:16:57 1996 From: alano at teleport.com (Alan Olsen) Date: Sun, 3 Mar 1996 23:16:57 +0800 Subject: Cryptanalysis Message-ID: <2.2.32.19960302074459.008cf148@mail.teleport.com> At 11:11 PM 3/1/96 -0800, Timothy C. May wrote: >>>* The journal "Cryptologia" is largely devoted to amateur cryptanalysis. >> >>The web info for back issues listed a web page from a publisher that had no >>listing for them on the server. I will be sending mail to get more info... > >Last I checked, Tony Patti was still the editor. Not all things are on the >Web in serious ways, obviously. I had no problems finding copies in my >local university library (UC Santa Cruz), but it was several years ago that >I last checked (conventional cryptanalysis not being very germane and all). >Reed College might have copies. My mistake... The publication I was thinking of was "the Journal of Cryptology". They reference Springer-Verlag New York Inc. as the source for back issues, but there is no listing on the linked web page for that journal and the search engine returns nothing for that journal. (They do have a few other things of interest however...) The time spent was not a loss... I found a number of interesting things on the web and recieved a number of pointers to books I was not aware of and are not listed in any of the FAQs. The best site I found was at: http://mnementh.cs.adfa.oz.au/htbin/bib_lpb It is for Lawries Cryptography Bibliography. It contains a search engine to a large listing of crypto articles. Worth checking out. --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon "I, Caligula Clinton... In the name of the Senate and the people of Rome!" - Bill Clinton signing the CDA with the First Amendment bent over. From alano at teleport.com Sun Mar 3 07:17:19 1996 From: alano at teleport.com (Alan Olsen) Date: Sun, 3 Mar 1996 23:17:19 +0800 Subject: Cryptanalysis Message-ID: <2.2.32.19960302065210.009574b4@mail.teleport.com> At 03:55 PM 2/29/96 -0800, Timothy C. May wrote: >There are several places to look: Thanks for the sources. More money is going to get dumped into cryptobooks soon. (I am amazed how little exists on the web on the topic.) I had seen a few of the books at a local bookstore, but I was uncertain of their quality. (They also had a number of snake-oil crypto books.) >However, these books are based on work done in WWII and the following >decade(s), so the stuff is pretty dated. Still, nearly any "snake oil >crypto" system, such as it sounds like your friend is building, will likely >be far weaker than the ciphers the NSA was attacking back in the early >days. The author has failed to call me back. I do have some serious concerns about the code. (There is not a single XOR used, except to clear registers!) I am starting to suspect that it is based on a mathematical progression based on the numbers 40, 28, 36. I need to spend a bit of time on the code with a debugger to find out just where that segment of code is located. (Should not take too long... Just have to make the time.) >* The journal "Cryptologia" is largely devoted to amateur cryptanalysis. The web info for back issues listed a web page from a publisher that had no listing for them on the server. I will be sending mail to get more info... >>The Cyphernomicon has a couple of paragraphs, but nothing on >>techniques or pointers to other references. RSA's FAQ has >>little to nothing as well. A web search turned up little >>useful. Most of the other references I have found have been for >>current cyphers, but next to nothing about breaking them. > >There are very good reasons to say little about "conventional >cryptanalysis": it just doesn't matter much with modern ciphers, such as >public key systems. Modern ciphers don't fall to conventional attacks based >on word frequency, pattern analysis, etc. Still an interesting topic... >Your friend is on a hopeless task. If he doesn't understand just how >hopeless it is to develop a homegrown, conventional cipher then he's >certainly not likely to take the time to become a skilled amateur >cryptanalyst. I am trying to convince him of the futility of the task. (It is hard as his ego keeps getting in the way.) I just want to give him reasons why it is weak and not just glittering generalities. Thanks again for the book references! --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon "I, Caligula Clinton... In the name of the Senate and the people of Rome!" - Bill Clinton signing the CDA with the First Amendment bent over. From nobody at REPLAY.COM Sun Mar 3 07:18:39 1996 From: nobody at REPLAY.COM (Anonymous) Date: Sun, 3 Mar 1996 23:18:39 +0800 Subject: Netcom and Credit Cards Message-ID: <199603031503.KAA20008@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- > The "credit card numbers were stolen" point, that I believe Ed Carp was > referring to, had to do with the Mitnick affair, and is very old news. The fact that they had been stolen was mentioned in an edition of 2600 6 months before the Mitnick saga. Netcom had been told about the security breaches many times, but refused to acknowledge that their site was insecure. It was this arrogance that pissed people off more than their insecurity. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMTm0vyoZzwIn1bdtAQFHgQGA2lxrjz1dzFmNmveG6yIhdc9xC3ghDr4h Q12sN3g9/s7uof66Q+bVBpIxsqbeJM0s =JckI -----END PGP SIGNATURE----- From gary at kampai.euronet.nl Sun Mar 3 07:29:30 1996 From: gary at kampai.euronet.nl (Gary Howland) Date: Sun, 3 Mar 1996 23:29:30 +0800 Subject: Truelly Random Numbers Message-ID: <199603031511.KAA20026@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Timothy C May wrote: > In some PK code I did several years ago in Mathematica, the primes for the > RSA modulus were found by picking a "random" (more on this later) starting > point and then counting up from there, testing for primality (actually, > pseudoprimality, technically). As one would expect, primes are found fairly > quickly. Surely the process of counting up until you get a prime means that the chances of getting certain primes are greater than others (eg. 17 is more likely than 19) ? Gary - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMTm2jCoZzwIn1bdtAQEIOwGAg9YkxQXKKS07ZVBvEfzTRaNcxMnZDUYa sfyzl2mr7UZ94AEoVyWgcsYQXvuFG1QK =fOGq -----END PGP SIGNATURE----- From nobody at REPLAY.COM Sun Mar 3 08:12:31 1996 From: nobody at REPLAY.COM (Anonymous) Date: Mon, 4 Mar 1996 00:12:31 +0800 Subject: Assassination Politics 9! Message-ID: <199603031557.KAA20256@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- On Sun Mar 3 1996, Just Rich wrote: : On Sat, 2 Mar 1996, Black Unicorn wrote: : : > On Wed, 28 Feb 1996, jim bell wrote: : > : > > "Assassination Politics" Part 9, by Jim Bell, February 27, 1996 : > > : > > For about a year I have been considering the implications of "Assassination : > > Politics," and for more than six months I've been sharing the subject and : > > my musings with you, the interested reader. : > ^^^^^^^^^^^^^^^^^^^^^^^^^^ : > You're pushing it here. : : No he's not. "Reader" is singular, and Jim is on cypherpunks. Just because you two aren't interested, doesn't mean others aren't. Work is actually in progress in implementing such a system. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMTnBWSoZzwIn1bdtAQF1zQF7BuwNLQ+C6ql4gUQi5FIaPmdpudvVHKjE K+HLZRrkUm7ziPXq0tGWecuBJ3ucD6lw =628g -----END PGP SIGNATURE----- From jya at pipeline.com Sun Mar 3 08:44:20 1996 From: jya at pipeline.com (John Young) Date: Mon, 4 Mar 1996 00:44:20 +0800 Subject: MTM_moi Message-ID: <199603031629.LAA01546@pipe1.nyc.pipeline.com> EcoMist, March 2, 1996: "Many people believe that the Internet will make middlemen extinct. It is more likely to help them thrive." The Net's fans argue that it allows consumers to bypass intermediaries while increasing their choices and finding better bargains. One influential proponent of this idea is Bill Gates. Compelling as they seem, however, these arguments do not prove their case. Hal Varian, an economist at the UC Berkeley, claims there will be greater competition among intermediaries, and maybe many more of them. Instead of competing on the basis of inside information, those agents will compete by adding value in other ways. The Internet will put some intermediaries out of business, but it will create more work for others. And among these will be not only suppliers of familiar services, but also a new breed monitoring Internet sites, collecting news and information, and repackaging it -- folk, in other words, like Mr Gates. MTM_moi From mark at unicorn.com Sun Mar 3 09:03:52 1996 From: mark at unicorn.com (Mark Grant, M.A. (Oxon)) Date: Mon, 4 Mar 1996 01:03:52 +0800 Subject: Anonymous Web Browsers Message-ID: On Sat, 2 Mar 1996, A. Padgett Peterson P.E. Information Security wrote: [Netscape mailto] > Disabling is easy, just do not specify a mail server (or better, one that > will refuse mail) in "options/preferences/mail and news". Netscape (at least > 1.1n) initiates a port 25 connection to the designated server to send mail. Tried that. Doesn't work with 2.0 on SunOS, it just connects to localhost instead... Mark From owner-cypherpunks at toad.com Sun Mar 3 09:20:22 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Mon, 4 Mar 1996 01:20:22 +0800 Subject: No Subject Message-ID: Applied Crypto 2nd Edition - page 334-335. Brief stuff: Block Cypher (symetrical), 64 bit key, 64 bit block size "The S-boxes are implemenation dependent, but not key dependent." resistant to differential and linear cryptanalysis "Northern Telecom is using CAST in their Entrust security software package for Macintoshes, PCs, and UNIX workstations. The particular S-boxes they chose are not public. The Candadian government is evaluating CAST as a new encryption standard. CAST is patent pending." If you don't have the book - GET IT! ;-) Dan > From: "Stephen A. Gutknecht" > To: "'cypherpunks at toad.com'" > Subject: RE: Nortel "Entrust" > > I too would like to see an open discussion on this. Microsoft uses this for > their new Exchange Server client/server email product.... > > ---------- > From: Jonathon Fletcher[SMTP:jonathon at japan.sbi.com] > Sent: Friday, March 01, 1996 10:17 AM > To: cypherpunks at toad.com > Subject: Nortel "Entrust" > > > Can anyone tell me anything about a product called "Entrust", by Nortel > (Northern Telecom). The notes talk about the software using DES ("which > employs a 56-bit key") so I guess it's single DES, not triple DES. It also > mentions a proprietary algorithm called CAST. > > Is this worthy of further investigation, or is it suspect ? What is > CAST, and would it be classed as snake oil ? > ------------------------------------------------------------------ Dan Oelke Alcatel Network Systems droelke at aud.alcatel.com Richardson, TX From PADGETT at hobbes.orl.mmc.com Sun Mar 3 09:45:22 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Mon, 4 Mar 1996 01:45:22 +0800 Subject: Duress Message-ID: <960303121209.2020214e@hobbes.orl.mmc.com> >Ms. Wilson then gave into the pressure applied and gave >the passwords required by Justice Haggerty. Those of you who follow FIREWALLS may recall that I premote the use of "minefields" on networks, machines that should never be accessed and will trigger an alarm/response on any access. Some years ago I wrote a spec for cryptographic securing of notebooks/ E-Mail that included a "duress" capability: a "password" that, when entered would appear to be properly accepted but would report an error on retrieval. Optional was to be overwriting of any material whose access was attempted. For some time people have been puzzled when I have said that good systems protection will increase the risks to the *people* involved just as good locks on cars led to carjacking. Warmly, Padgett From jya at pipeline.com Sun Mar 3 09:50:12 1996 From: jya at pipeline.com (John Young) Date: Mon, 4 Mar 1996 01:50:12 +0800 Subject: Assassination Politics 9! Message-ID: <199603031713.MAA04645@pipe1.nyc.pipeline.com> On Mar 03, 1996 10:57:14, 'nobody at REPLAY.COM (Anonymous)' wrote: >Just because you two aren't interested, doesn't mean others aren't. >Work is actually in progress in implementing such a system. The Economist of March 2 has a cover story on state, church and private terrorism, the effectiveness and failures of each, the arguments and apologies, the savages and the victims, the lucrative concocting of imaginary enemies -- military, religious, political, personal. It's conclusions are ... well, have a read and dread how the Demon Trio of state, church and private super-righteous sub-humans will murder you and your loved ones next to fulfill their blind ambitions. From warlord at MIT.EDU Sun Mar 3 10:06:16 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Mon, 4 Mar 1996 02:06:16 +0800 Subject: A brief comparison of email encryption protocols In-Reply-To: <199602292001.PAA18761@jekyll.piermont.com> Message-ID: <199602292054.PAA17361@toxicwaste.media.mit.edu> > I think it would be valuable if signature formats specified not only > an arbitrary key-id but a DNSable string or URL to retrieve the > certificate responsible for the signature. One of the things we've > learned from PGP is the difficulty of dealing with random numbers as > key ids. In this, I'm not sure we shouldn't be including better lookup > mechanisms. This is not to say that meaning should be assigned to a > lookup string beyond its saying where to find the key. This is something that I've spoken to Phil about at length, and I've been trying to devise solutions. The problem is how to offset the "hint" and the size of the signature. You want the signature to contain some informatin that hints at the location of the key. On the other hand, you dont want to bloat the signature in doing this. So, there needs to be a compromise, some shorthand method to describe the hint. One solution is to provide a "keyserver" type and then some string that says which "keyserver" to use. For example, if there is a DNS-style keyserver deplyed, I could put '1,"mit.edu"' in all my signatures, if we assume that '1' is the DNS-style keyserver code. I'm sure there are other possible solutions as well, and any real suggestions are welcome. -derek From LibertyWMA at aol.com Sun Mar 3 11:30:37 1996 From: LibertyWMA at aol.com (LibertyWMA at aol.com) Date: Mon, 4 Mar 1996 03:30:37 +0800 Subject: Electronic Freedom press release Message-ID: <960303135004_436931843@mail04.mail.aol.com> ----------------------------------------------- NEWS FROM THE MASSACHUSETTS LIBERTARIAN ASSOCIATION ----------------------------------------------- For Immediate Release For Additional Information John Brickner Electronic Outreach Director Massachusetts Libertarian Association LibertyWMA at aol.com ---------------------------------------------------- Phillies Endorses Electronic Freedom George Phillies, Libertarian Party candidate for the U. S. Senate in Massachusetts, today condemned the so-called Communications Decency Act -- the Internet Censorship Act --and called for its immediate repeal. Phillies, a resident of Worcester, will face incumbent Senator John Kerry and Governor William Weld in the fall election. He further called for elimination of controls that are strangling our computer export industry. Phillies explained his stand on Electronic Freedoms: 'There is no freedom more fundamental than freedom of speech, and electronic speech is speech. When Congress passes a law against undefined 'indecent' speech, it threatens all speech. When Congress extended the Comstock Law to electronic media, it forbade discussion of abortion by pro-life as well as pro-choice supporters. Of course, the Clinton Justice Department says it won't enforce the Comstock Act. But what will happen in 1997 if the Buchanan Justice Department replaces the Clinton Justice Department? Export restrictions on software are hurting the computer industry. Let us have a reality check here. PGP and other strong encryption algorithms are freely available in Europa, Asia, and Africa. The only companies being hurt by export restrictions on software are American companies. The only people being hurt by export restrictions are American programmers and manufacturers. Export restrictions on encryption and other software are hurting us, while stopping no one from encrypting their data. The Libertarian Party supports free trade in computer software, and so do I! Export restrictions on computer hardware are even worse, because those restrictions are a de facto subsidy from the U.S. government to foreign hardware producers. When a foreign producer can manufacture a high power computer, and an American producer cannot export one to compete in the free market, it is the foreign producer who profits, and American designers, workers, and shareholders who takes it in the chin. We have enough challenges from foreign competition now; we don't need our American government helping our foreign competitors. I have long supported electronic speech and publication as Constitutionally protected forms of speech and press. When the Secret Service raided Steve Jackson Games to suppress publication of 'Hacker' I immediately wrote Congress to protest. I argued 200 hundred years ago, King George's Hessian mercenaries raided colonial printers to scattered their typecases; now, Federal agents destroyed electronic font files. The physical format of the type was different, but the act was the same. 30 years ago, Russian police raided homes of Russian dissidents, destroying hand-typed samizdat; now, Federal agents destroyed magnetically-stored manuscripts of a game. The physical format of the manuscript was the different, but the act was the same. In the end, of course, word went out across the Net -- Justice was served. Steve Jackson had won his lawsuit. 'Finally, I remind all computer users, programmers, and designers: Liberty is indivisible! By standing together to protect all Constitutional Rights, not just the ones closest and dearest to our hearts, we make every Right safer. We all need to support the whole Bill of Rights, not just the parts that liberals or Republicans find convenient. Support the whole Bill of Rights. Support Your Electronic Freedom. Register and vote Libertarian. --------------------------30---------------- Background information The Libertarian Party is one of Massachusetts' three legally-recognized major political parties. Libertarians stand in the dynamic center of the political spectrum: conservative on fiscal issues, pro-freedom on social issues. To place candidates before the voters, Libertarians must satisfy precisely the same laws that will allow Democrats and Republicans to put Kerry and Weld on the ballot. In 1994, a Libertarian running for statewide office in Massachusetts received over 3% of the vote, more than the difference between Kerry and Weld in a recent poll. ------------------------------------------ For Additional Information: Contact the Candidate Himself: George Phillies Massachusetts Libertarian Association 87-6 Park Avenue Worcester MA 01605 508-831-5334 (w) (Yes, he has a real job.) 508-754-1859 (h) phillies at wpi.edu --------------------30--------------------------- Candidate Biographical Data George Phillies was born July 23, 1947 in Buffalo, New York, first son of Eustace G. Phillies, M.D.(deceased) and Clara Phillies. Phillies grew up in Kenmore and Williamsville, New York, finished as salutatorian at the Williamsville Central High School [now Williamsville North], and came to M.I.T. in Cambridge, Massachusetts. While at MIT, Phillies earned degrees of Bachelor of Science in physics and in life sciences, as well as Master of Science and (in 1973) Doctor of Science degrees in physics. Phillies then joined the Harvard-MIT Health Sciences and Technology program as a researcher. In 1971, Phillies joined the United States Army Reserves, eventually rising to the rank of Specialist, 5th Class, in a Boston unit, the 338th Medical Detachment; he received an honorable discharge in 1977. In 1975, Phillies moved to California, working as a postdoctoral fellow in the U.C.L.A. Chemistry department and living in Santa Monica. Phillies in 1978 moved to Ann Arbor, Michigan, where he was employed as an Assistant Professor of Chemistry at the University of Michigan. In 1985, after declining alternatives at nationally-known schools, Phillies moved to the prestigious Worcester Polytechnic Institute, where he rose to the rank of Professor in the Department of Physics. Phillies is recognized internationally for his scientific studies of light scattering, soaps, and polymer solutions. Phillies, 48, never married, rents a townhouse in Worcester, Massachusetts, a block from the WPI Campus. In 1994, the Libertarian Party gained major-party status in Massachusetts. Phillies has participated actively in Libertarian Party organizing efforts in Central and Western Massachusetts. In 1996, he was elected Executive Director of the Massachusetts Libertarian Association. The Bill of Rights: "I support the whole Bill of Rights, not just the convenient parts. I support the freedom of unpopular speech, the freedom to practice uncommon religions, freedom for consenting adults in the privacy of their homes, freedom of privacy via exportable strong encryption." ------------------------------------------------ From bruce at aracnet.com Sun Mar 3 11:42:52 1996 From: bruce at aracnet.com (Bruce Baugh) Date: Mon, 4 Mar 1996 03:42:52 +0800 Subject: Mainstreaming PGP on Usenet Message-ID: <2.2.32.19960303191053.00697678@mail.aracnet.com> I'm surprised nobody has brought this up before.... FIRST CALL FOR VOTES (of 2) moderated group soc.culture.russian.moderated 6. Individuals in the database of known readers may post freely to the group, subject to the conditions in sections 1-4 above. If need arises, the robomoderator may perform PGP verification of the identity of the known reader and, if the reader requests so, automatically reject all the submissions from the reader without a valid PGP signature. -- Bruce Baugh bruce at aracnet.com http://www.aracnet.com/~bruce From tcmay at got.net Sun Mar 3 11:44:40 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 4 Mar 1996 03:44:40 +0800 Subject: Truelly Random Numbers Message-ID: At 3:11 PM 3/3/96, Gary Howland wrote: >Timothy C May wrote: > >> In some PK code I did several years ago in Mathematica, the primes for the >> RSA modulus were found by picking a "random" (more on this later) starting >> point and then counting up from there, testing for primality (actually, >> pseudoprimality, technically). As one would expect, primes are found fairly >> quickly. > >Surely the process of counting up until you get a prime means >that the chances of getting certain primes are greater than >others (eg. 17 is more likely than 19) ? ??? I think you are misunderstanding the point. The count doesn't start at 0, if this is your point...that would be a lot worse than some primes more common than other, that would mean everyone uses the same prime, e.g., "2." Rather, one picks a suitably random number, such as "836480166228153153328299.....845082582622308645" (lots of digits) and tests it for primality (pseudoprimality). For a several hundred digit number, only about a one percent chance or less that it's prime. So, one iterates upward or downward by two (one first makes sure it's odd, as it must be to be a possible prime). Sure, the first prime reached is "more likely" to be selected than the second or third or nth prime reached, but so what? No outsider knows the seed value, which is where all of the security resides. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jamesd at echeque.com Sun Mar 3 11:48:33 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Mon, 4 Mar 1996 03:48:33 +0800 Subject: Truelly Random Numbers Message-ID: <199603031913.LAA02889@mail1.best.com> At 10:11 AM 3/3/96 -0500, Gary Howland wrote: >Surely the process of counting up until you get a prime means >that the chances of getting certain primes are greater than >others (eg. 17 is more likely than 19) ? In order to use this information, one would need to determine the number of primes in the vicinity of a potential prime factor. This costs more than actually checking for the factor, hence is not useful. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From burma at alpha.c2.org Sun Mar 3 12:10:14 1996 From: burma at alpha.c2.org (burma at alpha.c2.org) Date: Mon, 4 Mar 1996 04:10:14 +0800 Subject: No Subject Message-ID: <199603031926.LAA14487@dns2.noc.best.net> Hello Everyone! I'm trying to help my friend. He doesn't have his own computer. He uses and abuses the school computers. Here is the problem the guy has. Read on! I don't know if any of you have problem with scrolling through the BurmaNet News article recently. It freezes my VT100 screen and give me KBD LOCKED errors at certain spot. It also freezes the xterm window. It turn out that the file contains non-printable ( invisible ) charecters, dc3, to be exact, which screw up something. Below is the octal dump of the BurmaNet content on a unix box. Note the 'dc3' charecter right before "The definition often the ..." on line 4300 and 6700. If any of you are having similar problem please drop me a note. From merriman at arn.net Sun Mar 3 12:12:15 1996 From: merriman at arn.net (David K. Merriman) Date: Mon, 4 Mar 1996 04:12:15 +0800 Subject: cryptography Message-ID: <2.2.32.19960303072715.006ac3c0@arn.net> -----BEGIN PGP SIGNED MESSAGE----- Response to Freedom Now! program on PBS, regarding expanding use of cryptography by individuals. - ----------------------------------------------------------- Unfortunately, the NSA representative (Mr. Baker?) on today's (3/3/96) show neglected to mention that the Clinton administration called for the introduction of the Clipper chip in *all* phones, NOT just those used by the government. This may be readily verified online via the archives at the EFF (http://www.eff.org), EPIC (http://www.epic.org), and even the White House' (http://www.whitehouse.gov) own ftp-able copies of the President's speeches. Also missed was the fact that the Clipper chip would readily permit the implementation of what is called "traffic analysis" - knowing who spoke with whom, regardless of content. Traffic analysis data could readily be misinterpreted. If I were to make a dozen calls to a KKK office, traffic analysis would show such; it would *not* indicate whether the calls were in support of, or opposition to, the KKK's existence. I found 'interesting' the NSA representative's emphasis of the fact that with the introduction of the automobile, the government's response was licensing and requirements for absolute identification. Extending that response, and the extensive licensing and identification procedures used to (legally) acquire (legal) firearms, to the use of cryptography and communications: are we going to see licensed telephones? Are we going to be obliged to present a National ID card before being able to use a public pay phone? Somehow, I have trouble equating a submachine gun to a Princess phone... but then, I'm not a (probably justifiably so) paranoid government official. David K. Merriman merriman at arn.net -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMTks9MVrTvyYOzAZAQF+tQP/Z1WQQ5lA04Lkt1e4pDM6x/MA113+LuAQ DnKSSy50778cblcW44IimEkeWvxAQ/ee4FYtDlDvpxVgCXJc9ARUdawpZ0eFoCON 5nQ1VixVUMhmMrZYUrx1MFmacvgYDfkqXS7QEHmkrQzvZTKsjM67gs2VKCUhJm0D p54R34ooaKM= =1HPq -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> For privacy tools: http://www.geocities.com/capitolhill/1148 From merriman at arn.net Sun Mar 3 12:29:20 1996 From: merriman at arn.net (David K. Merriman) Date: Mon, 4 Mar 1996 04:29:20 +0800 Subject: remailer, web site, listserve Message-ID: <2.2.32.19960303075227.0069b230@arn.net> -----BEGIN PGP SIGNED MESSAGE----- I and a partner are expecting to be online by the 8th of March with a commercial web server (shellback.com). As part of this presence, I am working on hacking together a program to interface with the SLMail95 (yes, it will be running on a Win95 machine :-) email server to allow operation as a remailer. Initially, I anticipate that it will be a fairly 'dumb' remailer, offering only remailing, reordering, and PGP encryption. Additional CP-style features will be added as my time to implement them permits. I am offering to maintain an initially limited archives of CP materials and a listserve host (if needed/wanted). I am also actively soliciting (via email to me personally, please, and forgive me if I don't acknowledge it) pointers and materials (files, documents, etc) to include on the site. I have the PGP files from the CP ftp site (before it got 'lost' again), but anything else is *most* welcome. We will also be offering anonymous email accounts for $5/month. Following is the PGP key for the remailer we'll be operating (remailer at shellback.com). I want to emphasize that the remailer will *not* keep *any* kind of logs. Bad headers, bounces, or anything else not processed on the first go-through will simply fall into the bitbucket for electron recycling. Since I'll be the postmaster/webmaster, I can say that with no small measure of confidence :-) - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCNAzE0kfEAAAEEALf5sIOqMfEAFi3geJ6aofyaCRy1ZJt8D91QBqPPeU1X3ond BoIcEcfaMf7s3cOBaiEl7rKFMYqEpL08G7FFelQxc1WRvsR5XtTN+xFB3j0RPNON vMxju5j6anjPVb2RMnowSYqNKUWIEYd4Soa7L+ZWpaHgLSGkhb6Ex2tu6LdpAAUR tCFSZW1haWxlciA8cmVtYWlsZXJAc2hlbGxiYWNrLmNvbT6JAJUDBRAxNJK/xWtO /Jg7MBkBAfiVBACk6dDtebwemmY2+nxK+WD46a0Uj/lwpXLGzJvixdYGo4mwYG2/ LUw/23xBNxLIvPCFR8Qvt9zguyPdMWAp07I64ZlL6yv9Co3DETtTLB8wBdPce6Wx CLswIWAQ3MSLOmgVB35TzOYrYf5RzYtNKktCl3YDa9mxV4sug9xAx5uxvw== =9EvL - -----END PGP PUBLIC KEY BLOCK----- We return you now to your regularly scheduled anarchy..... Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMTkzSsVrTvyYOzAZAQGVxQP/cFSgADQRFs58aTRv9FmzVFKK5xP4Ew2T lFajc73ltr0u6qa3luCfZKUqhG93REt8KXqzj2j65i+wrSKzs10DN2N75dEfRHO9 oGm0ka82eTmY+NXLLuNn1THw0+J8EsH9itQD0H4IzEWFkqUYq/C8pEtARF8LCt3V oKN1V/E6zPs= =sfA+ -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> For privacy tools: http://www.geocities.com/capitolhill/1148 From dlv at bwalk.dm.com Sun Mar 3 13:26:58 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Mon, 4 Mar 1996 05:26:58 +0800 Subject: Duress In-Reply-To: <960303121209.2020214e@hobbes.orl.mmc.com> Message-ID: "A. Padgett Peterson P.E. Information Security" writes: > Those of you who follow FIREWALLS may recall that I premote the use of > "minefields" on networks, machines that should never be accessed and will > trigger an alarm/response on any access. > > Some years ago I wrote a spec for cryptographic securing of notebooks/ > E-Mail that included a "duress" capability: a "password" that, when > entered would appear to be properly accepted but would report an error > on retrieval. Optional was to be overwriting of any material whose access > was attempted. As a side remark, every burglar alarm connected to a phone that I've ever seen has this feature: a code that one can type under duress that will both turn off the alarm and call for help. I wonder how many users will remember this code when under duress. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From unicorn at schloss.li Sun Mar 3 13:33:12 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 4 Mar 1996 05:33:12 +0800 Subject: your mail In-Reply-To: <199603031418.JAA09675@black-ice.gateway.com> Message-ID: On Sun, 3 Mar 1996, Anonymous Remail Service wrote: [...] > >I attended last weeks "Information, National Policies, and International > >Infrastructure" Symposium at Harvard Law School, organized by the Global > >Information Infrastructure Commission, the Kennedy School and the > >Institute for Information Technology Law & Policy of Harvard Law School. > > > >During the presentation by Paul Strassmann, National Defense University > >and William Marlow, Science Applications International Corporation, > >entitled "Anonymous Remailers as Risk-Free International Infoterrorists" > >the questions was raised from audience (Professor Chaarles Nesson, > >Harvard LAw School) - in a rather extended debate - whether the CIA and > >similar government agencies are involved in running anonymous remailers > >as this would be a perfect target to scan possibly illegal messages. > > > >Both presenters explicitly acknowledged that a number of anonymous > >remnailers in the US are run by government agencies scanning traffic. > >Marlow said that the government runs at least a dozen remailers and that > >the most popular remailers in France and Germany are run by the > >respective government agencies in these countries. In addition they > >mentioned that the NSA has successfully developed systems to break > >encrypted messages below 1000 bit of key length and strongly suggested > >to use at least 1024 bit keys. They said that they semselves use 1024 > >bit keys. [...] > >Viktor Mayer-Schoenberger > >Information Law Project > >Austrian Institute for Legal Policy > Groundfog at alpha.c2.org What this demonstrates, regardless of the legitimacy of the claim, is the need for a web of trust that does more than estlablish the link between key and user, but one that distributes reputation capital. The ability to assign reputation to remailers via digital signature is going to be of increasing importance, as is the use of larger keys by remail-operators. Are there any grassroots projects on the table to address the former problem? --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From merriman at arn.net Sun Mar 3 13:40:12 1996 From: merriman at arn.net (David K. Merriman) Date: Mon, 4 Mar 1996 05:40:12 +0800 Subject: Duress Message-ID: <2.2.32.19960303090718.006a7d38@arn.net> -----BEGIN PGP SIGNED MESSAGE----- At 02:49 PM 03/3/96 EST, dlv at bwalk.dm.com (Dr. Dimitri Vulis) wrote: >"A. Padgett Peterson P.E. Information Security" writes: >> Those of you who follow FIREWALLS may recall that I premote the use of >> "minefields" on networks, machines that should never be accessed and will >> trigger an alarm/response on any access. >> >> Some years ago I wrote a spec for cryptographic securing of notebooks/ >> E-Mail that included a "duress" capability: a "password" that, when >> entered would appear to be properly accepted but would report an error >> on retrieval. Optional was to be overwriting of any material whose access >> was attempted. > >As a side remark, every burglar alarm connected to a phone that I've ever seen >has this feature: a code that one can type under duress that will both turn >off the alarm and call for help. I wonder how many users will remember this >code when under duress. > Many (if not most) alarm companies make the duress code the *reverse* of the normal code. Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMTlEzsVrTvyYOzAZAQG9sAQAjfAQP6pEReh/vzx/dsJKU987FOMbqWgV Ik/NtzW7fRRzVYmruribT1ZtPQAcPTkdORZC22xHvk82E/m9Awv9q6Zhkbd29/TQ kcLQ42G3ddcUMA7EWtWtP231tofnyQtM5M7KRdIkKyT7oZdyXgjP42mysjGNDHAy wv2VcfiPwPQ= =fc6C -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> For privacy tools: http://www.geocities.com/capitolhill/1148 From hallam at w3.org Sun Mar 3 14:08:08 1996 From: hallam at w3.org (Phillip M. Hallam-Baker) Date: Mon, 4 Mar 1996 06:08:08 +0800 Subject: NYT login Message-ID: <199603032135.QAA21850@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Just Rich wrote: > > Rumour has it that there might be a cpunks/cpunks (cypherpunks was taken). This brings up an interesting prtoblem which I have been trying to solve. How can we fund content providers on the Web while not compromising privacy? Early on I targeted political and governmental sites as likely users of the Web. This also reflected a personal belief that I have in open government. What I did not anticipate was the speed with which the mainstream press started appearing on the Web. In part this was due to the Whitehouse server which has legitimized the Web in many corporated boardrooms. There is a problem though, nobody has a fully convincing revenue model yet. This will have to chage if sites like the NYT are going to stay online. Ideally I would like these sites to be free to the readers because it helps break down international chauvnism and petty minded nationalism. I believe that the significant number of trans-national relationships forged over the internet have lead to a significant shift in support for French Nuclear testing for example. Ten years ago many French supported terrorism such as the sinking of the Rainbow warrior in persuit of this policy, this time round there has been much less support for the government posistion. The challenge therefore is to find a means by which NYT etc can pay their staffs. Advertising is an obvious mechanism but here there is a problem. Advertisers need to know what they are receiving by way of value for money. Don't believe the stories of $50K per month advertising charges, many of these prices are very heavily discounted. $50K is what advertisers are willing to pay once they know for sure the Web works for them. If we apply traditional advertising logic it would be necessary to use very intrusive methods to discover how effective the Web is. This is not necessarily the case on the Web since it is an interactive medium. As Jock Gill pointed out at a recent conference we organised, instead of targetting customers the Web permits a participatory process which may be far more profitable for big name brands, allowing them to establish the high value long term relationships they really want. So the question is how can we square the circle? I have no problem telling the NYT's advertisers that NYT have a reader who is in the high tech goodies purchasingcategory. I have a serious problem allowing the government to know that I read the NYT, remember that in many countries that could lead to getting you arrested. I also think we need to be cautious about comapnies collecting similar information. Imagine for a moment that the US elected a fascist president opposed to "left wing intellectuals". It would be a bad thing if he could obtain a list of likely left wing intellectuals compiled from readership of various magazines, visiting of left wing Web sites etc. This is a live issue in Holland where no phone records are kept because stored records were used by the NAZIs when they were invaded to find out who was talking to whom. Some Ideas I had: 1) An anonymous session identifier generated by the browser constructed in a cryptographically secure manner so as to prevent linkage across sites. This would allow NYTs to find out that a reader had moved from the sports section to the politics section within the site but not to track them from the NYT to Time Warner. 2) A privacy code of conduct. Sites adhering to this code would be alowed to display a trademarked icon on their pages. This code would cover items such as not selling log files not maintaining online records of identity. There are many people who are willing to put in the effort to make the Web a place where people can interact in privacy. I know very senior people in very large companies who are as concerned as many cypherpunks on this issue. The point is that we need to come up with a scheme which addresses their legitimate business needs and protects privacy. Otherwise the market will decide and it does not care much about privacy. I have written up some working drafts. You can get them from the IETF in ascii text or via the web as W3c working drafts http://w3.org/ Phill Hallam-Baker - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMToQuyoZzwIn1bdtAQFSZgGAwMeBfDr4g3yBclG08m6f8K2Ml1Gv07i1 L5wybpz4/8o4Gy7/P3UUP+82IcEpgGrl =hUU/ -----END PGP SIGNATURE----- From stewarts at ix.netcom.com Sun Mar 3 14:14:01 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 4 Mar 1996 06:14:01 +0800 Subject: A brief comparison of email encryption protocols Message-ID: <199603030038.QAA06274@ix2.ix.netcom.com> At 09:01 AM 2/29/96 -0800, Laurence Lundblade wrote: .....CME wrote.... >>Like X.509, my certs have an Issuing-name and a Subject-name -- but >>they're both cryptographic hashes of public keys. You can take a portion >>of those hashes [e.g., low order 12 bits] and use it to index a hash table >>of certificates or keys. The cert is more general than X.509 -- that is, ...... >Isn't using a hash as the identifier replicating the key distribution >problem that PGP has or are you including some other data that can be used >to look up the cert? I think a problem occurs when you have 20 billion of >these certs (two for every person in the year 2010 or such). A simple hash >into a table isn't going to cut it because you a single database (with >replication?) isn't going to be possible. Some hierarchical lookup like >DNS is going to be needed. The look ups are needed to check for revocation. There's a name collision on the word "hash" here. Carl was using both hashes in the same sentence. A "cryptographic hash" is a strongly one-way mapping from an input string (in this case a public key) to a number. A hash table is a data structure that uses a mapping from an input string to a number to decide where to put things. An MD5 cryptographic hash function used on PGP public keys (e.g. to get the fingerprint) is 64 bits long, so there may be a few collisions if there are 2**34 keys out there; if things scale to that point, PGP 4.1.3 need to use SHA for fingerprints instead (or in addition). Carl is proposing using a hash table (indexed by a hash-table hash of the cryptographic hash) to store public keys; that's a separate problem, though of course if you want to store 20 billion keys in one place, there are better data structures than simple hash tables. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com / billstewart at attmail.com +1-415-442-2215 # http://www.idiom.com/~wcs Pager +1-408-787-1281 From hallam at w3.org Sun Mar 3 14:15:48 1996 From: hallam at w3.org (Phillip M. Hallam-Baker) Date: Mon, 4 Mar 1996 06:15:48 +0800 Subject: Netcom and Credit Cards Message-ID: <199603032140.QAA21879@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Anonymous wrote: > > The "credit card numbers were stolen" point, that I believe Ed Carp was > > referring to, had to do with the Mitnick affair, and is very old news. > > The fact that they had been stolen was mentioned in an edition of 2600 > 6 months before the Mitnick saga. Netcom had been told about the > security breaches many times, but refused to acknowledge that their > site was insecure. It was this arrogance that pissed people off > more than their insecurity. As someone who was involved in the recent iKP / SEPP /STT / --> SET event I would like to point out that it was the storage of CC numbers in databases connected to the Internet which was the primary concern of credit card companies. Sending credit card numbers across the internet in the clear was to an extent a side issue. Clearly if the merchant was nopt going to be able to store the number the number would have to not be received in cleartext by the merchant. Phill - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMToR2yoZzwIn1bdtAQEBDAF+Mgb3VluBwhqkjIgPCJ5YurkDWWm9MRwg RJoqXdalTBmM20ldY5qddiuTGoxni4ac =9L/X -----END PGP SIGNATURE----- From froomkin at law.miami.edu Sun Mar 3 14:34:44 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Mon, 4 Mar 1996 06:34:44 +0800 Subject: (fwd) USA / Australia - Civil Liberty In-Reply-To: <199603030753.RAA12050@suburbia.net> Message-ID: The following concerns a fragment from a message that seems to have been posted to "aus.legal" and to c'punx. Please feel free to forward to aus.legal if you have access to that group. On Sun, 3 Mar 1996, Julian Assange wrote: > > Under USC 28, 1603, (B)(3) Ms. Wilson is an alien and the US > Federal court has no jurisdiction over her. Highly dubious. The court has full jurisdiction over all non-ambassadors in its jurisidiction. Whatever passport they may hold. The cited text relates to the immunity of foreign states and their ambassadors and their political subdvisions. It is not an exemption for all tourists, foreign workers or the like. A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's not warm here today. From rich at c2.org Sun Mar 3 14:44:34 1996 From: rich at c2.org (Just Rich) Date: Mon, 4 Mar 1996 06:44:34 +0800 Subject: Mainstreaming PGP on Usenet In-Reply-To: <2.2.32.19960303191053.00697678@mail.aracnet.com> Message-ID: comp.os.ms-windows.announce will also start using PGPMoose when I get around to it, probably today. See http://www.sydney.sterling.com:8080/~ggr/pgpmoose.html -rich win-request at metrics.com On Sun, 3 Mar 1996, Bruce Baugh wrote: > I'm surprised nobody has brought this up before.... > > FIRST CALL FOR VOTES (of 2) > moderated group soc.culture.russian.moderated > > > > 6. Individuals in the database of known readers may post freely to > the group, subject to the conditions in sections 1-4 above. If need > arises, the robomoderator may perform PGP verification of the > identity of the known reader and, if the reader requests so, > automatically reject all the submissions from the reader without > a valid PGP signature. > > -- > Bruce Baugh > bruce at aracnet.com > http://www.aracnet.com/~bruce From jcaldwel at iquest.net Sun Mar 3 15:11:54 1996 From: jcaldwel at iquest.net (James Caldwell) Date: Mon, 4 Mar 1996 07:11:54 +0800 Subject: (Fwd) Gov't run anon servers Message-ID: This states that some anonymous remailers are run by various gov't and that encryption keys up to 1000 bits are crackable. Whether this is true or disinformation, you are using a 1024 bit key and all your messages through anonymous remailers are encrypted aren't they? Also note that while later versions of PGP are capable of larger keys, that these versions of PGP are not known to be secure. PGP 2.3a is the last version released prior to gov't interference. PGP 2.3a will do 1264 bit keys if you enter 1264 in the box instead of the number it askes for when if asks for the type of key security you want. ------- Forwarded Message Follows ------- alt.privacy.anon-server,alt.anonymous.messages,alt.anonymous, talk.politics.crypto,alt.politics.org.covert,alt.politics.org.nsa,alt.politics.datahighway, alt.culture.internet,alt.culture.usenet,alt.cyberspace,alt.conspiracy From: an366601 at anon.penet.fi (** CRAM **) Date: Sun, 3 Mar 1996 13:15:55 UTC Subject: Strassman & Marlow comment on NSA/remailers Forwarded message: >From ausman at wired.com Tue Feb 6 01:42:13 1996 Message-Id: <199602060109.RAA09056 at wired.com> To: sameer at CSUA.Berkeley.EDU Subject: has this been on cypherpunks? Date: Mon, 05 Feb 1996 17:09:17 -0800 From: Jim Ausman Received: (from daemon at localhost) by wired.com (8.7.3/8.7.3) id QAA27559 for pork-list; Mon, 5 Feb 1996 16:13:51 -0800 (PST) Received: from [204.62.132.47] (mckinley.wired.com [204.62.132.47]) by wired.com (8.7.3/8.7.3) with SMTP id QAA27543 for ; Mon, 5 Feb 1996 16:13:43 -0800 (PST) Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Mon, 5 Feb 1996 16:14:37 -0800 To: pork at wired.com From: kate at hotwired.com (Kate McKinley) Subject: CIA and you Sender: owner-pork at hotwired.com Precedence: bulk Status: O >Sorry to send this through the "help email address" but I couldn't find >your news email address. >I attended last weeks "Information, National Policies, and International >Infrastructure" Symposium at Harvard Law School, organized by the Global >Information Infrastructure Commission, the Kennedy School and the >Institute for Information Technology Law & Policy of Harvard Law School. >During the presentation by Paul Strassmann, National Defense University >and William Marlow, Science Applications International Corporation, >entitled "Anonymous Remailers as Risk-Free International Infoterrorists" >the questions was raised from audience (Professor Chaarles Nesson, >Harvard LAw School) - in a rather extended debate - whether the CIA and >similar government agencies are involved in running anonymous remailers >as this would be a perfect target to scan possibly illegal messages. >Both presenters explicitly acknowledged that a number of anonymous >remnailers in the US are run by government agencies scanning traffic. >Marlow said that the government runs at least a dozen remailers and that >the most popular remailers in France and Germany are run by the >respective government agencies in these countries. In addition they >mentioned that the NSA has successfully developed systems to break >encrypted messages below 1000 bit of key length and strongly suggested >to use at least 1024 bit keys. They said that they semselves use 1024 >bit keys. >I ask Marlos afterwards if these comments were off or on record, he >paused then said that he can be quoted. >So I thought I pass that on. It seems interesting enough, don't you >think? >Best >Viktor Mayer-Schoenberger >Information Law Project >Austrian Institute for Legal Policy Kate McKinley kate at hotwired.com CAVE CANUM \ \ \ \ \ \ \ \ \ | / / / / / / / / / / _______ ________ _____ _____ _____ /// \\\ ||| \\\ /// \\\ |||\\\///||| ||| ~~ ||| /// ||| ||| ||| \\// ||| ||| __ |||~~~\\\ |||~~~||| ||| ~~ ||| \\\ /// ||| \\\ ||| ||| ||| ||| ~~~~~~~ ~~~ ~~~ ~~~ ~~~ ~~~ ~~~ / / / / / / / / / | \ \ \ \ \ \ \ \ \ \ C y b e r s p a t i a l R e a l i t y A d v a n c e m e n t M o v e m e n t --****ATTENTION****--****ATTENTION****--****ATTENTION****--***ATTENTION*** Your e-mail reply to this message WILL be *automatically* ANONYMIZED. Please, report inappropriate use to abuse at anon.penet.fi For information (incl. non-anon reply) write to help at anon.penet.fi If you have any problems, address them to admin at anon.penet.fi Yet she became more and more promiscuous as she recalled the days of her youth, when she was a prostitute in Egypt. There she lusted after her lovers, whose genitals were like those of donkeys and whose emissions were like that of horses. So you longed for the lewdness of your youth, when in Egypt your bosom was caressed and your young breasts fondled. Ezekiel 23:19-21 Fight the Communications Decency Act or suffer not being able to transmit the Bible online. http://www.cdt.org/ I like cats, probably more than I should. They are cute, cuddly and kill things and then lay them at my feet in tribute. From electro at newwave.net Sun Mar 3 15:33:07 1996 From: electro at newwave.net (electro) Date: Mon, 4 Mar 1996 07:33:07 +0800 Subject: Any Ideas?? Message-ID: <199603032256.RAA29581@ns.newwave.net> Hello im new to this mailing list and I have seen alot of talk about re-mailers. I run my schools netconnection (it was just a Win 3.11 Computer before i got there) And I have installed Linux 1.2.8 (Slackware 2.3) (T-1 Connect!!!) I want to setup as mutch anonmized stuff (It whould all be free) that I can find. I have wrote shell scripts that let you ftp stuff and then download it by zmodem. But i havent benable to find WWW Baised Remailer Software or The software that anon.pennet.fi uses (not sure the name for it) If you have any ideas, or Places where I can find this software. Please e-mail me From mlove at olywa.net Sun Mar 3 15:55:50 1996 From: mlove at olywa.net (Matt Love) Date: Mon, 4 Mar 1996 07:55:50 +0800 Subject: Leslie Fish address? Message-ID: <19960303231302714.AAA296@[205.163.58.206]> Do you know of an e-mail address for Leslie Fish? m From frantz at netcom.com Sun Mar 3 15:56:53 1996 From: frantz at netcom.com (Bill Frantz) Date: Mon, 4 Mar 1996 07:56:53 +0800 Subject: Duress Message-ID: <199603032311.PAA16326@netcom7.netcom.com> At 2:49 PM 3/3/96 -0500, Dr. Dimitri Vulis wrote: >As a side remark, every burglar alarm connected to a phone that I've ever seen >has this feature: a code that one can type under duress that will both turn >off the alarm and call for help. I wonder how many users will remember this >code when under duress. The air-transport system has had a Hijack transponder code for years. The pilot dials it into the air traffic system radar transponder when the plane is hijacked. However there is a problem. One of the private pilot magazines reported that a small plane operator used the code (because his airplane was, in fact, being hijacked). When he landed the airplane, it was surrounded by LEA, and in the ensuing gun battle, everyone on the airplane died. The went on to say that the safety of the passengers and airplane are the pilot's primary responsibility and that pilots should consider this incident when deciding to use the code. Duress codes need to be designed to minimized the chance of such responses when they are used. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From unicorn at schloss.li Sun Mar 3 16:18:38 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 4 Mar 1996 08:18:38 +0800 Subject: Duress In-Reply-To: <2.2.32.19960303090718.006a7d38@arn.net> Message-ID: On Sun, 3 Mar 1996, David K. Merriman wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > >As a side remark, every burglar alarm connected to a phone that I've ever seen > >has this feature: a code that one can type under duress that will both turn > >off the alarm and call for help. I wonder how many users will remember this > >code when under duress. > > > > Many (if not most) alarm companies make the duress code the *reverse* of the normal code. This might backfire in the case of self-destructing data. If the attacker backs up the data, and enters the duress code, the real code is easy to guess the second time around. > > Dave Merriman > -----BEGIN PGP SIGNATURE----- > Version: 2.6.2 > > iQCVAwUBMTlEzsVrTvyYOzAZAQG9sAQAjfAQP6pEReh/vzx/dsJKU987FOMbqWgV > Ik/NtzW7fRRzVYmruribT1ZtPQAcPTkdORZC22xHvk82E/m9Awv9q6Zhkbd29/TQ > kcLQ42G3ddcUMA7EWtWtP231tofnyQtM5M7KRdIkKyT7oZdyXgjP42mysjGNDHAy > wv2VcfiPwPQ= > =fc6C > -----END PGP SIGNATURE----- > ------------------------------------------------------------- > "Giving money and power to government is like giving > whiskey and car keys to teenage boys." > P. J. O'Rourke (b. 1947), U.S. journalist. > <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> > For privacy tools: http://www.geocities.com/capitolhill/1148 > > > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From wlkngowl at unix.asb.com Sun Mar 3 16:19:19 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Mon, 4 Mar 1996 08:19:19 +0800 Subject: Crypto Export Legislation? Message-ID: <199603032329.SAA22483@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- I took a look at the text of the bill. There was a line in it making it a crime to use crypto in a way that obstructs a federal investigation. While understandable, this is too vague... it could easily be interpreted (IMO) as any strong crypto without escrow of some kind. Anyone else feel this way about that line in the bill? - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMTorUyoZzwIn1bdtAQEWJgGA1KdA1HtbX9L0U22rBLKFouIQHQniAdA3 lvimml/i+Z/KmYSmHGqkGBwCb1hAfSxc =E2ZA -----END PGP SIGNATURE----- From rich at c2.org Sun Mar 3 16:33:13 1996 From: rich at c2.org (Just Rich) Date: Mon, 4 Mar 1996 08:33:13 +0800 Subject: Interesting Identity Hacking Experiment: www.switchboard.com Message-ID: http://www.switchboard.com/ is a white pages directory. Basically, it's the Database America CD-ROM on the Web. The difference is, it's writeable, and free. Pretty cool. I don't think it was wise for them to allow anyone with an email address to change anyone else's white pages entry, though. Can anyone think of a prominent politician who would be in the phone book? The freeform "more information" field is just asking to be used. Potentially interesting applications for anonymous web proxies and secure pseudonym servers. At least they don't make direct changes to the database -- I'd guess they only set a flag to look in the separate user-supplied file. I.e., I changed my entry, then hit "unregister," and all the original information returned immediately. -rich From ses at tipper.oit.unc.edu Sun Mar 3 17:06:31 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Mon, 4 Mar 1996 09:06:31 +0800 Subject: Leslie Fish address? In-Reply-To: <19960303231302714.AAA296@[205.163.58.206]> Message-ID: On Sun, 3 Mar 1996, Matt Love wrote: > > Do you know of an e-mail address for Leslie Fish? try asking on alt.music.filk; obcrypto: Has anybody tried setting RSA or DH to music; then trying to export a recording, espeically if the tpae can be understood by a voice recognition system? That would make t-shirts look sensible --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From unicorn at schloss.li Sun Mar 3 17:27:25 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 4 Mar 1996 09:27:25 +0800 Subject: Duress In-Reply-To: <199603032311.PAA16326@netcom7.netcom.com> Message-ID: On Sun, 3 Mar 1996, Bill Frantz wrote: > At 2:49 PM 3/3/96 -0500, Dr. Dimitri Vulis wrote: > > >As a side remark, every burglar alarm connected to a phone that I've ever seen > >has this feature: a code that one can type under duress that will both turn > >off the alarm and call for help. I wonder how many users will remember this > >code when under duress. > > The air-transport system has had a Hijack transponder code for years. The > pilot dials it into the air traffic system radar transponder when the plane > is hijacked. Of course, all smart air piracy buffs know the transponder code is 7600, and refuse to allow the pilots to use it. > However there is a problem. > > One of the private pilot magazines reported that a small plane operator > used the code (because his airplane was, in fact, being hijacked). When he > landed the airplane, it was surrounded by LEA, and in the ensuing gun > battle, everyone on the airplane died. The went on to say that the safety > of the passengers and airplane are the pilot's primary responsibility and > that pilots should consider this incident when deciding to use the code. > > Duress codes need to be designed to minimized the chance of such responses > when they are used. > > Regards - Bill > > > ------------------------------------------------------------------------ > Bill Frantz | The CDA means | Periwinkle -- Computer Consulting > (408)356-8506 | lost jobs and | 16345 Englewood Ave. > frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA > > > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From sj at io.com Sun Mar 3 18:09:55 1996 From: sj at io.com (Steve Jackson) Date: Mon, 4 Mar 1996 10:09:55 +0800 Subject: Electronic Freedom press release Message-ID: At 1:50 PM 3/3/96, LibertyWMA at aol.com wrote: (quoting George Phillies) > When the Secret >Service raided Steve Jackson Games to suppress publication of 'Hacker' I >immediately wrote Congress to protest. Serious distortion of the facts. "Hacker" was published as a reaction to the raid; it was not the target of the raid. The book you are thinking about is GURPS CYBERPUNK, which the Secret Service encouraged us to believe was the object of the raid, but testimony at the trial indicated that that was not the case. The SS was ignorantly indifferent to free speech and publisher's rights, rather than taking direct aim at them. See www.io.com/SS/ for more information. Our case was a victory, but if it is cited in support of irrelevancies, it has no more meaning than if it is forgotten completely. Steve Jackson, sj at io.com - this will do till I fix my .sig file . . . From alanh at infi.net Sun Mar 3 18:25:43 1996 From: alanh at infi.net (Alan Horowitz) Date: Mon, 4 Mar 1996 10:25:43 +0800 Subject: NYT login In-Reply-To: <199603032135.QAA21850@bb.hks.net> Message-ID: The tobacco companies need a forum. And they are used to spending big bucks on sponsoring things. From tony at secapl.com Sun Mar 3 19:09:56 1996 From: tony at secapl.com (Tony Iannotti) Date: Mon, 4 Mar 1996 11:09:56 +0800 Subject: Anonymous Web Browsing In-Reply-To: <199603030038.QAA06256@ix2.ix.netcom.com> Message-ID: I think the simplest solution is to not use Netscape for mail. Don't put your address in there in the first place. On Sat, 2 Mar 1996, Bill Stewart wrote: > >Note to Netscape people: Is it possible to have an option that will *always* > >pop up a mail window and request confirmation before mail is sent out? Or > >disable mailto altogether? It would be a lot easier than binary editing > >the executable to remove all the mailto strings... > > At least in the Windows version, you can set the SMTP server you > want to use for your outgoing mail. So you could do a proxy email server > that listens for SMTP and pops up confirmations for outgoing traffic. > For the moment, you'd probably have to write your own, but the new > Winsock Remailer probably has the code you need to do most of the work, > and you'd only have to add some GUI buttons and whistles. > > #-- > # Thanks; Bill > # Bill Stewart, stewarts at ix.netcom.com / billstewart at attmail.com +1-415-442-2215 > # http://www.idiom.com/~wcs Pager +1-408-787-1281 > > From PADGETT at hobbes.orl.mmc.com Sun Mar 3 19:16:59 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Mon, 4 Mar 1996 11:16:59 +0800 Subject: Third Generation Problems Message-ID: <960303193329.2020177f@hobbes.orl.mmc.com> Bill rites: >Duress codes need to be designed to minimized the chance of such responses >when they are used. Absolutely but is a third generation problem: First generation: being able to protect the information (encryption) Second Generation: being able to respond to risks (duress) incurred by the first generation solution (duress codes) Third Generation: being able to respond to risks incurred by using the second generation response (using the duress codes). Is nice to plan for each up front but often the succeding generation risks only become apparent after living with the preceeding generation solution for a while. This should not prevent anyone from implementing the first because of what *might* happen in the second. "Doing nothing" is a sound solution only for politicians. Besides the purpose of "duress codes" is not just to provide an avenue for use in case of threat, it is also to deter the threat in the first place by reducing the "win" probability for those who might issue the threat. (previously mentioned a very real consideration for the fifth amendment. will not repeat.) Warmly, Padgett From tcmay at got.net Sun Mar 3 19:32:41 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 4 Mar 1996 11:32:41 +0800 Subject: Destroying the Internet in order to save the Internet Message-ID: WARNING: If you are under 18, do not read or download this message! You have been warned, and I take no further responsibility for your actions. It has become necessary under the Communications Decency Act to make this warning. Furthermore, quoted material may also contain material, so censorship of certain words and ideas may be necessary. At 11:14 PM 3/3/96, Bill Frantz wrote: >One of the private pilot magazines reported that a small plane operator >used the code (because his airplane was, in fact, being hijacked). When he >landed the airplane, it was surrounded by LEA, and in the ensuing gun >battle, everyone on the airplane died. The went on to say that the safety ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The pilot was flying an airplane. Airplanes are often used to transport drugs. Sometimes you have to destroy the village in order to to save the village. (A lesson being used by those who realize we have to destroy free speech in order to save free speech, and to destroy the Internet in order to save the Internet. Blair House is aptly named.) --Alan Smithee From vznuri at netcom.com Sun Mar 3 19:34:04 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Mon, 4 Mar 1996 11:34:04 +0800 Subject: book idea: info terrorism/espionage etc. Message-ID: <199603040045.QAA24345@netcom5.netcom.com> hey, I understand a sequel to Puzzle Palace by Bamford and someone else is due to be published soon. is this correct? when is the due date? has anyone heard about this? I've been seeing a lot of early lead articles from other reporters, such as a GNN article awhile ago, and an assertion that the NSA is working with the GCHQ to monitor American citizens. I was just thinking what an interesting book this could be. if it doesn't cover the ideas of "information terrorism" that are hinted in e.g. Strassman's remailer paper, it seems this is a vacuum that could be filled with a very significant/interesting tome by someone. I hope Levy's cryptography book covers some of these areas too. I would like to just see one entire chapter dedicated to the way the spooks seem to be doing a "bait and switch" now that the cold war is over, with economic espionage and all that. easily an entire book could be dedicated to this subject. I've seen a lot of editorials on reforming the spook apparatus, and it seems now is the prime moment for some very influential books to come out to influence future policy ideas. From not-for-mail at gate.overcom.com Sun Mar 3 19:34:33 1996 From: not-for-mail at gate.overcom.com (not-for-mail at gate.overcom.com) Date: Mon, 4 Mar 1996 11:34:33 +0800 Subject: hjhf Message-ID: <4hdeb3$1qu@gate.overcom.com> dhjdf dfhj dhj From usenet at gate.overcom.com Sun Mar 3 19:42:48 1996 From: usenet at gate.overcom.com (usenet at gate.overcom.com) Date: Mon, 4 Mar 1996 11:42:48 +0800 Subject: blah Message-ID: <4hdcko$1f8@gate.overcom.com> sdfjhs sdjhsfj From WlkngOwl at UNiX.asb.com Sun Mar 3 19:48:40 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Mon, 4 Mar 1996 11:48:40 +0800 Subject: (Fwd) White House mail bomb protest? Message-ID: <199603040145.UAA04626@UNiX.asb.com> In regards to the few messages about mailbombing the prez's box... ------- Forwarded Message Follows ------- |From jms at tennis.opus1.com Sun Feb 11 06:57:22 1996 |From: jms at tennis.opus1.com (Joel M Snyder, writing fool) |Subject: High mail volumes at whitehouse.gov |Newsgroups: comp.mail.misc,comp.security.misc,news.admin.net-abuse.misc |Date: 9 Feb 96 16:03:20 -0700 |Organization: Opus One, Tucson, Arizona |Message-ID: <1996Feb9.160320.495 at tennis.opus1.com> Folks: Good day. By way of introduction, I'm the consultant who did the "anti-mailstorm/anti-mailbomb" software that runs on the MX host for WHITEHOUSE.GOV. Now that the Telecom. Act of 1996 has been signed, the volume of mail through WHITEHOUSE.GOV has gone up significantly. For example, there were about 85,000 lines in the mail log file yesterday. Most of that is just people who want to express their opinion. However, several misguided individuals have decided that they want to throw a monkey wrench into the works by storming the President's email. I'm writing this to let any system administrators out there know that you may find mail from your site to WHITEHOUSE.GOV is not moving very quickly. This is normal; it's a sign that the automatic protections of that system have kicked in. Without going into details, if too many messages come from a single site, the mail handler will throttle back accepting messages. Eventually, though, the mail will be accepted for delivery. If you have legitimate mail, it will eventually get through (many messages from the same correspondent will be flushed without acknowledgement). However, correspondents who were used to getting a reply within seconds telling them that their message was accepted may see a substantial delay. Finally, if any users on your site have any delusions about the effect of a mail bomb or storm of mail, let me help you dispel them: (1) no one important enough to make a difference will be affected or know or care; (2) if the messages are nasty or threatening enough, someone equally nasty may come and visit; (3) what you'll succeed most in doing is ruining the weekends and/or days of underpaid civil servants as well as wasting federal tax dollars. Please feel free to redistribute this or use parts of it in your motd. Joel Snyder (jms at opus1.com) PS: I don't read these newsgroups and am spending most of the weekend trying to make sure that the mail system doesn't melt down anyway, so if there is discussion on this, I won't see it. --------- end forwarded mesage ------------- Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From unicorn at schloss.li Sun Mar 3 19:48:52 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 4 Mar 1996 11:48:52 +0800 Subject: Duress In-Reply-To: Message-ID: On Sun, 3 Mar 1996, Black Unicorn wrote: > Of course, all smart air piracy buffs know the transponder code is 7600, > and refuse to allow the pilots to use it. Typo on my part. This should, of course, read 7500. > --- > My prefered and soon to be permanent e-mail address: unicorn at schloss.li > "In fact, had Bancroft not existed, potestas scientiae in usu est > Franklin might have had to invent him." in nihilum nil posse reverti > 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information > > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From dlv at bwalk.dm.com Sun Mar 3 20:00:59 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Mon, 4 Mar 1996 12:00:59 +0800 Subject: Mainstreaming PGP on Usenet In-Reply-To: <2.2.32.19960303191053.00697678@mail.aracnet.com> Message-ID: Bruce Baugh writes: > I'm surprised nobody has brought this up before.... > > FIRST CALL FOR VOTES (of 2) > moderated group soc.culture.russian.moderated > > > > 6. Individuals in the database of known readers may post freely to > the group, subject to the conditions in sections 1-4 above. If need > arises, the robomoderator may perform PGP verification of the > identity of the known reader and, if the reader requests so, > automatically reject all the submissions from the reader without > a valid PGP signature. Igor Chudov, who coded the robomoderator, reads Cypherpunks, and is known to appreciate and use good suggestions. One issue that hasn't been addressed by the s.c.r.m robomod is the possibility of persistent nyms: that is, Alice D. Nonymous somehow makes her public key known to the robomod; and later if someone submits an article via some anon remailer claiming to be hers, it would be rejected if the signature doesn't check. Of course, her true submissions would be accepted from any remailer. How could such protocol be implemented? (Of course, some people have what they believe to be valid reasons not to use PGP.) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From tcmay at got.net Sun Mar 3 20:38:35 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 4 Mar 1996 12:38:35 +0800 Subject: FW: Communications Decency Act (hee-hee) Message-ID: WARNING: If you are under 18, do not read or download this message! Please delete this message NOW and do not either archive it or pass it on. You have been warned, and I can take no further responsibility for your actions. It has become necessary under the Communications Decency Act to make this warning. Regrettably, my political views and financial condition make me a potential target for prosecutors seeking to "set an example" as well as to collect the $500,000 penalties for proving a violation of the CDA. Hence my caution. Furthermore, quoted material may also contain putatively indecent material, as the CDA makes much of ordinary speech a felony if communicated by means of computer, so censorship of certain words and ideas may be necessary. At 2:54 AM 3/4/96, blanc wrote: >Scott Adams, the author of Dilbert, contributes this to the debate: >>From now on, whenever I get the urge to use an offensive word in e-mail I >will substitute the name of an offensive politician. I urge you to do >the same. > >The beauty of this approach is that they can't easily ban these new >naughty words without changing their own names. I know I could get in >trouble for suggesting such a thing, but I don't give a [exonized] >what they think. And if they don't like it they can come over here and >[exonized]. This is of course an old idea. Regrettably, the CDA is not based on a simple bright line test invovling the "Seven [exonized] Words," immortalized in the FCC--Carlin--Pacifica case. Rather, "indecent" is broadly interpreted to mean essentially whatever a prosecutor can convince a panel of bluenosed citizens is indecent. In particular, the examples Blanc includes, which I have exonized to protect myself from having to pay up to $500,000 in fines (and wouldn't you guess that they'd love to make an example out of me...and collect from me!), are still likely to be considered "indecent," as the allusions about what Gingrich can do are still clear. Welcome to the Fourth Reich. --Alan Smithee, for obvious reasons Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From olcay at libtech.com Sun Mar 3 21:00:52 1996 From: olcay at libtech.com (Olcay Cirit) Date: Mon, 4 Mar 1996 13:00:52 +0800 Subject: Request Comments: Transpose/XOR Hash Message-ID: <199603040416.XAA23922@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Hi! I'm working on a cipher that utilizes Cipher Block Chaining and One-way hashing to create a sequence of pseudo-random numbers to XOR against a plaintext. I'd like to know if anyone has comments regarding the hash method I came up with. It is a combination of Transposition and XORing. Basically, it works like this: Let's say K is the 8 character key that will be hashed. There are two binary accumulators M and L, which store the Most and Least significant bits in each byte of K. After M and L are both 8 bits long, they are XORed together and the resulting value replaces byte N in the Key. This is repeated 8 times, and each time, N is incremented by one. Any thoughts, comments? -olcay - -- "For he who lives more lives than one, |) Olcay Cirit -- olcay at libtech.com more deaths than one must die" (| http://www.libtech.com/olo2.html - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMTpumyoZzwIn1bdtAQHnqAGA2CzuLVpiPdRQ84MuC8aBxy7vcIZsujLr 85hGcVoknfAujjXFoy7KOxGQrZt3RorK =jQ7w -----END PGP SIGNATURE----- From nobody at REPLAY.COM Sun Mar 3 21:35:28 1996 From: nobody at REPLAY.COM (Anonymous) Date: Mon, 4 Mar 1996 13:35:28 +0800 Subject: Netcom and Credit Cards Message-ID: <199603031722.SAA21685@utopia.hacktic.nl> "If someone's hacked our systems, we'd certainly like to know about it, although it's very doubtful; more likely, this just someone trying to make you nervous" - Netcom admin, 2600, Summer 1994 "Recent reports indicate that Netcom's credit file, stored online and containing information on all their customers, has been compromised" - 2600 Magazine, Autumn 1994 Netcom claim Mitnick broke in during xmas 94, when the reality is that every half decent hacker had already been there. Netcom are an INTERNET PROVIDER!!! You would expect them to know a thing or two about security. But then again, even security samurais have problems setting up firewalls :-) From dlv at bwalk.dm.com Sun Mar 3 21:50:01 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Mon, 4 Mar 1996 13:50:01 +0800 Subject: Mainstreaming PGP on Usenet In-Reply-To: Message-ID: Just Rich writes: > comp.os.ms-windows.announce will also start using PGPMoose when I get > around to it, probably today. All moderated newsgroups should use it. However the robomoderator that Igor Chudov wrote uses digital signatures to authenticate _posters as follows: there's a "white list" (as opposed to "black list") of trusted posters whose submissions will be approved and posted automatically, without going through any moderator. A person on the "white list" can request that the robomod check his signature and not post it if the submission may be a forged e-mail. I strongly urged Igor to make digital signatures mandatory for "white list" membership, but he argued that a lot of likely posters lack the brains to use PGP. The robomod will look at things like "Received" lines in the e-mailed submission to try and detect forgeries. While at it, here's a pre-filled ballot. Just add your name and e-mail it to russian-vote at netagw.com. ===== BEGINNING OF BALLOT: Delete everything BEFORE this line ===== ------------------------------------------------------------------- soc.culture.russian.moderated Ballot (Do not remove this marker!) ------------------------------------------------------------------- Please provide your real name, or your vote may be rejected. Place ONLY your name (ie. do NOT include your e-mail address or any other information; ONLY your name) on the next line beside "Voter name:". Voter name: ------------------------------------------------------------------- Insert YES, NO, ABSTAIN, or CANCEL inside the brackets for each newsgroup listed below (do not delete the newsgroup name): Your Vote Newsgroup --------- --------- [ YES ] soc.culture.russian.moderated (moderated) ------------------------------------------------------------------- ===== END OF BALLOT: Delete everything AFTER this line ============ Vote YES to see how a robomoderator that uses PGP works out. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From electro at newwave.net Sun Mar 3 22:42:48 1996 From: electro at newwave.net (electro) Date: Mon, 4 Mar 1996 14:42:48 +0800 Subject: Truelly Random Numbers Message-ID: <199603040141.UAA01565@ns.newwave.net> At 06:16 PM 3/3/96 -0500, you wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >Mark Allyn 206-860-9454 wrote: >[..] >> Take a piece of non conducting board, say about six by six >> feet. Put electrodes on it; say a pair of electrodes every >> quarter inch or so across and down. >> >> Each pair of electrodes would be connected to logic so that >> it generates a unique number. When the electrodes are shorted, >> the number would be generated. > >Quite elaborate. And unless you live in a rainy part of the world, not >very useful. > >Better off using those contraptions where little steel balls fall around >the electrodes. There's some entropy there... but still, it's too >elaborate for RNG generation. >- --- Well how about putting a 'noise meter' in place of the 'rain sensor' and then just hang it out the window or any place that has some noise. From jpp at software.net Sun Mar 3 23:04:21 1996 From: jpp at software.net (John Pettitt) Date: Mon, 4 Mar 1996 15:04:21 +0800 Subject: Looking for code to run an encrypted mailing list Message-ID: <2.2.32.19960304053309.00bd5ec8@mail.software.net> I'd like to run an encrypted mailing list - the model I'm linking of is this .. Poster cryptes mail with pgp using list exploder key. List exploder decrypts mail and recrypts with keys for all current list members and then sends the mail. [I don't want all the list members to need to know every other list members public key] Before I lanch into hacking majordomo - has anybody done this already or somthing like it ? John -- John Pettitt email: jpettitt at well.sf.ca.us (home) jpp at software.net (work) From cp at proust.suba.com Sun Mar 3 23:06:30 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Mon, 4 Mar 1996 15:06:30 +0800 Subject: your mail In-Reply-To: <199603040440.FAA28574@utopia.hacktic.nl> Message-ID: <199603040533.XAA07799@proust.suba.com> There's an obvious solution to this problem. Run a public remailer, and route your traffic through your own site. From tcmay at got.net Sun Mar 3 23:07:46 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 4 Mar 1996 15:07:46 +0800 Subject: FUD about Remailers--the Strassman/Marlow "Revelations" Message-ID: I didn't imagine that people would take the off-the-wall assertions here seriously, but "Anonymous" seems quite worried, so some comments can't hurt. At 4:40 AM 3/4/96, Anonymous wrote: > >>Both presenters explicitly acknowledged that a number of anonymous >>remnailers in the US are run by government agencies scanning traffic. >>Marlow said that the government runs at least a dozen remailers and that >>the most popular remailers in France and Germany are run by the >>respective government agencies in these countries. In addition they Oh really? And just which remailers are in France and Germany? (Raph's list doesn't show any ".de" or ".fr" sites, at least that I could see. It's possible that a site or two exists in France or Germany, but I'm skeptical. And certainly the "the most popular remailers in France and Germany" is an odd comment.) There are of course remailers in the Netherlands (Hacktic, for example), and Julf's site in Finland. Perhaps Marlow mistook these countries for France and Germany? In any case, the claim that the few sites in Europe are "at least a dozen remailers" and that they are run by the intelligence agencies of France and Germany is specious. I consider it unlikely that the remailer operators are working for the spooks. (Something to consider in the future, and even to be thoughtful about now. But unlikely at this time, with the current players, for various reasons.) Further, as with other recent comments we've seen, the authors seem to misunderstand the nature of chained remailers. These errors, plus the apparently slapdash way the article was cut-and-pasted together (from the Web pages of others, usually without acknowledgement), plus the scare tactic tone, makes me dismiss the entire "paper." >>mentioned that the NSA has successfully developed systems to break >>encrypted messages below 1000 bit of key length and strongly suggested >>to use at least 1024 bit keys. They said that they semselves use 1024 >>bit keys. As others have also noted, just FUD to confuse and scare. > I don't know about everyone else, but I consider this, if true, to be a >MAJOR worry. It never ceases to amaze me how lightly the government takes >lying to the people. Unfortunately I don't have the contacts or resources >to do any further investigation, I hope this thread is resolved one way or >another soon. > >nobody at unimportant "Investigation" can be done by doing what I just did: looking for these supposed "dozens" of the "most popular" remailer sites, looking for them in France or Germany, and not finding them. (Maybe they're secret, known only to CIA, SDECE, and BND operatives? The operative word being "paranoid.") --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From blancw at accessone.com Sun Mar 3 23:12:02 1996 From: blancw at accessone.com (blanc) Date: Mon, 4 Mar 1996 15:12:02 +0800 Subject: FW: Communications Decency Act (hee-hee) Message-ID: <01BB094A.D39E08C0@blancw.accessone.com> From: Timothy C. May This is of course an old idea. Regrettably, the CDA is not based on a simple bright line test invovling the "Seven [exonized] Words," immortalized in the FCC--Carlin--Pacifica case. Rather, "indecent" is broadly interpreted to mean essentially whatever a prosecutor can convince a panel of bluenosed citizens is indecent. .................................................................... Well, if you were prosecuted, you could always explain what it means to kiss your "Gingrich" by pointing to any part of your body you choose. Of course they would be indicating, by their accusations, that they know enough about indecency to become suspicious over the resemblance.... (such sensitive people) .. Blanc From unicorn at schloss.li Sun Mar 3 23:29:50 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 4 Mar 1996 15:29:50 +0800 Subject: Duress Message-ID: <199603040535.VAA25193@netcom7.netcom.com> On Sun, 3 Mar 1996, Bill Frantz wrote: > >Of course, all smart air piracy buffs know the transponder code is 7600, > >and refuse to allow the pilots to use it. > > It changes from time to time. Of course subscribing to an IFR chart > service will keep you up-to-date with the changes. You should forward this to the list. > > Regards - Bill > > > ------------------------------------------------------------------------ > Bill Frantz | The CDA means | Periwinkle -- Computer Consulting > (408)356-8506 | lost jobs and | 16345 Englewood Ave. > frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA > > > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From unicorn at schloss.li Sun Mar 3 23:55:12 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 4 Mar 1996 15:55:12 +0800 Subject: Looking for code to run an encrypted mailing list In-Reply-To: <2.2.32.19960304053309.00bd5ec8@mail.software.net> Message-ID: On Sun, 3 Mar 1996, John Pettitt wrote: > I'd like to run an encrypted mailing list - the model I'm linking of is this .. > > Poster cryptes mail with pgp using list exploder key. List exploder decrypts > mail and recrypts with keys for all current list members and then sends the > mail. > > [I don't want all the list members to need to know every other list members > public key] > > Before I lanch into hacking majordomo - has anybody done this already or > somthing like it ? Someone asked this a little while ago. I don't recall if there was an answer. I hope so, I'd be interested too. > > John > -- > John Pettitt > email: jpettitt at well.sf.ca.us (home) > jpp at software.net (work) > > > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From cmca at alpha.c2.org Sun Mar 3 23:58:06 1996 From: cmca at alpha.c2.org (Chris McAuliffe) Date: Mon, 4 Mar 1996 15:58:06 +0800 Subject: Remailers run by spooks In-Reply-To: <199603040511.AAA24235@bb.hks.net> Message-ID: <199603040655.WAA18580@eternity.c2.org> -----BEGIN PGP SIGNED MESSAGE----- [To: Just Rich ] [cc: cypherpunks at toad.com] [Subject: Re: Remailers run by spooks ] [In-reply-to: Your message of Mon, 04 Mar 96 00:11:09 EST.] <199603040511.AAA24235 at bb.hks.net> >However, I also have no doubt that Strassmann and Marlow are spreading >disinformation and exaggerating their capabilities in an attempt to break >the web of trust and incite a witch hunt. It won't work. The answer in any >case is more use of remailers, not less. Just turn up the noise level. >You already know that nothing is 100% secure, but you do what you can. >It's a war of attrition. I agree with turning up the noise level. For a few weeks now I've been using the following script: #!/bin/ksh while sleep `roll 1 7 1`000 do roll 1 10000 `roll 1 200 1` | "a chain of remailers back to me" done I've deleted the actual command to do the remailing, since it is homegrown. Back at this end, I recognise the incoming mail and throw it away. So I never get to see it, but there is a steady stream of encrypted traffic both in and out. The "roll" command, by the way, is a perl script I picked up off the net, and it is very handy to have around: #!/usr/bin/perl $low = $ARGV[0]; $high = $ARGV[1]; $count = $ARGV[2]; $high = $high - $low + 1; # seed the random process, and generate a few to be thrown away. srand($$+time); for ($i = rand(1000)/50; $i >= 0; --$i) { rand(1000); } # generate for ($i = 0; $i < $count; ++$i) { $v = int(rand($high)) + $low; print $v, "\n"; } Chris McAuliffe (No, not that one.) -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMTqKi4HskC9sh/+lAQGZigQAjOcE1xU08shVqA/8wdnworQVKr9nHSCh xZEa5N6pBnV6rxvLJYC8QZMkYj/OcUzyZDUg10unqBLDjtgChSBhG61F/V5RWNOc X4IuTJAt1sIxplT6UU3OvLo7AaaNdSgz886X/M4ssnlIubOo7b+jNlxccMLr7PKK FYuLndXjspg= =knru -----END PGP SIGNATURE----- From hayden at krypton.mankato.msus.edu Mon Mar 4 18:50:19 1996 From: hayden at krypton.mankato.msus.edu (Robert A. Hayden) Date: Mon, 4 Mar 96 18:50:19 PST Subject: [BABBLE] Like a Rolling Stone Message-ID: -----BEGIN PGP SIGNED MESSAGE----- I just got off the phone with a writer from Rolling Stone magazine. They are going to be doing an article about the Geek Code. Isn't that just groovy? Maybe they'll let me be on the cover and I can do one of those Howard Stern nude things..... -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: PGP Signed with PineSign 2.2 iQCVAwUBMTuPhjokqlyVGmCFAQGzoAQAqdHYz6tMEPlu/4n/nsrYO/eIz96K/ZSJ 44Gzehrtrlw0zg6rpdWab7BzbCapjqJEgnupRsGRVzlQ449LYLVZ2KIHwMfK5zFe 0hS57USj1ShQyqeNv6K2qGmH38n5/U6oAgnpXo8LPBWgkN9zxBI04hiBtoeQrnak UCfeg31EmWU= =Vq8N -----END PGP SIGNATURE----- ____ Robert A. Hayden <=> hayden at krypton.mankato.msus.edu \ /__ Finger for Geek Code Info <=> Finger for PGP Public Key \/ / -=-=-=-=-=- -=-=-=-=-=- \/ http://krypton.mankato.msus.edu/~hayden/Welcome.html -----BEGIN GEEK CODE BLOCK----- Version: 3.1 GED/J d-- s:++>: a-- C++(++++)$ ULUO++ P+>+++ L++ !E---- W+(---) N+++ o+ K+++ w+(---) O- M+$>++ V-- PS++(+++)>$ PE++(+)>$ Y++ PGP++ t- 5+++ X++ R+++>$ tv+ b+ DI+++ D+++ G+++++>$ e++$>++++ h r-- y+** ------END GEEK CODE BLOCK------ From tcmay at got.net Mon Mar 4 19:38:43 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 4 Mar 96 19:38:43 PST Subject: Bombings, Surveillance, and Free Societies Message-ID: At 1:28 AM 3/5/96, Phillip M. Hallam-Baker wrote: >Timothy C. May wrote: > >>The Red Brigade in Italy sought a fascist crackdown, and >> the "strategy of tension" is common. (And even revolutionists of crypto >> anarchist persuasion often think laws like the CDA are good in the long >> run, by undermining respect for authority and triggering more extreme >> reactions....) > >It is important to note in this regard that the worst bombing in Italy was >the Bologna station bombing, now decisively linked to right wing facist >groups the involvment in which of ex-prime minister Adreotti is shortly to >be examined in a criminal trial. The point being that the extreemists play >into each others hands. Yes, it is hard to know even which side is pulling the strings. The WW2 Italian fascist commando leader, Otto Skorzeny, not only rescued Mussolini from a ski chalet, he also helped set up the PLO in the 1960s, and consulted for the OSS, CIA, and such. (There is much more to say about this, and about the role of the early NSA in such affairs. However, continuing down this path will produce the inevitable perrygrams from the acerbic Mr. Metzger demanding "What does this have to [whatever my current interest is]?")) >> -- expect the various laws about "talking about explosives on the Net" to >> be used to clamp down on various fringe groups > >Hang on here, some of those groups are actively conspiring to commit >terrorist acts. If someone sends a message saying "lets plant a bomb >under a federal building, that will show them" I'm not worried if the >govt. decides to arrest a few people. There is a border between free >speech and conspiracy to murder which some people have crossed. I don't buy this. I said "talking about explosives on the Net," not openly conspiring to plant bombs in federal buildings. A big difference. (Not that I am aware of the OKC bombers discussing their plans on the Usenet.) >> I predict that it will take about 5 more major bombings in European and >> American cities to trigger substantive changes in laws. > >Generally it takes two. The legislation is written after the first and >then staled until being passed on the second. I am sandbagging by saying "5." I wasn't referring to 5 in, say, the U.S., but to 5 or so "horrific" bombs in Western countries, plus Israel. A second Oklahoma City-type bombing may be enough, a Sarin attack that kills 1,000 will almost surely be enough. (In the bigger scheme of things, the 150-200 or so who died in OKC are a drop in the bucket, and I wouldn't advocate _any_ new surveillance laws for them...putting a day care center in a soft target demonstrates the callousness of the Feds.) >> Personally, while I feel sorry for the dead in Israel, I think anyone who >> moves to a small desert state surrounded on all sides by Arabs who want >> their land back is asking for trouble. > >A point to consider is that there are many Isralis born in Israel who have no >other home. These people did not ask to be born in the middle of a desert >state. As with the Irish problem it is easy to solve if one could change >the past. The fundamental problem being that the wrong side won at Hastings. Let me use the language Bill Stewart used a while back, language which skirts the issue of "right" and "wrong" even more neatly than I did (when I said the Jews were "asking for trouble"): "If a religious group uses force to expel the current occupants of a desert region, and expels them to just beyond their borders, it is "unsurprising" that those expelled, and their children, and their children's children, will swear a blood oath to drive the group into the sea." Put another way, I will not be "surprised" to wake up one morning and hear on CNN that Tel Aviv has been vaporized in a nuclear explosion. Nor will I be surprised to similarly learn that Damascus has been vaporized, and so on. Being an atheist, I treat all religious mystics as suspect. When a bunch of people leave London and Chicago and Paris to live in the desert, surrounded by sworn enemies with nuclear capabilities, I think whatever happens to them is...."unsurprising." I hope this makes my outlook clearer. (And Cypherpunks should fully understand that information-trading systems and unbreakably encryption--the very technologies we so ardently are pushing--make certain actions even less "surprising" than might otherwise be the case. Think of it as evolution in action.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From a.brown at nexor.co.uk Mon Mar 4 04:06:19 1996 From: a.brown at nexor.co.uk (Andy Brown) Date: Mon, 4 Mar 1996 20:06:19 +0800 Subject: Is there any work on entropy-lowering schemes? In-Reply-To: <199603040206.SAA07584@ix14.ix.netcom.com> Message-ID: <313AD43B.4A68@nexor.co.uk> Bill Stewart wrote: > Peter Wayner's work on Mimic Functions does just this sort of thing. > You can describe a grammar, feed it random bits, and generate output that > has the right statistics and can be reversed to get the original bits. > His paper was on cs.cornell.edu a few years ago; don't know where > to find it now. If anyone finds out where Mimic has moved to I'd be very interested. Thanks, - Andy From ses at tipper.oit.unc.edu Mon Mar 4 04:16:38 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Mon, 4 Mar 1996 20:16:38 +0800 Subject: Teach the children well... Message-ID: I got the latest copy of the latest ComputerWare catalog (they're a big mac dealer). Up front, in there list of new releases was something that looked fun; --- Top Secret Decoder (CD-ROM) Ages 8-12 Mysterious, marvelous, mind-stretching software for kids who love creating and cracking secret codes. Kids'll sharpen their critical-thinking skills and earn top-otc secret agent credentials. Includes 300 code-cracking challenges, spectacular printing, plus 10 difficulty levels. $39.99 Houghton Mifflin Interactive ----- There is no truth to the rumours that they are POTP or IPG licencees. If you beat level 10, an animated Jim Bizdos comes out and does a little dance Take a copy along when you do your visit for NetDay Simon --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From jya at pipeline.com Mon Mar 4 06:45:25 1996 From: jya at pipeline.com (John Young) Date: Mon, 4 Mar 1996 22:45:25 +0800 Subject: NYT on Crypto Bills Message-ID: <199603041358.IAA23170@pipe1.nyc.pipeline.com> The New York Times, March 4, 1996, p. D4. Compromise Bills Due on Data Encryption Industry Opponents and Civil Libertarians Are Lukewarm, at Best By John Markoff Legislation will be introduced in the House and the Senate tomorrow in an effort to break the deadlock between the computer industry and the Clinton Administration over the control and export of software and hardware used to scramble electronic data. So far, though, the proposed measures have received only cautious endorsement from industry executives, while civil-liberties and privacy groups say they are worried that the bills would enable the Government to decode scrambled transmissions. Senator Patrick J. Leahy, Democrat of Vermont, and Representative Bob Goodlatte, Republican of Virginia, plan to introduce similar bills that affirm the right of Americans to use any type of data-coding equipment without restriction and prohibit the mandatory use of special keys that would allow law-enforcement agencies to read scrambled data. Their bills would also make it a crime to use encryption technology in committing a crime and would permit the export of data-coding software and hardware if similar technology was available from a foreign supplier. Data-coding, or encryption, technology is based on mathematical formulas that rely on the immense computing challenge inherent in factoring large numbers. Until recently, such technology was largely used by military and intelligence organizations and by some corporations like banks. As electronic mail and commerce have become increasingly accessible, however, the technology has become more controversial. In April 1993, the Clinton Administration proposed a national data-encryption standard known as Clipper, based on a system that would have made it possible for law-enforcement agencies, if authorized by a court, to decode private voice and data communications. The Clipper initiative has been strongly opposed by industry executives and privacy advocates. They argue that reliable coding technology is essential for commerce and privacy protection on the Internet. They also say that strict export rules are increasingly hindering the ability of United States corporations to compete with foreign suppliers. The proposed legislation would ease some current restrictions on the exporting of data-coding systems, but civil libertarians still see areas of concern. "The bills relax export controls, which is clearly a step in the right direction," conceded Marc Rotenberg, director of the Electronic Privacy Information Center, a Washington research and policy organization. But the negatives, he said, were that the bills opened the door to Government access to private transactions "and criminalize the use of cryptography when it is used to perpetrate a crime." Industry officials said they expected the legislation to stir little enthusiasm from corporate users. "Corporate America is absolutely unwilling to give a third party control of their data," said Jim Bidzos, chief executive of RSA Data Security, a maker of encryption software based in Redwood City, Calif. [End] From qut at netcom.com Mon Mar 4 06:51:24 1996 From: qut at netcom.com (Dave Harman) Date: Mon, 4 Mar 1996 22:51:24 +0800 Subject: Duress In-Reply-To: <199603032311.PAA16326@netcom7.netcom.com> Message-ID: <199603041403.GAA10958@netcom9.netcom.com> > > At 2:49 PM 3/3/96 -0500, Dr. Dimitri Vulis wrote: > > >As a side remark, every burglar alarm connected to a phone that I've ever seen > >has this feature: a code that one can type under duress that will both turn > >off the alarm and call for help. I wonder how many users will remember this > >code when under duress. > > The air-transport system has had a Hijack transponder code for years. The > pilot dials it into the air traffic system radar transponder when the plane > is hijacked. However there is a problem. > > One of the private pilot magazines reported that a small plane operator > used the code (because his airplane was, in fact, being hijacked). When he > landed the airplane, it was surrounded by LEA, and in the ensuing gun > battle, everyone on the airplane died. The went on to say that the safety > of the passengers and airplane are the pilot's primary responsibility and > that pilots should consider this incident when deciding to use the code. Sorry, but what's LEA stand for? > Duress codes need to be designed to minimized the chance of such responses > when they are used. > > Regards - Bill > > > ------------------------------------------------------------------------ > Bill Frantz | The CDA means | Periwinkle -- Computer Consulting > (408)356-8506 | lost jobs and | 16345 Englewood Ave. > frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA > > > -- Have you ever taken pride in and cultivated a wrongness? From mixmaster at vishnu.alias.net Mon Mar 4 08:14:18 1996 From: mixmaster at vishnu.alias.net (Mr. Boffo) Date: Tue, 5 Mar 1996 00:14:18 +0800 Subject: None Message-ID: <199603041230.GAA23615@vishnu.alias.net> >>>>> "Black" == Black Unicorn writes: Black> On Sun, 3 Mar 1996, John Pettitt wrote: >> I'd like to run an encrypted mailing list - the model I'm >> linking of is this .. >> >> Poster cryptes mail with pgp using list exploder key. List >> exploder decrypts mail and recrypts with keys for all current >> list members and then sends the mail. >> >> [I don't want all the list members to need to know every other >> list members public key] >> >> Before I lanch into hacking majordomo - has anybody done this >> already or somthing like it ? Black> Someone asked this a little while ago. I don't recall if Black> there was an answer. I hope so, I'd be interested too. Check out the Web Page at www.alias.net. There is an entry on PGPdomo. From raph at CS.Berkeley.EDU Mon Mar 4 09:26:49 1996 From: raph at CS.Berkeley.EDU (Raph Levien) Date: Tue, 5 Mar 1996 01:26:49 +0800 Subject: List of reliable remailers Message-ID: <199603041450.GAA07669@kiwi.cs.berkeley.edu> I operate a remailer pinging service which collects detailed information about remailer features and reliability. To use it, just finger remailer-list at kiwi.cs.berkeley.edu There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at: http://www.cs.berkeley.edu/~raph/remailer-list.html This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail, which is available at: ftp://ftp.csua.berkeley.edu/pub/cypherpunks/premail/premail-0.33a.tar.gz For the PGP public keys of the remailers, finger pgpkeys at kiwi.cs.berkeley.edu This is the current info: REMAILER LIST This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu. $remailer{"extropia"} = " cpunk pgp special"; $remailer{"portal"} = " cpunk pgp hash"; $remailer{"alumni"} = " cpunk pgp hash"; $remailer{"bsu-cs"} = " cpunk hash ksub"; $remailer{"c2"} = " eric pgp hash reord"; $remailer{"penet"} = " penet post"; $remailer{"hacktic"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"flame"} = " cpunk mix pgp. hash latent cut post reord"; $remailer{"rahul"} = " cpunk pgp hash filter"; $remailer{"mix"} = " cpunk mix pgp hash latent cut ek ksub reord ?"; $remailer{"ford"} = " cpunk pgp hash ksub ek"; $remailer{"vishnu"} = " cpunk mix pgp hash latent cut ek ksub reord"; $remailer{"robo"} = " cpunk hash mix"; $remailer{"replay"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"spook"} = " cpunk mix pgp hash latent cut ek reord"; $remailer{"rmadillo"} = " mix cpunk pgp hash latent cut ek"; $remailer{"ecafe"} = " cpunk mix"; $remailer{"wmono"} = " cpunk mix pgp. hash latent cut"; $remailer{"shinobi"} = " cpunk mix hash latent cut ek reord"; $remailer{"amnesia"} = " cpunk mix pgp hash latent cut ek ksub"; $remailer{"gondolin"} = " cpunk mix pgp hash latent cut ek reord"; $remailer{"tjava"} = " cpunk mix pgp hash latent cut"; $remailer{"pamphlet"} = " cpunk pgp hash latent cut ?"; $remailer{'alpha'} = ' alpha pgp'; $remailer{'gondonym'} = ' alpha pgp'; $remailer{'nymrod'} = ' alpha pgp'; $remailer{"lead"} = " cpunk pgp hash latent cut ek"; $remailer{"treehole"} = " cpunk pgp hash latent cut ek"; $remailer{"nemesis"} = " cpunk pgp hash latent cut"; $remailer{"exon"} = " cpunk pgp hash latent cut ek"; $remailer{"vegas"} = " cpunk pgp hash latent cut"; catalyst at netcom.com is _not_ a remailer. lmccarth at ducie.cs.umass.edu is _not_ a remailer. usura at replay.com is _not_ a remailer. Groups of remailers sharing a machine or operator: (c2 robo hroller alpha) (gondolin gondonym) (flame hacktic replay) (alumni portal) (vishnu spook wmono) Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too. Note: The remailer list now includes information for the alpha nymserver. Last update: Mon 4 Mar 96 6:48:59 PST remailer email address history latency uptime ----------------------------------------------------------------------- nymrod nymrod at nym.alias.net **+-*+***+*# 10:33 99.99% vegas remailer at vegas.gateway.com **#+***#+### 3:24 99.99% ecafe cpunk at remail.ecafe.org ############ :18 99.97% treehole remailer at mockingbird.alias.net +-+-----+--+ 2:02:33 99.96% hacktic remailer at utopia.hacktic.nl *********+** 8:08 99.95% gondonym alias at nym.gondolin.org ------------ 3:27:17 99.94% replay remailer at replay.com ****+**+**** 5:07 99.91% portal hfinney at shell.portal.com ###* +*--##+ 25:24 99.87% gondolin mix at remail.gondolin.org -----+------ 3:27:40 99.77% alpha alias at alpha.c2.org *-+*+++ +.-+ 58:19 99.76% exon remailer at remailer.nl.com *+* .+*----+ 46:22 99.75% vishnu mixmaster at vishnu.alias.net -+-**** -** 32:44 99.70% c2 remail at c2.org +-*-++++ -* 39:23 99.66% flame remailer at flame.alias.net ----------- 2:31:41 99.57% tjava remailer at tjava.com #*-#######*# 3:08 99.19% extropia remail at extropia.wimsey.com ----___.+- 24:11:30 99.18% nemesis remailer at meaning.com *-*+*-*** -* 24:02 98.98% penet anon at anon.penet.fi .-.---... 23:23:07 97.58% shinobi remailer at shinobi.alias.net +*****+* ## 25:06 90.76% lead mix at zifi.genetics.utah.edu +++++++ +-+ 37:47 90.28% alumni hal at alumni.caltech.edu #- ## 22:41 80.89% mix mixmaster at remail.obscura.com ..---+ 5:31:48 34.72% History key * # response in less than 5 minutes. * * response in less than 1 hour. * + response in less than 4 hours. * - response in less than 24 hours. * . response in more than 1 day. * _ response came back too late (more than 2 days). cpunk A major class of remailers. Supports Request-Remailing-To: field. eric A variant of the cpunk style. Uses Anon-Send-To: instead. penet The third class of remailers (at least for right now). Uses X-Anon-To: in the header. pgp Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID. hash Supports ## pasting, so anything can be put into the headers of outgoing messages. ksub Remailer always kills subject header, even in non-pgp mode. nsub Remailer always preserves subject header, even in pgp mode. latent Supports Matt Ghio's Latent-Time: option. cut Supports Matt Ghio's Cutmarks: option. post Post to Usenet using Post-To: or Anon-Post-To: header. ek Encrypt responses in reply blocks using Encrypt-Key: header. special Accepts only pgp encrypted messages. mix Can accept messages in Mixmaster format. reord Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself. mon Remailer has been known to monitor contents of private email. filter Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering. Raph Levien From nobody at vegas.gateway.com Mon Mar 4 09:40:38 1996 From: nobody at vegas.gateway.com (Anonymous Remail Service) Date: Tue, 5 Mar 1996 01:40:38 +0800 Subject: No Subject Message-ID: <199603031418.JAA09675@black-ice.gateway.com> Thought that this was worth reposting: >I attended last weeks "Information, National Policies, and International >Infrastructure" Symposium at Harvard Law School, organized by the Global >Information Infrastructure Commission, the Kennedy School and the >Institute for Information Technology Law & Policy of Harvard Law School. > >During the presentation by Paul Strassmann, National Defense University >and William Marlow, Science Applications International Corporation, >entitled "Anonymous Remailers as Risk-Free International Infoterrorists" >the questions was raised from audience (Professor Chaarles Nesson, >Harvard LAw School) - in a rather extended debate - whether the CIA and >similar government agencies are involved in running anonymous remailers >as this would be a perfect target to scan possibly illegal messages. > >Both presenters explicitly acknowledged that a number of anonymous >remnailers in the US are run by government agencies scanning traffic. >Marlow said that the government runs at least a dozen remailers and that >the most popular remailers in France and Germany are run by the >respective government agencies in these countries. In addition they >mentioned that the NSA has successfully developed systems to break >encrypted messages below 1000 bit of key length and strongly suggested >to use at least 1024 bit keys. They said that they semselves use 1024 >bit keys. > >I ask Marlos afterwards if these comments were off or on record, he >paused then said that he can be quoted. > >So I thought I pass that on. It seems interesting enough, don't you >think? > >Best > >Viktor Mayer-Schoenberger >Information Law Project >Austrian Institute for Legal Policy > Groundfog at alpha.c2.org From adam at lighthouse.homeport.org Mon Mar 4 10:12:22 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Tue, 5 Mar 1996 02:12:22 +0800 Subject: NYT on Crypto Bills In-Reply-To: <199603041358.IAA23170@pipe1.nyc.pipeline.com> Message-ID: <199603041509.KAA02654@homeport.org> Markoff shouyld know better than this. There is a long history of business use of codes & ciphers, going back hundereds of years, and durring the heyday of the telegraph, there were fair size companies that created codebooks with (locally configurable) superencipherment systems for the market. Adam John Young wrote: | Compromise Bills Due on Data Encryption | Industry Opponents and Civil Libertarians Are Lukewarm, | at Best | By John Markoff | Data-coding, or encryption, technology is based on | mathematical formulas that rely on the immense computing | challenge inherent in factoring large numbers. Until | recently, such technology was largely used by military and | intelligence organizations and by some corporations like | banks. As electronic mail and commerce have become | increasingly accessible, however, the technology has become | more controversial. -- "It is seldom that liberty of any kind is lost all at once." -Hume From warlord at MIT.EDU Mon Mar 4 11:06:21 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Tue, 5 Mar 1996 03:06:21 +0800 Subject: Problems with certificates. In-Reply-To: <199603022121.NAA10418@ix8.ix.netcom.com> Message-ID: <199603041635.LAA08126@toxicwaste.media.mit.edu> Just a quick clarification... > PGP KeyIDs are 8 hexes long (formerly 6), and there have been some natural > collisions and it's easy to manufacture them. On the other hand, > the MD5 hash used for key fingerprints is 128 bits long, and > cryptographically strong. The printable part of the keyid is 8 hexes long. The internal keyID that PGP uses for choosing keys is actually 8 bytes, not 8 hexes. Besides, its not the length that matters, but the security. -derek From jya at pipeline.com Mon Mar 4 11:06:26 1996 From: jya at pipeline.com (John Young) Date: Tue, 5 Mar 1996 03:06:26 +0800 Subject: PAB_lum Message-ID: <199603041651.LAA12043@pipe1.nyc.pipeline.com> 3-4-96. WSJ: "U.S. Commission Recommends Staff Cuts at Intelligence Agencies." The most numerous cuts would be at the CIA, DIA and NSA. Former Sen. Warren Rudman said the super-secret NSA, which conducts various forms of electronic eavesdropping abroad, was most in need of a cut that could provide money for new computer-related technology and bring in people with new technical skills. 3-3-96. NYT: "Spy Pablum." [Editorial] After a year of study and high public expectations, the commission stepped up to this promising moment with all the spine of a rag doll. There is nothing radical about its report, which is precisely its problem. When it comes to the larger picture of just what kind of intelligence network America needs now that the cold war is over, and whether some agencies ought to be combined or eliminated altogether, the commission lacks imagination and courage. PAB_lum From pcw at access.digex.net Mon Mar 4 11:14:02 1996 From: pcw at access.digex.net (Peter Wayner) Date: Tue, 5 Mar 1996 03:14:02 +0800 Subject: NYT on Crypto Bills Message-ID: Well, my first objection is that this law could become something like mail fraud. If the term "data coding" is used, it should be carefully defined. After all, this letter is coded in ASCII. My voice communications are digitized and coded by some algorithm defined by the phone company. -Peter From owner-cypherpunks at toad.com Mon Mar 4 11:39:33 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Tue, 5 Mar 1996 03:39:33 +0800 Subject: No Subject Message-ID: Adam Shostack writes: > > In suggesting key:// urls, I (without commenting) placed a path of > /s/telnetd/ in a URL. I was considering that a telnetd might need > many keys and associated documents, all of which could be found in a > directory. > > gateway's master telnetd public key. > daily keys > policy statements about who may connect, or how > etc > > I expect that we could extend the syntax in such a way that a URL > could contain most of the data we need. Thus, the default document > might be a 'cert of the day,' with possibly with references within the > certificate to the master telnetd key, the hosts master key. > > To expand, I was thinking of: > > key://foo.bar.com/{u,s,h,d}/family/instance While that would be useful in a lot of cases, I would hope that all that path gunk wouldn't be required.... most people would have one key, at least initially, and so a simple key://foo.bar.com/username/key.asc would be enough for them. I wouldn't want to prevent people from using your system, in fact it's a good idea. I just don't think that it should be required, just recommended. Something else to add would be a specifier for the type of key, i.e. key://slack.lne.com/pgp/ericm/key.asc The reason for the keytype specifier is obvious, so that the system can support more than just PGP keys. The problem with the above example is that the 'pgp' part is imbedded in the path. Since the apps that read these key URLS need to know which ones are for PGP and which for DH or DSS or whatever, the keytype specifier needs to be in a standard location in the URL. Suggestions? maybe key:/pgp/slack.lne.com/ericm/key/asc? Finally, a question: should the keyserver be able to serve keys in a way that is secure from a MITM attack, or can it depend on the certificate chain in the key certificate itself to validate the key certificate? I think it can, but I am not sure, so perhaps someone smarter than I can explain why, or why not. The attraction is obvious, if the key server doesn't have to validate the keys it serves, the whole problem of distributed key servers becomes much easier. -- Eric Murray ericm at lne.com ericm at motorcycle.com http://www.lne.com/ericm PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF From mike at fionn.lbl.gov Mon Mar 4 12:27:59 1996 From: mike at fionn.lbl.gov (Michael Helm) Date: Tue, 5 Mar 1996 04:27:59 +0800 Subject: NYT on Crypto Bills In-Reply-To: Message-ID: <199603041810.KAA07446@fionn.lbl.gov> On Mar 4, 3:09pm, Adam Shostack wrote: > Markoff shouyld know better than this. There is a long > history of business use of codes & ciphers, going back hundereds of > years, and durring the heyday of the telegraph, there were fair size > companies that created codebooks with (locally configurable) > superencipherment systems for the market. I thought that, for the most part, the telegraph systems described above were to reduce cable charges (1 code word instead of a 15-word sentence, a huge savings in those days). Maybe it's the use to which the encoding's put that's controversial, not the (idea of) encoding itself. From hfinney at shell.portal.com Mon Mar 4 13:37:10 1996 From: hfinney at shell.portal.com (Hal) Date: Tue, 5 Mar 1996 05:37:10 +0800 Subject: (Fwd) Gov't run anon servers Message-ID: <199603041852.KAA01295@jobe.shell.portal.com> I have run two remailers for about three years now, and I have never been contacted in any way by law enforcement or government people in relation to the operation of the remailers, or of any mail which has been sent through them. I get a fair number of complaints by private individuals, but I have never heard anything from the government. However, if I were a computer-savvy law enforcement agent, and I wanted to track messages through one of my remailers, I would try a technological approach. I would first break the key for my remailer. That is trivial. The passphrase is in PLAINTEXT in the script file which runs the remailer!. It has to be. That is true of all automated remailers. Anyone who can break into the remailer server and acquire root permission can find the remailer secret key. My keys have been unchanged for three years. Surely some enterprising hackers have stolen the keys by now. (That is why my keys are only < 512 bits.) Then the LEA has to insert mail-monitoring software somewhere either in the remailer system or on some connection to it. That is probably more difficult and may require cooperation from a system manager somewhere. I don't really know how hard it would be. But breaking the key is the easy part. Hal From pcw at access.digex.net Mon Mar 4 14:09:25 1996 From: pcw at access.digex.net (Peter Wayner) Date: Tue, 5 Mar 1996 06:09:25 +0800 Subject: NYT on Crypto Bills Message-ID: >On Mar 4, 3:09pm, Adam Shostack wrote: >> Markoff shouyld know better than this. There is a long >> history of business use of codes & ciphers, going back >>hundereds of >> years, and durring the heyday of the telegraph, there were >>fair size >> companies that created codebooks with (locally configurable) >> superencipherment systems for the market. > >I thought that, for the most part, the telegraph systems described >above were to reduce cable charges (1 code word instead of a >15-word >sentence, a huge savings in those days). Maybe it's the use to >which >the encoding's put that's controversial, not the (idea of) encoding >itself. Yes, this is true, but the government still spent plenty of time getting a library of the standard libraries of commercial codes. There are books and books about these codes. Naturally, some were more oriented toward secrecy. Others were just so obscure that you needed the code dictionary to understand them. From sunder at amanda.dorsai.org Mon Mar 4 14:33:31 1996 From: sunder at amanda.dorsai.org (Ray Arachelian) Date: Tue, 5 Mar 1996 06:33:31 +0800 Subject: Chaff in the Channel (Stealth PGP work) In-Reply-To: <9603021720.AA04821@outland> Message-ID: On Sat, 2 Mar 1996, Mike Fletcher wrote: > Just a stab, but maybe this might work: Get two picures of > with both at minimum sufficient size to carry the message. Use the > lsb's (or any bit for that matter) of the second image to XOR with the > message before stego'ing (L'eggo my S'tego :) into the first. Of course > you'ld have to arrange which bit in the pad image will be used, how to > associate the images, etc. before hand. This is horrible. If you have to ship the original untouched picture to someone, the man in the middle attack will work, furthermore, the image you use is likely already out there and when you ship the modified version to XOR, the man in the middle will be able to get the two. Basically your idea gets back to the original key distribution problem that PK schemes have solved... if you have to use a secure channel to send a passphrase along, why not use that same channel for the message as well? There are other ways to do this and NOT have it detected. See my WNS210.ZIP package. :^) (Shameless, plug, but hey, better secure than sorry.) Now if I can find a way to get WNStorm to be somehow mind-melded with PGP and produce a public key Stego system, that would be worth the trouble. :) ========================================================================== + ^ + | Ray Arachelian |Emptiness is loneliness, and loneliness| _ |> \|/ |sunder at dorsai.org|is cleanliness and cleanliness is god-| \ | <--+-->| |liness and god is empty, just like me,| \| /|\ | Just Say |intoxicated with the maddness, I'm in| <|\ + v + | "No" to the NSA!|love with my sadness. (Pumpkins/Zero)| <| n ===================http://www.dorsai.org/~sunder/========================= [This Bible excerpt awaiting review under the Communications Decency Act] And then Lot said, "I have some mighty fine young virgin daughters. Why don't you boys just come on in and do em right here in my house - I'll just watch!"....Later, up in the mountains, the younger daughter said. "Dad's getting old. I say we should do him." So the two daughters got him drunk and did him all that night. Sure enough, Dad got em pregnant....Onan really hated the idea of doing his brother's wife and getting her pregnant while his brother got all the credit, so he whacked off first....Remember, it's not a good idea to have sex with your sister, your brother, your parents, your pet dog, or the farm animals. [excerpts from the Old Testament, Modern Vernacular Translation, TCM, 1996] From jf_avon at citenet.net Mon Mar 4 14:37:23 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Tue, 5 Mar 1996 06:37:23 +0800 Subject: Duress Message-ID: <9603041922.AB05321@cti02.citenet.net> The transponder analogy might not be very accurate. When you fly in a controled airspace, the *controller* asks you to dial in certain digits on the transponder. If you do not dial them in, the controller will start harrassing you for doing it and for not complying and for entering airspace while unauthorized. You have to do it. depending on cockpit configuration, the hijacker might very well have no choice but to let the pilot do it. In any case, this is a situation where there are 3 persons involved (hijacker, pilot and controller) vs 2 in the duress case I would guess that most hijacks gets disclosed before they land because there are so many ways that the pilot could stego a help message in the flow of the numbers that are exchanged btwn him and the ground. JFA **** OLD KEY: USE ONLY FOR VERIFYING SIGNATURES **** 1024 bits Key ID:57214AED 1995/10/04 Jean-Francois Avon 84 96 76 AE EB 7C AB 15 88 47 87 B0 18 31 74 9F From jim at bilbo.suite.com Mon Mar 4 15:05:39 1996 From: jim at bilbo.suite.com (Jim Miller) Date: Tue, 5 Mar 1996 07:05:39 +0800 Subject: art-stego Message-ID: <9603041921.AA08825@bilbo.suite.com> The recent discussion "Chaff in the Channel" got me thinking about an alternative to hiding random bit streams in picture files. The goal of steganography, as I see it, is to provide plausible deniability. The problem with hiding bit streams is that you can never be sure if the opponent has developed an analysis technique to prove a particular file contains a suspicious bit pattern. The alternative to hiding bit streams is to not hide them. Use them to generate pretty pictures. For example, modify a fractal image generator to accept a bit stream as input. Use the bit settings to influence the values used to iterate the fractal function. You don't have to use fractals, any function that produces pretty pictures would probably work as long as there was a way to extract the bit stream from the final picture. Brute force would probably work fast enough for humans. One possibility is a screen saver that produces an "infinite" variety of pretty pictures by generating a pseudo-random bit stream and using it to help generate the next background picture. Occasionally, the picture might be so cool you will want to send it your friends or post it on the Net or just keep it around to look at. The goal is to create an innocent reason for passing around unique images that contain random bit streams so we don't have to worry if somebody finds the bit stream. If you live in a country that doesn't outlaw abstract art you have plausible deniability. Jim_Miller at suite.com From frantz at netcom.com Mon Mar 4 15:17:25 1996 From: frantz at netcom.com (Bill Frantz) Date: Tue, 5 Mar 1996 07:17:25 +0800 Subject: Duress Message-ID: <199603042021.MAA25616@netcom7.netcom.com> At 2:14 PM 3/4/96 -0500, jf_avon at citenet.net (Jean-Francois Avon (JFA Technologies, QC, wrote: >The transponder analogy might not be very accurate. > >When you fly in a controled airspace, the *controller* asks you to >dial in certain digits on the transponder. The analogy may be reaching its elastic limit although you can use those transponder codes when flying VFR, not in radio contact. What I really wanted to suggest is that we try to design (when we can) to minimize the possibility of bad things happening to people who use duress codes. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From tcmay at got.net Mon Mar 4 15:24:33 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 5 Mar 1996 07:24:33 +0800 Subject: Bombings, Surveillance, and Free Societies Message-ID: The recent bombings and similar events in public places in Israel (Hamas), England (IRA), Japan (subway gas attack), and the U.S. (Oklahoma City) are triggering calls for increased communications surveillance. Often the first bombing is insufficient to trigger increased steps...but later events push states to take stronger steps. (In the U.S., for example, the OKC bombing was headline news for more than a week, but resulted in no lasting changes affecting most of us, despite the hysteria about the need to outlaw "militias" and "white supremacist" groups. A second or third such bombing would likely produce new legislation of a serious sort. This is the thrust of my article.) Revolutionary theory says of course that this increased clampdown is a desired effect of terrorist bombings and attacks. Fear and doubt. Revolutionary ends rarely happen by slow, incremental movement. Hundreds of examples, from the original "bomb-throwing anarchists" to the modern mix of terrorist bands. The Red Brigade in Italy sought a fascist crackdown, and the "strategy of tension" is common. (And even revolutionists of crypto anarchist persuasion often think laws like the CDA are good in the long run, by undermining respect for authority and triggering more extreme reactions....) CNN is reporting that U.S. intelligence agencies will share technology for communications intercepts with the Israelis (more so than they already have been doing. Maybe the "U.S.S. Liberty" will be anchored off of Haifa on a permanent basis. The implications for cryptography? -- expect increased support for a "New World Order" to restrict non-governmental access to strong crypto (via key escrow measures) -- expect the various laws about "talking about explosives on the Net" to be used to clamp down on various fringe groups -- expect "national security" to become a bigger part of the political debate -- expect more and bigger bombings, as the groups thinking about bombings see how productive they are in accomplishing policy goals (such as ending peace talks, triggering police state actions, etc.) The inescapable fact is that free societies have numerous "soft targets" than cannot be defended against such bombing attacks. Various public places are "Schelling points" for attacks: crowded streets in Bogota, Tel Aviv, New York, London, Paris. Ditto for subways, buses, government buildings, sports arenas, etc. (The 99+% of us who are not in these areas at any given time are pretty safe, actually.) I predict that it will take about 5 more major bombings in European and American cities to trigger substantive changes in laws. If we look at how easily the Communiations Decency Act (and the Wiretap Act, and similar laws) sailed through Congress, I foresee serious terrorist activity as triggering far-reaching restrictions on communications privacy, on non-governmental use of encryption, and on what may be talked about openly on the Net. (Yes, I'm aware that there's a thing called the "First Amendment," lest you lawyers point out to me that such prior restraints will never fly. Well, how has the First Amendment stopped the government from restricting what I can say about medicine, what abortion advice I can give, the "dirty words" I choose to use, the supposedly libelous and slanderous things I can say, etc.? Granted, these are not cases of prior restraint, but of actions taken after the fact, via criminal and civil actions. Not much difference so far as I can see.) Personally, while I feel sorry for the dead in Israel, I think anyone who moves to a small desert state surrounded on all sides by Arabs who want their land back is asking for trouble. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From dlv at bwalk.dm.com Mon Mar 4 15:41:45 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Tue, 5 Mar 1996 07:41:45 +0800 Subject: (Fwd) White House mail bomb protest? In-Reply-To: Message-ID: > Good day. By way of introduction, I'm the consultant who did the > "anti-mailstorm/anti-mailbomb" software that runs on the MX host for > WHITEHOUSE.GOV. ... I used to correspond with JMS a while back. He's a cool dude. Funny that he'd be doing something for Klinton now. I'm sure that if JMS put up a piece of software, it's hard to circumvent. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From rich at c2.org Mon Mar 4 15:54:08 1996 From: rich at c2.org (Just Rich) Date: Tue, 5 Mar 1996 07:54:08 +0800 Subject: Mainstreaming PGP on Usenet In-Reply-To: <199603040500.XAA06840@manifold.algebra.com> Message-ID: On Sun, 3 Mar 1996 ichudov at algebra.com wrote: > Dr. Dimitri Vulis wrote: ... > > Igor Chudov, who coded the robomoderator, reads Cypherpunks, and > > is known to appreciate and use good suggestions. > > Indeed. If you indicate your interest, I can post here a more or less > full description of the robomoderator, how it implements secure > exchange between itself and human moderators, verifies submissions, > and signs approved articles for posting (it uses PMApp by Greg Rose). It sounded cool (as heard on the moderator's list), but too complex for my needs, and I think it required some stuff I don't have. Of course, for a higher-traffic group, it's worth it. I don't see a way around the problem. ... > > (Of course, some people have what they believe to be valid reasons not > > to use PGP.) > > Sorry if this question will provoke a mini flamewar, but what are > such reasons? 1. If you're like me and you habitually read your mail online on a host on the Internet, no matter how secure, then that's a security risk. Of course one could, and many people do, create multiple PGP keys, one for casual authentication and encryption online, and another held in check for stuff that needs to be secure. I just don't bother with a "10% secure" key for cpunks and casual mail, though I do sign most of my Usenet posts. 2. If you send a PGP-signed message to a non-PGP-aware list, there will be questions, and sometimes ridicule. Sometimes this is an opportunity for education, sometimes it's just not worth the trouble. 3. Using PGP may attract the unwelcome attention of hostile local or foreign governments, or possibly other armed thugs. 4. "It's too hard." -rich From rich at c2.org Mon Mar 4 15:57:39 1996 From: rich at c2.org (Just Rich) Date: Tue, 5 Mar 1996 07:57:39 +0800 Subject: Remailers run by spooks Message-ID: <199603040511.AAA24235@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- On Mon, 4 Mar 1996, Anonymous (or so he thinks!) wrote: > >Both presenters explicitly acknowledged that a number of anonymous > >remnailers in the US are run by government agencies scanning traffic. > >Marlow said that the government runs at least a dozen remailers and that > >the most popular remailers in France and Germany are run by the > >respective government agencies in these countries. In addition they > >mentioned that the NSA has successfully developed systems to break > >encrypted messages below 1000 bit of key length and strongly suggested > >to use at least 1024 bit keys. They said that they semselves use 1024 > >bit keys. > > I don't know about everyone else, but I consider this, if true, to be a > MAJOR worry. It never ceases to amaze me how lightly the government takes > lying to the people. Unfortunately I don't have the contacts or resources > to do any further investigation, I hope this thread is resolved one way or > another soon. Yeah, didn't you know that Sameer was on the CIA payroll? How do you think he paid for his new Ferrari? I have no doubt that the CIA can break 1000-bit keys on a case-by-case basis, *if they decide to allocate the resources*. I think it's possible that some remailers are run by spooks. However, I seriously doubt that anyone is breaking stuff routinely, and I think the web of trust is pretty good. Of course, the CIA had Ames... the reverse could easily be true. However, I also have no doubt that Strassmann and Marlow are spreading disinformation and exaggerating their capabilities in an attempt to break the web of trust and incite a witch hunt. It won't work. The answer in any case is more use of remailers, not less. Just turn up the noise level. You already know that nothing is 100% secure, but you do what you can. It's a war of attrition. - -rich - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMTp7ayoZzwIn1bdtAQFJXgGAg8I4+IwZYrDI46bMj2nED+Dh0AeoMJVs PP10Ui5u46sXDAUjpMzJSwv5EqdIOEKy =611k -----END PGP SIGNATURE----- From ichudov at algebra.com Mon Mar 4 15:57:54 1996 From: ichudov at algebra.com (Igor Chudov @ home) Date: Tue, 5 Mar 1996 07:57:54 +0800 Subject: Mainstreaming PGP on Usenet In-Reply-To: Message-ID: <199603040500.XAA06840@manifold.algebra.com> -----BEGIN PGP SIGNED MESSAGE----- To: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Cc: cypherpunks at toad.com Subject: Re: Mainstreaming PGP on Usenet Dr. Dimitri Vulis wrote: > Bruce Baugh writes: > > I'm surprised nobody has brought this up before.... > > FIRST CALL FOR VOTES (of 2) > > moderated group soc.culture.russian.moderated > > > > > > > > 6. Individuals in the database of known readers may post freely to > > the group, subject to the conditions in sections 1-4 above. If need > > arises, the robomoderator may perform PGP verification of the > > identity of the known reader and, if the reader requests so, > > automatically reject all the submissions from the reader without > > a valid PGP signature. > > Igor Chudov, who coded the robomoderator, reads Cypherpunks, and > is known to appreciate and use good suggestions. Indeed. If you indicate your interest, I can post here a more or less full description of the robomoderator, how it implements secure exchange between itself and human moderators, verifies submissions, and signs approved articles for posting (it uses PMApp by Greg Rose). Your criticisms will be most welcome. > One issue that hasn't been addressed by the s.c.r.m robomod is the > possibility of persistent nyms: that is, Alice D. Nonymous somehow makes > her public key known to the robomod; and later if someone submits an article > via some anon remailer claiming to be hers, it would be rejected if the > signature doesn't check. Of course, her true submissions would be accepted > from any remailer. How could such protocol be implemented? We see no problem with user posting under pseudonyms, as long as they do not try to pretend to be other real people and do not constantly mutate, and submit their messages to the robomoderator for consideration. > (Of course, some people have what they believe to be valid reasons not > to use PGP.) Sorry if this question will provoke a mini flamewar, but what are such reasons? - Igor. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMTp458JFmFyXKPzRAQEbQAP8CAtCiNm9h7pijz4+qrm6FFGRBDjsqvZb RkgFetA01oEONdp+RW3NP6GBY1zeNg7+HahfoavNPhASwBl230hLni1fEW5pL75o J5v5yNCYT4/N1aVfchoo50kjXv+KqvRyjr5YNxVmd/IFKokSV1w9ASfdXVk/7uDB Ep1n1jmP4OQ= =EQOd -----END PGP SIGNATURE----- From jimbell at pacifier.com Mon Mar 4 16:33:57 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 5 Mar 1996 08:33:57 +0800 Subject: (Fwd) Gov't run anon servers Message-ID: At 10:52 AM 3/4/96 -0800, Hal wrote: >However, if I were a computer-savvy law enforcement agent, and I wanted >to track messages through one of my remailers, I would try a >technological approach. I would first break the key for my remailer. >That is trivial. The passphrase is in PLAINTEXT in the script file >which runs the remailer!. It has to be. That is true of all automated >remailers. Maybe I just don't know much about automated remailers, but I don't understand why you said that the passphrase "has to be" in plaintext in the script file. I find this hard to believe. While I am far from an expert on cryptographic matters, I would assume that any received attempt at a password could be securely hashed (128 bits?) and compared with a pre-stored hash value. If it's the same, it's assumed that the password was correct. What's wrong with this? From jya at pipeline.com Mon Mar 4 16:48:14 1996 From: jya at pipeline.com (John Young) Date: Tue, 5 Mar 1996 08:48:14 +0800 Subject: Report on Privacy Enhancing Message-ID: <199603042134.QAA02905@pipe2.nyc.pipeline.com> Does anyone how to get a copy of the report on "privacy enhancing technologies - the path to anonymity" cited in this paper from the Canberra/OECD conference on Feb 7-8: http://www.nla.gov.au/gii/oconnor.html Issues Facing Government : Meeting Public Concerns Kevin O'Connor Privacy Commissioner, Australia [Giant snip] In my own sphere of activity, there is some discussion taking place over the potential of new technologies and applications to assist with privacy protection. A recent report from the Dutch and Ontario Privacy Commissioners entitled Privacy enhancing technologies - the path to anonymity, offers some intriguing suggestions about the potential of public key cryptography for use in digital signatures to act as 'identity protectors' - allowing transactions to be completed and accounted for without the true identity of the participants needing to be known. While there are some obvious concerns about such technologies from a law enforcement perspective, which we have already heard about from the previous speaker, these should not be insuperable obstacles. On the other hand, the registration of digital signatures and public keys, with sufficient integrity to gain commercial and governmental confidence, itself raises additional privacy concerns. The complex issues involved are only just starting to be addressed. ... ----- Encouragingly, another paper by Matthew Bowcock http://www.nla.gov.au/gii/bowcock.html states: [Big snip] Controls on Encryption Technology There has been much heated debate worldwide about restrictions on the use of encryption technology, so that law enforcement and national security agencies can continue to intercept communications. Two questions are worth asking in this debate. Firstly, is interception of private communications a governmental right, which must therefore be protected in the face of technological change, or is it an accidental consequence of the weaknesses of the communication techniques that we have been using? I would argue that it is the latter and that there is no community obligation to protect it. Secondly, is a country better served by a vibrant, efficient, electronic economy, using trusted secure communication techniques for its day to day business, or by attempting to reduce organised crime by restricting use of technology? So far, much of the opposition to restrictions on the use of encryption technology has centred around a right to privacy and civil libertarian issues. Perhaps, instead, we need to quantify the opportunity cost, in economic terms, of delayed and lower levels of adoption of electronic commerce by the business community because the security mechanisms are not sufficiently trustworthy. It may be that the cost to the economy of restricting the use of encryption technology outweighs the benefits to the community. ... From tbyfield at panix.com Mon Mar 4 17:21:24 1996 From: tbyfield at panix.com (t byfield) Date: Tue, 5 Mar 1996 09:21:24 +0800 Subject: [NOISE] Re: Bombings, Surveillance, and Free Societies Message-ID: [This post is 100% free of remarks defending actions of the state of Israel.] At 12:51 PM 3/4/96, Timothy C. May wrote: >Personally, while I feel sorry for the dead in Israel, I think anyone who >moves to a small desert state surrounded on all sides by Arabs who want ^^^^^^^^ >their land back is asking for trouble. Like someone who crosses the road without looking both ways is asking for trouble? O necessity, we worship at your altar. Some folks--in fact, most Israelis--were born in Israel. The rest of your remarks about "a...state surrounded on all sides by Arabs who want their land back" doesn't exactly describe the Palestinians' relations with denizens of neighboring territories prior to the rise of Zionism, or even since, for that matter. Ted From unicorn at schloss.li Mon Mar 4 18:27:40 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 5 Mar 1996 10:27:40 +0800 Subject: (Fwd) White House mail bomb protest? In-Reply-To: <199603040145.UAA04626@UNiX.asb.com> Message-ID: On Sun, 3 Mar 1996, Deranged Mutant wrote: > In regards to the few messages about mailbombing the prez's box... > Folks: > > Good day. By way of introduction, I'm the consultant who did the > "anti-mailstorm/anti-mailbomb" software that runs on the MX host for > WHITEHOUSE.GOV. Now that the Telecom. Act of 1996 has been signed, > the volume of mail through WHITEHOUSE.GOV has gone up significantly. > For example, there were about 85,000 lines in the mail log file yesterday. [...] > Without going into details, if too many messages come from a single site, > the mail handler will throttle back accepting messages. Not only did he go into details, he gave away the show. --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From tcmay at got.net Mon Mar 4 18:59:32 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 5 Mar 1996 10:59:32 +0800 Subject: (Fwd) Gov't run anon servers Message-ID: At 9:10 PM 3/4/96, jim bell wrote: >At 10:52 AM 3/4/96 -0800, Hal wrote: >>That is trivial. The passphrase is in PLAINTEXT in the script file >>which runs the remailer!. It has to be. That is true of all automated >>remailers. > >Maybe I just don't know much about automated remailers, but I don't >understand why you said that the passphrase "has to be" in plaintext in the >script file. I find this hard to believe. While I am far from an expert on >cryptographic matters, I would assume that any received attempt at a >password could be securely hashed (128 bits?) and compared with a pre-stored >hash value. If it's the same, it's assumed that the password was correct. The "passphrase" is not for access to the remailer, but so that the remailer can itself decrypt incoming messages encrypted to its public key. An automated remailer is like a little guy sitting at the machine, taking in incoming messages, decrypting the ones that are addressed to him, and taking furhter actions. In Chaum's hardware-based "digital mix," the scripts, etc., for this are stored in tamper-resistant hardware, making the attack Hal describes much harder. (Chaum was thinking that mixes needed hardware security about 15 years ago.) Unix-based remailers, and the like, don't rely on secure hardware. We've talked about possible hardware security measures, even those that only rely on physical box security. A box that does decryption, mixing, readdressing, etc., without being part of a Unix file system/network, could be a useful "Mom and Pop remailer" (the idea being that small shop owners, "Mom and Pop," could set this up, collect a little bit of spare change as a remailing fee, and not even have access to the internal state of the machine themselves. At a Cypherpunks meeting a couple of years ago we spent some time brainstorming this. It seemed plausible that a small outfit could make such "remailer boxes" and sell them cheaply. (Hardware prices have plunged even further.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From alex at proust.suba.com Mon Mar 4 19:09:30 1996 From: alex at proust.suba.com (Alex Strasheim) Date: Tue, 5 Mar 1996 11:09:30 +0800 Subject: new mixmaster remailer Message-ID: <199603042243.QAA09874@proust.suba.com> I've set up a mixmaster remailer at nsa at omaha.com. Here's the key: =-=-=-=-=-=-=-=-=-=-=-= omaha nsa at omaha.com c20bfad8d66b43448ca3bdcfa794e244 2.0b11 -----Begin Mix Key----- c20bfad8d66b43448ca3bdcfa794e244 258 AATNlQZx/gSC34PBLJNNmrBzo3m8CE6/kvCTscQ7 ciuhKGUM7vPGtiAXQiueFyDSUqh24L5dWaX2CWrm +Z0dsmJTYSulrrtS6/kFO1Qnl5TPrPcWl+BgBT4M mBWQKip4rw+hn8gfXyS+b7gd0JqW/ajlKGAchGxw NsuDVbpEL3ncVwAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- -- Alex Strasheim, alex at proust.suba.com From jrochkin at cs.oberlin.edu Mon Mar 4 20:10:10 1996 From: jrochkin at cs.oberlin.edu (Jonathan Rochkind) Date: Tue, 5 Mar 1996 12:10:10 +0800 Subject: art-stego Message-ID: At 7:18 PM 03/04/96, Jim Miller wrote: >The recent discussion "Chaff in the Channel" got me thinking about an >alternative to hiding random bit streams in picture files. The goal of >steganography, as I see it, is to provide plausible deniability. The >problem with hiding bit streams is that you can never be sure if the >opponent has developed an analysis technique to prove a particular file >contains a suspicious bit pattern. The way I understand steganography working, you would use it to hide mathematically random data. Mainly encrypted data. Like a PGP encrypted message, but with all PGP headers and other non-random data removed. Photos are a great medium for steganography, since they already contain noise of various sorts. So a good steganography algorithm (which I understand exists) merely changes the values of the noise so that it now encodes your (random) message. So there's no way to look for "suspicious bit patterns", and even if you use a publically available stego program to encode your data, and they use the same program to unstego your data, all they wind up with is a random bit stream, and they have no way of telling if it's just noise in the picture or your PGP encrypted message. So you already have all the plausible deniability you need, and I don't see how Jim's method is an improvement. Of course, if they have methods to crack PGP encrypted messages, and they use it on yours even without being sure it is an encyrypted message, and eventually wind up with a clear text message, well, then they've got your clear text message. And you are unlikely to be able to claim that it's just a coincidence they managed to extract several paragraphs about laundering money in bermuda from the GIF or orca the killer whale. But this is true of any stego method--if they can manage to get a cleartext message out of it, plausible deniability is unlikely to get you far. Am I wrong about any of the above? From dlv at bwalk.dm.com Mon Mar 4 21:08:28 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Tue, 5 Mar 1996 13:08:28 +0800 Subject: Mainstreaming PGP on Usenet In-Reply-To: <199603040500.XAA06840@manifold.algebra.com> Message-ID: <3JJakD38w165w@bwalk.dm.com> ichudov at algebra.com (Igor Chudov @ home) writes: > Dr. Dimitri Vulis wrote: ... > > One issue that hasn't been addressed by the s.c.r.m robomod is the > > possibility of persistent nyms: that is, Alice D. Nonymous somehow makes > > her public key known to the robomod; and later if someone submits an articl > > via some anon remailer claiming to be hers, it would be rejected if the > > signature doesn't check. Of course, her true submissions would be accepted > > from any remailer. How could such protocol be implemented? > > We see no problem with user posting under pseudonyms, as long as they do > not try to pretend to be other real people and do not constantly mutate, > and submit their messages to the robomoderator for consideration. On the contrary, I was thinking of a situation when a person is posting through an anonymous remailer, yet wishes to establish a persistent nym that can't be impersonated. E.g., someone may submit articles via remailers (different every time) and have a signature 'Alice D. N.'; what's to prevent someone else from submitting an article and also signing it 'Alice D. N.'? I was thinking of allowing the user to add a 'From: ' in the first paragraph of the PGP-signed block. To establish the nym, Alice would first post her public key under the name of Alice; then she would post things like From: remailer at somewhere -- begin pgp signed msg From: Alice ... This would also address the problem of someone's misconfigured system where his submissions appear to come from moron at camelot.ptu.edu or moron at pendragon.ptu.edu or some other random hostname. P.S. So, when are you setting up your own mixmaster remailer, Igor? :-) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From adam at lighthouse.homeport.org Mon Mar 4 21:21:50 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Tue, 5 Mar 1996 13:21:50 +0800 Subject: A brief comparison of email encryption protocols In-Reply-To: <203602070728.XAA19559@slack.lne.com> Message-ID: <199603050218.VAA05146@homeport.org> Eric Murray wrote: | Adam Shostack writes: | > | > Leaving it out may be ok because we can define a standard location by | > key type: | > | > key://slack.lne.com/~ericm/key.asc | > key://slack.lne.com/~ericm/key.x509 | > | > key://slack.lne.com/~ericm/x509/key.cert | > key://slack.lne.com/~ericm/pgp/key.asc | > | > I have no objection to defining a shorter URL, but would want some | > indicator that we're in user space, not host/domain/realm space. A | > ~username serves that purpose as well as /u/ and is a more common | > usage. | | Ok. Sounds good, for user-maintained keys like PGP anyhow. | More hierarchical keys, like X.509, could be maintained | by a CA that also maintains the server... some people who | could use encryption don't know, and don't want to know, enough | about it to even be willing to hold their own certificates. They | want it to "just work". I think that this scheme should be flexable | enough to be able to support a CA maintaining user's certificates | for them. Note that this doesn't mean that the CA/key server | would know the keys, i.e. this should not support GAK*. Having keys placed in a namespace defiend by a user does not mean the user needs to make the key available, only that the key can be found there. Nothing says we can't have key://keys.verisign.com/~ericm if they issue keys in some space that maps into user names. | > My last comment is that if we define a URN scheme for keys, we should | > force a dependable structure on it, so that its predictable where to | > find a users PGP key from an email address, without having to check 6 | > locations. Nothing is there now, we should require order to make | > everyones life easier. | | Along those lines, I was envisioning adding a KEY RR type to | DNS, and using it to maintain pointers to keyservers. [...] | This sounds so obvious that I'm sure that I'm not the first | or even the tenth person to think of it, and in fact I | see a KEY RR type defined in the BIND 4.9.3BETA17 source. But | there's just a type there, nothing else to support it. | Anyone know what it's for? Donald Eastlake is writing the spec for storing keys in nameservers. Its in the process of moving to draft standard; there will probably be something about it after LA. I think its: ftp://ds.internic.net/draft-ietf-dnssec-secext-09.txt Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From tbyfield at panix.com Mon Mar 4 21:28:38 1996 From: tbyfield at panix.com (t byfield) Date: Tue, 5 Mar 1996 13:28:38 +0800 Subject: Remailers run by spooks Message-ID: At 12:11 AM 3/4/96, Just Rich wrote: >However, I also have no doubt that Strassmann and Marlow are spreading >disinformation and exaggerating their capabilities in an attempt to break >the web of trust and incite a witch hunt. It won't work. The answer in any >case is more use of remailers, not less. Just turn up the noise level. >You already know that nothing is 100% secure, but you do what you can. >It's a war of attrition. Only the shadow and a few bureaucrats know whether spooks have infiltrated the remailer operators' web of trust. I'd imagine the payoff in suggesting the possibility would lie in breeding mistrust not among operators but, rather, among potential users: diminishing the use and propagation of remailers would lower the overall noise level, making case-by-case interception and cracking that much more manageable. But this hall-of-mirrors speculation is really just misguided FUD: improving protocols, more remailers, and expanding webs of trust are the prize to keep our eyes on. Ted From stewarts at ix.netcom.com Mon Mar 4 21:29:44 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Tue, 5 Mar 1996 13:29:44 +0800 Subject: A brief comparison of email encryption protocols Message-ID: <199603040715.XAA13853@ix7.ix.netcom.com> At 08:03 AM 3/1/96 -0800, Eric Murray wrote: >Suggestions? maybe key:/pgp/slack.lne.com/ericm/key/asc? >Finally, a question: should the keyserver be able to serve >keys in a way that is secure from a MITM attack, or can it depend >on the certificate chain in the key certificate itself to >validate the key certificate? I think it can, but I am not >sure, so perhaps someone smarter than I can explain why, or why not. Web of trust is clearly the way to go, but it helps to have both. 1) You need Web of Trust anyway 2) You may have multiple signatures, by people other than the keyserver; issues like "Company X Authorizes Key NNN for purchase up to $D" are outside the scope of keyservers. 3) If the keyserver managers _want_ to sign the key, they can. 4) It's much more convenient to run a non-trusted keyserver; there's a lot less security paranoia required, and enough less work that more people will run them. On the other hand, sending signed responses from the keyserver is clearly valuable. The big MITM risk is for revoked keys; the MITM may be able to block transmission of the revocation notice or, for Certificate Revocation List models like X.509, the CRL, and send an old key. Having the MITM sign and timestamp the response reduces the risk that an old self-revoked key will get through. From ichudov at algebra.com Mon Mar 4 21:31:56 1996 From: ichudov at algebra.com (Igor Chudov @ home) Date: Tue, 5 Mar 1996 13:31:56 +0800 Subject: Mainstreaming PGP on Usenet In-Reply-To: Message-ID: <199603040605.AAA07118@manifold.algebra.com> -----BEGIN PGP SIGNED MESSAGE----- To: cypherpunks at toad.com Subject: Re: Mainstreaming PGP on Usenet Dr. Dimitri Vulis wrote: > > Just Rich writes: > > comp.os.ms-windows.announce will also start using PGPMoose when I get > > around to it, probably today. > > All moderated newsgroups should use it. > > However the robomoderator that Igor Chudov wrote uses digital signatures to > authenticate _posters as follows: there's a "white list" (as opposed to "black > list") of trusted posters whose submissions will be approved and posted > automatically, without going through any moderator. A person on the "white > list" can request that the robomod check his signature and not post it if the > submission may be a forged e-mail. I strongly urged Igor to make digital > signatures mandatory for "white list" membership, but he argued that a lot of > likely posters lack the brains to use PGP. The robomod will look at things like > "Received" lines in the e-mailed submission to try and detect forgeries. This is not exactly correct. The check for white list will be there exactly as you specified. It will have a toggle switch, so that we can turn it on and off, depending on how badly we are hit with forgeries. > > While at it, here's a pre-filled ballot. Just add your name and e-mail it > to russian-vote at netagw.com. > Please do NOT use this pre-filled ballot to vote (although of course I would be pleased with cypherpunks helping to let such an experiment go). According to voting rules, you have to vote only in response to the full CFV posted to news.groups. If you do not have access to news or your news system expired the CFV already, you can retrieve the CFV (containing the rationale, charter and the ballot) by sending email to russian-cfv-request at netagw.com. Body of your message will be ignored. All votes that use pre-filled ballots are invalid. - Igor. - -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMTqH5cJFmFyXKPzRAQGYVQQAktT4DYcIcDCV9CSWK+BYGPGS9S609m59 whde9eCtG7d6XRUdnAlZnJQ/sqr/TXVtpfTfGYTZJnD0HYOO0INq7+jN7qHs/7ue KKQMAHM0mi9njEsKUP1cFvn+h68UNDSlH9zrjuMgLZvPxHcal+Wg0gAT9MBsO3xs 4HG2DcpBTSo= =JUnd - -----END PGP SIGNATURE----- -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMTqIK8JFmFyXKPzRAQFRFwQAk7/feGthnWXKKJIH8m4XTRbfW0wT1dmI GazD0DSLU2Yy/L31QeIA2wdXqxHRIv15SXqv4/rdRnpbbRnxEmIO3jzZmRjvjWTK +wXO/kDrlmiiO+QCmg6jQs8BD4Mk4wNkqwsgUhxLnX9z6nwRA3KUqpOMp8Y45HRT aFyQV5SYByg= =cTQ0 -----END PGP SIGNATURE----- From eman at netcom.com Mon Mar 4 21:54:57 1996 From: eman at netcom.com (Emanuel Barros) Date: Tue, 5 Mar 1996 13:54:57 +0800 Subject: NetDay96 (fwd) Message-ID: I apologize for those that are out of California, but other wise please consider helping. This is a very worth while cause. This will bring us much closer to educating all the children in our schools about what's going on on the internet. TIA eman at netcom.com ---------- Forwarded message ---------- >On NetDay96, March 9, 1996, a hundred thousand volunteers in >California >will go to twelve thousand schools in California, and install the same >Category 5 wire we use in all California business local area networks. >We will connect five classrooms and the library to a central closet, >in >preparation for connection to the Internet. This is a barnraising, a >kickstart for networking in the schools. > >Every high tech employee in California should be involved. Every >contractor for a high tech company should be involved. Anyone -- >employee, customer, or supplier -- that you can think of who believes >linking our children to the Internet is a good idea should be >involved. > >What do you do? Go to www.netday96.com, find a school, and volunteer >to >help put that school on the Internet on March 9. Go to that school on >Saturday, March 9, and help ten other people pull wire from five >classrooms and a library or computer lab to a central closet -- you >don't >need any particular expertise. That's it. You can choose a school >from >the twelve thousand home pages created on a server at the Well: >www.netday96.com. All schools, private or public, are there; if it >has >more than ten children in a classroom, it's a school -- if you don't >see >your school, mail netday at kqed.org and NetDay will put up a home page >for >you. > >As NetDay approaches, you will see pages go up for every company in >California supporting NetDay, together with the count of participants >from >each company. > >We're jumpstarting the schools. Our goal is to bring every school in >California past the first barrier to access: interior wiring. We then >use the new capability in the schools to persuade the carriers to >provide >Internet access. And it's working. > >We now have commitments from MCI, Netcom, and ATT to provide free >dialup >a ccess to the Internet for every school in California. Higher >bandwidth >will come next. > >We've talked the vendors into creating NetDay Kits that they will ship >directly to the schools. A standard kit, with two to three thousand >feet >of Cat 5 wire, jacks, a 24-way patch panel, connectors, and cable ties >will cost between $350 and $500. Pacific Bell is sponsoring 1,000 >kits. >Small electrical contractors are sponsoring two or three schools. >Individual parents are sponsoring schools. You can. Your district >office >can. All details are at the NetDay web site: www.netday96.com. > >Please sign up now. > >Our first need is to show a groundswell of volunteers. We announced >NetDay in San Francisco on January 19, at a school wired by Sun and >3Com >employees on Volunteer Day in November. Vice President Gore arrived to >praise the volunteers, and thank all California high-technology >companies >participating in NetDay. Volunteering has taken off, but we need to >reach >ten thousand in the next week or two. > >Please volunteer today. > >This Web site is the first use of the World Wide Web to organize a >mass >volunteer event. Please help make it a success. > >Please mail this request to anyone on your mailing lists. Please ask >all >webmasters to put a pointer to www.netday96.com on their home page. >We >are organizing this in a totally decentralized way, using the Web. >This >is the first time this has been tried, and I believe the Net can do >it. > >We can do it. From PADGETT at hobbes.orl.mmc.com Mon Mar 4 23:38:54 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Tue, 5 Mar 1996 15:38:54 +0800 Subject: Validating credit cards Message-ID: <960303192137.2020177f@hobbes.orl.mmc.com> Actually can think of several phleneomum that would satisfy but first need to separate transactions into relating to electronic items and relating to physical items. In the case of physical items, pickup for shipping is probably done in batches (example: for FedEx the last pickup typically at 5 pm). It is not necessary to verify transactions instantaneously but rather when the order is processed /shipped. This could be done in a batch mode syncronized with order processing. In the case of electronic media there are two choices: either immediate access or delayed access. In the first case either access can be granted or immediate verification can be done. In the case of immediate access, it should be limited to items of restricted value. In delayed access the same batch processing mode can be performed (during the 0-dark hours most likely). This leaves only cases where immediate access must be granted and I suspect that in most cases the vulnerability of 6-24 hours of access before verification will be small. Where the possible loss is low, we are back to (a). So in the small proportion of transactions where immediate verification and transfer is necessary, I have no doubt that the existing infrastructure can handle it. At "slight additional charge" by the credit card company no doubt. Warmly, Padgett From JonWienke at aol.com Tue Mar 5 00:21:53 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Tue, 5 Mar 1996 16:21:53 +0800 Subject: art-stego Message-ID: <960305022451_438384532@emout05.mail.aol.com> .WAV files are potentially a good place to store stego information. With a 16-bit file, as many as 8 of the least significant bits in each sample can be replaced with encrypted info without making the file sound too wierd (depending on the natural background noise of the recording). If you make one of those "waves on the beach" relaxation things, you might be able to get away with even more. Another thing--just a wild idea--test the randomness of encrypted data by storing it in an 8-bit mono .WAV (your choice of sample rates) file and listening to it. Any correlations or patterns in the data should show up in the playback as hums, clicks, squeals, or something. It may even be possible to determine the algorithm by the sound patterns--a sort of "audio cryptanalysis." Has anyone tried this? Are there any .WAV stego programs out there? Jonathan Wienke From jpp at software.net Tue Mar 5 00:31:20 1996 From: jpp at software.net (John Pettitt) Date: Tue, 5 Mar 1996 16:31:20 +0800 Subject: Looking for code to run an encrypted mailing list Message-ID: <2.2.32.19960305071708.00b98a10@mail.software.net> I wrote : >> >> Poster crypts mail with pgp using list exploder key. List exploder decrypts >> mail and recrypts with keys for all current list members and then sends the >> mail. >> >> [I don't want all the list members to need to know every other list members >> public key] > At 09:24 PM 3/4/96 -0800, Alan Bostick replied: >Is this the right way to go about doing this? > >If the mailing list has N members, then, for each message posted to the >list, the list processor must decrypt the message and then reencrypt it >N times. > Hmm thats not what I meant - I just envisioned giving all the recipient public keys to pgp and saying letting it do the rest. This does result in all recipients gettingthe key fingerprints of all other recipients which is not a problem in my application. Alan goes on to suggest sumthing very similar except that he does not decrypt the body first - which apart from meaning I'd have to hack pgp acheives the same effect. The overal intent was to have a message go from one list member to all others with a) a signature to provide strong attribution and a measure of non repudiation b) low probability of interception c) only the gateway has to have all the public keys. Inbound the process looks like this: decrypt and validate signature (leaving original signature) add gateway info (sender signature validation, date received etc) sign the whole thing with the gateway key. crypt with all list member keys (i.e. one message readable by any member) send to members. Several people have pointed me at PGPdomo which I now have a copy of and will be looking at as a basic for this (assuming it's not an exact fit already).\ [thanks to all those who responded] John -- John Pettitt email: jpettitt at well.sf.ca.us (home) jpp at software.net (work) From mixmaster at spook.alias.net Tue Mar 5 16:39:15 1996 From: mixmaster at spook.alias.net (NSA Spook) Date: Tue, 5 Mar 96 16:39:15 PST Subject: None Message-ID: <199603060039.SAA06419@riker.phoenix.net> The Spook is back! Hello everyone! The Spook is back! mixmaster at spook.alias.net is now functional again with bothe Type-I and Type-II remailers. The Type-II remailer supports news posting via mail2news at myriad.alias.net. The PGP Type-I key is the same as the old spook. The Mixmaster key however, is new. For your records: spook mixmaster at spook.alias.net 5c46a4b6c2cf00bfc7f693be81f88554 2.0.3 vishnu mixmaster at vishnu.alias.net bb460f08811a98682def423d30852d11 2.0.3 flame remailer at flame.alias.net 8b52e01256d96db2cefb21a081c64d34 2.0.3 secrets secret at secret.alias.net 834795b553fa43cbf33bea8f490a2b77 2.0.3b6 anon mixmaster at anon.alias.net e3ca4cc5beb9934ae6d52dd27da80332 2.0.2b shinobi remailer at shinobi.alias.net ab3c9b8f6c593ec7af312f5cfec49a9b 2.0.3 treehole treehole at mockingbird.alias.net 2c9f098377bf4f068751683f803834f5 2.0.3 mix mixmaster at remail.obscura.com db91418edac3a4d7329feaee0b79c74f 2.0.1 knight mixmaster at aldebaran.armory.com 6bb0d89a29fd188c67b8e04516b5af33 2.0 rebma mixer at rebma.mn.org e7d84921298b0aadaf8f050d145ccf03 2.0b11 replay remailer at replay.com e3e2b4d67314b6165ee03b0b0ae07a7f 2.0b11 hacktic remailer at utopia.hacktic.nl bf61835a7b3cfa59c409caeab4e8a222 2.0b11 crynwr remailer at crynwr.com 64c62de6b347b3050fbb6e94c649112d 2.0b11 q q at c2.org c44e1cb0f0709465c21b07ac972bf973 2.0.1 ecafe-mix mixmaster at remail.ecafe.org fff0d827161069a26ca44dead777c9ec 2.0.1 amnesia amnesia at chardos.connix.com f37b7c77cd62ede86abb6e10c09601c1 2.0.3 black-ice mix at black-ice.gateway.com 42048f5769ecdd8df71abf49389fb3ac 2.0.3 yap remailer at yap.pactitle.com cb0ffde1d93706502e3b9a2dea3b12cb 2.0.3 alpha mixmaster at alpha.c2.org fb2afc9b497be22ad18abf1c41996eb0 2.0.2 lead mix at zifi.genetics.utah.edu a76c3fda7294a6695c5e6a931d1c0b73 2.0.3 gondolin mix at remail.gondolin.org ed590656117439564465d5cc539864ad 2.0.3 nemesis remailer at meaning.com f59733a7f257900b09eb138764259a38 2.0.3 mix mixmaster at remail.obscura.com db91418edac3a4d7329feaee0b79c74f 2.0.1 -----Begin Mix Key----- db91418edac3a4d7329feaee0b79c74f 258 AATL25WGQY5CMM0/xBjYtuN6IT75h+aBQwwKqZZc isOrqdsl8HWAzARrB0iAtcr34c2qqPBzSRNa5UE8 d3jOYu/wp9K9M5abUSRogcDl7gkPlqxc+e72SdKd 2Gdgib8VDGVLpJdaPk4uSY/pkmsYB30OaQH3W8dU PPciTvSJKAYcTQAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- vishnu mixmaster at vishnu.alias.net bb460f08811a98682def423d30852d11 2.0.3 -----Begin Mix Key----- bb460f08811a98682def423d30852d11 258 AAShg2h4xGHueryUFNsFBbtSGZBcj+oDImFMkOZA EQPcbeG6ReEnTnoQ8HBgwtx9isMT9hZ93lBaRY07 ygupHQRi6f+FnlQEZTKqOe+8E+WyDx+ox/1ywgt+ KGFOW+t8WRXA/loKuqD0KH4pwpe7FYE0arGbtm4J EscGM2DE3TeS3QAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- knight mixmaster at aldebaran.armory.com 6bb0d89a29fd188c67b8e04516b5af33 2.0 -----Begin Mix Key----- 6bb0d89a29fd188c67b8e04516b5af33 258 AATOSyg7N2PVg9VgA8voDWglq6ESNBLqH0heB2iE NfvmR/VnyAHCb4ZBtHzvM7ZRBdXYmH/Jt490wg6O ZCbhcIceFKSsibLEH77+111isAhUbHvn0Nh9gOI7 5ngjOGDQaLQvGUbNHRXQaPAZ0rc4lv9gmChJONOJ 7sFC2J96QR4aewAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- rebma mixer at rebma.mn.org e7d84921298b0aadaf8f050d145ccf03 2.0b11 -----Begin Mix Key----- e7d84921298b0aadaf8f050d145ccf03 258 AASjOGqzTLdjweTMiwirrpVNqXj/ODJVyh9pEo5i q5ERILOd1hMNKY9XLNFYM30mUR/Fkh0MnYI/ujWz OTb0rR2a31nvmaLMdaB75nTdGJwHitCmo8k2eTjL XQsXV6zKrzXGp8H8NO34DAFWJy1qVcev+6lLAWGy j/fsJJyJNtl94wAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- replay remailer at replay.com e3e2b4d67314b6165ee03b0b0ae07a7f 2.0b11 -----Begin Mix Key----- e3e2b4d67314b6165ee03b0b0ae07a7f 258 AATZBfJhv+DGg4OEfQfgVnzZZpumEZHI9CES+Ux2 dBp9RBPpJnAtLpcAyCIkNjSaik0togcKhFgcR3nt XIrWclJ/uO/Z1fqW7ESLwzXozCpqnG5S/y6mUPuL yzA9bqtAGd+pvxuK/Cw2Zzx+1QGp0VtWb46KxqvC S4POHYFljkrQiQAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- hacktic remailer at utopia.hacktic.nl bf61835a7b3cfa59c409caeab4e8a222 2.0b11 -----Begin Mix Key----- bf61835a7b3cfa59c409caeab4e8a222 258 AATkwgy72zwwavCHn1OytNMsBYAIBnCFa2hcbZPi IN6eS4jDgFdld5DlcqqzdN6Lxv96i0Dg7ElFyAFR 5zmof3oaNqh5vbq/fTEbvFtX9EGyuqkfN6fKoAEv G7gtmkfosoIg/jnI8AL9KC/J5mGaxrWYB6XBe+v9 iI1pOSbPsDCsdQAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- crynwr remailer at crynwr.com 64c62de6b347b3050fbb6e94c649112d 2.0b11 -----Begin Mix Key----- 64c62de6b347b3050fbb6e94c649112d 258 AATLe0CWPSn844FCeL7FzUlf+vE2qfYBPs/8PYYm BfITjknJjD0dk7vXhX9Qc5PFgDWRHhVoIRlFT3sc Jp2UVFLOZ5zn/WiT9Wa1tZsqejDf3MRIDT/K6cHB uB/SUaxLzNfk/wG1uBTUHukdjwCyDxNLHuYA5mVz opYJhQR0Nc/ESQAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- flame remailer at flame.alias.net 8b52e01256d96db2cefb21a081c64d34 2.0.3 -----Begin Mix Key----- 8b52e01256d96db2cefb21a081c64d34 258 AASr5mNwBYFstmsTI7cPjGSLwLc35A3dmh8jHzAF ixoCn8jCc2ZAfD4WnxcwS0UYcpU0oSYZJhLrIBzq VFNWu+C5+ayJMWBW1xr86TJLX/sNSeQBrnUqbKvF CQW69RZzwNybGtlaPNdqhlJLc1Hr50iZOMykDbu5 hT4SY9gw+YvJHQAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- q q at c2.org c44e1cb0f0709465c21b07ac972bf973 2.0.1 -----Begin Mix Key----- c44e1cb0f0709465c21b07ac972bf973 258 AATDBaiKBy4jPlRUIQmVvcjO/GhWLbsls+mKloml 5EScYl+3fGw04P4xVcWOSledFVxKVfNy+xTVI8pE XGXSr0cRUIa1NttzNPk/KObb5SvkeqGtWAyRiWBS G91MkWM6LbqzKPcu6gUON47wJCJCzdvgbUIeVJIT MnyBvMWJX5CKAwAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- secrets secret at secret.alias.net 834795b553fa43cbf33bea8f490a2b77 2.0.3b6 -----Begin Mix Key----- 834795b553fa43cbf33bea8f490a2b77 258 AATXbdk8pTt2maDkz/dtKniKIOgGnVt9HPpf85HY Aau2yuMlwupuN4c+XwLzO1hvdKOIkrJWZagWkmZ2 irSV5sxf0vI8JZ+iKx9T+aoQJLUaBsWTUrLh24kP +IUkVL8AmIkk+grFDdzkS2MmfpP707tlgZB4KWkk uvjUPmBySSgS8wAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- ecafe-mix mixmaster at remail.ecafe.org fff0d827161069a26ca44dead777c9ec 2.0.1 -----Begin Mix Key----- fff0d827161069a26ca44dead777c9ec 258 AATgcIZ9GIj6VEZ2UmDO9BGmGVY5tZHVQp+2rChG 0E+lcD8lrHlWGwc/ea9Ycj8z2HGdWZl5ptXqfabf YenIyO7YRr7teAzAAFmkBuwgBGUcpJUvIOjWlXBo OGnku0AQYqOBDZSfknT+dAP01N82qDN13E6dUhEW /0hdDNVghmsy2wAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- amnesia amnesia at chardos.connix.com f37b7c77cd62ede86abb6e10c09601c1 2.0.3 -----Begin Mix Key----- f37b7c77cd62ede86abb6e10c09601c1 258 AAS6A7+7R0y0piA6pLPMX1ZzaLOt2pWFt4LsSfiu hQty8V0SgfdYv5bKc2BGtfl0kLNAOG8dtyJ0TNQO i6ZQJeZySwH6bKXrUM25VpdOmreXdzO/8vIezmOC BfEh+vZE209WFiLBXwohqvwOIiMAYJGYDRB53Coq Afzn2HCG9sQ37wAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- anon mixmaster at anon.alias.net e3ca4cc5beb9934ae6d52dd27da80332 2.0.2b -----Begin Mix Key----- e3ca4cc5beb9934ae6d52dd27da80332 258 AATZuNYrX4bw6A01PA00qMr7KeJsnHIq9wYoSc5P OrHUEvPUoCxmLfuhwF9eEfSkV4t9DLPIMhKXM4iL Afhv2IZKeWaA98q4NHb6E7Gg6/e6uCI1O3nmXXK8 la4ij9RneCHig5K6JlCh3MJTkuW/IEYQjMrz2/H5 RUDEwx+/HL5K0QAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- black-ice mix at black-ice.gateway.com 42048f5769ecdd8df71abf49389fb3ac 2.0.3 -----Begin Mix Key----- 42048f5769ecdd8df71abf49389fb3ac 258 AASk6EDjLhIJpCRcnBHobRpu9rZrOtroaYlJNjI1 nJOGJkd9nlPHUGxqJcMcbxvvo81xyxtPtUA1TKsp ch+hcZaibCgRoYxlMPW4QmhVr1Tl3jwyl+wBu4iT OjoKklzy+1JW6YYMLwRi1z+Mr9EMdaWmTxrvDVDH QeorT8rGoGNILwAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- yap remailer at yap.pactitle.com cb0ffde1d93706502e3b9a2dea3b12cb 2.0.3 -----Begin Mix Key----- cb0ffde1d93706502e3b9a2dea3b12cb 258 AATdIV0XBb1lsaP9/vKMvpIL9v4bxvcIgWZ0I4is Xt2ZO3HXeDMCFJav+qBuoXOAsNxNImS+qGBS39sc 8fPKfQVnNpfN01ZnISyx+Bdak2bwcmpjE0enU+iN 5O5gfrIiJ65WOwBrXY1G0Q3g+fm84VOMUnU5QnMa dsVqQ6fdlYuEdQAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- shinobi remailer at shinobi.alias.net ab3c9b8f6c593ec7af312f5cfec49a9b 2.0.3 -----Begin Mix Key----- ab3c9b8f6c593ec7af312f5cfec49a9b 258 AATwDaZIFy/Qcp83lZ1BDAsdrddG1Zju8EUqpTD9 5p/d33O2i4yfHGqy2v61N/tp7YcrEBCA4w2arPL5 DC4zGxQaNe62ysu5VdZNqMaoc63xsSiAVovsf7I/ SBqCdLLkN/WYQewVTAsvUEEWp/Al42bibuXUSoa4 b5qDNXiPbM42NQAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- alpha mixmaster at alpha.c2.org fb2afc9b497be22ad18abf1c41996eb0 2.0.2 -----Begin Mix Key----- fb2afc9b497be22ad18abf1c41996eb0 258 AASlwbleW75llQtd1BAtm87lMgEyQXqzNoceouI1 CcFfermHFbNoyD6kRoG9hyVpgFph6Xx3AYTqwMcp GaHNdFdU35ANXKo4BCC+oMzplca7JJ2tzOdDpRgp DZhMtMtBmIazxxj7VHMe28SNvxNWz1FSCgX0lCBG oDjg6TJAoZeBZwAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- lead mix at zifi.genetics.utah.edu a76c3fda7294a6695c5e6a931d1c0b73 2.0.3 -----Begin Mix Key----- a76c3fda7294a6695c5e6a931d1c0b73 258 AATH5fR56oEcdVRNn2SrjJ4XsoWb+lP2E2GgGdgI 2A3//3ctBkQ13xb5MHOfix8ra63PZmeCrK+6QbbV Ql1iwboMMaWz8NPmNpQz2K0/vnTnp8tWEyL5vo95 jlRmACXPefXdLOzszAgfMn02rzzXrq+9AnaUAUxD idxVglBkXRkriwAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- gondolin mix at remail.gondolin.org ed590656117439564465d5cc539864ad 2.0.3 -----Begin Mix Key----- ed590656117439564465d5cc539864ad 258 AATXSsts2yKvzw3LUZ7ZhW7a66vr236RzIucoPIl PSNoWhlGEgo0kx28MjepovxOz/CSUwYOC+9McFOE oX1xxMag0FiyOXg+pj8NGZj3JVLU3wqTA4aTsoWd njGRlqYen31TbWMh+BOdjqRJXUUHF5U+/acbmsdE njjw+6DFw8PkpwAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- treehole treehole at mockingbird.alias.net 2c9f098377bf4f068751683f803834f5 2.0.3 -----Begin Mix Key----- 2c9f098377bf4f068751683f803834f5 258 AATbAJfluLcAdyjxCbL3inzUHRbarWgLZRzIILCZ rtIYBpw/lGC6AcEJpheq/gl7r1f60B2CPNPTpMZb GJHAQnPUyTRZ9PNJ+UBExaFYUABOR06Nz392K9Gx mBZDrWDqb/q/c5wHp8PSGpfTiSCF9awWctuSsT3e S4W9kpCaxRweewAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- nemesis remailer at meaning.com f59733a7f257900b09eb138764259a38 2.0.3 -----Begin Mix Key----- f59733a7f257900b09eb138764259a38 258 AAS9p2Sdua2d0mtVhhj0qS+RZzawvOCP4Uo2HZZA R3asMJNIVWQyi0jKnOxnHYAr6EizrUX7GdeVVtQw gcjrqhnf1QWMLCZU0L5418uNmbqswGbIVsTK3nsE ShWieAl61R4EDerMheDDlBkuKLTGkOAs4UTAL+Mf fanvf9nqRolmOQAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- spook mixmaster at spook.alias.net 5c46a4b6c2cf00bfc7f693be81f88554 2.0.3 -----Begin Mix Key----- 5c46a4b6c2cf00bfc7f693be81f88554 258 AATTyAxnMTTfT5rCnOBCajbfwl7Zj32oGPrTxRcj YDbZb/czR3bR6Yb/uEOtJjhz3tq8gkxEt4XAw+gV cdBxsPYTg3VPoPYO1F6CvmWxUwWkgwx+URibZoWN yGcLefH06Wdon7hhQZI3LzpXbL9p4zseVKr4fD5y lpjefLNO2Ww4mwAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAQAB -----End Mix Key----- From Greg_Rose at sydney.sterling.com Tue Mar 5 00:43:23 1996 From: Greg_Rose at sydney.sterling.com (Greg Rose) Date: Tue, 5 Mar 1996 16:43:23 +0800 Subject: Duress In-Reply-To: <199603032311.PAA16326@netcom7.netcom.com> Message-ID: At 2:49 PM 3/3/96 -0500, Dr. Dimitri Vulis wrote: One of the private pilot magazines reported that a small plane operator used the code (because his airplane was, in fact, being hijacked). When he landed the airplane, it was surrounded by LEA, and in the ensuing gun battle, everyone on the airplane died. The went on to say that the safety of the passengers and airplane are the pilot's primary responsibility and that pilots should consider this incident when deciding to use the code. Actually, that is an urban legend which grew out of a real incident. What actually happened was that they thought the private pilot couldn't really have been hijacked, so when he landed *he* was arrested for creating a public nuisance or something. It wasn't till later, when they found the shotgun-toting druggie, that they believed him... Greg Travis was the pilot's name, I imagine AltaVista might find his original posting. Greg. Greg Rose INTERNET: greg_rose at sydney.sterling.com Sterling Software VOICE: +61-2-9975 4777 FAX: +61-2-9975 2921 28 Rodborough Rd. http://www.sydney.sterling.com:8080/~ggr/ French's Forest 35 0A 79 7D 5E 21 8D 47 E3 53 75 66 AC FB D9 45 NSW 2086 Australia. co-mod sci.crypt.research, USENIX Director. From hallam at w3.org Tue Mar 5 00:43:24 1996 From: hallam at w3.org (hallam at w3.org) Date: Tue, 5 Mar 1996 16:43:24 +0800 Subject: NYT login In-Reply-To: Message-ID: <9603040042.AA20426@zorch.w3.org> >The tobacco companies need a forum. And they are used to spending big >bucks on sponsoring things. That misses the point. There is no shortage of potential sponsors. What these people are asking me is "how much business will Web advertising create for me". The Tobacco companies are just as keen as others to know how much value they get from Web advertising as other companies. No one sector of the ecconomy is going to be able to sustain the whole range of Web content. The amounts involved will be of the order of billions. A few tens of millions from BAT etc will not go very far. Pathfinder alone costs $4 million a year to run. Phill From dlv at bwalk.dm.com Tue Mar 5 17:00:49 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Tue, 5 Mar 96 17:00:49 PST Subject: NYT on Crypto Bills In-Reply-To: <199603050354.WAA06580@homeport.org> Message-ID: Adam Shostack writes: > Dr. Dimitri Vulis wrote: > > | Yes - the Markoff quote is factually incorrect. I'm sure he knows better > | than this. Must be the Times editing. > > This mistake has popped up multiple times in his work. I'm not sure > he's aware of it. Well, his address is markoff at nyt.com and he does read his e-mail. I wonder if he's on this list? Probably not, too much noise. :-) (I also spoke to him on the phone a few times some years ago, but have no idea what his # is.) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From weidai at eskimo.com Tue Mar 5 01:43:28 1996 From: weidai at eskimo.com (Wei Dai) Date: Tue, 5 Mar 1996 17:43:28 +0800 Subject: SEAL cipher info requested (something actually list related!) In-Reply-To: Message-ID: On Mon, 4 Mar 1996, Christopher Allen wrote: > At 4:27 PM 1/27/96, Anonymous wrote: > >Anybody have info on the SEAL cipher? I can't find any > >descriptions or analysis of it. Refs, proceedings or URLS > >would be a good thing. > > I also am interested in references to it. I believe it was presented at the first Cambridge security workshop on fast software encryption. Author: Cambridge Security Workshop (1993). Title: Fast software encryption : Cambridge Security Workshop, Cambridge, U.K., December 9-11, 1993 : proceedings / Ross Anderson, (ed.). Pub. Info.: Berlin ; New York : Springer-Verlag, c1994. Phy Descript: ix, 221 p. : ill. ; 24 cm. Notes: Includes bibliographical referenced and title. LC Subject: Computers -- Access-control -- Passwords -- Congresses. Other Author: Anderson, Ross, 1956-. Series Info.: Lecture notes in computer science ; 809. From sandfort at crl.com Tue Mar 5 03:37:43 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Tue, 5 Mar 1996 19:37:43 +0800 Subject: PARTY PICTURES PLUS Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, This should be my last post about my party [sound of crowd cheering]. Because several of you wanted more info about the pictures and/or felt slighted by the file identification tabs, I have added additional information: http://www.c2.org/party/masquerade/ Enjoy. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From PADGETT at hobbes.orl.mmc.com Tue Mar 5 03:39:13 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Tue, 5 Mar 1996 19:39:13 +0800 Subject: NYT on crypto Message-ID: <960304183355.20202bb5@hobbes.orl.mmc.com> >I thought that, for the most part, the telegraph systems described >above were to reduce cable charges (1 code word instead of a 15-word >sentence, a huge savings in those days). Was one use however I seem to recall citations dating back to Niccolo Polo reguarding the use of trade codes & that was a while before the telegraph. If I were really curious, would also check out Reuters, Lloyds, Rothchilds, and the Borgias. Would not be surprised to find a reference in either/all "The Prince", "The Art of War", and the letters of Nathan Hale. However I suspect that Markoff really meant to be referring to mathematical algoritms such as the LOASDR. I suppose that only dates back to the diameters of stygi (sp ?) about the same time that passwords were first recorded (and changed daily). Warmly, Padgett ps if anyone has a spare LOASDR or CMSDR, I would be interested 8*). From jya at pipeline.com Tue Mar 5 03:39:55 1996 From: jya at pipeline.com (John Young) Date: Tue, 5 Mar 1996 19:39:55 +0800 Subject: Assassination Politics 9! Message-ID: <199603050004.TAA28837@pipe1.nyc.pipeline.com> On Mar 04, 1996 14:45:02, 'jim bell ' wrote: Mr. Bell, The Economist terrorism report is unusally thoughtful and open-minded, and considers the benefits of savaging innocents from the perspectives of a variety of deeply held beliefs. But after revewing the plenitude of those who have murdered for understandable motives, it does point to a very small group who truly lack any rationale for earthly comprehension. Not that I want to get on your "Shit, shoot that fucker" list, but take a look at it to double-check that you're not skydiving into the wrong maelstrom. It's pretty long, but I'll gladly scan it and send it along. If not that, read Tim's pithy warning today about shit-stormtroopers provoked by the daredeviltry of extreme-unctuous freedom fighters. From adam at lighthouse.homeport.org Tue Mar 5 03:46:51 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Tue, 5 Mar 1996 19:46:51 +0800 Subject: NYT on Crypto Bills In-Reply-To: <199603041810.KAA07446@fionn.lbl.gov> Message-ID: <199603042349.SAA04471@homeport.org> Michael Helm wrote: | On Mar 4, 3:09pm, Adam Shostack wrote: | > Markoff shouyld know better than this. There is a long | > history of business use of codes & ciphers, going back hundereds of | > years, and durring the heyday of the telegraph, there were fair size | > companies that created codebooks with (locally configurable) | > superencipherment systems for the market. | | I thought that, for the most part, the telegraph systems described | above were to reduce cable charges (1 code word instead of a 15-word | sentence, a huge savings in those days). Maybe it's the use to which | the encoding's put that's controversial, not the (idea of) encoding | itself. This is true, the codes were designed to minimize telegraph charges. However, many of them also contained systems (of varying quality) for protecting the privacy of communications. For example, one might buy a book without page numbers, and be encouraged to arbitrarily number the pages. A code entry would then be page indicator and position on the page. Not diplomatic quality, but considering the poor state of commercial cryptanalysis at the time, fairly effective at protecting business secrets. My copy of Kahn is on loan, so I might be misremembering things. Speaking of old crypto, I haven't heard anything on where to find a Jefferson wheel cipher. Does no one know? Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From tbyfield at panix.com Tue Mar 5 03:47:46 1996 From: tbyfield at panix.com (t byfield) Date: Tue, 5 Mar 1996 19:47:46 +0800 Subject: Assassination Politics 9! Message-ID: At 2:45 PM 3/4/96, babybell at pacifier wrote: >Most traditional "terrorism" (as least "traditional," by the standards of >the last 20 years) is thought to involve relatively unfocussed attacks >against people and locations, but in situations where attacks against >selected government officials would be far more selective and effective. <...> >Since I propose exactly that kind of replacement, I am presumably not the >most ingratiating figure to these people. Now I understand why you seemed to be "not the most ingratiating figure"--you must've nominated me for assassination. oooo$$$$$$$$$$oooo oo$$$$$$$$$$$$$$$$$$$$$$o oo$$$$$$$$$$$$$$$$$$$$$$$$$$$$o o$ $$ o$ o $ oo o$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$o $$ $$ $$o$ oo $ $ "$ o$$$$$$$$$ $$$$$$$$$$$ $$$$$$$$$o $$$o$$o$ "$$$$$$o$ o$$$$$$$$$ ** $$$$$$$$$ ** $$$$$$$$$$o $$$$$$$$ $$$$$$$ $$$$$$$$$$$ $$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$ $$$$$$$$$$$$$$ """$$$ "$$$""""$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ "$$$ o$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$o $$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$" "$$$$$$oooo$$$$o o$$$oooo$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ o$$$$$$$$$$$$$$$$ $$$$$$$$"$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$"""""""" """" $$$$ "$$$$$$$$$$$$$$$$$$$$$$$$$$" o$$$ "$$$o """$$$$$$$$$$$$$$$$"$$" $$$ $$$o "$$""$$$$"""" o$$$ $$$$o oo o$$$" "$$$$o o$$$$$$o"$$$$o o$$$$ "$$$$$oo ""$$$$o$$$$$o o$$$$"" ""$$$$oooo "$$$o$$$$$ $$$""" ""$$$$$$oo $$$$$$$$$ """$$$$$$$$$$ $$$$$$$$$ $$$$$ From adam at lighthouse.homeport.org Tue Mar 5 03:48:46 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Tue, 5 Mar 1996 19:48:46 +0800 Subject: A brief comparison of email encryption protocols In-Reply-To: <199603011603.IAA16596@slack.lne.com> Message-ID: <199603050003.TAA04555@homeport.org> Eric Murray wrote: | > key://foo.bar.com/{u,s,h,d}/family/instance | While that would be useful in a lot of cases, I would hope that | all that path gunk wouldn't be required.... most people would | have one key, at least initially, and so a simple | | key://foo.bar.com/username/key.asc | | would be enough for them. I wouldn't want to prevent people | from using your system, in fact it's a good idea. I just don't think | that it should be required, just recommended. | Something else to add would be a specifier for the type of key, i.e. | | key://slack.lne.com/pgp/ericm/key.asc I'd either move that later in the structure, or leave it out. Moving it later in the structure so we don't need duplicate heirarchies. Leaving it out may be ok because we can define a standard location by key type: key://slack.lne.com/~ericm/key.asc key://slack.lne.com/~ericm/key.x509 key://slack.lne.com/~ericm/x509/key.cert key://slack.lne.com/~ericm/pgp/key.asc I have no objection to defining a shorter URL, but would want some indicator that we're in user space, not host/domain/realm space. A ~username serves that purpose as well as /u/ and is a more common usage. My last comment is that if we define a URN scheme for keys, we should force a dependable structure on it, so that its predictable where to find a users PGP key from an email address, without having to check 6 locations. Nothing is there now, we should require order to make everyones life easier. | Finally, a question: should the keyserver be able to serve | keys in a way that is secure from a MITM attack, or can it depend | on the certificate chain in the key certificate itself to | validate the key certificate? I think it can, but I am not | sure, so perhaps someone smarter than I can explain why, or why not. | | The attraction is obvious, if the key server doesn't have to | validate the keys it serves, the whole problem of distributed | key servers becomes much easier. A key server should serve keys because protecting from MITM is hard. Serving keys is easy, so we should solve that problem today, and the other problems as we can. Some infrastructure is better than none. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From dimitrt at dcs.rhbnc.ac.uk Tue Mar 5 03:48:56 1996 From: dimitrt at dcs.rhbnc.ac.uk (Dimitris Tsapakidis) Date: Tue, 5 Mar 1996 19:48:56 +0800 Subject: Diffie-Hellman for Matchmaking? Message-ID: <199603042327.XAA19170@carol.cs.rhbnc.ac.uk> Ok, I am reposting this, with more detail this time. Hope this answers the two questions I received. I want to design/find some matchmaking protocols. I define matchmaking as follows: Bob must find out whether Alice has declared (commited) her interest in him, if and only if he has declared (commited) his interest in her. Before he does so, he can at most know that a girl is interested in him. Another description: Bob and Alice can have a date if they both commit to each other. If only one commits, nobody will ever find out about it. Below are the protocols I came up with. They all depend on the Diffie-Hellman "common key" as derived in the DH key exchange. - T is the trusted third party. - hash_k() is a keyed hash function with key k. - pseudo(Alice) is a pseudonym for Alice. - n is a large prime. - g is a primitive element mod n. - A is Alice's secret exponent. Her public key would be g^A mod n. - Alice's and Bob's "common key" would be g^(AB)mod n ---- 1. The mediated off-line one: - T selects a secret k (which he uses for the duration of a month, say). - Alice is interested in Bob, so she calculates a=g^(AB)mod n and anonymously and securely sends it to T along with pseudo(Alice). - T calculates c=hash_k(a) and broadcasts c and pseudo(A) to the planet or puts them on a bulletin board. - Bob is ignorant of Alice's actions. If he ever decides that he likes her, he calculates and sends a=g^(AB)mod n to T (plus pseudo(Bob)). T will calculate hash_k(a) which equals c. T broadcasts c plus pseudo(B) so both Alice and Bob will know they have a match. If Bob is not actually interested in Alice, he doesn't perform this step at all, so nothing happens, and Alice just assumes Bob is not interested. Replay is not an issue here. 2. The mediated on-line one: - Alice is interested in Bob, so she calculates a=g^(AB)mod n and ANONYMOUSLY approaches Bob. - Bob calculates b=g^(BX)mod n, where X may or may not be Alice. If Bob is not interested in anyone, he could tell Alice to leave, or select a random X while calculating b. - Alice and Bob want to compare a and b. They generate a random k using some coin-flipping protocol. Then they send (possibly pseudonymously) hash_k(a) and hash_k(b) to T who compares them and announces the result. Using a keyed hash function reduces the trust on T, compared to protocol (1), I hope. Now, T has to conspire with one of the parties to get the "common key". I suspect this can be improved using the Digital Envelopes protocol as described by Fagin, Naor and Winkler in "Comparing information without leaking it" to replace the hashing. 3. Non-mediated on-line one: This third protocol would remove T in (2). Alice and Bob would compare their "common keys" directly. The problem here is fairness i.e. to ensure nobody finds the result of the comparison first. If this was possible, people could "probe" other people's interests and terminate the protocol as soon as they find the answer (i.e. the result of the "common key" comparison). I think ZK protocols would be of use here. I am still working on this one. ---- Assume that in any of these protocols Alice calculates her "common key" with X: a=g^(AX)mod n which means that she is interested in X. The reason a must remain sercet is that if X learns it, he could calculate all possible b(Y)=g^(YX)mod n until he finds a Y such that b(Y)=a, in which case he will find out Alice is interested in him. Note that X will not try all possible values for Y, but will use the public keys of all the girls, instead. I would appreciate any comments on these protocols and on the use of DH "common key". Dimitris -- Dimitris Tsapakidis PGP keyID: 735590D5 dimitrt at dcs.rhbnc.ac.uk MSc in Information Security, This space reserved Royal Holloway, University of London for future use. Origin: Thessaloniki, Macedonia, Hellas From perry at vishnu.alias.net Tue Mar 5 04:14:45 1996 From: perry at vishnu.alias.net (John Perry) Date: Tue, 5 Mar 1996 20:14:45 +0800 Subject: (Fwd) Gov't run anon servers In-Reply-To: <199603041852.KAA01295@jobe.shell.portal.com> Message-ID: <199603051202.GAA21522@vishnu.alias.net> -----BEGIN PGP SIGNED MESSAGE----- >>>>> "Hal" == Hal writes: Hal> However, if I were a computer-savvy law enforcement agent, Hal> and I wanted to track messages through one of my remailers, I Hal> would try a technological approach. I would first break the Hal> key for my remailer. That is trivial. The passphrase is in Hal> PLAINTEXT in the script file which runs the remailer!. It Hal> has to be. That is true of all automated remailers. Anyone Hal> who can break into the remailer server and acquire root Hal> permission can find the remailer secret key. My keys have Hal> been unchanged for three years. Surely some enterprising Hal> hackers have stolen the keys by now. Well actually... The passphrase in a mixmaster remailer is defined as an environmental variable at compile time. The passphrase is not stored in any cleartext fashion but is embedded in the executable. Additionally the newer Ghio code (Matt's latest revision) has the passphrase defined as an environmental variable in remailer.c. Once remailer is compiled, you can delete the passphrase from the code. I can't speak for the freedom or other remailers as I haven't tried them. It's a little harder to get the key than just looking for a cleartext file that contains it. That is, if the remailer operator is being careful. John Perry - KG5RG - perry at vishnu.alias.net - PGP-encrypted e-mail welcome! WWW - http://www.alias.net PGP 2.62 key for perry at vishnu.alias.net is on the keyservers. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMTwtPqghiWHnUu4JAQGN6wf+NWPn++V/D1kFCp71kDLTe/pNA97n+21L RLaOxWkq7+9K1zBIFHrzQYpJa9msud75gpNUq1s1LxzJAPY0BlCNIvqby9e7DMA/ aM6hhPUoQwljZ4SmE6ZmdFfPHz9ZchVclKUpepTv0melLEpc8Pv62eA9X1iFQMam exIbObjYD1AFYp/6O5tAKh4m+mC0bmH64O4zkXLp9tbDKUPDjdkdN9lOMfjO1oFj xJ+LCwtyA9YZxsD7GBklcd46ltiEQyrpV8PjwNJAvfIvPnplyfsvxBpg58zOF7t6 JGBj5DVk1Eyaw4sIMK6a9y/aDmkyVJVQVYozMigSS+UPKJsMCLQQFQ== =qrrn -----END PGP SIGNATURE----- From ichudov at algebra.com Tue Mar 5 05:42:23 1996 From: ichudov at algebra.com (Igor Chudov @ home) Date: Tue, 5 Mar 1996 21:42:23 +0800 Subject: Mainstreaming PGP on Usenet In-Reply-To: <3JJakD38w165w@bwalk.dm.com> Message-ID: <199603050645.AAA14546@manifold.algebra.com> -----BEGIN PGP SIGNED MESSAGE----- To: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Cc: cypherpunks at toad.com Subject: Re: Mainstreaming PGP on Usenet Dr. Dimitri Vulis wrote: > > ichudov at algebra.com (Igor Chudov @ home) writes: > > Dr. Dimitri Vulis wrote: > > > One issue that hasn't been addressed by the s.c.r.m robomod is the > > > possibility of persistent nyms: that is, Alice D. Nonymous somehow makes > > > her public key known to the robomod; and later if someone submits an articl > > > via some anon remailer claiming to be hers, it would be rejected if the > > > signature doesn't check. Of course, her true submissions would be accepted > > > from any remailer. How could such protocol be implemented? > > > > We see no problem with user posting under pseudonyms, as long as they do > > not try to pretend to be other real people and do not constantly mutate, > > and submit their messages to the robomoderator for consideration. > > On the contrary, I was thinking of a situation when a person is posting through > an anonymous remailer, yet wishes to establish a persistent nym that can't be > impersonated. E.g., someone may submit articles via remailers (different every > time) and have a signature 'Alice D. N.'; what's to prevent someone else from > submitting an article and also signing it 'Alice D. N.'? > > I was thinking of allowing the user to add a 'From: ' in the first > paragraph of the PGP-signed block. To establish the nym, Alice would first > post her public key under the name of Alice; then she would post things like > > From: remailer at somewhere > > -- begin pgp signed msg > > From: Alice > > ... > > This would also address the problem of someone's misconfigured system where > his submissions appear to come from moron at camelot.ptu.edu or > moron at pendragon.ptu.edu or some other random hostname. > As far as I understand, the problem boils down to this: Nym users want to have an identity (belief of other users that a set of articles originating from many anonymous addresses were in fact written by one person). At the same time, we want to prevent users who do not have a permanent return address from using addresses of other persons. One of the problems with allowing users to specify return addresses in the letters is a possibility of forgery: what if Mallory at evil-services.com posts a MAKE MONEY FAST message, and specifies that her "From: " address should be Popugaev at get_high.edu? Such posting could get Mr. Popugaev in trouble. Maybe the following rewriting rule may be a good compromise between functionality and security, for PGP signed messages: 1. Original "From: " address is rewritten as "X-Origin" or some such. 2. "From:" address is always set to the main user ID of the PGP key that was in the signature. 3. For "Reply-To: " we use "Reply-To: ", if it is present, then we try "From: ", and if "From: " is not present, "Reply-To: " is not set. 4. If "Subject: ", "Date: ", "Message-ID: ", or "Newsgroups: " is present on the block of pseudo-headers starting with the first line of the text, use them instead of trusting the headers of an email. This way, we achieve the following results: 1. Positive and reliable identification of users is possible to every reader of soc.culture.russian.moderated, not only to moderators; 2. Users gain additional protection from man-in-the-middle attacks by using well protected pseudo-headers withing PGP signed blocks; they cannot misuse this feature by lying about who they are; 3. Those who do not want to bother do not have to; 4. People with misconfigured email addresses may have at least some address field ("From: ") set correctly. 5. Nyms can post freely through any anon remailers and always have their identity show up in the "From: " field, even if remailers do not allow users to specify their identity at all. Note that I agree that we need to have a database of MD5 checksums of all submissions and carefully process duplicates. What do you think? - Igor. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMTvi6MJFmFyXKPzRAQGEMQP8C4V9gCs5REc5hez0gRP7bXn9NGV5S/6l fxJo4SPmCBdWxn+msLxchbrho/hlhcUMaPuswcnacgrqEAyd1H4yIiMyZ1s6z06e 0q6WQ8QUy/E1nrc4lCSXKUBYB8MV/SGlynxxq3X9T2eF2lmnoArWj4QpfcVgk9RR HvcvpK3GWuA= =OXCv -----END PGP SIGNATURE----- From 100022.3167 at compuserve.com Tue Mar 5 06:28:43 1996 From: 100022.3167 at compuserve.com (Tim Fulbright) Date: Tue, 5 Mar 1996 22:28:43 +0800 Subject: Truelly Random Numbers Message-ID: <960305135536_100022.3167_EHV125-1@CompuServe.COM> Now I, a lurker for two months, am truelly confused! L. Deitweiler must be right. Surely one of you cyperpunk fellows could hack together a dongle with some kind of AD converter and buffer ram to gather a Truelly Random Bitstream off the environment every couple of milliseconds easier than this raindrop scheme or recording the fan, you're haviung me on!. Let's go back fifty years and get a vacuum tube to fitfully flicker? I who know next to nothing about electronics suspect there is surely enough noise present in electornic devices to gather a random bitstream that you could chop anywya you needed? Anyway, y would you need a WAN for constant raindrop number generation when you could just set up your random number node out in LaPush or up in Volcano sampling every minute ot so : ) ? My second overall question is, isn't the emphasis on encryption of e-mail and e-mail emposters somewhat shortsighted? What if, for the masses which is all that counts, e-mail migrates to voicemail? The issues aren't the same with voicemail, eg PK validation problems go out the window since voicemail validation could take the form of an PK encrypted voicegram. . Something the matter with that? It might also prevent robots from posing as persons while still allowing aliases.. Please pardon this interruption! I really do admire the frankness and quality of your newslist, its democratic open discussion on the most vital political issues facing our time ; but after reading your mail I think that either I need seriously wising up, or, somebody must know where the real newsgroup is! -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2i Comment: Requires PGP version 2.6 or later. mQCNAzBzoaUAAAEEAKwZn14pn79xPqUJW5SbJqU/B1uEtD29xe4/nXedIlc66yt0 +Zh8t/LZtO8CAQn4N5tqzN+cW0ot4yfB1lV2HYOkLCqtfeGqrZbv0q8auR0OV8fQ NvHRdlK5fbZKtFKzEA1y/eh5BQv6pq9YDsoScNdORuynOFYo60208YzGKULxAAUR tEJUaW1vdGh5IEZ1bGJyaWdodDwxMDAwMjIuMzE2N0Bjb21wdXNlcnZlLmNvbT48 Wys0NCwgMF0gMTc4MjYxMTY1MT4= =gSuk -----END PGP PUBLIC KEY BLOCK----- From frissell at panix.com Tue Mar 5 06:49:12 1996 From: frissell at panix.com (Duncan Frissell) Date: Tue, 5 Mar 1996 22:49:12 +0800 Subject: "Physical Reality III" Message-ID: <2.2.32.19960305141212.0072c8f4@panix.com> Bad Boys, Bad Boys Whatcha gonna do? Whatcha gonna do when they come for you? Bad Boys, Bad Boys repeat endlessly. We did 3) last Wednesday. Here are some more points. 4) There must be a you. In order for the Bad Boys to come for you, you have to exist in a form that can be "come for." This is tricky in a world in which "processes" can be spawned more cheaply and easily than guppies. Students of military tactics know that the basic tactical reality is the force ratio. This can be looked at in two parts: 1) the ratio of attackers to defenders (or rulers to ruled in the civilian world) and 2) the ratio of soldiers/law enforcement personnel to space. The lower the ratio, the less effective the force will be. As the Bad Boys confront cyberspace, they find both types of force ratios turned against them. As we discuss here, there are more "defenders" to attack and as we shall see under point 5) below, there is much more space to try to rule. Before there was cyberspace, there were front companies. In the wondrous Anglo Saxon legal system; people, sole proprietorships, partnerships, trusts, and corporations all have somewhat equal and independent legal existence. People, sole proprietorships, partnerships, and trusts can all be created without securing permission from any authority. They come into existence by simple act of will. In times past however, the creation and maintenance of these entities took a bit of time. In a practical sense, a person could only create an maintain a limited number of such "legal persons." The wonder of automation is that the creation of entities becomes much easier and cheaper. Software agents are just one of the new sorts of entities that we are capable of creating. There are also the effects of applying automation to traditional entities. "Let a thousand trusts bloom." In addition to entities created for business purposes, the authorities will have to deal with entities created for entertainment and charitable purposes. This leads to a vast increase in the number of entities who act and who may violate laws and who must, therefore, be subject to control by the Bad Boys if they are to control things. But it is much cheaper and easier to create "legal persons" these days than it is to unravel them "pierce the corporate veil(s)" and bring them under the control of "law." If the permissions aren't set right, it will be very difficult for the authorities to pierce the corporate veil of net-based legal persons. Software processes are hard to arrest and harder to coerce. Remember, as long as an entity pays its bills and meets its commercial obligations, it can find a home and continue its "life." Markets don't care much what your nature is as long as they can buy from or sell to you. Official status is not required. In addition to the proliferation of entities, telecommunications lets each of the traditional human actors do more of everything including those things that regulators wish to regulate. And by letting residents from everywhere on earth into everyone's "home" market, telecoms multiplies the number of potential law enforcement targets within popular jurisdiction. As long as jurisdictions are geographically bound, popular jurisdictions (like the US) will find out that they have gained millions of new virtual citizens/residents who must be ruled by US authorities (if that can be done). But with more natural persons "entering" the jurisdiction, with the previous natural residents doing lots more, and a swarm of new artificial persons, the Bad Boys' resources are strained. The more entities to "rule," the less each entity (including natural persons) can be ruled. [If you believe that the control technologies can be scaled up at the same rate as the entity creation technologies, see my later piece in this series: "8) They must have something to do to you when they 'come for you.'"] DCF From matts at pi.se Tue Mar 5 07:09:51 1996 From: matts at pi.se (Matts Kallioniemi) Date: Tue, 5 Mar 1996 23:09:51 +0800 Subject: Looking for code to run an encrypted mailing list Message-ID: <2.2.32.19960305144735.0036ffc4@mail.pi.se> At 23:17 1996-03-04 -0800, John Pettitt wrote: >The overal intent was to have a message go from one list member to all >others with a) a signature to provide strong attribution and a measure of >non repudiation b) low probability of interception c) only the gateway has >to have all the public keys. You could avoid alot of encryption by setting up a key for the list and giving both keys (secret and public) to all the list members. To write to the list, you encrypt with the lists public key. Everybody reading the list can decrypt with the secret key. Pros: No hacking of majordomo. You can use any mailing list software. The key and clear text message is never available to a robot, making it harder to compromise security. Cons: When somebody is removed from the list you have to change the key, encrypt the new secret key with everybodys public keys and distribute it. For a big dynamic list where people unsubscribe daily this could be a major headache. But for small or static lists it shouldn't be much of a problem. From mab at crypto.com Tue Mar 5 07:42:39 1996 From: mab at crypto.com (Matt Blaze) Date: Tue, 5 Mar 1996 23:42:39 +0800 Subject: My letter to Leahy supporting the crypto bill Message-ID: <199603051509.KAA27596@crypto.com> Here is the text of a letter I sent to Leahy supporting the "Encrypted Communications Privacy Act of 1996" being introduced today. I urge everyone to check out the bill (should be online on thomas.loc.gov sometime soon); on balance, I think the bill is a huge step forward and deserves support. -matt Matt Blaze, Ph.D. 600 Mountain Avenue Murray Hill, NJ 07974 March 1, 1996 Hon. Patrick Leahy United States Senate Dear Senator Leahy: Thank you for introducing the Encrypted Communications Privacy Act of 1996. As a member of the computer security and cryptology research community, I have observed firsthand the deleterious effect that the current regulations governing the use and export of cryptography are having on our country's ability to develop a reliable and trustworthy information infrastructure. Your bill takes an important first step toward creating regulations that reflect the modern realities of this increasingly critical technology. Unlike previous government encryption initiatives such as the technically-flawed and unworkable ``Clipper'' chip, your bill re-affirms the role of the marketplace in providing ordinary citizens and businesses with a full range of choices for securing their private information. In particular, by freeing mass-market cryptographic software and hardware from the burdensome export controls that govern the international arms trade, the bill will help the American software industry compete, for the first time, in the international market for high-quality security products. Law enforcement need not fear the widespread availability of encryption; indeed, they should welcome and promote it. Encryption thwarts electronic predators by preventing unauthorized access to private data and computer systems, and the use of strong cryptography to protect computer networks is becoming as natural and necessary as the use of locks and burglar alarms to protect our homes and businesses. While criminals, too, might occasionally derive some advantage from the use of cryptography, the benefits of widely-available encryption technology overwhelmingly favor the honest user. By recognizing that those who hold decryption keys on behalf of others are in a special position of trust, your bill is respectful of the privacy of law-abiding citizens without introducing impediments to the government's ability to investigate and prevent crime. I have also examined the new provision designed to discourage the use of cryptography by criminals in the furtherance of a felony, and hope to see your carefully-worded language reinforced by a narrow interpretation in the courts, consistent with your intent. Again, thank you for your continued leadership in this area, and I look forward to doing whatever I can to help you bring encryption regulations in line with the fast-changing reality of this emerging technology. Sincerely, (s) Matt Blaze From frissell at panix.com Tue Mar 5 11:25:35 1996 From: frissell at panix.com (Duncan Frissell) Date: Wed, 6 Mar 1996 03:25:35 +0800 Subject: Banning Explosive Speech Message-ID: <2.2.32.19960305165645.0071761c@panix.com> "I think that the tax serfs of AmeriKKKa should rise and throw off the chains of their oppression by blowing up their nearest federal office building. Here is how they should do it. Take 16 parts ammonium nitrate and one part fuel oil (that's diesel fuel if you like) mix them together..." Voila. I've just converted a discussion of explosives into protected political speech. I consider it highly unlikely that people will be doing much time for so-called explosive speech. The publisher of Paladin Press *is* being sued civilly in a case of a customer who read his "How to Kill" series a bit too closely and used some of the info contained therein. Civil suits mean little in our medium, however, because the cost of production is so low and there are so many judgment-proof practitioners of net communications. In Sterling's "Hacker Crackdown" (http://www.usfca.edu/crackdown/crack_1.html) he discusses how the seizure of 25 "outlaw boards" by the Secret Service was an electronic example of a Vice Raid bust in which the LE's are not really trying to shut everything down but just trying to "show the flag" and intimidate the rest of the scum. The reason that Vice Raids probably won't work too well in cyberspace is because we are harder to intimidate. There are lots of us, we are spread all over the world, and we can so easily disguise ourselves. Note the ineffectiveness of the recent German crackdown. In addition, we don't think of ourselves as scum. We have friends and a pseudo community, we're not hidden, and we have plenty of support in our own "counterculture." Note too that Lady Di Fi's proposal to ban explosive speech did not try and ban public discussion of same but merely the knowing transfer of such info in criminal conspiracy cases. It would not have reached public web sites or newsgroups. DCF "I think that the American people have the right to see things like this -- Start Marlboro Man Commercial" -- how to beat the Tobacco Ad ban. From hfinney at shell.portal.com Tue Mar 5 11:43:44 1996 From: hfinney at shell.portal.com (Hal) Date: Wed, 6 Mar 1996 03:43:44 +0800 Subject: (Fwd) Gov't run anon servers Message-ID: <199603051656.IAA09065@jobe.shell.portal.com> From: John Perry > Well actually... The passphrase in a mixmaster remailer is defined as > an environmental variable at compile time. The passphrase is not > stored in any cleartext fashion but is embedded in the > executable. Additionally the newer Ghio code (Matt's latest revision) > has the passphrase defined as an environmental variable in > remailer.c. Once remailer is compiled, you can delete the passphrase > from the code. I can't speak for the freedom or other remailers as I > haven't tried them. It's a little harder to get the key than just > looking for a cleartext file that contains it. That is, if the > remailer operator is being careful. OK, I stand corrected regarding the operation of mixmaster. However, this does not gain much security, certainly not in comparison to the effort involved to break a key. It will be just as easy to steal the mixmaster executable as to steal a script file containing a pass phrase. And it might even be possible to run the stolen mixmaster directly to decrypt intercepted incoming mail messages, without even having to type in the pass phrase. Failing that the attacker could easily extract the pass phrase from the mixmaster executable file. The other suggestion that was made here, that the operator would have to manually type in the pass phrase every time the computer rebooted, would be a way of avoiding having the information in the clear on the disk. However it would probably not be a practical method of operation given the reliability of at least the Unix operating systems that I am familiar with. And even then the information is in memory. An attacker who could gain root privileges (and let's not pretend that the NSA can't do that) can dump memory and later comb it for the key information. My point remains that strong keys are pointless for remailers which run on Unix systems connected to the net. Now if you have your remailer on a PC at home, and you're not running anything else on it (like http servers), maybe that is safe. I am not familiar enough with security holes in such a configuration to judge. Probably it would depend on what mail-processing software you run, and the nature of your net connection. Recall that my original comments were in connection with the claim that the government was running most of the remailers. As I said, I still think that is absurd when it would be so much easier to simply steal their keys. Hal From editor at cdt.org Tue Mar 5 12:02:17 1996 From: editor at cdt.org (Bob Palacios) Date: Wed, 6 Mar 1996 04:02:17 +0800 Subject: No Subject Message-ID: ----------------------------------------------------------------------------- _____ _____ _______ / ____| __ \__ __| ____ ___ ____ __ | | | | | | | | / __ \____ / (_)______ __ / __ \____ _____/ /_ | | | | | | | | / /_/ / __ \/ / / ___/ / / / / /_/ / __ \/ ___/ __/ | |____| |__| | | | / ____/ /_/ / / / /__/ /_/ / / ____/ /_/ (__ ) /_ \_____|_____/ |_| /_/ \____/_/_/\___/\__, / /_/ \____/____/\__/ The Center for Democracy and Technology /____/ Volume 2, Number 9 ---------------------------------------------------------------------------- A briefing on public policy issues affecting civil liberties online ---------------------------------------------------------------------------- CDT POLICY POST Volume 2, Number 9 March 5, 1996 CONTENTS: (1) Bills To Relax Crypto Export Controls Introduced by Leahy, Burns, Goodlatte, Others (2) Subscription Information (3) About CDT, contacting us This document may be redistributed freely provided it remains in its entirety ** Excerpts may be re-posted by permission (editor at cdt.org) ** ----------------------------------------------------------------------------- (1) BIPARTISAN BILLS TO EASE ENCRYPTION CONTROLS AND PROTECT INTERNET PRIVACY INTRODUCED IN SENATE AND HOUSE A bipartisan group of members from both houses of Congress today introduced legislation to lift many export controls on strong encryption hardware and software and affirm the rights of Americans to use whatever form of cryptography they choose. The bills, sponsored by Sen. Leahy (D-VT), Sen. Burns (R-MT), Rep. Goodlatte (R-VA), Rep. Eshoo (D-CA), and others, represent a major step towards breaking the stranglehold on encryption technologies which for years has denied computer users access to vital privacy-protecting applications. The "Encrypted Communications Privacy Act of 1996" represents a rejection of the Clinton Administration's invasive and unworkable "Clipper Chip" and "Clipper II" key escrow policies. Under the guise of promoting so-called "voluntary" encryption standards, these Administration efforts have sought to use export controls to compel the adoption of key escrow encryption domestically, and have left Internet users without adequate privacy and security. By relaxing export controls on "generally available" cryptographic applications such as PGP, popular Web browsers, and other programs, the Encrypted Communications Privacy Act of 1996 would encourage the development and use of strong privacy protecting technologies. Major provisions of the legislation would: * Ease export controls on encryption products, allowing the export of 'mass market' or 'generally available' cryptography. This would include products such as PGP or many of the popular Web browser programs. * Affirm the right of Americans to use any encryption domestically. The bills explicitly prohibit the government from imposing any limits on the domestic use or sale of encryption. * (Senate version only) Provide protections to those who choose to store their encryption keys with third parties by creating criminal and civil penalties for the unauthorized disclosure of keys and strict requirements for law enforcement access. The bill does not in any way affect the ability of any person to use encryption without a key escrow function.. The legislation also contains several provisions which CDT believes require further clarification and consideration, including controversial language that would create a new federal crime for the use of encryption to willfully obstruct a law enforcement investigation. CDT will work with Senators Leahy and Burns and Representatives Goodlatte, Eshoo, and other interested members to address these concerns as the bill makes its way through the legislative process. The full text of both the House and Senate versions of the bills, along with other relevant background information, is available on CDT's Crypto Issues World Wide Web page: http://www.cdt.org/crypto/ CDT believes that the House and Senate encryption bills are an important step forward in the ongoing attempts to build better security into the information infrastructure through the widespread availability of encryption. Congressional action is particularly welcome as the Administration has continued to impose a flawed approach to encryption based upon export controls, key length limits, and key escrow policies all aimed at slowing the adoption of strong cryptography in the U.S. and throughout the world. While CDT believes improvements can be made in both bills, they establish a solid framework for building a comprehensive, global cryptography policy. CDT believes the bills deserve careful consideration and support. We look forward to working with Senator Leahy, Senator Burns, Rep. Goodlatte, Rep. Eshoo, individual Internet users, public interest advocates, and the computer and communications industry to develop a cryptography policy that protects privacy, security, and competitiveness on the Global Information Infrastructure. SUMMARY OF THE LEGISLATION: WHAT THE BILLS WOULD DO The House and Senate bills both modify Title 18 of the U.S. Code to clarify the status of encrypted communications, access to those communications by law enforcement, and the liability of third-party key holders. The bills would: * SIGNIFICANTLY EASE EXPORT CONTROLS: The bills would remove all export restrictions on "mass market" or publicly accessible encryption software and similar hardware -- that is, products that are generally available to the public and sold for installation "as is," or that are in the public domain such as PGP or some popular web browsers. (For example, products commercially available "off the rack," or freely available to the public via the Internet, would all be exportable.) Other encryption hardware would be exportable to countries where hardware with similar capabilities is already commercially available. The bills also allow export of other encryption software if it is currently exportable under law for use by foreign financial institutions. * PROHIBIT ANY RESTRICTION ON THE DOMESTIC USE OR SALE OF ENCRYPTION: The bills would affirmatively prohibit any government restrictions or attempts to mandate the domestic sale or use of any type of encryption. * IMPOSE CIVIL AND CRIMINAL LIABILITY FOR UNAUTHORIZED KEY DISCLOSURES: (Senate Version Only) The Senate bill would lay down privacy guidelines to protect those users who choose to store their keys with third parties. The bill would impose civil and criminal penalties for the unauthorized release of decryption keys or other decryption assistance by third parties who individuals have entrusted with their keys. No privacy protections and only limited restrictions for law enforcement access currently exist for those who choose to store their keys with trusted third parties. * PROVIDE LIMITS FOR ACCESS TO KEYS BY LAW ENFORCEMENT: (Senate Version Only) The Senate bill would also spell out limits and guidelines for law enforcement access to the keys of those users who have chosen to store their keys with third parties. Today, encryption keys held by third parties could be released to law enforcement with nothing more than a subpoena. Under the Senate bill, third parties could only provide assistance to law enforcement in decrypting communications if presented with a court order. The bill also limits the scope and duration of such assistance. Decryption keys for stored communications could be disclosed with a proper court order or subpoena. * ESTABLISH A BROAD "PERSONAL USE EXEMPTION" FOR U.S. TRAVELERS: The bills would allow U.S. persons to use any form of encryption in a foreign country, establishing a less restrictive form of the "personal use exemption" recently published by the State Department. The provision is intended to accommodate "U.S. citizens and permanent residents who have the need to temporarily export encryption products when leaving the U.S. for brief periods of time". While the intent of this provision is clear, CDT believes that the language of the bill should be further clarified. * PROHIBIT THE USE OF ENCRYPTION TO CONCEAL THE COMMISSION OF A FELONY: Finally, the bills would criminalize the use of encryption to willfully obstruct justice. Anyone who "willfully endeavors" to use encryption for the purpose of obstructing, impeding, or preventing the communication to a law enforcement officer of information relating to a Federal felony would be subject to criminal penalties. CDT believes this new federal crime is unnecessary since it duplicates obstruction of justice crimes that are already available to prosecutors, and is unwise since it might be interpreted to discriminate against users of encryption. BACKGROUND - BILLS ADDRESS LONG-STANDING FRUSTRATIONS WITH U.S. ENCRYPTION POLICY Congressional action comes as Clinton Administration encryption restrictions continue to jeopardize the security of computer users. Encryption tools, which scramble electronic communications and data, are widely viewed as the key to providing security and privacy and encourage commerce on the Global Information Infrastructure. Individuals need encryption in order to trust the GII with confidential data such as financial transactions, medical records, or private communications. Businesses need encryption to provide individuals with privacy protections they need and to protect their own proprietary information as it flows across vulnerable global networks. The lack of good encryption today has left computer users vulnerable to the prying eyes of hackers, corporate competitors, and even foreign governments. Current Administration policy restricts the export of "strong" encryption hardware or software products with keys greater than 40 bits long. (The length of encryption "keys" is often used to indicate the security of a system.) Export controls actually influence the entire GII -- both domestically and internationally -- due to the difficulty of distributing and interoperating products with different strengths of encryption. The level of security permitted under the export controls, and hence the level of security largely available to domestic users as well, has been judged woefully inadequate by many experts. Even the most recent Administration "Clipper II" proposals would only allow the export of moderately stronger encryption, and then only with "key escrow" restrictions to guarantee U.S. government access to individual keys -- restrictions which raise real Constitutional issues and are bound to fail in the competitive international marketplace. In recent months, groups from across the political spectrum have increasingly criticized the Clinton Administration's restrictive export controls. In November 40 companies, trade associations, and public interest groups wrote to Vice President Gore calling the latest Administration proposals flawed and inadequate. Last month a report by the CEOs of 13 leading U.S. technology companies found that U.S. industry stands to lose up to $60 billion dollars per year by the year 2000 due to restrictions on the export of cryptography. And several weeks ago a group of noted computer security experts released a report calling for the deployment of dramatically longer encryption key lengths of at least 75 to 90 bits. The House and Senate bills give voice to this growing drumbeat of criticism demanding a radical departure from the flawed approach of the Clinton Administration's current encryption polices. CDT looks forward to working with members of Congress to push for a more comprehensive U.S. encryption policy that reflects the privacy and security needs of computer users. FOR MORE INFORMATION More information on the cryptography policy debate, including the text of the Senate and House bills, is available on CDT's Cryptography Issues Web Page: http://www.cdt.org/crypto/ For More Information Contact: Center for Democracy and Technology +1.202.637.9800 Daniel Weitzner, Deputy Director Alan Davidson, Staff Counsel ----------------------------------------------------------------------- (2) SUBSCRIPTION INFORMATION Be sure you are up to date on the latest public policy issues affecting civil liberties online and how they will affect you! Subscribe to the CDT Policy Post news distribution list. CDT Policy Posts, the regular news publication of the Center For Democracy and Technology, are received by more than 9,000 Internet users, industry leaders, policy makers and activists, and have become the leading source for information about critical free speech and privacy issues affecting the Internet and other interactive communications media. To subscribe to CDT's Policy Post list, send mail to policy-posts-request at cdt.org with a subject: subscribe policy-posts If you ever wish to remove yourself from the list, send mail to the above address with a subject of: unsubscribe policy-posts ----------------------------------------------------------------------- (3) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. The Center's mission is to develop and advocate public policies that advance democratic values and constitutional civil liberties in new computer and communications technologies. Contacting us: General information: info at cdt.org World Wide Web: URL:http://www.cdt.org/ FTP URL:ftp://ftp.cdt.org/pub/cdt/ Snail Mail: The Center for Democracy and Technology 1634 Eye Street NW * Suite 1100 * Washington, DC 20006 (v) +1.202.637.9800 * (f) +1.202.637.0968 ----------------------------------------------------------------------- End Policy Post 2.9 3/5/96 ----------------------------------------------------------------------- From shabbir at vtw.org Tue Mar 5 12:04:20 1996 From: shabbir at vtw.org (Voters Telecommunications Watch) Date: Wed, 6 Mar 1996 04:04:20 +0800 Subject: (INFO) Leahy/Goodlatte introduce crypto bill Message-ID: <199603051717.MAA13628@panix3.panix.com> ======================================================================== __ _________ __ \ \ / /_ _\ \ / / Voters Telecommunications Watch (VTW) \ \ / / | | \ \ /\ / / (We're not the EFF) \ V / | | \ V V / URL:http://www.vtw.org/ \_/ |_| \_/\_/ Mar 5, 1996 (expires Apr 5, 1996) SEN. LEAHY (D-VT) AND REP. GOODLATTE (R-VA) INTRODUCE "ENCRYPTED COMMUNICATIONS PRIVACY ACT" TO THWART CLINTON ADMINISTRATION'S FLAWED CLIPPER PLAN Please widely redistribute this document with this banner intact ________________________________________________________________________ CONTENTS The Latest News Analysis of Leahy bill What You Can Do Now Chronology of Leahy bill Press Contact Information A few questions and answers Our policy on financial donations ________________________________________________________________________ THE LATEST NEWS In the opening round of what promises to be a no-holds-barred fight with the Clinton Administration and the Intelligence community over cryptography policy, Senator Patrick Leahy (D-VT) and Representative Robert Goodlatte (R-VA) presented bills today that intend to: -decontrol the export restrictions on mass-market and publicly available software such as Phil Zimmerman's "Pretty Good Privacy" (PGP), -affirm Americans' right to use cryptography of their own choosing, -affirm Americans' right to *not* use key escrow systems, -make it a crime for an authorized key escrow agent to disclose a key recklessly or intentionally, and -create a crime of using cryptography while committing a felony for the express purpose of thwarting an investigation. The topic of cryptography exports is crucial to the continued growth and security of the Internet and online commerce. The success of the information economy in many cases hinges on the ability to employ strong encryption techniques to protect confidential data. The two bills come at a crucial time after the Clinton Administration has put forth two flawed encryption proposals, Clipper and Son of Clipper. A third plan, this time in the form of legislation, is in the works if one is to believe the rumors in the press. So far the only reason the Clinton Administration's flawed "Clipper" plans have been paid any attention to at all is because they offer relaxed export controls in return for storing your keys with government agencies or quasi-government agencies. The best part of the Leahy bill, though, is that you can use the encryption export provisions without ever thinking about using escrow. Leahy's bill will ensure that few consumers, if any, ever consider another Clinton-mandated encryption scheme ever again. The Leahy/Goodlatte bill allows the export of most of the cryptographic products you and I would would like to use, without any of the Clipper requirements. Without the lure of relaxed export for "Clippered" products, nobody will pay attention to Clipper products. This will surely be the deadly blow to all present and future "Clipper" plans that rely on the Clinton Administration's strongarm export policy tactics. A new Clinton proposal on encryption is rumored to be in the works. However, judging from the way they've bungled the first two proposals, VTW believes the newest Clinton proposal will be created with a similar process, with little regard for the concerns of business, industry and the public. One thing is certain; there will be movement on encryption policy this year. It may be legislative or it may be regulatory; we're in a far better position driving legislation we endorse, rather than lobbing bombs at legislation being driven past us. VTW believes this legislation is an excellent initiative. We have long advocated the decontrol of cryptography export laws based on the following principles: -The public and businesses have the right to use the strongest cryptographic products they (not the government) feel are necessary to ensure the confidentiality of their private communications. -The public and businesses should never be compelled to use software with escrow functionality, escrow agents, nor escrow agents that do not have the public's confidence. -If the public and business should choose to use escrow agents, the agents' primary responsibility should be to key owners, not to law enforcement. They should be mostly unregulated, and in an ideal world, there should be hundreds, if not thousands to choose from. -Current export controls are outdated, don't work, are endangering the worsening the problem of security of the Internet, and are damaging the competitiveness of US companies in the global marketplace. The way Leahy/Goodlatte addresses export of cryptography is consistent with our principles. VTW will keep you informed of its progress. As anyone familiar with the legislative process knows, a bill rarely ever looks the same at the end of the process as it did at the beginning. This bill is good for the Internet, and we intend to monitor it like the watchdogs you expect us to be, to ensure that it does not significantly deviate from the basic principles outlined above. In doing this, it will be crucial for the Internet community to speak up. Big business will weigh in on this bill to protect their rights to sell products with encryption in them. However nobody will speak up for your right to have a private conversation except you. We're counting on you to find that voice, and use it over the next few months to ensure that your present right to use encryption *of your choice* isn't amended out of the bill. There are some powerful forces out there that will be lobbying heavily on this legislation. The White house is rumored to have their bill ready. The law enforcement and intelligence communities, who would rather you couldn't use strong encryption, will be employing their usual scare tactics. Worst of all, the Clinton Administration, particularly Vice President Al Gore, who should be a voice of reason for these issues, will, if the example of Clipper and Son of Clipper is any indication, pander to law enforcement and the anti-crime vote in an election year. We predict that the White House will do everything in their power to prevent Senator Leahy from liberating PGP. He will need your help to push forward. Over the next few months, VTW will be coordinating a coalition of names, many of which are already familiar to you. This coalition will ask you to call and write to Congress, expressing your opinion, and threatening to back it up with the ultimate legitimate weapon of democracy, your vote in this election year. We're counting on you; we know you're up to it. We urge you to visit our homepage at http://www.vtw.org/, where we'll keep you updated on current events involving the bill. If you haven't already, you may want to subscribe to our vtw-announce list, no discussion, low-volume email messages that will keep you updated directly as we issue alerts and newsletters. In the wake of the Telecomm Bill protests, over 3,000 of you have subscribed in less than a month. Use the one-line form on our home page. P.S. We don't count our WWW page hits; we have better things to do. ________________________________________________________________________ ANALYSIS OF ENCRYPTED COMMUNICATIONS PRIVACY ACT The Leahy and Goodlatte bills are not exactly alike. For the moment, we will concentrate on the Leahy bill for purposes of analysis. We find it to be fleshed out in many areas. AFFIRMS OUR RIGHT TO USE CRYPTOGRAPHY OF OWN CHOOSING The bill affirms that "Americans should be free lawfully to use whatever particular encryption techniques, technologies, programs, or products developed in the marketplace they desire in order to interact electronically worldwide in a secure, private, and confidential manner". The bill also affirms our right to use cryptographic products that do not have key escrow functions in them, or to choose not to use such functions. If we do choose to use escrow holders, the bill affirms our right to use key holders of our own choosing. DEREGULATION OF PUBLICLY-AVAILABLE CRYPTOGRAPHIC TECHNOLOGY The bill addresses the "PGP problem" by making software that is "generally available", "publicly available", or "public domain" exportable with NO LICENSE REQUIRED, unless it is "specifically designed for military use". CREATES CRIMINAL PENALTIES FOR MALICIOUS KEY HOLDERS If I designate a local business to be my key holder, it is important that they take that responsibility seriously. The bill creates criminal penalties for key holders that behave recklessly with my decryption keys. Recently the Administration suggested that such individuals must be licensed by the US Government, and in some cases, be required to possess security clearances. This would make them little more than puppets of law enforcement. The bill creates criminal penalties with monetary fines if a key holder releases a key recklessly or inappropriately. Reasonable rules for an escrow agents conduct are described in the bill. These are discussed further below. RAISES THE STANDARD FOR A COURT TO OBTAIN YOUR DECRYPTION KEY Currently a court needs to only issue a simple search warrant to obtain a copy of your key for decryption of your communications. This bill raises the requirement to be equivalent to that of a court-ordered wiretap. ENCOURAGES KEY HOLDERS TO SERVE THE INTERESTS OF KEY OWNERS WHEN PRESENTED WITH A COURT-ORDER If you have chosen to use a key holder, they may find themselves in a curious predicament if presented with a court order at some point in the future. They really don't want to simply hand over your decryption key, since once it is divulged, it might be used to decrypt more information than what is required under the court order. The bill instructs a key holder to provide law enforcement with as little information as possible, in order to satisfy a warrant request, while still protecting as much of the key owner's confidentiality as possible. The bill accomplishes this by instructing a key owner to attempt to deliver decrypted communications only for the times specified by the warrant to law enforcement as a first step. If the key holder is unable to produce the decrypted communication for law enforcement, only then, as a last resort, should a key holder relinquish your key. This allows a key holder to work to protect the confidentiality of your decryption keys, while still fulfilling both the spirit and letter of the court order. DISCOURAGES THE USE OF ENCRYPTION TO THWART A FELONY INVESTIGATION This is probably the one provision we wouldn't have put in the bill, were we drafting it. Clearly added to appease law enforcement, it creates a new crime to "willfully" attempt to thwart a law enforcement investigation by using encryption. VTW feels that such a crime is unnecessary, but we're happy to see this is a fairly narrowly-tailored statute. It only applies to individuals who are engaging in a felony and using encryption to communicate information while in the commission of the felony, and whose intent, in using encryption, is to foil a law enforcement investigation. If you and a friend are talking with an encrypted phone, and you mention that you think some mutual friend is cheating on their taxes, you are not liable under this provision. If you are planning the Million Man March using encrypted email, and fear that you may be investigated because your cause in unpopular in some law enforcement circles, you are not liable because you are not committing a felony, even though law enforcement may find it annoying that they cannot read your mail. This provision only applies to you if you are using encryption to specifically foil a law enforcement investigation AND the communication relates to a felony AND you are using the communication to commit the felony. VTW feels this is a fairly narrowly drawn statute that is not likely to be easily abused. Although this bill is the best thing we've seen in Congress on this issue since ex-Rep. Maria Cantwell's (D-WA) export-of-encryption bill was introduced to the 103rd Congress two years ago, there are still some issues in the bill that bear further examination. Let it be understood that we think the balance of this bill right now will help the net far more than hurt it and the net should step forward and help Leahy and Goodlatte in their fight against the Administration over this issue. Nevertheless, our suggestions for tuning this bill are included below. BILL SHOULD INCLUDE AN EXPLICIT SUPPRESSION PROVISION Although the Fourth Amendment is the law of the land, it is important to note that it a applies to communications decrypted after an erroneous warrant has been issued. VTW feels that such a provision should be enumerated in the bill, just to clarify any concerns a court might have about such evidence. It is also clear, however, that such a provision is nearly impossible to obtain in the current Congressional climate, though we will continue to urge the bill's sponsors to add it. THE BILL SHOULD CLEARLY INCLUDE ENCRYPTION PRODUCTS FOR STORED DATA The bill addresses encryptions products used for wire or oral communications, per the Electronic Communications Privacy Act. Since many encryption products are built for just this purpose, it includes many of them. However, we think it is appropriate to specifically include products that are used only for encrypting stored data. THE BILL SHOULD INSTRUCT ESCROW AGENTS TO REPORT DISCLOSURES AS WELL The bill currently requires law enforcement to notify the Office of the Courts as to the number of court orders served on key holders and for what crimes the court orders were obtained. The Office is required to make this information public annually. VTW feels that accountability should never be in short supply. Requiring key holders to notify the Office of the Courts whenever they are ordered to disclose a key will allow the public yet another way of making sure that appropriate procedures are being followed to protect the public. We suggest an inexpensive reporting method such as registered mail so as not to burden key holders needlessly. Presumably, when the Office of the Courts totals up its numbers every year, the number of disclosures reported by law enforcement will add up to the SAME number reported by key holders themselves. Should there be a discrepancy, the public will be grateful for the additional accountability. NEW CRIMES ARE NEEDED TO DISCOURAGE MISREPRESENTING YOURSELF TO A KEY HOLDER Currently the bill relies on existing laws that cover police misrepresentation to punish law enforcement officials that misrepresent themselves to a key holder with an improper or forged warrant to obtain a key or a decrypted communication. The majority of law enforcement officials are good people that would never consider such an act. Consequently, they should have nothing to fear from such a statute. VTW believes that a new statute is needed to dissuade those few over-zealous law enforcement officials from violating the public's trust in these matters. On the whole, we believe that this bill is a win for the Internet public and Internet businesses that require strong market-driven cryptography. VTW urges you to become familiar with it and support Leahy and Goodlatte in their efforts. ________________________________________________________________________ WHAT YOU CAN DO NOW 1. It's crucial that you familiarize yourself with this bill. You can find links to it at http://www.vtw.org/ If you are an ISP or run a WWW page, we urge you to place a pointer to the bill on your homepage or in your message of the day. Here's a sample paragraph you can use: A bill has been introduced in Congress today that will decontrol many types of encryption products so they may be sold abroad, including the world-famous PGP. To learn more about this legislation, see VTW's home page at http://www.vtw.org/ Please remove this notice after a few days. 2. If you are an Internet Small Business, signon to VTW's Internet Small Business Coalition at http://www.vtw.org/help/ We'll likely be assembling a coalition of Internet small businesses in the next few weeks and will solicit your input on ways of carrying your message to Congress. 3. Join our vtw-announce mailing list by sending mail to majordomo at vtw.org or by signing up straight through our WWW page at http://www.vtw.org/. We'll be following this issue closely in the coming months. Note that vtw-announce is not a discussion list. It's VTW announcements, with little repeat content from other sources. ________________________________________________________________________ CHRONOLOGY OF THE 1996 LEAHY/GOODLATTE CRYPTO BILLS Feb 26, '96 Sen. Leahy (D-VT) and Rep. Goodlatte (R-VA) introduce the Encrypted Communications Privacy Act. Cosponsoring this legislation on the Senate side at Sen. Burns (R-MT) and Sen. Murray (D-WA). On the House side are the following cosponsors: DeLay, Campbell, Eshoo, Moorhead, Doolittle, Barr, Ewing, Mica, Everett, Bono, Lofgren, and McKeon. ________________________________________________________________________ A FEW QUESTIONS AND ANSWERS Q: Does this require, or even urge individuals to use third parties to hold their decryption keys? A: No way. You can use the liberal export provisions in this bill with out ever allowing your keys to leave your "cold dead fingers". Q: Does this advance the Clinton Administration's Clipper scheme in any way? A: No, in fact this bill cuts out the very heart of the Clipper program. The two Clipper programs had the potential to be adopted because Clipper products were intended to receive preferential export treatment. This allows the export of non-Clipper products. In the global marketplace, the Clipper products will not be able to compete. This bill is probably the final nail in the coffin of the Administration's flawed Clipper proposals. Q: Bills change during Congressional deliberation. Could this bill change in such a way that VTW would no longer support it? A: Absolutely. In fact, we consider it our mission to monitor the legislation to ensure that it isn't amended to act against the right of Internet users and businesses. Q: Wasn't Goodlatte one of the bad guys on the Communications Decency Act? Why is he sponsoring this bill, and can we trust him? A: Goodlatte did indeed introduce the fatal amendment that made the House version of the Telecomm Bill unsupportable. Nevertheless, VTW has found that a Congressperson's vote on one sort of bill is little indication of his or her stand on others. VTW wil closely examine any change in the language of the bill throughout its Congressional life. Q: Does this create a requirement for key holders to exist, or for me to use programs that store keys with third parties? A: No. The bill affirms your right to use encryption without such a feature, and if you do use software with such a feature, to self-escrow the keys. In fact, key holders can exist today. Q: Does this create a new obligations for key holders to disclose keys that they wouldn't have to comply with before? A: No. In fact, this bill makes it harder for a law enforcement official to retrieve a key from a key holder, by requiring a wiretap request instead of a simple search warrant. ________________________________________________________________________ PRESS CONTACT INFORMATION BY EMAIL (if your deadline is more than 24 hours away) Send mail to vtw at vtw.org with "press deadline" in the subject line if you are on a deadline. BY PHONE (if your deadline is in less than 24 hours) Call 718-596-2851 and follow the directions for contacting Steven Cherry or Shabbir J. Safdar quickly. ________________________________________________________________________ OUR POLICY ON FINANCIAL DONATIONS We do not accept unsolicited financial donations for our work. If you want to help further VTW's work, we urge you to register to vote. Check the Blue Pages of your local phone book for "Board of Elections". You should be able to obtain voter registration forms from them. ________________________________________________________________________ Copyright 1994-1996 Voters Telecommunications Watch. Permission is granted to copy and distribute this document for non-commercial purposes only, provided that the above banner and this copyright notice appear in all copies. For other uses, see our Copyright Policy at http://www.vtw.org/copyright.html ======================================================================== From alex at proust.suba.com Tue Mar 5 12:19:50 1996 From: alex at proust.suba.com (Alex Strasheim) Date: Wed, 6 Mar 1996 04:19:50 +0800 Subject: Gordon Liddy Message-ID: <199603051758.LAA03907@proust.suba.com> Gordon Liddy just waved the bloody shirt in a stirring defense of crypto rights. The gist of it was that we can't trust the muderers of waco with our secret keys. He also mentioned PGP. I never how to react to over the top rhetoric that supports something I believe strongly in. -- Alex Strasheim, alex at proust.suba.com From tcmay at got.net Tue Mar 5 13:17:09 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 6 Mar 1996 05:17:09 +0800 Subject: Truelly Random Numbers Message-ID: At 1:55 PM 3/5/96, Tim Fulbright wrote: >Now I, a lurker for two months, am truelly confused! L. Deitweiler must be >right. Surely one of you cyperpunk fellows could hack together a dongle with >some kind of AD converter and buffer ram to gather a Truelly Random Bitstream >off the environment every couple of milliseconds easier than this raindrop >scheme or recording the fan, you're haviung me on!. Let's go back fifty years >and get a vacuum tube to fitfully flicker? I who know next to nothing about >electronics suspect there is surely enough noise present in electornic devices >to gather a random bitstream that you could chop anywya you needed? Anyway, y Just because someone floats their idea does not mean it is the "list consensus"! That "raindrops falling on my plate" idea was something I deleted as soon as I saw that it wasn't a joke with a nice punchline. (Not all flaky ideas get rebutted...though, as a matter of fact, I did see several quick rebuttals of the raindrop idea as being impractical, too low a data rate, etc.) Johnson noise in semiconductors and alpha particle noise have indeed been discussed _many_ times. Check the archives, or my Cyphernomicon FAQ. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From isptv at access.digex.net Tue Mar 5 13:34:08 1996 From: isptv at access.digex.net (ISP-TV Main Contact) Date: Wed, 6 Mar 1996 05:34:08 +0800 Subject: "Zap part of the CDA" live Capitol Hill news conference on CU-SeeMe Message-ID: <199603051850.NAA14816@access2.digex.net> ISP-TV Network Presents: Zap the Comstock Law Before It Becomes a Computer Virus on the Internet! [Cybercast using CU-SeeMe (tm)] Representative Patricia Schroeder (D-CO) and Senator Frank R. Lautenberg (D-NJ) will hold a joint news conference at 10:00 AM EST on Wednesday, March 6, to discuss the introduction of a bill to strike a provision of the 1996 Telecommunications Act that criminalizes the transmission and reception of information about abotion over the Internet. The conference will be cybercast live from room HC-6 at the U.S. Capitol in Washington, D.C. Joining Lautenberg and Schroeder will be Kate Michelman, President of the National Abortion and Reproductive Rights Action League, and Kathryn Kolbert, Vice President of the Center for Reproductive Law and Policy. This will be the first Capitol Hill news conference ever to be transmitted live over the Internet using CU-SeeMe technology! See http://www.house.gov/schroeder/cu-seeme.html for more info. Time: 10:00 AM EST Thursday, March 6, 1996 IP: Main ISP-TV Reflector 205.197.247.33 Other ISP-TV affiliates see http://www.digex.net/isptv/members.html To obtain CU-SeeMe software, go to one of these URL's: CU-SeeMe for Windows -- http://goliath.wpine.com/cudownload.htm CU-SeeMe for Macintosh -- http://goliath.wpine.com/moredemos.htm http://www.digex.net/isptv for more information about ISP-TV From erc at dal1820.computek.net Wed Mar 6 06:28:26 1996 From: erc at dal1820.computek.net (Ed Carp) Date: Wed, 6 Mar 96 06:28:26 PST Subject: Steganography idea: CU-SeeMe In-Reply-To: <199603060734.AAA00178@nelson.santafe.edu> Message-ID: On Wed, 6 Mar 1996, Nelson Minar wrote: > The thing that bothers me about existing steganography code I've seen > is that it all uses uncommon communication channels to hide data. For > instance, the "hide data in a picture" programs: useful, up to a > point, but how often do I send pictures to other people? I think to be > effective, methods need to be employed that exploit existing, well > used communication channels. Then he sez: > So here's one idea I've had as a place to hide a channel: network > video, in particular CU-SeeMe video streams. CU-SeeMe is a lowtech I think it likely that people will be sending GIFs and JPEGs to each other far more often than video. Video is far more an "uncommon communications channel" than is a uuencoded picture. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes The mark of a good conspiracy theory is its untestability. -- Andrew Spring From PADGETT at hobbes.orl.mmc.com Wed Mar 6 06:33:51 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Wed, 6 Mar 96 06:33:51 PST Subject: Whut it sez Message-ID: <960306093341.20204b9a@hobbes.orl.mmc.com> Note: downloaded from www.vtw.org so cannot guarentee correctness- "�2804. Unlawful use of encryption to obstruct justice" "Whoever willfully endeavors by means of encryption to obstruct, impede, or prevent the communication of information in furtherance to a felony which may be prosecuted in a court of the United States, to an investigative or law enforcement officer shall-..." Interesting wording - sounds almost like if you impede the *commission* of a felony, you is been had. Keyword would seem to be "willingly". Suspect they meant to say "...obstruct (etc) the investigation of a felony..." "(b) CONTROL OF EXPORTS BY SECRETARY OF COMMERCE.- "(1) GENERAL RULE.-Notwithstanding any other law, subject to paragraphs (2), (3), and (4), the Secretary of Commerce shall have exclusive authority to control exports of all computer hardware, software, and technology for information security (including encryption), except computer hardware, software, and technology that is specifically designed or modified for military use, including command, control, and intelligence applications. This would seem to extend ITAR, not limit it. "(2) ITEMS NOT REQUIRING LICENSES.-No validated license may be required, except pursuant to the Trading With The Enemy Act or the International Emergency Economic Powers Act (but only to the extent that the authority of such Act is not exercised to extend controls imposed under this Act), for the export or reexport of- "(A) any software, including software with encryption capabilities, that is- "(i) generally available, as is, and designed for installation by the purchaser; or "(ii) in the public domain or publicly available because it is generally accessible to the interested public in any form; or "(B) any computing device solely because it incorporates or employs in any form software (including software with encryption capabilities) exempted from any requirement for a validated license under subparagraph (A). Microsoft's CryptoAPI seems OK. PGP would seem to fall under both (i) and (ii). "(3) SOFTWARE WITH ENCRYPTION CAPABILITIES.-The Secretary of Commerce shall authorize the export or reexport of software with encryption capabilities for nonmilitary end-uses in any country to which exports of software of similar capability are permitted for use by financial institutions not controlled in fact by United States persons, unless there is substantial evidence that such software will be- "(A) diverted to a military end-use or an end-use supporting international terrorism; "(B) modified for military or terrorist end-use; or "(C) reexported without requisite United States authorization. Thank you MasterCard/VISA for SET. Note that it does not seem to say that you do not need a license, just that one shall not be witheld without "substantial evidence". "(4) HARDWARE WITH ENCRYPTION CAPABILITIES.-The Secretary shall authorize the export or reexport of computer hardware with encryption capabilities if the Secretary determines that a product offering comparable security is commercially available from a foreign supplier without effective restrictions outside the United States. Same comment except that token & INE vendors will have to demonstrate that a foreign competitor exists. Real lawyers please comment. Warmly, Padgett From uunet!in2.uu.net!news.cais.net!nntp.uio.no!ns.ftns.no!news at warwick.com Wed Mar 6 06:50:59 1996 From: uunet!in2.uu.net!news.cais.net!nntp.uio.no!ns.ftns.no!news at warwick.com (uunet!in2.uu.net!news.cais.net!nntp.uio.no!ns.ftns.no!news at warwick.com) Date: Wed, 6 Mar 96 06:50:59 PST Subject: Test Message-ID: <313B33A3.5956@ringnett.no> This is a test... -- Live on the edge, push the limits, and go EXTREME... -------------------------------------------------------------------------- Svein Ove Solsvik * E-Mail: sveinove at ringnett.no -Our Father, UART in Heaven, I/O'ed by the name... From andrew_loewenstern at il.us.swissbank.com Tue Mar 5 14:51:01 1996 From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern) Date: Wed, 6 Mar 1996 06:51:01 +0800 Subject: (Fwd) Gov't run anon servers In-Reply-To: Message-ID: <9603051943.AA00595@ch1d157nwk> > We've talked about possible hardware security measures, even > those that only rely on physical box security. A box that does > decryption, mixing, readdressing, etc., without being part of > a Unix file system/network, could be a useful "Mom and Pop > remailer" (the idea being that small shop owners, "Mom and > Pop," could set this up, collect a little bit of spare change > as a remailing fee, and not even have access to the internal > state of the machine themselves. While a solution like that would be optimal, even just a version of Mixmaster that can use a secure RSA card would do wonders for security. The secret key is protected in the card and can't be stolen, even by root, without physically stealing the card. As long as the most of the remailers in your chain don't have compromised secret keys, it probably won't matter too much if the individual ops can examine the messages flowing through their remailer. The cards are getting cheaper and can be bought off the shelf (for now). The hardest part of retrofitting existing remailer software would probably be extracting the data from the remailer packet and formatting it properly for the card to do encryption operations on it (and back). andrew From uunet!in1.uu.net!news.mathworks.com!tank.news.pipex.net!pipex!warwick!bsmail!mail!lwmdcg at warwick.com Wed Mar 6 06:51:01 1996 From: uunet!in1.uu.net!news.mathworks.com!tank.news.pipex.net!pipex!warwick!bsmail!mail!lwmdcg at warwick.com (Mark Gould) Date: Wed, 6 Mar 96 06:51:01 PST Subject: test Message-ID: uyfiyufik -- | Mark Gould, Department of Law, University of Bristol | | Mark.Gould at bris.ac.uk | http://www.bris.ac.uk/%7Elwmdcg | From adam at homeport.org Wed Mar 6 06:57:05 1996 From: adam at homeport.org (Adam Shostack) Date: Wed, 6 Mar 96 06:57:05 PST Subject: PGP 3.0/4.0 In-Reply-To: <199603061313.IAA07336@nrk.com> Message-ID: <199603061501.KAA16783@homeport.org> David Lesher wrote: | How about code that goes out & fetches keys upon demand, al-la DNS? This works with procmail to get keys for all mail I receive. I discovered the problem is your keyrings get unmanageably large when you do this. # auto key retreival # # I have an elm alias, pgp, points to a keyserver :0BW * -----BEGIN PGP *!^FROM_DAEMON KEYID=|/home/adam/bin/sender_unknown :0 ahc # added h 8 jan 95 * ! ^X-Loop: Adams akr | formail -a"X-Loop: Adams akr" |elm -s"mget $KEYID" pgp # add the incoming keys to the ring :0 * From bal at swissnet.ai.mit.edu { # if we accidentally get the whole thing. :0 h * >10000 /dev/null :0 h *^Subject:.*no keys match /dev/null :0: *Subject: Your command, ADD $DEFAULT :0E | pgp +batchmode -fka } sender_unknown: #!/bin/sh # unknown returns a keyid, exits 1 if the key is known # $output is to get the exit status. Othierwise, this would be a one liner. OUTPUT=`pgp -f +VERBOSE=0 +batchmode -o /dev/null` echo $OUTPUT | egrep -s 'not found in file' EV=$? if [ $EV -eq 0 ]; then echo $OUTPUT | awk '{print $6}' fi exit $EV -- "It is seldom that liberty of any kind is lost all at once." -Hume From uunet!in2.uu.net!news.cais.net!nntp.uio.no!ns.ftns.no!news at warwick.com Wed Mar 6 07:20:59 1996 From: uunet!in2.uu.net!news.cais.net!nntp.uio.no!ns.ftns.no!news at warwick.com (uunet!in2.uu.net!news.cais.net!nntp.uio.no!ns.ftns.no!news at warwick.com) Date: Wed, 6 Mar 96 07:20:59 PST Subject: Test In-Reply-To: <313B33A3.5956@ringnett.no> Message-ID: <313CD86F.78DB@ringnett.no> > This is a test... Follow up on test...test...test -- Live on the edge, push the limits, and go EXTREME... -------------------------------------------------------------------------- Svein Ove Solsvik * E-Mail: sveinove at ringnett.no -Dyslexic atheists don't believe in Dog. From uunet!in2.uu.net!news.sprintlink.net!news.utech.net! at warwick.com Wed Mar 6 07:21:00 1996 From: uunet!in2.uu.net!news.sprintlink.net!news.utech.net! at warwick.com (uunet!in2.uu.net!news.sprintlink.net!news.utech.net! at warwick.com) Date: Wed, 6 Mar 96 07:21:00 PST Subject: Just testing the post Message-ID: <313CE451.4C9A@utech.net> Post Test -- John G. Jones Director, Computer Services UTDS, Inc. 1593 E. Chestnut Lompoc, CA 93436 (805) 735-4447 From tcmay at got.net Tue Mar 5 15:21:28 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 6 Mar 1996 07:21:28 +0800 Subject: Needed: Dongles and "Crypto Boxes" on Ports Message-ID: At 4:56 PM 3/5/96, Hal wrote: ... >It will be just as easy to steal the mixmaster executable as to steal a >script file containing a pass phrase. And it might even be possible to >run the stolen mixmaster directly to decrypt intercepted incoming mail >messages, without even having to type in the pass phrase. Failing that >the attacker could easily extract the pass phrase from the mixmaster >executable file. > >The other suggestion that was made here, that the operator would have to >manually type in the pass phrase every time the computer rebooted, would >be a way of avoiding having the information in the clear on the disk. >However it would probably not be a practical method of operation given >the reliability of at least the Unix operating systems that I am familiar >with. And even then the information is in memory. An attacker who could ... It seems to me that we get some of the advantages of "secure hardware" (and I don't mean in a formal NSA "Orange Book" sense) by having secure dongles attached to serial or other ports on machines. "Dongles" are the much-hated copy protection devices used with some products: they typically are a small plastic-packages doodad plugged into a serial port on a PC. (The Mac versions are less common; don't know if Unix boxes have ever used them.) In the case described by Hal, there might be two imaginable modes of operation: 1. The dongle feeds a passphrase at boot time. This is not very secure, as means could be found to either intercept the supplied passphrase and/or find system commands that would trigger the providing. But at least the passphrase is nominally not stored on a disk accessible to outsiders. (The passphrase is still presumably in memory, as noted above by Hal, and by others. But at least it's not on a disk.) 2. Some sort of zero knowledge protocol in which the dongle possesses the secret knowledge and does part of the decryption, etc. Seen more broadly, this dongle might actually be a separate PC box, 386- or 486-based, and connected to the main Unix box. The main box would still do the usual stuff, but the "secure box" would have a constrained set of operations--maybe running a stripped-down Linux or FreeBSD a la our discussions a few years ago--and would essentially only operate as a crypto box. A separate crypto box could be quite cheap, and one could imagine measures to make it less prone to physical tampering (*) and certainly less prone to network snooping. (* Tamper-resistant vs. tamper-responding. See the FAQ. Basically, there is no such thing as a "tamper-proof box." But "tamper-resistant" can mean PC boards potted in epoxy, locked lids, no floppies, alarms, etc. And "tamper-responding" means there is evidence given that a security barrier has been breached.) A "crypto box" could in fact handle most of the mix functions directly, bypassing the Unix box. The Unix box--the one hooked to the Net in the usual way--would get the incoming packets, send them to the crypto box, then get back the processed messages. If done right, the crypto box could ensure that no records are kept of the mapping between incoming and outgoing messages. A court order to produce the mapping could then be honestly responded to with a "no records are kept, or can even possibly be kept." (Without modification of the software/hardware, something which Digital Telephony II could certainly mandate, but it doesn't exist now.) I think a "crypto box" based on a cheap 486 box, a reduced functionality Linux, and very limited storage capabilities (possibly no disk, only RAM), could be an interesting way to solve both the passphrase-snarfing and LEA-subpoenaing problems. While not as secure as either a Chaumian tamper-responding digital mix (cf. the 1981 paper in CACM) or as a software-based DC-Net, it sure does beat the current model of multiuser Unix boxes running remailers out of user accounts! (A word on separating the functions into a "network box" (what I've also called a "Unix box") and a separate "crypto box." There is no reason one box cannot do both....but by separating the two functions and linking the boxes via a secure connection, one faces less temptation to add more capabilities, storage, and users to the "crypto box." So, I think it better for remailer operators to continue to have their powerful, capable, net connection boxes and then have a stripped-down, possibly RAM-only box that only does limited things. It's also possible to have several boxes, just with different Net addresses, but there might still be the temptation to give the "remailer box" more capabilities. My intuition is that it would be easier and more secure to just have the crypto/remailer box as a slave or dongle to the more capable box.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From choi at virtu.sar.usf.edu Wed Mar 6 07:22:01 1996 From: choi at virtu.sar.usf.edu (Charles Choi (SAR)) Date: Wed, 6 Mar 96 07:22:01 PST Subject: Signature 2 In-Reply-To: Message-ID: > In the "real world" there is nothing to prevent someone from forging > your real signature on a check or document or from disguising themselves > as you and taking your place at an important business meeting. The > digital equivalents can be slightly more secure, but nothing is ever > perfect. > > jim > Heh. Whoops. I may be a beginner but I'm not THAT green. I shoulda known better than to use that exact wording. Please excuse the inappropriate wording, all. Sincerely. Quentin Holte. ( aka Charles Choi. ) You are all the Buddha. - Last words of Buddha. If you see the Buddha, kill him. - Zen proverb. From jya at pipeline.com Wed Mar 6 07:24:01 1996 From: jya at pipeline.com (John Young) Date: Wed, 6 Mar 96 07:24:01 PST Subject: FT on Crypto Cloud Message-ID: <199603061523.KAA27263@pipe3.nyc.pipeline.com> Financial Times, March 6, 1996, IT Section, p. V. Network Security: Operating under a cloud of uncertainty Companies face a complex web of technical, legal and moral questions The IT security threat has long been depicted in terms of wild-eyed hackers hunched over terminals late into the night. But while there is real cause for concern about criminal activity over computer networks, large corporations are very worried about another threat to their use of electronic communications. Meanwhile, government restrictions on the use of data encryption codes in various countries are limiting the ability of commercial organisations to protect themselves. Cryptography is at the heart of this dilemma. Governments all over the world rely on specialist intelligence units to break down data transmissions from other nations and individuals while encrypting their own messages. The US National Security Agency and the UK's Government Communications HQ are the best-known of these agencies. The NSA is notorious for obsessive secrecy. Meanwhile, in the UK, the GCHQ has lifted its traditional reticence in recent years to offer advice to British companies concerned with data security. Mr Roger James, chairman of Cheshire-based communications software specialist Boldon James, has worked with GCHQ to define data standards for UK government departments. Mr James plays down the cloak-and-dagger imagine of GCHQ, but instead he describes his contact with its staff as "horribly technical". He also portrays the Cheltenham code-breakers as "very down-to-earth people". There are two ways of looking at security, he says "one is the practical approach, which means accepting that perfect security is impossible to obtain. The other is the Ivory Tower approach, which involves dreaming of a world in which security is absolute. There are a lot of 'practicalists' in GCHQ". Mr James, whose clients include the Britannia Building Society and the German Navy, is active in the European Electronic Messaging Association. He is concerned at the lack of a co-ordinated European policy on encryption. And he fears that effective security measures could become illegal with the advent of future legislation curbing the availability of encryption software. It is illegal at the moment to use strong cryptography techniques in France without first depositing the key to unlocking your codes with the French government. UK companies developing sophisticated security programs find their software classified as munitions and subject to tight export restrictions, even within the EC. In the US, the author of strong encryption program, called 'Pretty Good Privacy', found himself facing a Grand Jury and possible charges of exporting prohibited technology. The NSA has proposed that all personal computers made in the US contain the Clipper Chip. This security feature would give easy access to any data communications, however the user chose to encode it. The proposal is currently stalled, having met with ferocious opposition. Both suppliers of information technology and industry at large need to clear a path through this international maze. The legal structure surrounding the use of encryption technology is of particular concern to anyone working in electronic commerce. "The Clipper Chip debate raised a fundamental moral issue," says Mr James. "Software technology means that strong encryption, previously available only to the military, can now be obtained by the public. If governments then find messages hard to break, it leads immediately to a conflict of interest." One company that has confronted this apparent conflict of interest between state and commerce, with its attendant uncertainty, is the Anglo-Dutch oil giant, Shell. Mr Nick Mansfield, a Shell technical consultant specialising in information security, says the company is enthusiastic about the potential for eliminating paperwork across its sprawling global operations -- "we are committed to electronic trading," he says. "We have a vast electronic-mail network. But there is still a section of our business where we have to use paper". Contract agreements are at issue here. Until security can be absolutely guaranteed, bilateral agreements must be seen to be tamper-proofed. Shell is about to deploy technology to secure personal computers and PC servers across the world. This e-mail security system will cost around L1m in software purchasing plus L100,000 a year to run. It will have 4,000 users. Far from escalating costs, Mr Mansfield explains that expenses are falling as security improves. Shell used to run a secure telex network that cost L4m in technology and required L200,000 a year to support 120 sites. This was superseded by a secure fax network costing L1m in systems, plus L100,000 in annual maintenance for 200 sites. The latest system will expand secure messaging beyond the fax network's remit. But setting up this security system involved Shell in a long and involved process. Its chosen security software is subject to close scrutiny by the UK authorities, who worked with Shell to customise the program before it could be released for use overseas. While Mr Mansfield is pleased that Shell's security system is so strong, it required an export licence and he echoes the concerns of EEMA's Mr James -- "it's a cart and horse situation. Until governments agree on policy and relax some restrictions, industry won't be encouraged to development extreme standards of encryption". There needs to be a broad European debate on this issue. Until this complex web of technical, legal and moral questions are resolved, secure commercial data networks will be operating under a cloud of uncertainty. Michael Dempsey [End] Note: Shell's Nick Mansfield was a speaker at the OECD cryptography conference in Paris in December. This issue of FT includes a 22-page special section on Information Technology. From MAILER-DAEMON at warwick.com Tue Mar 5 15:52:48 1996 From: MAILER-DAEMON at warwick.com (Mail Delivery Subsystem) Date: Wed, 6 Mar 1996 07:52:48 +0800 Subject: Returned mail: User unknown Message-ID: <199603050129.RAA06211@waterville.warwick.com> The original message was received at Mon, 4 Mar 1996 17:28:57 -0800 from cmyk.warwick.com [198.102.205.163] ----- The following addresses had delivery problems ----- (unrecoverable error) ----- Transcript of session follows ----- ... while talking to toad.com.: >>> RCPT To: <<< 550 ... User unknown 550 ... User unknown ----- Original message follows ----- To: majordomo at toad.com Subject: unsubscribe cypherpunks From: cypherpunks at warwick.com Date: Tue, 5 Mar 1996 15:11:06 -0500 unsubscribe cypherpunks From alex at proust.suba.com Tue Mar 5 16:03:03 1996 From: alex at proust.suba.com (Alex Strasheim) Date: Wed, 6 Mar 1996 08:03:03 +0800 Subject: new netscape servers Message-ID: <199603052036.OAA04200@proust.suba.com> >From the Netscape home page: "Netscape also announced FastTrack Server 2.0, an entry-level Web server that combines all the new capabilities of the next-generation Netscape Servers into one easy-to-use package. FastTrack comes with SSL security, Java and JavaScript support, and Netscape Navigator Gold content-creation software - for only $295." There are two reactions we can have to this. On the one hand, it's a good thing because it's going to make SSL servers a lot more popular. But at the same time, it raises some serious questoins about how Netscape plans on dealing with competitors. It's not clear whether or not the $295 price tag includes a certificate or not. But is it coincidental that people who want to use alternative technology like apacheSSL will have to pay the same price for the cert along as Netscape's customers will have to pay for a plug and play package? (The rest of this post is based on the assumption that you do get a cert with the "fast-track" server. That's not clear, so if I'm wrong, I apologize to the folks at Netscape.) There are two things keeping an organization like c2.org from competitng with Netcape on price: verisign and the licensing fees on rsaref. Both companies have close ties to Netscape. It's imperative that we challenge Netscape's control over the CAs. Obviously they can preinstall whatever CAs they want in their browsers. But that doesn't mean we're powerless. I think we ought to: (1) form a new non-profit low cost CA (2) make a concerted effort to explain the issue to the public and encourage people to ok the new CA. (3) try to create a sense that using a preinstalled CA is a form a collaboration (this will be hard, but I think it's true). If enough people will use a new CA, then it will be as good as one of the pre-installed ones. We can't let this sort of power concentrate in Netscape's hands. It's not a question of whether or not they're good people. It's just a bad development for everyone. -- Alex Strasheim, alex at proust.suba.com From Majordomo at toad.com Tue Mar 5 16:06:01 1996 From: Majordomo at toad.com (Majordomo at toad.com) Date: Wed, 6 Mar 1996 08:06:01 +0800 Subject: Welcome to cypherpunks Message-ID: <9603052006.AA11933@toad.com> -- Welcome to the cypherpunks mailing list! If you ever want to remove yourself from this mailing list, you can send mail to "Majordomo at toad.com" with the following command in the body of your email message: unsubscribe cypherpunks cypherpunks at warwick.com Here's the general information for the list you've subscribed to, in case you don't already have it: About cypherpunks ----------------- I. Administrivia (please read, boring though it may be) The cypherpunks list is a forum for discussing personal defenses for privacy in the digital domain. It is a high volume mailing list. If you don't know how to do something, like unsubscribe, send mail to majordomo at toad.com and the software robot which answers that address will send you back instructions on how to do what you want. If you don't know the majordomo syntax, an empty message to this address will get you a help file, as will a command 'help' in the body. Even with all this automated help, you may still encounter problems. If you get really stuck, please feel free to contact me directly at the address I use for mailing list management: cypherpunks-owner at toad.com Please use this address for all mailing list management issues. Hint: if you try to unsubscribe yourself from a different account than you signed up for, it likely won't work. Log back into your old account and try again. If you no longer have access to that account, mail me at the list management address above. Also, please realize that there will be some cypherpunks messages "in transit" to you at the time you unsubscribe. If you get a response that says you are unsubscribed, but the messages keep coming, wait a day and they should stop. For other questions, my list management address is not the best place, since I don't read it every day. To reach me otherwise, send mail to eric at remailer.net This address is appropriate for emergencies (and wanting to get off the list is never an emergency), such as the list continuously spewing articles. Please don't send me mail to my regular mailbox asking to be removed; I'll just send you back a form letter. Do not mail to the whole list asking to be removed. It's rude. The -request address is made exactly for this purpose. To post to the whole list, send mail to cypherpunks at toad.com If your mail bounces repeatedly, you will be removed from the list. Nothing personal, but I have to look at all the bounce messages. There is no digest version available. There is an announcements list which is moderated and has low volume. Announcements for physical cypherpunks meetings, new software and important developments will be posted there. Mail to cypherpunks-announce-request at toad.com if you want to be added or removed to the announce list. All announcements also go out to the full cypherpunks list, so there is no need to subscribe to both. II. About cypherpunks The cypherpunks list is not designed for beginners, although they are welcome. If you are totally new to crypto, please get and read the crypto FAQ referenced below. This document is a good introduction, although not short. Crypto is a subtle field and a good understanding will not come without some study. Please, as a courtesy to all, do some reading to make sure that your question is not already frequently asked. There are other forums to use on the subject of cryptography. The Usenet group sci.crypt deals with technical cryptography; cypherpunks deals with technical details but slants the discussion toward their social implications. The Usenet group talk.politics.crypto, as is says, is for political theorizing, and cypherpunks gets its share of that, but cypherpunks is all pro-crypto; the debates on this list are about how to best get crypto out there. The Usenet group alt.security.pgp is a pgp-specific group, and questions about pgp as such are likely better asked there than here. Ditto for alt.security.ripem. The cypherpunks list has its very own net.loon, a fellow named L. Detweiler. The history is too long for here, but he thinks that cypherpunks are evil incarnate. If you see a densely worded rant featuring characteristic words such as "medusa", "pseudospoofing", "treachery", "poison", or "black lies", it's probably him, no matter what the From: line says. The policy is to ignore these postings. Replies have never, ever, not even once resulted in anything constructive and usually create huge flamewars on the list. Please, please, don't feed the animals. III. Resources. A. The sci.crypt FAQ anonymous ftp to rtfm.mit.edu:pub/usenet-by-group/sci.crypt The cryptography FAQ is good online intro to crypto. Very much worth reading. Last I looked, it was in ten parts. B. cypherpunks ftp site anonymous ftp to ftp.csua.berkeley.edu:pub/cypherpunks This site contains code, information, rants, and other miscellany. There is a glossary there that all new members should download and read. Also recommended for all users are Hal Finney's instructions on how to use the anonymous remailer system; the remailer sources are there for the perl-literate. C. Bruce Schneier's _Applied Cryptography_, published by Wiley This is required reading for any serious technical cypherpunk. An excellent overview of the field, it describes many of the basic algorithms and protocols with their mathematical descriptions. Some of the stuff at the edges of the scope of the book is a little incomplete, so short descriptions in here should lead to library research for the latest papers, or to the list for the current thinking. All in all, a solid and valuable book. It's even got the cypherpunks-request address. IV. Famous last words My preferred email address for list maintenance topics only is hughes at toad.com. All other mail, including emergency mail, should go to hughes at ah.com, where I read mail much more regularly. Enjoy and deploy. Eric ----------------------------------------------------------------------------- Cypherpunks assume privacy is a good thing and wish there were more of it. Cypherpunks acknowledge that those who want privacy must create it for themselves and not expect governments, corporations, or other large, faceless organizations to grant them privacy out of beneficence. Cypherpunks know that people have been creating their own privacy for centuries with whispers, envelopes, closed doors, and couriers. Cypherpunks do not seek to prevent other people from speaking about their experiences or their opinions. The most important means to the defense of privacy is encryption. To encrypt is to indicate the desire for privacy. But to encrypt with weak cryptography is to indicate not too much desire for privacy. Cypherpunks hope that all people desiring privacy will learn how best to defend it. Cypherpunks are therefore devoted to cryptography. Cypherpunks wish to learn about it, to teach it, to implement it, and to make more of it. Cypherpunks know that cryptographic protocols make social structures. Cypherpunks know how to attack a system and how to defend it. Cypherpunks know just how hard it is to make good cryptosystems. Cypherpunks love to practice. They love to play with public key cryptography. They love to play with anonymous and pseudonymous mail forwarding and delivery. They love to play with DC-nets. They love to play with secure communications of all kinds. Cypherpunks write code. They know that someone has to write code to defend privacy, and since it's their privacy, they're going to write it. Cypherpunks publish their code so that their fellow cypherpunks may practice and play with it. Cypherpunks realize that security is not built in a day and are patient with incremental progress. Cypherpunks don't care if you don't like the software they write. Cypherpunks know that software can't be destroyed. Cypherpunks know that a widely dispersed system can't be shut down. Cypherpunks will make the networks safe for privacy. [Last updated Mon Feb 21 13:18:25 1994] From tcmay at got.net Tue Mar 5 16:07:08 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 6 Mar 1996 08:07:08 +0800 Subject: (Fwd) Gov't run anon servers Message-ID: At 7:43 PM 3/5/96, Andrew Loewenstern wrote: (my mention of secure "remailer boxes" elided) >While a solution like that would be optimal, even just a version of >Mixmaster that can use a secure RSA card would do wonders for security. The >secret key is protected in the card and can't be stolen, even by root, >without physically stealing the card. As long as the most of the remailers >in your chain don't have compromised secret keys, it probably won't matter >too much if the individual ops can examine the messages flowing through their >remailer. > >The cards are getting cheaper and can be bought off the shelf (for now). >The hardest part of retrofitting existing remailer software would probably be >extracting the data from the remailer packet and formatting it properly for >the card to do encryption operations on it (and back). I just wrote and sent off to the list some thoughts on using cheap PC hardware to do the crypto and remailer functions, thus taking the onus off the networked box to do the same. The idea of a _card_ is a good one, and one we did in fact kick around a couple of years ago. Recall the days of the "Hardcard"? A Winchester mounted on a card that plugged into a PC slot (this was back in the days when slots for cards were sometimes much more available than spare drive bay slots). A crypto card is an elegant approach, but may be less hacker-available than a really cheap PC. (And in my more paranoid moments, I imagine taking a nice, steel-cased cheapo PC and welding it shut...won't stop someone from seizing it and cutting it open, but you'd probably know if it happened...or, a return to sealing wax and seal rings! A low-tech solution to physical security, but something that may still be useful as an option.) --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Tue Mar 5 16:12:42 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 6 Mar 1996 08:12:42 +0800 Subject: Bidzos on CNBC, discussing Leahy's Bill Message-ID: I'm watching Jim Bidzos being interviewed on CNBC...mainly about Leahy's bill (he's in favor of it)....(One of the benefits of having CNBC business news on all the time while I'm here online.) He thinks it's a good bill, good for U.S. industry, good for California...says some of the language in the bill still provides for "key escrow" of some sort (I think he means the criminal use of crypto provisions....). He still thinks customers absolutely do not want any other parties to hold their keys ("You don't give copies of the keys to your front door or your filing cabinets to the government now, so why should you just because the medium changes from filing cabinets to computer form."--paraphrased). No further word on RSADSI going public, though. (I'm constantly surprised that this hasn't happened, what will all the later-comers going public, and the general hyping of "Internet security" (not that it isn't important, just that it seems that any company with these magic words in its name or prospectus zooms through the roof on IPO). --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From rah at shipwright.com Tue Mar 5 16:48:32 1996 From: rah at shipwright.com (Robert Hettinga) Date: Wed, 6 Mar 1996 08:48:32 +0800 Subject: Mail loop? Message-ID: It looks to me like the mailing list got subscribed to itself again. I saw the intro message go by... Cheers, Bob ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From jimbell at pacifier.com Tue Mar 5 16:57:57 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 6 Mar 1996 08:57:57 +0800 Subject: (INFO) Leahy/Goodlatte introduce crypto bill Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 12:17 PM 3/5/96 -0500, Voters Telecommunications Watch wrote on Cypherpunks at toad.com: > SEN. LEAHY (D-VT) AND REP. GOODLATTE (R-VA) INTRODUCE > "ENCRYPTED COMMUNICATIONS PRIVACY ACT" > TO THWART CLINTON ADMINISTRATION'S FLAWED CLIPPER PLAN >VTW believes this legislation is an excellent initiative. It may be MOSTLY good, but I see a big problem. [stuff deleted] >ANALYSIS OF ENCRYPTED COMMUNICATIONS PRIVACY ACT > >The Leahy and Goodlatte bills are not exactly alike. For the moment, >we will concentrate on the Leahy bill for purposes of analysis. We >find it to be fleshed out in many areas. [stuff deleted] >DISCOURAGES THE USE OF ENCRYPTION TO THWART A FELONY INVESTIGATION >This is probably the one provision we wouldn't have put in the bill, >were we drafting it. Clearly added to appease law enforcement, it >creates a new crime to "willfully" attempt to thwart a law enforcement >investigation by using encryption. VTW feels that such a crime is >unnecessary, but we're happy to see this is a fairly narrowly-tailored >statute. It only applies to individuals who are engaging in a felony >and using encryption to communicate information while in the commission >of the felony, and whose intent, in using encryption, is to foil a law >enforcement investigation. For reasons which will be obvious to anyone who has read my "Assassination Politics" idea, I assert that the operation of the central organization could be absolutely legal under current black-letter law. I may be right about this. The description of the proposed bill, however, clearly attempts to criminalize any encryption which may have the effect of preventing discovery of people who ARE guilty of felonies, or are planning them. While the bill is not specifically quoted, the broad description given by VTW clearly suggests that it is an attempt to cover not merely the felon, but also anyone (including entirely innocent people) whose communication thwarts the ability of the cops to investigate the felon. Regularly receiving encrypted, anonymous communications encrypted with your public key would qualify as a crime, I'll bet, if one of the people who sent them was "suspected" of a felony. For that reason, I can't possibly support this bill; as usual, any such provisions will be abused, and obviously I consider any attempt to turn an otherwise-legal activity by private individuals into an illegal one is questionable at best. >This provision only applies to you if you are using encryption to >specifically foil a law enforcement investigation AND the communication >relates to a felony AND you are using the communication to commit the >felony. VTW feels this is a fairly narrowly drawn statute that is not >likely to be easily abused. Oh, really? Why is it that I think this provision was specifically written to deal with ME, huh? > >THE BILL SHOULD INSTRUCT ESCROW AGENTS TO REPORT DISCLOSURES AS WELL >The bill currently requires law enforcement to notify the Office of the >Courts as to the number of court orders served on key holders and for >what crimes the court orders were obtained. The Office is required to >make this information public annually. What about the users themselves? Why shouldn't they be told if their info was decrypted? >VTW feels that accountability should never be in short supply. >Requiring key holders to notify the Office of the Courts whenever they >are ordered to disclose a key will allow the public yet another way of >making sure that appropriate procedures are being followed to protect >the public. How about insisting on a provision which requires a key-holder to inform the source of the encrypted data, as well? >VTW believes that a new statute is needed to dissuade those few >over-zealous law enforcement officials from violating the public's >trust in these matters. I already have a plan to "dissuade over-zealous law enforcement officials." It is called, "Assassination Politics" and I think it will work as well against cops as it would against politicians. >On the whole, we believe that this bill is a win for the Internet >public and Internet businesses that require strong market-driven >cryptography. VTW urges you to become familiar with it and support >Leahy and Goodlatte in their efforts. By what measure? A mixture of 1 pound of food and a couple grams of cyanide is "on the whole" mostly a healthy product. Yet if you eat it, it will kill you. It is those exceptions that make this bill unacceptable to me. Sounds like it's about time to teach myself C++. Jim Bell jimbell at pacifier.com Klaatu Burada Nikto Something is going to happen... Something....Wonderful! _ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMTybRPqHVDBboB2dAQHAxAP/T4XHscUSy9SbcZLIvU+gDlaBilk7wX2a RBk5dnbC/5bItWfYwes60p1/Y+0+8ol1BDyZHD/AfLbv3OQdIOSOyvw30A7s5p5d 6WdYSPa+KKomDnpK9Wa/el9h0KnJF/sU2A2c99cKSyMU1NDH3jVw9HU/Tq4J5He3 C81QvDySrgI= =0Rut -----END PGP SIGNATURE----- From hfinney at shell.portal.com Tue Mar 5 17:26:41 1996 From: hfinney at shell.portal.com (Hal) Date: Wed, 6 Mar 1996 09:26:41 +0800 Subject: (Fwd) Gov't run anon servers Message-ID: <199603052231.OAA03761@jobe.shell.portal.com> From: mccoy at communities.com (Jim McCoy) > > Hal Finney writes: > [...] > > And even then the information is in memory. An attacker who could > >gain root privileges (and let's not pretend that the NSA can't do that) > >can dump memory and later comb it for the key information. > > > > "Security is economics" -E. Hughes > > The point is not to make a system which is absolutely, positively, no > doubt about it, secure against any attacker. If cypherpunks could do > this they would be working for defense contractors and others who make > certified systems. The objective is to make a system which is difficult > to attack, one which costs the attacker time/money. After securing > a host against the obvious attacks one can turn to the esoteric ones > such as you present: move the key to kernel memory and remove tools > for accessing or manipulating that area, run the memory-space encrypted > and do not let it dump the contents to disk, etc. Systems which > have been certified to high Orange book levels already exist, so there > are obviously solutions to the problems you present. The tools and > tricks of these systems just need to be migrated into systems which > people actually use. I was speaking of present conditions. If and when proven-secure Unix systems start being used as remailer servers on the net then it may be worthwhile having a larger key. The point is that there is no advantage in strengthening an element of the system which is not its weakest link. Factoring my remailer keys of 510 bits is not, I am sure, the easiest ways of finding the secret keys. > Then remember that remailers gain strength in numbers. The more > remailers you chain your message through the better your chances of > passing through a single node which is not compromised, at which > point your message has been "mixed." As long as it is easier for > someone to create new remailers than to break existing remailers > we are winning. It's not clear that this is the case, though, is it? What is the rate of creation of new remailers? It doesn't seem that high to me. We can't know how quickly they are being broken, but it is just a matter of getting root privileges on the remailer machine. From what I hear of the capabilities of experienced hacker/cracker types, it is very possible that remailers are being broken faster than they are being created. Of course, there is no way to know. > >My point remains that strong keys are pointless for remailers which run > >on Unix systems connected to the net. > > "Insisting on perfect security is for people who do not have the > balls to live in the real world" -paraphrased from M. Shaefer > > You give far too much credit to the potential attackers. One advantage > that unix systems connected to the net have over your hypothetical > PC at home is the advantage of persistence, what is the point of > running a remailer if it is never up, or only up when you need to use > it? Traffic analysis of that particular node becomes a pretty easy > task :) I meant that the home PC system would have an ongoing connection to the net, perhaps in the form of periodic uucp or POP connections. By using batching, traffic analysis would be no easier for such a system than for any other. > The unix hosts running remailers also have the advantage in > that they have been subjected to attack for quite a while now and > most of the obvious problems (and some of the non-obvious problems) > have been fixed. I am not sure what you mean by this. My experience is that new CERT advisories come out every few months which represent security holes big enough to steal remailer keys. The most recent one, out just a couple of weeks ago, is a bug in sendmail and maybe some other programs which could allow remote users to get root access if they have access to a DNS server: ftp://cert.org/pub/cert_advisories/CA-96.04.corrupt_info_from_servers Even if a remailer host operator is on the ball and fixes each one as it is announced, he still was vulnerable before the announcement was made. In many cases these bugs are found by hackers who exploit them for bad purposes before the good guys figure out what they are doing. Suppose a reasonably large prize of several hundred or a few thousand dollars were offered for someone who could break in and steal the key of some remailer on a net-connected Unix system. Wouldn't you agree that the prize would be claimed before too long? > A strong key on such a host is better than a weak key, so why not > make systems as strong as you can? The only way to have a completely > secure computer is to encase it in concrete, cut any network connections, > and drop it into the ocean; OTOH the only thing you have created in this > case is a fairly unique boat anchor. You are beginning to sound like > the people who claim that the NSA can crack any encryption system, not > because they have any proof but just because they extrapolate their > limited knowledge into the unknown and mix in a bit of paranoia. No, my point is that it doesn't really help to strengthen something which is not the weakest link in the chain. My rationale for having a short key is that it more accurately reflects my estimate of the degree of security provided by my remailer. Actually probably an even shorter length than 510 bits would be appropriate, maybe something more like 300 or 400 bits. Going to a 1000 bit key would probably mislead people into thinking that they only way an attacker could trace their message would be by using a zillion mips-years of computing power or something. > >Recall that my original comments were in connection with the claim that > >the government was running most of the remailers. As I said, I still > >think that is absurd when it would be so much easier to simply steal > >their keys. > > But the point is that it is _not_ easier to steal the keys. It is > much easier to put up a remailer than to attack an existing remailer, > this is why the remailer system is winning the battle of security > economics. By putting up its own remailers a potential attacker > probabalistically diminishes the number of systems which they must > break. > > jim Yes, I think I misstated my point here. My real point was that large keys are inappropriate. Maybe you are right that it is easier to start up a remailer than to break one. On the other hand, unless you also break the ones you don't run, you (as a LEA) are not in a position to accomplish your presumed goal, which is to track criminal messages to their source. So in practice I think they would try to break remailers, and again I am sure they will not do so by factoring keys, even for mine. It's also my personal impression that remailers are not mostly run by LEA's, just on the basis of the occasional postings I have seen by remailer operators here. Frankly I doubt that remailers are enough of a problem to be worth the effort on the part of a LEA to run one and deal with all of the hassles. But this may change in the future. Hal From frantz at netcom.com Tue Mar 5 17:27:53 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 6 Mar 1996 09:27:53 +0800 Subject: (Fwd) Gov't run anon servers Message-ID: <199603052233.OAA26287@netcom7.netcom.com> At 1:08 PM 3/5/96 -0800, Jim McCoy wrote: >The point is not to make a system which is absolutely, positively, no >doubt about it, secure against any attacker. If cypherpunks could do >this they would be working for defense contractors and others who make >certified systems. The objective is to make a system which is difficult >to attack, one which costs the attacker time/money. ... It seems to me that one of the best ways to better protect the remailer system would be to regulary change the remailer keys. By destroying the old secret keys, you protect the remailer and its operator against rubber hose attacks aimed at decrypting recorded traffic. As a suggestion: Assume you change the keys every week. You post this week's key to a public keyserver, replacing last week's key. To allow continuous operation you remember both this week's and last week's secret keys and process messages encrypted under either. To validate these keys, you use a long-term key to sign them. Note that for the really paranoid, this long-term key can be kept at a separate site, and only used after e.g. voice verification of the new key's fingerprint. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From jim at RSA.COM Tue Mar 5 17:32:05 1996 From: jim at RSA.COM (Jim Bidzos) Date: Wed, 6 Mar 1996 09:32:05 +0800 Subject: Bidzos on CNBC, discussing Leahy's Bill In-Reply-To: Message-ID: <9603052126.AA19534@RSA.COM> I'm in favor of the Bill because it specifically prevents, by law, the US Govt from mandating key escrow. Also because it would, by law, force export control of crypto out of the Dept. of State and into the Dept. of Commerce, effectively allowing any crypto used in the US and "widely available" to be exported. (The bill does a few other things. One, it provides for criminal penalties for key holders who abuse their role as an escrow agent, assuming anyone *chose* to use key escrow. Second, it makes the use of encryption -any encryption- a crime if used in the commission of or support of any criminal activity. I think the bill would be better off without these provisions, but I suspect this is an attempt to give the administration something.) I anticipate that the Administration, led by the intelligence and law enforcement interests, will vigorously lobby against this bill... From dsmith at midwest.net Tue Mar 5 17:48:25 1996 From: dsmith at midwest.net (David E. Smith) Date: Wed, 6 Mar 1996 09:48:25 +0800 Subject: Remailer Security Message-ID: <2.2.32.19960305212904.00683828@204.248.40.2> At 11:06 PM 3/4/96 -0500, jrochkin at cs wrote: >At 11:06 PM 03/04/96, lmccarth at cs.umass.edu wrote: >Um, there's no reason why your remailer's account needs to be logged into >interactively, is there? Seems like remailer ops should disable login to >remailer accounts, putting '*' into the password field in /etc/passwd, or >however unix lets you disable login (I know it does). If I want a remailer's key, I would probably try to go after root. Not only will it get me that key, but there's no telling what else might turn up in the meantime. If you can get access to any account on the system, odds are good you can give yourself root access anyway. It's almost a "freebie." >Obviously, the general security risk of someone gaining unauthorized access >to the remailer executable or data files is still there, and important to >keep in mind. But this would seem to be a fairly logical security measure. You could always do a custom-compile of PGP that never checks for a passphrase; it's compiled into the executable. That's only a trivial measure at best (heck, hex editors have been around since roughly the dawn of UNIX) but it's a place to start. I don't think it's possible to have too much security. dave ----- David E. Smith, c/o Southeast Missouri State University 1000 Towers Circle South MS 1210 Cape Girardeau MO 63701 dsmith at midwest.net, dave at nym.alias.net, PGP 0x961D2B09 (573)339-3814 http://www.midwest.net/scribers/dsmith/ "Reality is only for those lacking in true imagination." From nobody at REPLAY.COM Tue Mar 5 18:01:52 1996 From: nobody at REPLAY.COM (Anonymous) Date: Wed, 6 Mar 1996 10:01:52 +0800 Subject: Bombings, Surveillance, and Free Societies Message-ID: <199603052148.WAA05491@utopia.hacktic.nl> At 12:51 PM 3/4/96, Timothy C. May wrote: > Personally, while I feel sorry for the dead in Israel, I think anyone who > moves to a small desert state surrounded on all sides by Arabs who want > their land back is asking for trouble. I argue that the invading of countries, bombing of cities, starving of towns, burning of villages, hijacking of ships, and murdering torturing, beating and kidnapping of Arabs to be "asking for trouble." > Being an atheist, I treat all religious mystics as suspect. When a bunch of > people leave London and Chicago and Paris to live in the desert, surrounded > by sworn enemies with nuclear capabilities, I think whatever happens to > them is...."unsurprising." I disagree with you here; the only side with nuclear capabilities is Israel. We cannot keep having this mixture of Jews and Arabs. We have to stop the blurring. There has to be a separation, not just a technical closure. We have to decide on separation as a philosophy." - Yitzhak Rabin From PADGETT at hobbes.orl.mmc.com Tue Mar 5 18:45:24 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Wed, 6 Mar 1996 10:45:24 +0800 Subject: Anonymous Web Browsing Message-ID: <960302131308.20201e1e@hobbes.orl.mmc.com> Realy two questions - will treat each in order > I have followed the ongoing discussion on PGP security, remailers >and the like. I am wondering if the current trend with interactive Web >browsing, Java, etc, is not going to create a privacy problem every bit as >significant as insecure e-mail. As these "applets" become more >sophisticated are we not going to have to face up to the issue of dynamic >links to web sites that gather a lot of info from your computer as you >interact with it? It is possible to design a "prophylactic" environment that would control the interaction between your web browser and the PC. As was determined with FV's keystroke monitor, it only worked because nothing prevented it, not because nothing could prevent it. Such links can be prevented from gathering information but I suspect it would be more creative to feed it information that you would like others to believe. > My question is this: Would it be possible to create a web site that >would function along the same lines as remailers do? Something that would >allow a person to browse anonymously. This is a different question. By nature, web transactions are interactive which means that both sides must know how to reach each other. You could set up a limited proxy and load it with the preferred information but I suspect it would be easier to just send $20 and a requested username/password to a local provider for a PPP account. Would not be "anonymous" but if done carefully, the provider would not have to know who was using the account. In the case of my local provider, no proof of my identity was ever required and the entire set-up was done over the telephone (and I was not at home at the time). Did not try to hide my identity but could have. Warmly, Padgett From ChristopherA at consensus.com Tue Mar 5 19:51:21 1996 From: ChristopherA at consensus.com (Christopher Allen) Date: Wed, 6 Mar 1996 11:51:21 +0800 Subject: SEAL cipher info requested (something actually list related!) In-Reply-To: <9603052220.AA11028@spirit.aud.alcatel.com> Message-ID: At 5:26 PM 3/5/96, Ted Anderson wrote: >As James Earl Jones would say: "It's in the Book". At 6:57 PM 3/5/96, Bill Frantz wrote: >Try "Applied Cryptography, Second Edition", by Bruce Schneier At 10:20 PM 3/5/96, Daniel R. Oelke wrote: >Get Applied Cryptography!!! To all that keep telling me to use Applied Cryptography -- I have the book already (an autographed copy ;-) What I am seeking is more than what is in the book: * are there are any links on the web to SEAL? * is IBM actively marketing it? * what precisely is patent? * for how long? * has anyone currently licensed it? * has anyone tried attacking the algorithm? * should we be (the community) be looking at SEAL for standards (say as an alternative to RC4?)? * is there something better then SEAL available? ------------------------------------------------------------------------ ..Christopher Allen Consensus Development Corporation.. .. 1563 Solano Avenue #355.. .. Berkeley, CA 94707-2116.. .. o510/559-1500 f510/559-1505.. From PADGETT at hobbes.orl.mmc.com Tue Mar 5 19:54:17 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Wed, 6 Mar 1996 11:54:17 +0800 Subject: Square pegs in round holes Message-ID: <960305200147.20203d67@hobbes.orl.mmc.com> >Bob must find out whether Alice has declared (commited) her interest >in him, if and only if he has declared (commited) his interest in her. >Before he does so, he can at most know that a girl is interested in him. >Another description: Bob and Alice can have a date if they both commit >to each other. If only one commits, nobody will ever find out about it. >- T is the trusted third party. Well if we *must* use D-H that is a way, but why do that ? Instead of using a binary assymetric key, why not a triple ? (Just because I do not know of any does not mean that one does not exist). Consider a function such that Alice has a key such that given a message M, when encrypted by Alice may be manipulated by T such that Bob can decrypt it. Similarly, Bob has a key that when manipulated by T' can be read by Alice. Assymetric but not binary. The advantage here is that while "T" is trusted by both, he/she/it/other is not able to read either message, rather acts as a catalyst. Such a mechanism could be as indicated or could be circular e.q. a cipher such that A can generate a message readable by T who can generate a message redable by B who can generate one readable by A. True you could do this with three pairs of keys distributed alternatively so that a single person can only write left and read right. As to why you would want such a curiosity, consider a corporation with 80,000 mailboxes. It would be desirable for each person to be able to send E-Mail to any other person but not desirable for each person to have to hold all 80,000 keys. Given a triple (tertiary ?) function each individual would only need their receive key and a "post office" transmit key. On sending a message, it would be encrypted with a session key and the session key encrypted with the post office key. The post office would have all 80,000 receive functions but through the assymetic keying would only be able to convert the session key to something each intended recipient could decode but not be able to decode the message itself. This would meet both criteria (not key escrow but that is under "management") D-H is wonderful but has difficulties with scalability. If such a function existed (has anyone looked ?) it would solve the problem. "The exercise is left to the student" Warmly, Padgett From choi at virtu.sar.usf.edu Tue Mar 5 19:55:51 1996 From: choi at virtu.sar.usf.edu (Charles Choi (SAR)) Date: Wed, 6 Mar 1996 11:55:51 +0800 Subject: Signature In-Reply-To: <9603052110.AA00640@bilbo.suite.com> Message-ID: Delurking beginner... 1) Is it possible to base a privacy key ( e.g. PGP ) on a fractal equation, instead of an algorithm based on two primes? This would allow for an eternal level of complexity due to infinite field of depth one can find as one 'zooms in' closer ( correct me because I'm wrong; I'm not a math major, although increasingly I wish I was... ), allowing for near unbreakable privacy of information. 2) It is dead certain that our governments will want at their disposal a decrypt program to crack into data containing information possibly related to crimes ( or what not ). Perhaps access to this program can somehow be leased out like a search warrant by a judge, which at least means a check and balance, and any unauthorized use of the program ( perhaps when it cracks into encryptext [ what I call ciphertext, as opposed to uncryptext, or plaintext ;) ] it leaves a very characteristic signature, or cracking into the database that contains the program is near impossible; maybe it's not physically connected to the Internet until the warrant is granted ) results in punishment, of course. Back to lurking... Sincerely. Quentin Holte. ( aka Charles Choi. ) You are all the Buddha. - Last words of Buddha. If you see the Buddha, kill him. - Zen proverb. From choi at virtu.sar.usf.edu Tue Mar 5 19:59:30 1996 From: choi at virtu.sar.usf.edu (Charles Choi (SAR)) Date: Wed, 6 Mar 1996 11:59:30 +0800 Subject: Signature 2 In-Reply-To: <9603052110.AA00640@bilbo.suite.com> Message-ID: Decloaking... Assumption 1 : a privacy key can become uncrackable. Assumption 2 : an individual signature can become immune to fraud. Posit : fuse the two together so that pseudonyms/aliases/online names ensure complete privacy, but ensure that you talk to the same person everytime. Probably proposed already. Cloaking... Sincerely. Quentin Holte. ( aka Charles Choi. ) You are all the Buddha. - Last words of Buddha. If you see the Buddha, kill him. - Zen proverb. From jf_avon at citenet.net Tue Mar 5 20:51:03 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Wed, 6 Mar 1996 12:51:03 +0800 Subject: FW: Communications Decency Act (hee-hee) Message-ID: <9603060237.AB20153@cti02.citenet.net> tcmay wrote: >Welcome to the Fourth Reich. Read _The_Ominous_Parallels_ by Leonard Peikoff JFA **** OLD KEY: USE ONLY FOR VERIFYING SIGNATURES **** 1024 bits Key ID:57214AED 1995/10/04 Jean-Francois Avon 84 96 76 AE EB 7C AB 15 88 47 87 B0 18 31 74 9F From tallpaul at pipeline.com Tue Mar 5 20:55:11 1996 From: tallpaul at pipeline.com (tallpaul) Date: Wed, 6 Mar 1996 12:55:11 +0800 Subject: (Fwd) Gov't run anon servers Message-ID: <199603051337.IAA29936@pipe11.nyc.pipeline.com> On Mar 04, 1996 15:11:43, 'tcmay at got.net (Timothy C. May)' wrote: > >At a Cypherpunks meeting a couple of years ago we spent some time >brainstorming this. It seemed plausible that a small outfit could make such >"remailer boxes" and sell them cheaply. (Hardware prices have plunged even >further.) > I had written on similar things over the past few months, on the "$20 Mixmaster" post. New hardware drives with replaceable media in the 100+ Mb range has developed. The Syquest 135 Mb drive, featured in the latest issue of _PC Mag_ can, with the parallel port version, reportedly boot. This means one can have the drive that weighs about two pounds and a $20 disk, place another OS on the disk, and have a very portable remailer system. I viewed the whole thing as more geared to the amateur market, whereby jr. high school students and the like could set up their own remailers, known only to a "small circle of friends." T.C. May's theory of the commercial "mom and pop" version is just as valid. One major way to "increase the noise level" is to greatly increase the number of remailer, especially small ones that may come and go based on little more than word of mouth advertising. Imagine two scenarios. In scenario one, the are two or three large xerox stores in a city. All advertise in the yellow pages and are known throughout the city as the place you go to have your xeroxing done. They all do a tremendous volumn of business. In scenario two, there are an enormous number of small stores with xerox machines, large numbers of home offices with the machines, and large numbers of people with word-of-mouth knowledge of friends with machines to use. What society is easier to crackdown on? --tallpaul PS: A week or two ago, someone posted a notice of anon remailers under Windows that was in alpha test and due in beta in about a month. Same thing. Same benefit. From sophi at best.com Tue Mar 5 20:56:52 1996 From: sophi at best.com (Greg Kucharo) Date: Wed, 6 Mar 1996 12:56:52 +0800 Subject: EFF Statement on Leahy/Burns/Murray Crypto Bill In-Reply-To: <9603052322.AA16005@toad.com> Message-ID: <313CF3AD.1BC3@best.com> I'm a little confused by this phrase from the bill. It seems to be saying just that export needs to be authorized if the software is already exportable from the U.S. and if to a financial institution. I know that can't be right, but what is the translation of this legalese? > "Requires that export be authorized for non-military encryption > software to any country where similar software is exportable from > the U.S. to foreign financial institutions." -- ----------------------------------------------------------------- "When they came for the Fourth Amendment I didn't say anything because I had nothing to hide. When they came for the Second Amendment I didn't say anything because I wasn't a gun owner. When they came for the Fifth and Sixth Amendments I didn't say anything because I had committed no crimes. When they came for the First Amendment I couldn't say anything." -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCPAzEIa2wAAAEEALouE7MNxsG+QTOJSrMTygYWKblpI9MgOKaFA+5AICNelAw6 6Gj3B0EQr7bwLILk8EJULG+kYh/ND9Kn1EXBK+elXbwpFCLqoyEZrbHJnurhH/t6 VFEwhbN1V0e/bFOCTq8nykoJjZ/uq0mz8HouIbEt6BYWoKVSUIU/T+iDV3TVABEB AAG0DWdoa0Bzb3BoaS5jb20= =gwax -----END PGP PUBLIC KEY BLOCK----- From blancw at accessone.com Tue Mar 5 20:59:33 1996 From: blancw at accessone.com (blanc) Date: Wed, 6 Mar 1996 12:59:33 +0800 Subject: FW: Communications Decency Act (hee-hee) Message-ID: <01BB0932.D4230420@blancw.accessone.com> Had to share this funny bit with y'all...... .. Blanc ---------- From: William Pickard[SMTP:bpickard at pickard-murphy.com] Sent: Sunday, March 03, 1996 6:07 PM To: Mark Anderson Subject: Communications Decency Act Scott Adams, the author of Dilbert, contributes this to the debate: Communications Decency Act -------------------------- The government of the United States has passed a law which makes it a crime to transmit indecent materials over the Internet. As a citizen of this great country I plan to fully comply with that law. >From now on, whenever I get the urge to use an offensive word in e-mail I will substitute the name of an offensive politician. I urge you to do the same. The beauty of this approach is that they can't easily ban these new naughty words without changing their own names. I know I could get in trouble for suggesting such a thing, but I don't give a flying Clinton what they think. And if they don't like it they can come over here and kiss my Gingrich. William Pickard bpickard at pickard-murphy.com Pickard & Murphy, Inc. Telephone (206) 323-5979 3213 East Alder Street FAX (206) 860-4877 Seattle, Washington 98122-6314 From stewarts at ix.netcom.com Tue Mar 5 21:05:47 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 6 Mar 1996 13:05:47 +0800 Subject: Is there any work on entropy-lowering schemes? Message-ID: <199603040206.SAA07584@ix14.ix.netcom.com> At 07:46 PM 3/1/96 -0500, Mutant Rob wrote: >I'm wondering if anyone has done any work on schemes to lower the >entropy of a given stream. Why? Save you've got message M encrypted >with a good cipher, but you're worried that it can be detected because >even with stego, the entropy is a lot higher than normal 'random' data >flowing through a network. Peter Wayner's work on Mimic Functions does just this sort of thing. You can describe a grammar, feed it random bits, and generate output that has the right statistics and can be reversed to get the original bits. His paper was on cs.cornell.edu a few years ago; don't know where to find it now. AltaVista yields a reference to the paper in Cryptologia, and the Cyphernomicon has the following: - "They encode a secret message inside a harmless looking ASCII text file. This is one of the very few times the UNIX tools "lex" and "yacc" have been used in cryptography, as far as I know. Peter Wayner, "Mimic Functions", CRYPTOLOGIA Volume 16, Number 3, pp. 193-214, July 1992.[Michael Johnson, sci.crypt, 1994-09-05] (When I read the Cryptologia reference on my browser, I don't get the ligature in the middle of "Huffman coding"; YMMV. :-) From frantz at netcom.com Tue Mar 5 21:11:29 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 6 Mar 1996 13:11:29 +0800 Subject: Duress Message-ID: <199603040238.SAA09143@netcom7.netcom.com> At 11:38 AM 3/4/96 +1000, Greg Rose wrote: > At 2:49 PM 3/3/96 -0500, Dr. Dimitri Vulis wrote: > One of the private pilot magazines reported that a small plane operator > used the code (because his airplane was, in fact, being hijacked). When he > landed the airplane, it was surrounded by LEA, and in the ensuing gun > battle, everyone on the airplane died. The went on to say that the safety > of the passengers and airplane are the pilot's primary responsibility and > that pilots should consider this incident when deciding to use the code. > >Actually, that is an urban legend which grew out >of a real incident. What actually happened was >that they thought the private pilot couldn't >really have been hijacked, so when he landed *he* >was arrested for creating a public nuisance or >something. It wasn't till later, when they found >the shotgun-toting druggie, that they believed >him... > >Greg Travis was the pilot's name, I imagine >AltaVista might find his original posting. My posting, not Dr. Dimitri Vulis'. I certainly don't remember your version as the one I personally read. The magazine could have been wrong, but I don't think my memory of the article is far enough off for them to be the same incident BTW - I think the magazine was "Flying". Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From stewarts at ix.netcom.com Tue Mar 5 21:15:34 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 6 Mar 1996 13:15:34 +0800 Subject: Truelly Random Numbers Message-ID: <199603040052.QAA20279@ix3.ix.netcom.com> >At 10:11 AM 3/3/96 -0500, Gary Howland wrote: >>Surely the process of counting up until you get a prime means >>that the chances of getting certain primes are greater than >>others (eg. 17 is more likely than 19) ? At 11:07 AM 3/3/96 -0800, jamesd at echeque.com wrote: >In order to use this information, one would need to determine >the number of primes in the vicinity of a potential prime factor. >This costs more than actually checking for the factor, hence is >not useful. The discussion has been about probability of collisions, rather than usable exploits - they're still rare enough that it's a birthday-problem issue. While you're more likely to pick a specific prime with a large gap before it than one with a small gap before it, there are a lot more small gaps than large ones, assuming that primes are roughly uniformly distributed within any given range (which is roughly true) and that therefore the gaps are geometrically distributed. I worked an example for random 384-bit primes, which you'd use to generate 768-bit RSA keys. The density of primes is approximately 1/ln384 = 1/266 = 1/meanlength. The unweighted quartile gap lengths are 77, 186, and 372. The weighted quartiles for the gaps are 255, 447, and 720 ; these correspond to unweighted cdfs of 61%, 81%, and 93%. So, yes, it's a bit skewed (and enough that I'd rather not work the birthday problem math, which is far easier with uniforms :-) But it's probably not skewed enough to affect the number of primes required for a collision to occur by more than a factor of 100 or so, and collisions in RSA keys require collisions in both primes. From jya at pipeline.com Tue Mar 5 21:28:13 1996 From: jya at pipeline.com (John Young) Date: Wed, 6 Mar 1996 13:28:13 +0800 Subject: TER_ror Message-ID: <199603060351.WAA12445@pipe4.nyc.pipeline.com> EcoMist, March 2, 1996: "What is terrorism? The use of terror is more widespread and effective than is generally recognised." A special essay that weighs military action, guerrilla warfare and terrorism. TER_ror ----- This issue also presents "in the mind of the terrorist," "a new plan for Ulster" and "Israel, Palestine and Hamas." From rich at c2.org Tue Mar 5 21:38:43 1996 From: rich at c2.org (Just Rich) Date: Wed, 6 Mar 1996 13:38:43 +0800 Subject: NYT login In-Reply-To: <9603040042.AA20426@zorch.w3.org> Message-ID: On Sun, 3 Mar 1996 hallam at w3.org wrote: > >The tobacco companies need a forum. And they are used to spending big > >bucks on sponsoring things. > > That misses the point. There is no shortage of potential sponsors. > What these people are asking me is "how much business will Web > advertising create for me". This misses another point. The question was, how do *we* pay for this stuff (emphasis mine). If someone develops a reasonably easy-to-use and reasonably secure digital cash micropayment system, then I would be happy to pay to read the New York Times on the Web. I would rather they were dependent on my money than R.J. Reynold's. -rich From declan+ at CMU.EDU Tue Mar 5 22:52:43 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Wed, 6 Mar 1996 14:52:43 +0800 Subject: Jump Start ecash With IPhone In-Reply-To: Message-ID: <0lDG84_00YUsAt0jgB@andrew.cmu.edu> When thinking about ecash-supported net.telephony, consider the attached message. -Declan ---------- Forwarded message begins here ---------- Message-ID: Date: Tue, 5 Mar 1996 21:14:08 -0500 (EST) From: "Declan B. McCullagh" X-Andrew-Message-Size: 3344+0 To: Fight Censorship Mailing List Subject: Long distance companies demand FCC net-regulation If the religious right doesn't succeed in pushing FCC Net-regulation with the cyberporn excuse, the long-distance giants will succeed by whining about I-Phone. I am starting to think that FCC regulation of the Internet is almost inevitable. With net-phone projects like Free World Dialup being covered in the New York Times, it may just be a matter of time. -Declan ---------- Forwarded message begins here ---------- FCC PETITIONED TO STOP MISUSE OF THE INTERNET! WASHINGTON, March 4 /PRNewswire/ -- The America's Carriers Telecommunication Association (ACTA), a trade association of competitive, long distance carriers today petitioned the Federal Communications Commission (FCC) to stop companies from selling software and hardware products that enable use of the Internet to voice long distance services. A growing number of companies are selling software programs with ancillary hardware options that enable a computer to transmit voice conversations. This, in fact, creates the ability to "by-pass" local, long distance and international carriers and allows for calls to be made for virtually "no cost." For example, on-line service providers generally charge users around $10.00 for five hours of access and then around $3.00 for each additional hour. Five hours equals 300 minutes, divided by $10 is 3.3 cents per minute. The average residential long distance telephone call costs about 22 cents per minute or seven times as much. The Internet is a unique form of wire communications. The rapid growth of the Internet is stressing the capacities of the Internet itself. The Internet access points are growing at 50% per month with subscriber growth running close to 30% per month. Individuals are accessing the Internet for more and more business applications such as market research, news, and advertising with corporate web sites exploding, to say nothing about using the Internet for E- mail applications. ACTA submits that it is incumbent upon the FCC to exercise jurisdiction over the use of the Internet for unregulated interstate and international telecommunications services. Long distance and international carriers must be approved by the FCC to operate and must file tariffs before both the FCC and state public service commissions. All of these requirements are stipulated in the Communications Act of 1934 and the Telecommunications Act of 1996. Technology may once again be surpassing government's ability to control its proper use. However, the misuse of the Internet as away to "by-pass" the traditional means of obtaining long distance service could result in a significant reduction of the Internet's ability to transport its ever enlarging amount of data traffic. Therefore, ACTA has petitioned the FCC to define the type of permissible communications which may be effected over the Internet. America's Carriers Telecommunication Association was founded in 1985 by independent long distance companies to serve the needs of small businesses and to advance the goals of more effective competition. ACTA's membership today includes over 130 companies engaged in providing telecommunications services. CONTACT: Charles H. Helein, general counsel, 703-714-1301, or Jennifer Durst- Jarrell, executive director, 407-332-9382, both of America's Carriers Telecommunication Association From stewarts at ix.netcom.com Tue Mar 5 23:24:35 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 6 Mar 1996 15:24:35 +0800 Subject: key security for anon remailers Message-ID: <199603060542.VAA28908@ix9.ix.netcom.com> We've been discussing the security problems with leaving your PGP key around on anonymous remailers. Mixmaster and the ghio2 remailers have the key compiled in, but at least for ghio2 the string is sitting there unencrypted and unmasked in the binary, where somebody who can access the binary can run "strings" to steal it, without even the bother of decompiling :-) The primary alternative is to start up the remailer with the PGP passphrase in its environment, but doing that has its problems - the ghio2 remailer is made to run as a batch process called for each message, rather than a permanent listener, and if you did something like put the key into the sendmail daemon's environment, it'd probably be even easier to steal (e.g. anybody on the machine could do it by setting up their own mail-processor.) A minor hack that I do with my remailer is to keep two versions of the source - a vanilla one for distribution, and one with all my customized information that I actually compile and run. So how can you keep a persistent process that isn't part of the mail empire? One approach is to have a remailer daemon using sockets or named pipes that does the decryption and feeds mail to a remailer process (which _it_ calls) for delivery or has its own builtin remailing - you'd input the key to the daemon when you start it up, and wouldn't need to leave it in a file or environment, just in the executing process itself. Probably an hour's hack using PGP3.0, or you can grind up the current I/O routines for PGP 2.6.2 and ignore the fact that you void your RSAREF license that way. You'd have to get rid of some of the code that overwrites the passphrase and other sensitive data, though. Another approach is to have a separate box that's not on the network that the remailer runs on (obviously this is easier on a machine you've got at home or work rather than at an ISP...) You can take that old 8086 or 386, run a daemon to accept files on the serial port and return them to the mail system on the serial port. Uucp is probably secure enough. (Does PGP run on Minix, or on any of the old Xenix or Venix operating systems? It's probably easier to build workable communications daemons on one of them than on DOS, though there are DOS uucp and kermits that you could hack up. For a 386, Linux is the obvious choice.) Since the entire remailer would be running on the box, and you don't permit logins from the serial port, it's probably pretty secure, even against someone with root on the network-connected machine, assuming all your traffic is encrypted. From adam at lighthouse.homeport.org Tue Mar 5 23:29:59 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Wed, 6 Mar 1996 15:29:59 +0800 Subject: WARES - random generator In-Reply-To: <2.2.32.19960305231417.009380a8@mail.teleport.com> Message-ID: <199603060554.AAA15842@homeport.org> I'd be interested in seeing design reviews & the like. A $50 hardware rng that did a recent job would be fabulous, but rngs are notoriously easy to mess up. So can we get design information & such? Adam | >Keywords: madison hawai obsceni prising ridblood ribiliss | >Subject: WARES - random generator | >Reply-To: email at fringeware.com (FringeWare Inc) | >Date: Tue, 5 Mar 1996 11:06:20 -0600 | >Apparently-To: fwlist-daily at fringeware.com | >X-UIDL: 4751f2738fffe6a83cf40be20fcd79a5 | >The product line is called Perfect Crypt Products and the new item | >being considered is a random number generator which plugs into the | >serial port of your PC/Mac/Sparcbook/Cray/etc., and pours out a stream | >of random numbers. The process is based on thermal radiation, the | >randomness looks quite good, and the product would retail for about us$50. | > | >If you have an interest in such a product, please let us know here | >at: email at fringeware.com and we'll add it to our catalog. -- "It is seldom that liberty of any kind is lost all at once." -Hume From unicorn at schloss.li Tue Mar 5 23:40:18 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 6 Mar 1996 15:40:18 +0800 Subject: Duress In-Reply-To: <199603040535.VAA25193@netcom7.netcom.com> Message-ID: On Sun, 3 Mar 1996, Black Unicorn wrote: > On Sun, 3 Mar 1996, Bill Frantz wrote: > > > >Of course, all smart air piracy buffs know the transponder code is 7600, > > >and refuse to allow the pilots to use it. > > > > It changes from time to time. Of course subscribing to an IFR chart > > service will keep you up-to-date with the changes. > > You should forward this to the list. > > > > > Regards - Bill > > > > > > ------------------------------------------------------------------------ > > Bill Frantz | The CDA means | Periwinkle -- Computer Consulting > > (408)356-8506 | lost jobs and | 16345 Englewood Ave. > > frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA Woah! Did I inadvertantly copy this to the list? It should have only gone to Mr. Frantz. My most sincere apologies! --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From lmccarth at cs.umass.edu Tue Mar 5 23:46:57 1996 From: lmccarth at cs.umass.edu (lmccarth at cs.umass.edu) Date: Wed, 6 Mar 1996 15:46:57 +0800 Subject: New PRNG method! In-Reply-To: <199603021741.MAA16483@homeport.org> Message-ID: <199603021754.MAA26203@thor.cs.umass.edu> Olcay Cirit writes: > PRNG? (Practical Random Number Gen.) Incidentally, deliberately overloading a widely-used acronym with a similar (?) but distinct meaning is a Bad Thing, unless you're just out to confuse people. Please, oh pretty please, consider reading some of the umpteen discussions of proposed random and pseudorandom sources in the list archives and FAQs and books.... -Lewis From dlv at bwalk.dm.com Tue Mar 5 23:47:39 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Wed, 6 Mar 1996 15:47:39 +0800 Subject: Anonymous Web Browsing In-Reply-To: Message-ID: Little cryptographic relevance... Ed Carp writes: > I wouldn't give Netcom my CC# if my life depended on it. They have a > really lousy record of people breaking in, stealing their lists of CC > numbers, then Netcom trying to sweep it under the rug and not telling > their users that their CC# was compromised. > > Besides, their service really sucks, and their technical "support" > doesn't exist. I heard they have many more people using their system than it can handle, so the response time is really bad. Also several people complained that they tried to cancel a netcom account and netcom kept on billing their credit card. (I'd never deal with an ISP who doesn't accept checks or money orders. And I mean checks, not automatic withdrawals from a checking account.) dhp.com has been recommended to me as an ISP that respects its users privacy. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From eggplant at inlink.com Tue Mar 5 23:51:54 1996 From: eggplant at inlink.com (eggplant) Date: Wed, 6 Mar 1996 15:51:54 +0800 Subject: Truelly Random Numbers Message-ID: >-----BEGIN PGP SIGNED MESSAGE----- > >Tim Fulbright wrote: >> >> Now I, a lurker for two months, am truelly confused! L. Deitweiler must be >> right. Surely one of you cyperpunk fellows could hack together a >>dongle with >> some kind of AD converter and buffer ram to gather a Truelly Random Bitstream >> off the environment every couple of milliseconds easier than this raindrop >> scheme or recording the fan, you're haviung me on!. Let's go back [..] > >The raindrop scheme was (politely) laughed off. As for the fan recording >scheme, it's a good make-do-with-what-you-already-have method, as opposed >to buying and/or building a card. > >A 'simple AD converter' isn't so simple. Especially if you want to be >sure you really have random noise and not something else that just looks >random. >- --- >[This message has been signed by an auto-signing service. A valid signature >means only that it has been received at the address corresponding to the >signature and forwarded.] > >-----BEGIN PGP SIGNATURE----- >Version: 2.6.2 >Comment: Gratis auto-signing service > >iQBFAwUBMTz0nSoZzwIn1bdtAQGl6QF+P1V62qg+Mf5K+VN3q0Y1e6/A4EO4uLLr >WNxAbtE+OxQXFKnP7ajFUFBbnDLJxLmx >=4ysY >-----END PGP SIGNATURE----- Actually, I remember reading somewhere, a long time ago though, that the NSA had come up with an almost undoubtably random sequence by using random high altitude RF signals, scanning a certain frequency I guess. Then using it as the random number. Given the amount of RF transmisions world-wide and the addition of high-altitude interference, it should be completely random. Unless someone were to get their hands on you copy of it or happened to be hooked up to your reciever at the time of recording, there is no way they could figure it out. -- "... In Germany they first came for the Communists and I didn't speak up because I wasn't a Communist. Then they came for the Jews, and I didn't speak up because I wasn't a Jew. Then they came for the trade unionists, and I didn't speak up because I wasn't a trade unionist. Then they came for up because I wasn't a trade unionist. Then they came for Catholics, and I didn't speak up because I was a Protestant. Then they came for me-and by that time no one was left to speak up..." Pastor Martin Niemoller ++++++++++++ ************************************** * Matthew Murphy ------------ eggplant at inlink.com * ---------- * http://www.inlink.com/~eggplant * The Web page is under construciton at this time though.. * Please don't mind the mess.... * ************************************** ++++++++++++ finger eggplant at inlink.com for my PGP key. From eggplant at inlink.com Tue Mar 5 23:52:13 1996 From: eggplant at inlink.com (eggplant) Date: Wed, 6 Mar 1996 15:52:13 +0800 Subject: St. Louis Cypherpunks Message-ID: I'm lookig for people who live in the St. Louis area who are interested in computers in general and the internet specificly. If you could drop me a line, I would be most appreciative. Thnx in advance.... -- "... In Germany they first came for the Communists and I didn't speak up because I wasn't a Communist. Then they came for the Jews, and I didn't speak up because I wasn't a Jew. Then they came for the trade unionists, and I didn't speak up because I wasn't a trade unionist. Then they came for up because I wasn't a trade unionist. Then they came for Catholics, and I didn't speak up because I was a Protestant. Then they came for me-and by that time no one was left to speak up..." Pastor Martin Niemoller ++++++++++++ ************************************** * Matthew Murphy ------------ eggplant at inlink.com * ---------- * http://www.inlink.com/~eggplant * The Web page is under construciton at this time though.. * Please don't mind the mess.... * ************************************** ++++++++++++ finger eggplant at inlink.com for my PGP key. From tcmay at got.net Wed Mar 6 00:25:44 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 6 Mar 1996 16:25:44 +0800 Subject: Bombings, Surveillance, and Free Societies Message-ID: At 5:42 AM 3/6/96, Bill Stewart wrote: >At 07:41 PM 3/4/96 -0800, Tim wrote: > >>Let me use the language Bill Stewart used a while back, language which >>skirts the issue of "right" and "wrong" even more neatly than I did (when I >>said the Jews were "asking for trouble"): >> >>"If a religious group uses force to expel the current occupants of a desert >>region, and expels them to just beyond their borders, it is "unsurprising" >>that those expelled, and their children, and their children's children, >>will swear a blood oath to drive the group into the sea." > >That wasn't me, though I've said similar things about terrorism against >governments - those that go out of their way to attack and harass people >shouldn't be surprised when people attack them in return. I'm pretty sure it was you. As I don't want to search through past posts to try to find your use of this, let me make it clear that the language I was referring to was what I quoted: "unsurprising." I think you pointed out that instead of talking about "right" and "wrong," charged as they are, one can instead talk about certain events being "unsurprising." If this was not your coinage, and no one else steps forward, then I'll gladly steal it and file the serial number off. --Tim May, a felon Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From nelson at santafe.edu Wed Mar 6 00:59:38 1996 From: nelson at santafe.edu (Nelson Minar) Date: Wed, 6 Mar 1996 16:59:38 +0800 Subject: Steganography idea: CU-SeeMe In-Reply-To: <9603041921.AA08825@bilbo.suite.com> Message-ID: <199603060734.AAA00178@nelson.santafe.edu> The thing that bothers me about existing steganography code I've seen is that it all uses uncommon communication channels to hide data. For instance, the "hide data in a picture" programs: useful, up to a point, but how often do I send pictures to other people? I think to be effective, methods need to be employed that exploit existing, well used communication channels. So here's one idea I've had as a place to hide a channel: network video, in particular CU-SeeMe video streams. CU-SeeMe is a lowtech network video application, people running Windows and Macs with a $99 camera and a PPP stack can send about 2fps (160x120) to each other over the Internet. Times I've used it, bandwidth is about 8kbits/sec (I'm on a modem). So here we have a reasonably high bandwidth channel, person to person, that is already being used a lot on the net. How easy would it be to borrow a few bits to hide the secret message? Because the image quality is low (4bpp or 6bpp grey), and definitely nonrandom, you'd need to be more subtle than just borrowing the low bit. I think the answer could be found in image processing algorithms. Spreading a bit out across various pixels would nice, as would some sort of adaptive algorithm that identifies part of the image that's safe to hide data in. It's not good enough that the image with hidden data looks the same to the eye: it has to be statistically identical to undoctored streams. The biggest barrier to this I see is that the CU-SeeMe protocol itself is proprietary, and the only existing free code I know of that does it doesn't work very well (version 3.0 of a Unix reflector: buggy, now very old). Of course you have to emulate the normal software 100% correctly, or the Men in Black will see you're using stego tools. I should remark that the subliminal channel stuff in digital signatures is a really beautiful example of steganography. From bstrawse at copper.ucs.indiana.edu Wed Mar 6 01:11:49 1996 From: bstrawse at copper.ucs.indiana.edu (Bryan Strawser) Date: Wed, 6 Mar 1996 17:11:49 +0800 Subject: Another Motivation for the CDA In-Reply-To: Message-ID: <199603060750.CAA17490@copper.ucs.indiana.edu> > No felon may own a gun legally in California, for some period of time after > conviction. I presume similar laws apply in other states. (Of course, a lot No felon may legally own a gun anywhere. Federal Firearms laws specifically prohibit any person convicted of a crime for which they may receive a sentence of more than one year from possessing a firearm for the rest of their lives Bryan -- = Bryan Strawser / Indiana University / bstrawse at indiana.edu = = Live Free or Die / http://copper.ucs.indiana.edu/~bstrawse = = Gondolin Technologies / http://www.gondolin.org/gondolin = From nelson at santafe.edu Wed Mar 6 01:20:34 1996 From: nelson at santafe.edu (Nelson Minar) Date: Wed, 6 Mar 1996 17:20:34 +0800 Subject: PGP 3.0/4.0 In-Reply-To: <199603030054.QAA28612@ix7.ix.netcom.com> Message-ID: <199603060755.AAA00215@nelson.santafe.edu> >the last time I put together a 6,000 key ring on a 386 it took three >days & several Mb. The MIT PGP keyserver now has new non-PGP based code to manage it's keyring of 20,000+ keys. Not sure if you can get the code, or how easy it'd be to adapt to a deployed usage, but presumably it's much more efficient. From frantz at netcom.com Wed Mar 6 03:52:37 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 6 Mar 1996 19:52:37 +0800 Subject: NYT on Crypto Bills Message-ID: <199603050229.SAA01572@netcom7.netcom.com> On Mar 4, 3:09pm, Adam Shostack wrote: > Markoff shouyld know better than this. There is a long > history of business use of codes & ciphers, going back hundereds of > years, and durring the heyday of the telegraph, there were fair size > companies that created codebooks with (locally configurable) > superencipherment systems for the market. Michael Helm writes: > I thought that, for the most part, the telegraph systems described > above were to reduce cable charges (1 code word instead of a 15-word > sentence, a huge savings in those days). At 8:00 PM 3/4/96 -0500, Perry E. Metzger wrote: >Totally untrue. The use of encryption for business purposes goes back >centuries, and there were commercial providers of blank telegraph code >books all through the 19th century. The use of crptography to protect >communications only declined with the end of telegrams and the >reduction in the perception that large numbers of strangers would be >handling your missives. See "The Codebreakers" for a history of this. "The Codebreakers" describes (Footnote p516) that in 1939 the Allies prohibited the use of any codes, but business pressure made them relent and allow a fixed set of published commercial codes. On page 842, "The code compilers strove constantly to find new ways of reducing cable tolls for users -- this was, after all, their raison d'etre. ..." It also mentions (p839) a class of commercial code, mostly numeric, which lent themselves easily to superencipherment, which seemed to aim quite as much at secrecy as at economy. It also mentions that (p850) after WW2 the rising cost of labor (compared with communication) delt codes a mortal blow. It seems that both uses were important, with different emphasis for different users. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From jimbell at pacifier.com Wed Mar 6 04:00:19 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 6 Mar 1996 20:00:19 +0800 Subject: Assassination Politics 9! Message-ID: At 07:04 PM 3/4/96 -0500, John Young wrote: >The Economist terrorism report is unusally thoughtful and open-minded, As opposed to the drivel you normally see in the media? >and >considers the benefits of savaging innocents from the perspectives of a >variety of deeply held beliefs. Which "innocents"? And which "deeply held beliefs"? I've never advocated "savaging innocents." But I don't consider people who benefit from government theft AND actively participate in that theft by being employed by that government as "innocents." >But after revewing the plenitude of those who have murdered I notice you used the term, "murdered." Well, by the strict definition of the term, that's merely premeditated killing which is against the law. In a country suitably dictatorial government, defending oneself from agression by its agents is, then, "murder." Sorry, but I don't subscribe to the agressor's (government's) opinion of what I may do to him if I were given the opportunity. > for >understandable motives, it does point to a very small group who truly lack >any rationale for earthly comprehension. Read: "It selectively focuses on a few, wrong people, and ignores the rest who are justified." Did I get it? >Not that I want to get on your "Shit, shoot that fucker" list, but take a >look at it to double-check that you're not skydiving into the wrong >maelstrom. It's pretty long, but I'll gladly scan it and send it along. Well, go right ahead. The Economist is better than most, but I seriously doubt that there is going to be anything there that changes my mind. Maybe I ought to email my essay to the author, to see what he thinks of it... >If not that, read Tim's pithy warning today about shit-stormtroopers >provoked by the daredeviltry of extreme-unctuous freedom fighters. It's hard to provoke a person who is already dead. If my system were operational, those "stormtroopers" wouldn't dare go to work in the morning. Or can't you see that? If we dictate all of our actions based on the fear of what THEY will do, then THEY have already won, and we have already lost. Jim Bell From wb8foz at nrk.com Wed Mar 6 05:41:41 1996 From: wb8foz at nrk.com (David Lesher) Date: Wed, 6 Mar 1996 21:41:41 +0800 Subject: PGP 3.0/4.0 In-Reply-To: <199603060755.AAA00215@nelson.santafe.edu> Message-ID: <199603061313.IAA07336@nrk.com> > > >the last time I put together a 6,000 key ring on a 386 it took three > >days & several Mb. > > The MIT PGP keyserver now has new non-PGP based code to manage it's > keyring of 20,000+ keys. Not sure if you can get the code, or how easy > it'd be to adapt to a deployed usage, but presumably it's much more > efficient. How about code that goes out & fetches keys upon demand, al-la DNS? [1st pass thinking is there are too many holes in such a method, even if MIT's server could handle the real-time load...] -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From ChristopherA at consensus.com Wed Mar 6 06:06:36 1996 From: ChristopherA at consensus.com (Christopher Allen) Date: Wed, 6 Mar 1996 22:06:36 +0800 Subject: SEAL cipher info requested (something actually list related!) In-Reply-To: <199601280027.BAA07662@utopia.hacktic.nl> Message-ID: At 4:27 PM 1/27/96, Anonymous wrote: >Anybody have info on the SEAL cipher? I can't find any >descriptions or analysis of it. Refs, proceedings or URLS >would be a good thing. I also am interested in references to it. I'm told that it was invented by a cryptographer at IBM, and that it patented, so that should help in the search. ------------------------------------------------------------------------ ..Christopher Allen Consensus Development Corporation.. .. 1563 Solano Avenue #355.. .. Berkeley, CA 94707-2116.. .. o510/559-1500 f510/559-1505.. From abostick at netcom.com Wed Mar 6 06:08:20 1996 From: abostick at netcom.com (Alan Bostick) Date: Wed, 6 Mar 1996 22:08:20 +0800 Subject: FUD about Remailers--the Strassman/Marlow "Revelations" In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- In article , tcmay at got.net (Timothy C. May) wrote: > Oh really? And just which remailers are in France and Germany? (Raph's list > doesn't show any ".de" or ".fr" sites, at least that I could see. It's > possible that a site or two exists in France or Germany, but I'm skeptical. > And certainly the "the most popular remailers in France and Germany" is an > odd comment.) Actually, Tim, Raph's list includes the "ford" remailer . Nothing in France, though. I agree that Mr. Anonymous's report is FUD. - -- Alan Bostick | "If I am to be held in contempt of court, Seeking opportunity to | your honor, it can only be because the court develop multimedia content. | has acted contemptibly!" Finger abostick at netcom.com for more info and PGP public key -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMTvN5uVevBgtmhnpAQE+OwL/Qn0Fp7/XyrWfsaXSbbYRHNNRCN6pmWNO NfAdvuBbJ5QK+35ozAY8D6xMIEe0bJzECfcl2YflIBIOTHL19IIX6S3Llkh6Br8R ybXBxZM+0tr05y2HHSE4IqbEGOisc1/8 =foPg -----END PGP SIGNATURE----- From dmandl at panix.com Wed Mar 6 06:08:39 1996 From: dmandl at panix.com (David Mandl) Date: Wed, 6 Mar 1996 22:08:39 +0800 Subject: "Political Life in Cyberspace" forum, NYC, 3/12/96 Message-ID: For those of you in the NYC area, I'm presenting a forum next week on "Political Life in Cyberspace" (not my title). I'm going to skip the boring net-boosterism and talk mainly about several bleak scenarios I've been thinking about for the past year or two: the imminent death of the net, the impossibility of digital privacy, and various impending threats, like government/corporate crackdowns on privacy, the disneyfication of the net and conversion to a digital Home Shopping Network, Alta Vista and the increase in dossiers, etc. If I'm in a good mood, I may also talk about how a very close friend of mine was fired for making "unflattering remarks" about her employer on the cypherpunks list. Here are the details: Date: Tuesday, March 12 Place: The Brecht Forum, 122 West 27 St., 10th Floor (NYC) Time: 8:00 p.m. Price: FREE (donation requested) --------------------------------------------- An anarchist forum presented by the Libertarian Book Club -- Dave Mandl dmandl at panix.com http://www.wfmu.org/~davem From an366601 at anon.penet.fi Wed Mar 6 06:09:36 1996 From: an366601 at anon.penet.fi (** CRAM **) Date: Wed, 6 Mar 1996 22:09:36 +0800 Subject: Phil Zimmermann, Cyber Rebel Message-ID: <9603050701.AA04041@anon.penet.fi> brought to you by CRAM ===cut=here=== Cyber Rebel by Maureen Harrington Denver Post Sunday Empire Section March 3, 1996 Boulder -- On a frigid Thursday morning in January, attorney Philip DuBois received a fax in his Boulder office from the Justice Department telling him the criminal investigation of his client, computer engineer Philip Zimmermann, had been dropped. It had been a nerve-racking three years for Zimmermann, his family, friends, and the high-powered legal team that had been advising him. Hailed as a folk hero and cybersaint, Zimmermann had become a cause celebre in the computer world. But he was Public Enemy No. 1 in the intelligence community. No one would say why the feeds had dropped their case against him, but many speculated that the government didn't want to make Zimmermann the first digital martyr. Zimmermann's crime? In the early summer of 1991, he gave away software he designed to scramble, or encrypt, computer e-mail messages. It was intended to circumvent a critical shortcoming of the Internet. Since its inception, the international computer network had been a virtual sieve that could be siphoned by anyone with a modem. Encryption had always been a concern of the military and diplomatic corps, but with the advent of the Internet, protecting information became a commercial concern. Industry and individuals were having enormous problems keeping their communications private. Zimmermann's software, going by the aw-shucks name of Pretty Good Privacy, or PGP, solved that problem. He gave the formula to a friend, who put it out on the Internet, making it possible for an ordinary citizen to have a private conversation on-line. PGP sounds innocent enough. It's sort of an electronic envelop to protect computer messages. Based on a mathematical formula, it uses two "keys"--one private, used only by the individual, and one public, given to anyone. Each user has a unique set of keys and a digital "signature" ensuring the reader that the people generating the messages are really who they say they are. Zimmermann intended his program to give individuals "the right to be let alone," as Justice Louis D. Brandeis called the privilege of privacy. But, his act has had an enormous impact on the government, computer culture, and the individuals who use and misuse the technology. Phil Zimmermann's name may go down in cyberspace history-- whether as a hero or a villain. PGP made Zimmermann's name a rallying cry for people who don't want the government reading their e-mail-- and odd coalition of civil libertarians, the Christian right and computer professionals. But it also set off a firestorm in the nation's house of spooks, the National Security Agency, and lighted a fire under the FBI. Computer crime specialist William Spernow predicts that criminals will be routinely encrypting information within two years, making criminal investigations doubly hard. As far as the surveillance community was concerned, Zimmermann was the Antichrist, making it possible for terrorists, pedophiles and drug lords to flourish behind a shield for messages the super-computers of the NSA couldn't crack. Zimmermann acknowledges that his handiwork might be used for criminal purposes. But the fuel of his motivation was moral outrage at a government that may spy on its citizens. By giving away PGP, the designer felt he could strike a pre- emptive blow before the government made encryption illegal. As it turns out, he made his move just in time. Zimmermann, whether a folk hero or an aider and abettor of criminals, is a man no one would pick out as a cyberspace guerrilla. John Perry Barlow, one of the founders of Electronic Freedom Foundation, an influential cyberspace civil rights group, describes him as "an apparently unformidable gnome on a tight budget (who) now terrifies a security monolith which required half a century, uncounted billions of dollars and the collective IQs of a few thousand geniuses to develop." Zimmermann didn't come out of one of the powerhouses of academia. He went to Florida Atlantic University, where he admits that his original major, physics, "was to hard. The calculus got me." He's definitely the odd man out with just an undergraduate degree in a field crawling with Ph.D.s. He never joined one of the prestigious think tanks or labs on the coasts. He's been in Boulder for nearly 20 years, on his own, without benefit of grants. The Massachusetts Institute of Technology distributes PGP and published "The Official PGP Users Guide," but Zimmermann isn't one of their own. Steve Welch, who's known Zimmermann since college and later went into a boutique computer business with him that went bust in the `80's, said, "I met Phil one night about 2 a.m. in the computer room at college. He knew nothing about computers. He'd just come over from the physics department. Within one week, he was a better programmer than I was." Zimmermann suffered the loneliness of many smartest-in-the- class kids, along with the pain of a bleak childhood with alcoholic parents. "We moved a lot. I went to a lot of schools, and I think I got interested in cryptology then. I played around with it myself." "I thought I was a smart guy, figuring out codes, until I read enough in the field to see how bad I really was," he said, looking back from the safe distance of success. Zimmermann claims he isn't humble, but he is quick to point out, "I'm not the best cryptographer in the would. I figured that out pretty quickly. But I'm probably the most famous." He is powerful because of the fame. But he's more than a little skittish about that. "I think I've been effective with very few resources, so I'd like to see what I could do with a company where I could afford to have people working full time. But it's the power structure I've been questioning most of my life, so I'm wary of it... being seduced by it." Watergate was the incubator of Zimmermann's political awareness. "I began to question a lot of things that government does during that time. I worked for a year on a rape crisis center line and I think... in some ways, I became more of a humanist." Graduating with a degree in computer science, Zimmermann and his wife moved at the urging of friends to Boulder in 1978. It was in that politically volatile environment that Zimmermann became aware of the threat of nuclear proliferation. "In the early `80s we were ready to relocate to New Zealand," he recalled. "We'd had our first child. I began to think about the future and the threats to that future. We had our visas and work papers all ready when we attended a conference on the nuclear threat, in Denver." It was a speech by Daniel Ellsberg that changed the Zimmermanns' minds. "We decided to stay and fight," he said. And fight he did. He began as any techno-wonk would, by learning everything he could about the issues. Zimmermann read military strategy and listened to the thinkers in the opposition. He felt that too often the left refused to know anything about those who disagree with them "That makes you weak," he said. The left was technophobic, as well. It became clear to Zimmermann that the right had some real firepower. The republicans had made very good use of computers in the 1984 campaign. To prevail, the newly minted activist realized that the movement had to use everything in its power. And that included computers. Chet Tchozewski doesn't see as much of Phil as he did during the `80s when both men were immersed in the nuclear freeze community in Boulder, but he has watched Zimmermann's career with interest and pride. "Phil was invaluable to us," said Tchozewski. "Not only as a speaker, at which he was very good, but because of his technical knowledge and his remarkable intellectual capacities. He asked very tough questions. He started a study group and then he contributed his technical expertise." Tchozewski, now running the Boulder-based Global Green Grants Fund, says that Zimmermann was arrested twice at anti- nuclear demonstrations, but he thinks Zimmermann has been more sorely tested in recent years. "The first thing you see in Phil is his brightness, but it's his integrity that is even more striking to me. Imagine the courage it took not to cave in to the government. Imagine what it took for this guy to give away PGP-- to walk away from money-- what most people consider success. He took the risk for something he believed in. He could work for big industry or the government, but he doesn't." "Phil may be gifted in computers, but clearly he's thought deeply about civil disobedience and is influenced by Gandhi and Thoreau, as well as by science." Zimmermann did take the risk. He had begun thinking about encryption after realizing that the government was breaking into radical organizations. "Mostly they were taking floppy disks with membership information. It didn't take much to know we needed to keep our communications secret. So I began to read the scholarly papers on the subject and knew that some of the original problems of encryption had been solved in the `70's by two scholars at Stanford. I began to work on the problems." One of the people Zimmermann contacted for help was Charlie Merritt, a cryptographer in Arkansas. Merritt and his wife, Hobbit, had made their own encryption program years earlier. "We were selling encryption software abroad-- there wasn't much use for it in the U.S. then, but a lot of foreign customers were interested," said Merritt. "The NSA shut us down. Pretty near ruined us. I'd been holding a grudge for years, when Zimmermann called me. I was happy to help." For two years, Zimmermann and Merritt talked on the phone. Eventually Merritt spent a week in Boulder and showed Zimmermann how to run the enormous series of numbers necessary to create PGP. They continued to talk on the phone until the program was nearly completed. Hobbit Merritt added, "I think that the success of PGP is due in part to the growing anti-government feeling in the country. There are so many people-- conservative, liberal, all kinds-- who have an uneasy feeling about the government." By 1990 Zimmermann had most of the pieces for PGP, but he hadn't put it together. So he bit the bullet, taking on very little consulting business and working seven 12-hour days a week on the encryption program. It took him six months and he missed five mortgage payments during that time. "I'm pathologically optimistic," he said. "I had no idea it would take that long." In the middle of the process the government proposed Senate Bill 266, which would essentially outlaw all private encryption. Zimmermann knew then that he was in a race with the government. He beat them. In the summer of 1991, PGP was posted on the Internet. He didn't post it himself, since "I didn't know anything about the Internet, then. I barely knew how to get e-mail." The legislation has not become law, but the government is still working on encryption standards. However, the battle may have been lost-- partly because of Zimmermann. He estimate there are 1 million users of PGP worldwide. Early in 1993, Zimmermann got a call from U.S. customs agents in San Jose, Calif. He thought they were asking for his help. When he realized they were investigating him, Zimmermann hired Phil DuBois, a criminal defense lawyer with high-tech expertise practicing in Boulder. DuBois made an unusual decision: He let Zimmermann talk to the agents. "Usually I don't allow my clients to talk to law enforcement agents. It's not to their benefit, since they've already decided that my client is guilty. But Phil is so clearly not a criminal that I let him talk with them." The investigation intensified and it became clear to DuBois and his client that they were investigating with the intent to prosecute. It was then that Zimmermann put together a team of lawyers across the country who worked on the case pro bono. "Phil has a genius for pulling really talented people around him," DuBois said. "Most of us worked on this case because we're concerned about the rights to privacy being violated, but it's also an exciting legal case." DuBois estimates that the bill would have been in the low- to mid-six figures if everyone had charged for their work. There is a legal defense fund for Zimmermann that, according to DuBois, has brought in $1 contributions as well as a $10,000 anonymous donation. It has reached the mid-five- figure range. Stewart A. Baker, chief counsel for the NSA, has written about PGP in Wired magazine, the bible of the digitally inclined. In his view, the fight for private Internet communication has its dark side. "Rather than rely on laws to protect us, (supporters of PGP) say let's make wiretapping impossible. ... This sort of reasoning is the long-delayed revenge of people who couldn't go to Woodstock because they had too much trig homework. ... Some argue that widespread availability (of PGP) will help Latvian freedom fighters today (but) one of the earliest users of PGP was a high-tech pedophile." Zimmermann acknowledges the possible ugly uses of his program. "I've spent some sleepless nights worrying about what this could be used for. I know that some evil is done, but I believe that there is a greater good served here-- the right to privacy." "Law enforcement says that they need to be able to read computer messages, just as they tap phones. However, they have to have more ways to investigate than just tapping. Criminals leave their footprints in the real world." "I'm sickened by some of the people using this, but I have to remember the Burmese freedom fighters using it to survive and the scientists doing important work that needs to be kept safe." In a worst-case scenario of the investigation, the 42-year- old software designer, husband and father of two would have faced up to five years in prison and been forced to pay $1 million in fines. Zimmermann was accused of breaking export laws-- of sending across international borders what the G-men considered the same as munitions or nuclear secrets. Zimmermann was seen by his government as an intellectual gun-runner and threat to western civilization. Jim Kallstrom, the FBI agent who has been in charge of computer crime, has said about PGP, "Do we want a digital superhighway... where major criminals can operate impervious to the legal process?" By setting PGP loose on the Internet, Zimmermann was accused of sending his program across borders with[out] a license. Of course, the law enforcement community was talking about geographic borders. Defining cyberspace borders is far trickier, let alone figuring out how to police them. That would be the legal sticking point as the investigation progressed. The very right to privacy that Zimmermann had sought to protect is akin to the privilege that President Clinton invoked when he sought to keep his conversations with his attorney private during the Whitewater investigations. Ironically, it is the Clinton administration that has been giving Zimmermann trouble. It all began with the Clipper Chip. Clipper is the technology offered by the government, designed by the NSA, to encrypt messages, but with a "back door" through which the government can gain access to read the coded messages. Individuals and businesses that use the Clipper would give the government a "key" to their encrypted messages, allowing law enforcement the same right they have now to tap phones. The government insists that any business doing work for them use the Clipper, effectively forcing them to allow the feds access to their communications. Zimmermann is one of thousands of computer technocrats who find that idea ludicrous. And dangerous: "If we let the government go on in that blind way, we'll have a surveillance society. And a watched society is a conformist society. We will have totalitarianism if we don't guard against it." As Barlow put it, allowing the government to monitor your computer communications is like "having a peeping Tom install your window blinds." Thousands of computer professionals have signed letters and petitions decrying the use of Clipper. With Vice President Al Gore's enthusiasm for the information highway and so many allies in the computer business, the industry was taken by surprise when Gore and the administration supported the Clipper Chip. But then along came PGP. Within hours of posting PGP on the Internet, the code was sent all over the world, for anyone's use. That's what upsets the U.S. government, in particular the NSA. The super-secret intelligence arm of the U.S. government, the NSA spends nearly $1 million an hour, $8 billion a year, on around-the-world eavesdropping. They monitor computers, phone lines, faxes, and telexes. With the defrosting of the Cold War, NSA has had to rethink its priorities. Who was it supposed to be listening to? On top of that was the frustration of a whole new generation of eavesdropping-proof technologies such as fiber-optic cable and the pesky PGP. Zimmermann's stonewalling software was one problem too many. NSA staffer Clint Brooks used to speak alongside Zimmermann at privacy convention panels, but the agency now has gone silent on PGP. According to a spokeswoman, "The agency does not wish to comment on Mr. Zimmermann's personality, business or other endeavors. We make no comments about private encryption. We have nothing to say about the investigation of Mr. Zimmermann." At a conference on privacy at CU-Boulder in 1994, Dorothy Denning, a proponent of the Clipper and chair of computer sciences at Georgetown University in Washington, D.C., defended the chip. She told the crowd that the government requests fewer than 1,000 wiretaps a year and the Clipper "wouldn't make it any easier to tap phones, let alone computer networks." Denning insists that if the government had no key to encrypted information too many criminals and terrorists would find their work easier. Marc Rotenberg, an expert on privacy and a lawyer for the Electronic Privacy Information Center, or EPIC, sees Zimmermann in quite a different light: "It's significant that one person who sticks by his principles can make the U.S. government back down. That doesn't happen every day. The decision (to discontinue the investigation) doesn't (establish a judicial precedent)... but it may mean the government will be more careful in considering future prosecutions." Rottenberg says the Zimmermann case has forced the public to raise questions about the role of the NSA in regulating encryption, and "perhaps he has helped our government take a look at outdated laws that were drawn up in the Cold Ware era. Society is changing. Because of the Internet, encryption is needed not just for the military, but also by commercial interests as well as individuals. Phil Zimmermann's actions and stand will affect policy, in my opinion." On the other side of the coin, Kallstrom, the FBI agent who has been involved in the Zimmermann case, sees him as helping criminals do their worst. However, Kallstrom added, "Phil Zimmermann is very charming and well-intentioned. If he would work for government wages we'd be happy to have him." Several days after leaning that the federal government was dropping its investigation, Zimmermann is having a helluva day. It's his 42nd birthday. He's leaving for Iceland tomorrow, then on to Monte Carlo with a final stopover in Paris. "Only I would go to Iceland in February," he says on this Monday morning. He'll be speaking on privacy and seeing bankers, venture capitalists and other cryptologists. He'd like to squeeze in the Louvre. He's never been to Paris. He's taking his wife, Casey. She stood by him through some tough years, waiting to see if he was going to be spending time in prison, with no idea of what the future held. Zimmermann's future is finally here, now that the feds have thrown in the towel and he's free to get on with his life. And he's not missing one nanosecond of his 15 minutes. There was a party in his honor the previous Saturday night. He's been up since 9 a.m. having his picture taken, something he's done an average of once a week for two years since his case hit the media. Venture capitalists from Atlanta, a genial father-and-son duo, flew in for a brief dinner with him on Sunday night and 20 minutes of his time Monday morning. They came bearing a gift: a black glove- leather motorcycle jacket with a Harley Davidson logo. The gift must have set them back $500. There's millions more dollars where that came from, and they'd like to give some to Zimmermann to help fund his new business. The new company is going to make PGP look like small potatoes, according to Zimmermann. He says he has developed an encryption program for telephones. This software application will make phone tapping virtually impossible. "It'll have the government going ballistic," crows Zimmermann. The uses are unlimited, especially if it's inexpensive, impenetrable and easy to use. So far, the test model has fulfilled all those criteria. The word is out and entrepreneurs are coming out of the woodwork. Zimmermann's pace has accelerated. He can hardly answer his e-mail and admits that every once in a while when the voice mail is out of hand he just dumps it all and assumes anyone with something important to say will call back. On his phone answering tape, he patiently explains that he can't help everyone who calls him for help with PGP. He's tired of "the guys who think they see black helicopters, but I have had some extraordinary conversations with people using PGP." He may have to take his `60s vintage Volkswagen bus to the shop to be fixed. He used to fix it himself. Even though his schedule has gone into warp speed, Zimmermann is finding the time to do a few things for himself. A little absent-minded, perennially rumpled, with curly hair and beard, he's decided to throw of the sartorial schackles and become "Phil Zimmermann: Bad Boy Cryptologist." He laughs, but he's not kidding. He loves that motorcycle jacket. "After all this attention and tension," he says, "I just want to do some things for fun. I've been wearing a suit and being careful of what I say and how I appear because of this investigation. Now it's time for some other things." Ever since the feds dropped their investigation Jan. 11, he's been spending time in fancy hotels in Silicon Valley, listening to CEOs woo him and consulting with the behemoths of technology. "It's a lot of fun," he says, a bit incredulous. "Guys who have run huge companies want to talk to me." Zimmermann may have become familiar with the toys and terrain of the Silicon Valley potentates and he may miss the Louvre if the French bankers demand all his attention, but Saturday night was like old times. His wife threw a "Phil Got Off the Hook Party" at the Rocky Mountain Peace Center, a funky meeting hall for lefties. It was a gathering of peacenik friends from his nuclear protest days, family and lawyers. Guys with shoulder-length hair scarfed potluck casseroles and talked gigabytes. It ended early. The kids had to get up to bed. Phil cleaned up, recycling the trash, and carefully bagging the leftovers. (Mareen Harrington is the staff writer for Empire Magazine) Sidebar: PGP was huge leap forward for cryptography Historically cryptology has been the realm of spies. It was the veil drawn over military secrets and diplomatic pouches. The cracking of the super-secret Nazi code Enigma by the Allies helped win the Second World War. With the invention of cyberspace, the need to identify message senders and to send messages so that others cannot read them has become a necessity in business and personal lives. The shift was created by the computer, fax, and phone communications. It has become increasingly obvious that almost anyone can listen to or read information from these sources. Two-key cryptography, one of the most important advances in the field and which made PGP possible, was discovered by Whitfield Diffie and Martin Hellman, professors at Stanford University. In this system every user has two keys. The first is a public one, given out to correspondents. The second is a private one, kept by the individual. Before, there had been a third party, a key manager, who kept the keys. In two-key cryptography there is no their party to be trusted. After Diffie and Hellman published their findings in 1976, three MIT mathematicians developed a system to put two-key cryptography into practice. Their company is called RSA. Philip Zimmermann came along in the 1980s, took the information others had developed and created PGP. Using the software's public key, one individual can send a scrambled message with his digital signature to another. That person will use his private key to unscramble the message. As Diffie and Hellman predicted, there is no need for a trusted third party. Zimmermann has published his code system in book form so that it can be examined by anyone. Despite that publication, no one has been able to break the code, since it is longer and more complicated than even the most sophisticated of the known government encryption formulas. Because no one has been able to break the code, users of PGP know that it is trustworthy-- so far. \ \ \ \ \ \ \ \ \ | / / / / / / / / / / _______ ________ _____ _____ _____ /// \\\ ||| \\\ /// \\\ |||\\\///||| ||| ~~ ||| /// ||| ||| ||| \\// ||| ||| __ |||~~~\\\ |||~~~||| ||| ~~ ||| \\\ /// ||| \\\ ||| ||| ||| ||| ~~~~~~~ ~~~ ~~~ ~~~ ~~~ ~~~ ~~~ / / / / / / / / / | \ \ \ \ \ \ \ \ \ \ C y b e r s p a t i a l R e a l i t y A d v a n c e m e n t M o v e m e n t --****ATTENTION****--****ATTENTION****--****ATTENTION****--***ATTENTION*** Your e-mail reply to this message WILL be *automatically* ANONYMIZED. Please, report inappropriate use to abuse at anon.penet.fi For information (incl. non-anon reply) write to help at anon.penet.fi If you have any problems, address them to admin at anon.penet.fi From abostick at netcom.com Wed Mar 6 06:12:41 1996 From: abostick at netcom.com (Alan Bostick) Date: Wed, 6 Mar 1996 22:12:41 +0800 Subject: Looking for code to run an encrypted mailing list In-Reply-To: <2.2.32.19960304053309.00bd5ec8@mail.software.net> Message-ID: <3/8Ox8m9L0/D085yn@netcom.com> -----BEGIN PGP SIGNED MESSAGE----- In article <2.2.32.19960304053309.00bd5ec8 at mail.software.net>, John Pettitt wrote: > I'd like to run an encrypted mailing list - the model I'm linking of is this .. > > Poster cryptes mail with pgp using list exploder key. List exploder decrypts > mail and recrypts with keys for all current list members and then sends the > mail. > > [I don't want all the list members to need to know every other list members > public key] Is this the right way to go about doing this? If the mailing list has N members, then, for each message posted to the list, the list processor must decrypt the message and then reencrypt it N times. If it is using PGP, that means: (1) decrypting the incoming message's IDEA session key with the list processor's RSA private key; (2) decrypting the incoming message using the IDEA session key; foreach $listmember (@mailinglist) { (3) generate an IDEA session key for message to listmember; (4) encrypt the message with that IDEA session key; (5) encrypt the session key with listmember's RSA public key; (6) send the encrypted message and encrypted IDEA session key to listmember; } PGP does each encryption seamlessly . . . but in a large list, that's a lot of encryptions to do. It seem's to me that it would be more efficient simply to: (1) decrypt the incoming message's IDEA session key using the list processor's RSA private key; foreach $listmember (@mailinglist) { (2) encrypt that same IDEA session key with listmember's RSA public key; (3) send listmember the encrypted message and the encrypted IDEA session key; } This saves one IDEA decryption and N IDEA encryptions of the message. It also saves the need to generate N random session keys, demanding 128N bits of randomness from randseed.bin . It means, however, that the list processing software couldn't use PGP, but has to implement RSA public-key cryptography independently and compatibly with PGP, so that listmembers could use PGP to encrypt and decrypt list messages. (That is, unless the API for PGP 3.0 will be sufficiently robust to allow fancy session key management like this.) According to Schneier, RSA is about 100 times slower than IDEA. (He says it's 100 times slower than DES in software, and DES are about the same speed.) The faster method still requires N RSA encryptions of the 128-byte session key. Processing time is cut in half for a message of about 13kbytes' length; longer messages save more, shorter ones less. And it occurs to me that, since RSA encryptions are commutative, the list processor could encrypt the session key with the recipient's public key *before* it decrypted it with its private key, so that the session key is never available in cleartext to the list processor operator. (Do pseudopunks write pseudocode? ;-) ) - -- Alan Bostick | "If I am to be held in contempt of court, Seeking opportunity to | your honor, it can only be because the court develop multimedia content. | has acted contemptibly!" Finger abostick at netcom.com for more info and PGP public key -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMTvdZuVevBgtmhnpAQEEowMAuo9Z3t8lmE9SH0pSoTXeIIxjwqG/uWWQ kSgichHXmun8X+q+wjRu7iGTaDF1WabvOXUIPOftjZgo7xN5MN5awbEgGmrCidXd ClUQWX/qvH0h+IxcoSURsJOX8MFLMRlP =0Cwo -----END PGP SIGNATURE----- From wlkngowl at unix.asb.com Wed Mar 6 06:14:28 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Wed, 6 Mar 1996 22:14:28 +0800 Subject: SEAL cipher info requested (something actually list related!) Message-ID: <199603061331.IAA12263@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Christopher Allen wrote: > What I am seeking is more than what is in the book: > > * are there are any links on the web to SEAL? I tried skimming the web and found little relevant info. [..] > * has anyone currently licensed it? I have heard through the grapevine that Richard Mark's version of UUENCODE implements SEAL. > * should we be (the community) be looking at SEAL > for standards (say as an alternative to RC4?)? RC4 is not patented, and AFAIK RSA is not actively seeking royalties etc. for using it. SEAL is patented/patent pending. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMT2TwioZzwIn1bdtAQEWnwF/arOP9WA0xMEFNtrPMUt4eTlUPzxRmTnf qbfvyvd9Kd2H9BG4dNF1lgzVFLfj6GnI =nzCA -----END PGP SIGNATURE----- From owner-cypherpunks at toad.com Wed Mar 6 08:49:53 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Thu, 7 Mar 1996 00:49:53 +0800 Subject: No Subject Message-ID: This is a test... -- Live on the edge, push the limits, and go EXTREME... -------------------------------------------------------------------------- Svein Ove Solsvik * E-Mail: sveinove at ringnett.no -Our Father, UART in Heaven, I/O'ed by the name... From owner-cypherpunks at toad.com Wed Mar 6 09:09:44 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Thu, 7 Mar 1996 01:09:44 +0800 Subject: No Subject Message-ID: On Wed, 6 Mar 1996, Nelson Minar wrote: > The thing that bothers me about existing steganography code I've seen > is that it all uses uncommon communication channels to hide data. For > instance, the "hide data in a picture" programs: useful, up to a > point, but how often do I send pictures to other people? I think to be > effective, methods need to be employed that exploit existing, well > used communication channels. Then he sez: > So here's one idea I've had as a place to hide a channel: network > video, in particular CU-SeeMe video streams. CU-SeeMe is a lowtech I think it likely that people will be sending GIFs and JPEGs to each other far more often than video. Video is far more an "uncommon communications channel" than is a uuencoded picture. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes The mark of a good conspiracy theory is its untestability. -- Andrew Spring From fpinho at dglnet.com.br Wed Mar 6 10:02:16 1996 From: fpinho at dglnet.com.br (Fernando Pinho) Date: Thu, 7 Mar 1996 02:02:16 +0800 Subject: Message-ID: <199603041301.IAA25608@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMTrprCoZzwIn1bdtAQFhzgF/d++LdphH36YJGKYP3PXDMo3qlpUrzMi+ NgzW6ZPcmCIqk1GLupjWsEx2hE7GfgXo =HekL -----END PGP SIGNATURE----- From proff at suburbia.net Wed Mar 6 10:03:28 1996 From: proff at suburbia.net (Julian Assange) Date: Thu, 7 Mar 1996 02:03:28 +0800 Subject: Legal Aspects of Computer Crime (LACC) Message-ID: <199603041324.XAA25903@suburbia.net> _ _____ _____ | | /\ / ____| / ____| | | / \ | | | | | | / /\ \ | | | | | |____ / ____ \ | |____ | |____ |______| /_/ \_\ \_____| \_____| Legal Aspects of Computer Crime "echo subscribe lacc|mail lacc-request at suburbia.net" WHEN YOU HAVE SUBSCRIBED ------------------------ Send in a brief synopsis of who you are and why you are interested in Computer Crime as your first message to the list (this helps to stimulate discussion and debate as well as provide a sense of the LACC community). As a [small] example: "Hello, My name is Jane Reynor. I am an articled clerk at the Director of Public Prosecutions. I have been assigned as an assistant legal researcher to the prosecution of a bank officer involved in fraudulent EDI transactions. My interest in computer crime stems not just from the case we are working on, but also from an otherwise unrelated passion for computer networking that I suffered under during my period as undergraduate." REASONS FOR INCEPTION --------------------- The growing infusion of computers and computing devices into society created a legislative and common law vacuum in the 1980's. State prosecutors attempted to apply traditional property protection and deception laws to new technological crimes. By and large they were successful in this endeavor. There were however a very few but well publicized failed cases against computer "hackers" (notably R vs Gold - UK House of Lords and the E911 case). To the informed, these cases demonstrated not so much a legislation vacuum, but prosecution incompetence in choosing which statute to lay charges under and mis-management by prosecuting cases where the real offence of the defendant was merely the embarrassment of the powerful. In an atmosphere of increased government reliance on computer databases and public fear and hostility towards computerization of the workplace, legislatures rushed to criminalise certain types of computer use. Instead of expanding the scope of existing legislation to more fully encompass the use of computers by criminals, changing phrases such as "utter or write" to "utter, write or transmit" (the former being the prosecutions undoing in the well publicized Gold case) as had been done with the computerization of copyright law, an entirely new class of criminal conduct was was introduced. The computer had been seen not just as another tool that criminals might use in committing a crime but something altogether foreign and removed from the rest of society and established Law. The result was a series of naively drafted, overly broad and under-defined statutes which criminalised nearly all aspects of computer use under certain conditions. In the early 1990's a fundamental and evolving shift in computer usage started to occur. Now, it is rare to see a white collar worker in the work-place without the possession of a computer. In western countries such as Australia, over one third of households have computer systems. The computer is no longer the "altogether foreign and removed from the rest of society" device it once was. It has come out of the domain of the technical specialist and into the main stream. Even our notoriously slow moving legal profession is adopting it as an essential tool. But there is another change. A qualitative one important to our discussion. When you link hundreds of thousands of computers together and thus the people that use them together you find something remarkable occurs. An event that you could never have predicted by merely summing the discrete components involved. A unique virtual society forms. Despite being designed with computer networking in mind, computer crime legislation copes very poorly with non homogeneous authorization [i.e partial authorization]. Societies are based around a common knowledge of history, beliefs, and current events. Each member of a society can be pinpointed as belonging to the society in question by the ideas, beliefs and knowledge held in common with other societal members. Any new member to a society learns this knowledge only because it is passed onto them; directly by other members or indirectly via its media, works of literature, music and art. Successful large scale computer networks like the Internet form for one reason and one reason only; information sharing. When a critical mass of diversity, interests, user population and information exchange is reached, a situation develops that mirrors in all important aspects a vibrant and evolving society. Citizens of the Internet have a nearly equal sized voice with which to convey their thoughts to other members and can do so quickly and without unwanted distortion. This is a remarkably democratic process compared to the very real _self_ censorship and top heavy direction that is so manifest in traditional broadcast and publishing industries. But unlike the physical societies that have here-to been the norm, the electronic network society is remarkably non-isolationist. It continues to draw from, mesh and feed its beliefs into the traditional societies it was populated out of. This coupling process between computer network and traditional societies will continue (at least for English speaking countries -- the cultural barriers imposed by primary language differences are non-trivial) until a stage is reached where the boundary between the two is blurred and intangible. Most citizens will then fall under the rule of appallingly drafted computer crimes legislation every day of their lives. In the vast majority of such legislation directed to address computer crime everything which can be performed on a computer unless "authorized" is defined as illegal. One might think that an individual could authorize themselves to do anything they wished with their own computer [not so, as France and Russia and the USA have demonstrated with anti-cryptography and other information processing and content laws] given their ownership of it. But how does the Law define this "ownership"? Does ownership of the "chattel" (CPU, memory, disks and other hardware) imply ownership of the information created on it? What about employees with "partial authorization" [examine disturbing outcome of Intel employee R.Swartz vs the State of Oregon 1995]? If the user of the computer system isn't the chattel owner, but has been given full control over it does this imply they are authorized for all interaction with the data stored on it? Is there such thing as implicit authorization? Can an operating system grant authorization (implicit or otherwise) as an authorized agent of the owner/operator? If not, is sending electronic mail to someone who doesn't want their computer system to receive it "unauthorized insertion of data"? In a networked topology a typical computer user may use or otherwise interact with hundreds or even thousands of other peoples computers in any given day. What is then the analogous "authorization topology"? In Law it has previously been the case that which was not expressly forbidden was generally permitted. Currently the digital equivalent of moving a chair [modification of trivial data] in someone else's office is illegal and carries with it in most countries a 5 to 10 year prison term. It is a sad reflection on the legislature of the day that the computer _medium_ was criminalised rather than the intent or damage caused to the victim. It is unlikely that law reform will occur until current political concern over computer networks such as the Internet is moderated. If anything the push so far from political drafters has being to once again introduce brand new medium criminalising legislation rather than revitalizing the existing codes. This unfortunate "labeled arrow" approach will continue as long as there exists an ill informed and technologically ignorant legislature that finds itself pliant to the whims of sensationalist media and honed to their dubious targets. Strong ideals do not equal strong policy. So ill defined and over broad are the terms used in most computer crime legislation that typically the pressing of a button on a silicon wrist watch without permission can be construed as "insertion of data into a computer without authority" an offense which carries 10 years penalty in countries such as Australia. The farse inherent is blatant. Surely the process going on within the wrist watch is utterly irrelevant. Victemless crimes should be avoided if at all possible. If interfering with the watch caused damage, even if that damage was to the intellectual property in the watch then the crime is one of Criminal Damage [or one of the other broad ranging damage statutes, depending on jurisdiction]. If changing the internal state of the watch led to fraud or theft, then the crime should be one of fraud or theft (possibly by deception). If pressing the button changed, for instance, the time of the watch and this lead to a death, then the crime should be that of manslaughter or murder. Actions that do not damage (or other wise attempt to negatively effect) the life of human beings directly, or indirectly by damage or loss of property or fundamental societal ideals (such as the right to privacy, freedom of association, speech & movement) should not be crimes. Actions that annoy but do not damage should also not be crimes, and traditionally are not. Crimes and the criminal process are serious. Annoyances by definition are not. In most Commonwealth countries physical trespass [despite the general view] is not a crime and with good reason. The Criminal law system wasn't intended to be the citizen's lacky and enforcer of personal whim, but rather to protect persons from genuine harm and preserve social order and the sovereign. Someone trespassing on your lands may annoy you. It may contradict your authorization. But it [typically] only becomes illegal when you ask the trespasser to leave and they refuse, or if their trespassing was directly associated with the commission or attempted commission of an offence. It is with this lack of appropriate legislation, precedents and judicial guidance that judiciary, practitioners, prosecutors, law enforcement personnel, defendants and drafters of future codes & policy have to struggle to find resolution. This list has been created in an attempt to mitigate the lack of tangible resources people involved with computer crime have at their disposal. It is hoped that by bringing together knowledgeable legal professionals together with para-legal personnel and informed lay persons that information and resources relevant to the difficult task of analyzing, presenting in court, formulating departmental or company policy or otherwise dealing with computer crime law and computer crimes may be shared and intelligent discussion and law reform stimulated. nb. this list it is also an appropriate forum to discuss computerized legal, law enforcement and criminology databases, such as Netmap, Watson, PROMIS, Lexis, APAIS, CRIM-L, et cetera. GUIDELINES ---------- In order to keep the semantic content high on this list, please consult the following before posting: DO POST DON'T POST ------- ---------- Un/reported decisions. Personal insults. Commentaries on cases. Signatures >4 lines. Reviews on relevant books. Quoted replies with more than 30% Relevant journal articles. quoted from the original. Information about proposed legislation. Short questions, or questions which Full text of CC legislation. otherwise do not convey useful Judicially defined terms. information in their own right. Articles on new arrests or Gossip about the moderator. cases. Articles about computer (in)security, Detailed questions. they should be sent to: Intelligent commentary. "best-of-security at suburbia.net" Personal experiences with computer "breaking into a computer is the same crime. as...." Well thought out analogies. Petitions (if you think they are Relevant transcripts. exceptionally relevant, send them to Defense or prosecution strategy. the moderator, who may post them). Relevant papers, thesis. Chain letters. Conference announcements and details. Advertising material. Locations of legal resources. Ethical considerations that are only Computer forensics information. "opinion". Trial/court dates, verdicts etc. Content free news reports or Reviews of legal software. articles. Pointers to any of the above. Abusive, antagonistic or otherwise, Cross post relevant information from non information rich or non other lists or news groups. constructive material. Relevant affidavits, court documents. Quotes from Dan Quayle. SUBSCRIBING ----------- Send mail to: lacc-request at suburbia.net with the body of: subscribe lacc UN-SUBSCRIBING ------------- Send mail to: lacc-request at suburbia.net with the body of: unsubscribe lacc POSTING ------- To send a message to the list, address it to: lacc at suburbia.net REPLYING -------- If you are replying to a message already on the LACC list using your mail programs reply facility you will almost certainly have to change the reply address to lacc at suburbia.net. This is because the LACC mailing list program is configured to have return replies sent no "nobody" in order to avoid receiving the replies of "vacation" programs which automatically send email saying "I've gone to the moon for two weeks to hunt rare bits". ARCHIVES -------- Monthly back issues of lacc since January 96 are available from: ftp://suburbia.net/pub/mailinglists/lacc Unfortunately the the 1995 archive was lost in a disk crash. If anyone still has a copy, then please contact the moderator. -- "I mean, after all; you have to consider we're only made out of dust. That's admittedly not much to go on and we shouldn't forget that. But even considering, I mean it's sort of a bad beginning, we're not doing too bad. So I personally have faith that even in this lousy situation we're faced with we can make it. You get me?" - Leo Burlero/PKD +---------------------+--------------------+----------------------------------+ |Julian Assange RSO | PO Box 2031 BARKER | Secret Analytic Guy Union | |proff at suburbia.net | VIC 3122 AUSTRALIA | finger for PGP key hash ID = | |proff at gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 | +---------------------+--------------------+----------------------------------+ From owner-cypherpunks at toad.com Wed Mar 6 10:39:54 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Thu, 7 Mar 1996 02:39:54 +0800 Subject: No Subject Message-ID: uyfiyufik -- | Mark Gould, Department of Law, University of Bristol | | Mark.Gould at bris.ac.uk | http://www.bris.ac.uk/%7Elwmdcg | From owner-cypherpunks at toad.com Wed Mar 6 14:50:53 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Thu, 7 Mar 1996 06:50:53 +0800 Subject: No Subject Message-ID: Financial Times, March 6, 1996, IT Section, p. V. Network Security: Operating under a cloud of uncertainty Companies face a complex web of technical, legal and moral questions The IT security threat has long been depicted in terms of wild-eyed hackers hunched over terminals late into the night. But while there is real cause for concern about criminal activity over computer networks, large corporations are very worried about another threat to their use of electronic communications. Meanwhile, government restrictions on the use of data encryption codes in various countries are limiting the ability of commercial organisations to protect themselves. Cryptography is at the heart of this dilemma. Governments all over the world rely on specialist intelligence units to break down data transmissions from other nations and individuals while encrypting their own messages. The US National Security Agency and the UK's Government Communications HQ are the best-known of these agencies. The NSA is notorious for obsessive secrecy. Meanwhile, in the UK, the GCHQ has lifted its traditional reticence in recent years to offer advice to British companies concerned with data security. Mr Roger James, chairman of Cheshire-based communications software specialist Boldon James, has worked with GCHQ to define data standards for UK government departments. Mr James plays down the cloak-and-dagger imagine of GCHQ, but instead he describes his contact with its staff as "horribly technical". He also portrays the Cheltenham code-breakers as "very down-to-earth people". There are two ways of looking at security, he says "one is the practical approach, which means accepting that perfect security is impossible to obtain. The other is the Ivory Tower approach, which involves dreaming of a world in which security is absolute. There are a lot of 'practicalists' in GCHQ". Mr James, whose clients include the Britannia Building Society and the German Navy, is active in the European Electronic Messaging Association. He is concerned at the lack of a co-ordinated European policy on encryption. And he fears that effective security measures could become illegal with the advent of future legislation curbing the availability of encryption software. It is illegal at the moment to use strong cryptography techniques in France without first depositing the key to unlocking your codes with the French government. UK companies developing sophisticated security programs find their software classified as munitions and subject to tight export restrictions, even within the EC. In the US, the author of strong encryption program, called 'Pretty Good Privacy', found himself facing a Grand Jury and possible charges of exporting prohibited technology. The NSA has proposed that all personal computers made in the US contain the Clipper Chip. This security feature would give easy access to any data communications, however the user chose to encode it. The proposal is currently stalled, having met with ferocious opposition. Both suppliers of information technology and industry at large need to clear a path through this international maze. The legal structure surrounding the use of encryption technology is of particular concern to anyone working in electronic commerce. "The Clipper Chip debate raised a fundamental moral issue," says Mr James. "Software technology means that strong encryption, previously available only to the military, can now be obtained by the public. If governments then find messages hard to break, it leads immediately to a conflict of interest." One company that has confronted this apparent conflict of interest between state and commerce, with its attendant uncertainty, is the Anglo-Dutch oil giant, Shell. Mr Nick Mansfield, a Shell technical consultant specialising in information security, says the company is enthusiastic about the potential for eliminating paperwork across its sprawling global operations -- "we are committed to electronic trading," he says. "We have a vast electronic-mail network. But there is still a section of our business where we have to use paper". Contract agreements are at issue here. Until security can be absolutely guaranteed, bilateral agreements must be seen to be tamper-proofed. Shell is about to deploy technology to secure personal computers and PC servers across the world. This e-mail security system will cost around L1m in software purchasing plus L100,000 a year to run. It will have 4,000 users. Far from escalating costs, Mr Mansfield explains that expenses are falling as security improves. Shell used to run a secure telex network that cost L4m in technology and required L200,000 a year to support 120 sites. This was superseded by a secure fax network costing L1m in systems, plus L100,000 in annual maintenance for 200 sites. The latest system will expand secure messaging beyond the fax network's remit. But setting up this security system involved Shell in a long and involved process. Its chosen security software is subject to close scrutiny by the UK authorities, who worked with Shell to customise the program before it could be released for use overseas. While Mr Mansfield is pleased that Shell's security system is so strong, it required an export licence and he echoes the concerns of EEMA's Mr James -- "it's a cart and horse situation. Until governments agree on policy and relax some restrictions, industry won't be encouraged to development extreme standards of encryption". There needs to be a broad European debate on this issue. Until this complex web of technical, legal and moral questions are resolved, secure commercial data networks will be operating under a cloud of uncertainty. Michael Dempsey [End] Note: Shell's Nick Mansfield was a speaker at the OECD cryptography conference in Paris in December. This issue of FT includes a 22-page special section on Information Technology. From owner-cypherpunks at toad.com Wed Mar 6 14:52:33 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Thu, 7 Mar 1996 06:52:33 +0800 Subject: No Subject Message-ID: Note: downloaded from www.vtw.org so cannot guarentee correctness- "�2804. Unlawful use of encryption to obstruct justice" "Whoever willfully endeavors by means of encryption to obstruct, impede, or prevent the communication of information in furtherance to a felony which may be prosecuted in a court of the United States, to an investigative or law enforcement officer shall-..." Interesting wording - sounds almost like if you impede the *commission* of a felony, you is been had. Keyword would seem to be "willingly". Suspect they meant to say "...obstruct (etc) the investigation of a felony..." "(b) CONTROL OF EXPORTS BY SECRETARY OF COMMERCE.- "(1) GENERAL RULE.-Notwithstanding any other law, subject to paragraphs (2), (3), and (4), the Secretary of Commerce shall have exclusive authority to control exports of all computer hardware, software, and technology for information security (including encryption), except computer hardware, software, and technology that is specifically designed or modified for military use, including command, control, and intelligence applications. This would seem to extend ITAR, not limit it. "(2) ITEMS NOT REQUIRING LICENSES.-No validated license may be required, except pursuant to the Trading With The Enemy Act or the International Emergency Economic Powers Act (but only to the extent that the authority of such Act is not exercised to extend controls imposed under this Act), for the export or reexport of- "(A) any software, including software with encryption capabilities, that is- "(i) generally available, as is, and designed for installation by the purchaser; or "(ii) in the public domain or publicly available because it is generally accessible to the interested public in any form; or "(B) any computing device solely because it incorporates or employs in any form software (including software with encryption capabilities) exempted from any requirement for a validated license under subparagraph (A). Microsoft's CryptoAPI seems OK. PGP would seem to fall under both (i) and (ii). "(3) SOFTWARE WITH ENCRYPTION CAPABILITIES.-The Secretary of Commerce shall authorize the export or reexport of software with encryption capabilities for nonmilitary end-uses in any country to which exports of software of similar capability are permitted for use by financial institutions not controlled in fact by United States persons, unless there is substantial evidence that such software will be- "(A) diverted to a military end-use or an end-use supporting international terrorism; "(B) modified for military or terrorist end-use; or "(C) reexported without requisite United States authorization. Thank you MasterCard/VISA for SET. Note that it does not seem to say that you do not need a license, just that one shall not be witheld without "substantial evidence". "(4) HARDWARE WITH ENCRYPTION CAPABILITIES.-The Secretary shall authorize the export or reexport of computer hardware with encryption capabilities if the Secretary determines that a product offering comparable security is commercially available from a foreign supplier without effective restrictions outside the United States. Same comment except that token & INE vendors will have to demonstrate that a foreign competitor exists. Real lawyers please comment. Warmly, Padgett From uunet!in2.uu.net!news.ner.bbnplanet.net!news3.near.net!yale!news-mail-gateway!daemon at warwick.com Wed Mar 6 15:07:07 1996 From: uunet!in2.uu.net!news.ner.bbnplanet.net!news3.near.net!yale!news-mail-gateway!daemon at warwick.com (Rich Carreiro) Date: Thu, 7 Mar 1996 07:07:07 +0800 Subject: Test of email netnews post. Message-ID: <9603061032.ZM10102@gumbo.bos.saic.com> Test of email netnews post. -- Rich Carreiro rcarreiro at bos.saic.com Software Engineer (617)221-7607 (voice/voice mail) SAIC (617)270-0063 (fax) 20 Mall Road, Suite 130 Burlington, MA 01803 From owner-cypherpunks at toad.com Wed Mar 6 15:22:16 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Thu, 7 Mar 1996 07:22:16 +0800 Subject: No Subject Message-ID: David Lesher wrote: | How about code that goes out & fetches keys upon demand, al-la DNS? This works with procmail to get keys for all mail I receive. I discovered the problem is your keyrings get unmanageably large when you do this. # auto key retreival # # I have an elm alias, pgp, points to a keyserver :0BW * -----BEGIN PGP *!^FROM_DAEMON KEYID=|/home/adam/bin/sender_unknown :0 ahc # added h 8 jan 95 * ! ^X-Loop: Adams akr | formail -a"X-Loop: Adams akr" |elm -s"mget $KEYID" pgp # add the incoming keys to the ring :0 * From bal at swissnet.ai.mit.edu { # if we accidentally get the whole thing. :0 h * >10000 /dev/null :0 h *^Subject:.*no keys match /dev/null :0: *Subject: Your command, ADD $DEFAULT :0E | pgp +batchmode -fka } sender_unknown: #!/bin/sh # unknown returns a keyid, exits 1 if the key is known # $output is to get the exit status. Othierwise, this would be a one liner. OUTPUT=`pgp -f +VERBOSE=0 +batchmode -o /dev/null` echo $OUTPUT | egrep -s 'not found in file' EV=$? if [ $EV -eq 0 ]; then echo $OUTPUT | awk '{print $6}' fi exit $EV -- "It is seldom that liberty of any kind is lost all at once." -Hume From jya at pipeline.com Wed Mar 6 15:23:46 1996 From: jya at pipeline.com (John Young) Date: Thu, 7 Mar 1996 07:23:46 +0800 Subject: POO_bah Message-ID: <199603061600.LAA05718@pipe1.nyc.pipeline.com> 3-6-96. TWP and NYT give additional reports on WW II atomic spying by the Soviets revealed by decoding cables under NSA's Venona program. With more on the role of physicist Theodore Hall and others initially reported by TWP on February 25. NYT quotes David Kahn on the "unquestionable" code-breaking and doubts of FBI "gumshoe" follow-up of decrypted leads. TWP's is more robust, quotes poo-bahs. POO_bah From owner-cypherpunks at toad.com Wed Mar 6 15:34:48 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Thu, 7 Mar 1996 07:34:48 +0800 Subject: No Subject Message-ID: Post Test -- John G. Jones Director, Computer Services UTDS, Inc. 1593 E. Chestnut Lompoc, CA 93436 (805) 735-4447 From owner-cypherpunks at toad.com Wed Mar 6 15:39:29 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Thu, 7 Mar 1996 07:39:29 +0800 Subject: No Subject Message-ID: > This is a test... Follow up on test...test...test -- Live on the edge, push the limits, and go EXTREME... -------------------------------------------------------------------------- Svein Ove Solsvik * E-Mail: sveinove at ringnett.no -Dyslexic atheists don't believe in Dog. From owner-cypherpunks at toad.com Wed Mar 6 15:57:56 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Thu, 7 Mar 1996 07:57:56 +0800 Subject: No Subject Message-ID: > In the "real world" there is nothing to prevent someone from forging > your real signature on a check or document or from disguising themselves > as you and taking your place at an important business meeting. The > digital equivalents can be slightly more secure, but nothing is ever > perfect. > > jim > Heh. Whoops. I may be a beginner but I'm not THAT green. I shoulda known better than to use that exact wording. Please excuse the inappropriate wording, all. Sincerely. Quentin Holte. ( aka Charles Choi. ) You are all the Buddha. - Last words of Buddha. If you see the Buddha, kill him. - Zen proverb. From uunet!in2.uu.net!gatech!newsfeed.internetmci.com!news.emeraldis.com!usenet at warwick.com Wed Mar 6 16:16:46 1996 From: uunet!in2.uu.net!gatech!newsfeed.internetmci.com!news.emeraldis.com!usenet at warwick.com (David G. Cannon) Date: Thu, 7 Mar 1996 08:16:46 +0800 Subject: PLEASE REPLY!! Message-ID: <4hkdsc$fvd@jade.emeraldis.com> Did this message make it out to the "real" world?? Please reply to this message if it did. Thankyou. *David* From uunet!in2.uu.net!newsfeed.internetmci.com!lamarck.sura.net!rs7.loc.gov!news at warwick.com Wed Mar 6 17:15:01 1996 From: uunet!in2.uu.net!newsfeed.internetmci.com!lamarck.sura.net!rs7.loc.gov!news at warwick.com (uunet!in2.uu.net!newsfeed.internetmci.com!lamarck.sura.net!rs7.loc.gov!news at warwick.com) Date: Thu, 7 Mar 1996 09:15:01 +0800 Subject: did this get out? Message-ID: <4hkmso$p9b@rs7.loc.gov> Is this getting past news.loc.gov? These opinions are my own, not those of the Library of Congress. Howard Sanner hcs at hsan.loc.gov sanner at mail.loc.gov From uunet!in2.uu.net!news.sprintlink.net!news.rain.org!sandy.sandpiper.com!usenet at warwick.com Wed Mar 6 17:33:43 1996 From: uunet!in2.uu.net!news.sprintlink.net!news.rain.org!sandy.sandpiper.com!usenet at warwick.com (uunet!in2.uu.net!news.sprintlink.net!news.rain.org!sandy.sandpiper.com!usenet at warwick.com) Date: Thu, 7 Mar 1996 09:33:43 +0800 Subject: This is a test..no reply Message-ID: <4hkldh$ov7@sandy.sandpiper.com> This is just a test...please do not reply From declan+ at CMU.EDU Wed Mar 6 17:38:00 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Thu, 7 Mar 1996 09:38:00 +0800 Subject: Zona Labs Was: Cambridge [MA] Cops Assault Mother for Photo In-Reply-To: <4hd5hh$bg3@Mercury.mcs.com> Message-ID: This is only relevant to cypherpunks as it involves child porn hysteria and abusive cops... Let me start by saying the attached message from warwick.com is wildly incorrect: * Zona film labs employees did not lead the child away until afterwards. The police grabbed Angeli, beat her, choked her -- while her child was just a few feet away. * The mother flipped when the Cambridge cops said she was going to be locked up and her child taken away. * The lamp was knocked over when the Cambridge cops wrestled her into the back room. * Zona film lab employees willingly participated in this sting operation and willingly lied to Angeli. Last week, I went to Angeli's attorney's office and saw the (unpublished) pictures that the Cambridge cops and Zona thought were "child porn." They're not "child porn" -- any more than the similar photos my grandparents have of me and my cousins naked in a bathtub when we were three years old. I urge you to check out Bob Chatelle's web site at http://world.std.com/~kip/, which says what actually happened with the Angeli case. I've attached an excerpt from his pages below. -Declan Excerpts from internet.cypherpunks: 4-Mar-96 Re: Zona Labs Was: Cambrid.. by news at warwick.com > Ayse Sercan wrote: > > > At any rate, if I were the mother, and my kid was being led away by a > > clerk who could have been the very pervert who thought that those nude > > pictures meant child pornography, I'd certainly do everything in my power > > to protect my child from such an individual. > > That's rediculous. The mother did not flip because Zona led the child away. > The mother flipped when asked about the photos. This caused Zona to not > want the child to see argument. The mother just has serious problems in > general. She feels justified in trashing the place and throwing the lamp, > which is why she refused the punishment and took 30 days in jail. She, > in the presence of her child, was wrong to get violent. She has a lack of > control. >From http://world.std.com/~kip/ Toni Marie Angeli, for a Harvard photography course, decided to make her four-year-old son Nico the subject of her final class project, The Innocence of a Child's Nudity. After discussing the project with her professor, Angeli began her project with a few shots of Nico and made the fatal mistake of taking her roll of film to Zona Photographic Labs on Rogers Street in Cambridge, Massachusetts. The Zona owners were "alarmed" and called the Cambridge police, who went to Zona, looked at contact sheets prepared by Zona without Angeli's authorization, and decided that the pictures were "gross." Zona and the Cambridge police set up a sting operation, requiring Zona employees to lie, so that the police could come to Zona and confront her about her "pornography" when she came to pick up her negatives. On November 2, Angeli went to Zona, accompanied by Nico and by her husband, Luke D'Ancona. An altercation ensued when Angeli realized why the police were there. Angeli was handcuffed, manhandled into a back room, beaten and choked. During the scuffle a lamp was knocked over, and a picture fell off the wall. A hollow core door was also damaged when Angeli kicked out as she was being escorted to the police van. Angeli was never charged with child pornography, but she was charged with disorderly conduct, malicious destruction of property under $250, and assault and battery with a dangerous weapon. (The police claimed that Angeli threw the lamp.). Angeli's trial began on January 24, 1996, and a verdict was brought in on January 30. She was acquitted of the assault-and-battery charges, but convicted on the two other counts. The judge sentenced her to pay damages, to 50 hours community service, and to 18 months of probation. Angeli refused to sign the probation contract, stating that she wished to make no admission of guilt. The judge then sentenced her to 30 days at MCI Framingham. We are currently trying to raise money to pay for her appeal. From declan+ at CMU.EDU Wed Mar 6 17:53:15 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Thu, 7 Mar 1996 09:53:15 +0800 Subject: PLEASE REPLY!! In-Reply-To: <4hkdsc$fvd@jade.emeraldis.com> Message-ID: Excerpts from internet.cypherpunks: 6-Mar-96 PLEASE REPLY!! by Mike McNally at dev.tivoli. > I generally don't comment on noise like this, but I'm getting curious. > Did somebody advertise cypherpunks at toad.com as a uucp configuration > tester? Worse yet, the configuration is as screwed as the users' posts. Don't bother replying to their messages... -Declan ----- The following addresses had delivery problems ----- (unrecoverable error) ----- Transcript of session follows ----- ... while talking to newsfeed.internetmci.com.: >>> RCPT To: <<< 550 ... User unknown 550 ... User unknown From mccoy at communities.com Wed Mar 6 18:12:06 1996 From: mccoy at communities.com (Jim McCoy) Date: Thu, 7 Mar 1996 10:12:06 +0800 Subject: Jump Start ecash With IPhone Message-ID: eggplant writes: >How about...only paying for the initial investment of the phone program and >hardware. No more costs to pay, get rid of long distance charges >all-togther. Two problems: 1- Chaum did not have the clue to pick up on this when two cypherpunks (who shall remain nameless...) pitched this and several other ideas to involve ISPs in jump-starting ecash almost two years ago, so why would he figure it out now? 2- The phone companies (actually ACTA, the telco lobby) petitioned the FCC on Monday to regulate the Internet phone software companies. IP phone systems themselves may need to move underground just to escape regulation. OTOH, there is nothing to prevent people from building their own systems once some free software is out there... On another related note the IRS is not getting someone what concerned about the opportunities the Internet offers people to avoid taxes according to the Treasury department's international-tax counsel. The government will "maintain toll booths on the information superhighway." (WSJ, 3/6/96) jim From declan+ at CMU.EDU Thu Mar 7 10:29:45 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Thu, 7 Mar 96 10:29:45 PST Subject: EFF on crypto bills In-Reply-To: <199603062155.NAA22301@eff.org> Message-ID: [In reply to Shabbir's message. -Declan] ---------- Forwarded message begins here ---------- From: Stanton McCandlish Message-Id: <199603062155.NAA22301 at eff.org> Subject: Re: NYT: Encryption compromise bill introduced To: shabbir at vtw.org (Shabbir J. Safdar) Date: Wed, 6 Mar 1996 13:55:07 -0800 (PST) Cc: declan+ at cmu.edu, fight-censorship+ at andrew.cmu.edu, jim at rsa.com In-Reply-To: <199603062014.PAA02169 at panix4.panix.com> from "Shabbir J. Safdar" at Mar 6, 96 03:14:01 pm > The Leahy bill is actually much better than Stanton lets on. Take a > look at it, it affirms Americans' right to choose whatever algorithm or > technique they'd like, as well as takes great pains to go on record to > say that Congress treaded very carefully to preserve Americans' right > to not use key escrow algorithms, and if they did, not to use escrow > agents. You don't get much more of a guarantee than that. Sure you do: Goodlatte's more direct prohibition on the Exec. branch mandating Key Escrow. What's the problem here? We know Goodlatte's version, on this provision at very least, is better. Why can't we just agree that it is, and support that? Goodlatte's bill isn't competing with Leahy's, they were introduced simultaneously in different chambers, and are intended to get the same message across. I can't see a problem with saying "we like this particular phrasing better, let's have it in both versions." The entire point of all this is to have the same bill on both sides of Congress anyway. It can either happen early, or (on the off chance it ever gets that far) in conference committee. Here we have a large say. In conf. cmte. we have almost no say. Again, what's the problem? What are we arguing about? > Regardless of the ulterior motives of the White House, key escrow > programs are still voluntary as read on the books. The best we can > write into a law is to have our rights reaffirmed. Leahy has given > this to us in spades. I disagree. A better thing we can write into law is to simultanously have rights reaffirmed, and send a more direct message to the Admin that it cannot tread here. > Let's not soft-pedal this legislation. Let's not hard sell flawed parts of it, when fixes are not just available but already introduced as "live" legislation. > Leahy and Goodlatte are going > head to head with the White House to undermine the strongarm export > tactics of Clipper and Son of Clipper. They've stuck their necks out for > us, we need to back them up. Certainly. > Just wait until the White House starts to act in reaction to this. It's > not going to be pretty.... No kidding. I expect either an attempt to mandate escrow, a worsening of the export controls, and/or an all-out assault on American's rights to encrypt at all, or without some kind of worse-than-GAK registry or licensing. If not all of the above. -- Stanton McCandlish
mech at eff.org

Electronic Frontier Foundation

Online Activist From declan+ at CMU.EDU Thu Mar 7 10:30:10 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Thu, 7 Mar 96 10:30:10 PST Subject: VTW on crypto bills In-Reply-To: <199603062014.PAA02169@panix4.panix.com> Message-ID: ---------- Forwarded message begins here ---------- From: shabbir at vtw.org (Shabbir J. Safdar) To: Stanton McCandlish cc: declan+ at cmu.edu (Declan B. McCullagh), fight-censorship+ at andrew.cmu.edu, jim at rsa.com Subject: Re: NYT: Encryption compromise bill introduced Date: Wed, 06 Mar 1996 15:14:01 -0500 Sender: shabbir at panix.com The Leahy bill is actually much better than Stanton lets on. Take a look at it, it affirms Americans' right to choose whatever algorithm or technique they'd like, as well as takes great pains to go on record to say that Congress treaded very carefully to preserve Americans' right to not use key escrow algorithms, and if they did, not to use escrow agents. You don't get much more of a guarantee than that. Regardless of the ulterior motives of the White House, key escrow programs are still voluntary as read on the books. The best we can write into a law is to have our rights reaffirmed. Leahy has given this to us in spades. Let's not soft-pedal this legislation. Leahy and Goodlatte are going head to head with the White House to undermine the strongarm export tactics of Clipper and Son of Clipper. They've stuck their necks out for us, we need to back them up. Just wait until the White House starts to act in reaction to this. It's not going to be pretty.... -Shabbir J. Safdar * Online Representative * Voters Telecomm. Watch (VTW) http://www.vtw.org/ * Defending Your Rights In Cyberspace Stanton McCandlish writes: >> Date: Tue, 5 Mar 96 13:26:39 PST >> From: jim at RSA.COM (Jim Bidzos) >> Message-Id: <9603052126.AA19534 at RSA.COM> >> Cc: cypherpunks at toad.com >> >> >> I'm in favor of the Bill because it specifically prevents, by law, the >> US Govt from mandating key escrow. > >This is only true of the Goodlatte bill. The Leahy bill just explicitly >does not mandate GAK. Goodlattes does this, and goes further, preventing >the Administration from doing so. > >Needless to say, we'd like to see the two bills merged, and the better >features of each kept. > >> I anticipate that the Administration, led by the intelligence and law >> enforcement interests, will vigorously lobby against this bill... > >Right. We don't expect it to pass, but it could be an important step in >raising the issues. > > >-- > Stanton McCandlish >

mech at eff.org >

Electronic Frontier Foundation >

Online Activist From jimbell at pacifier.com Wed Mar 6 18:33:05 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 7 Mar 1996 10:33:05 +0800 Subject: Another Motivation for the CDA Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 08:45 AM 3/6/96 -0500, Mutant Rob wrote: >Timothy C. May wrote: >> >> Given that Sen. Fineswine is one of the strongest supporters of gun >> confiscation, and that she had this to say about the Telecom Bill:[..] > >Felons may not own a gun unless granted a waiver by certain judges. They >also lose the right to vote, BTW. > >I think you're reading too much into motives, Tim. I don't think that >most in congress are capable of thinking that elaborately, and besides, >if someone is convicted of violating the CDA for saying "fuck" online, >that is the type of felony that one can get a judge's waiver for... I am NOT relieved at hearing this. If one must have a "judge's waiver," then that means he probably can "request" whatever other conditions he chooses to put on his waiver. The government still has a motivation to make every crime a felony, down to and including jaywalking and speeding tickets. (Don't try to tell me "they can't turn speeding tickets into a felony." The term "felony" is defined, and can be RE-defined, to whatever the legislature wants at any time. Naturally, this won't occur all at once; it'll happen in "reasonable" stages.) All the more reason to adopt a system that will rid us of these parasites forever. KnowhutImean? Jim Bell jimbell at pacifier.com Klaatu Burada Nikto Something is going to happen. Something.......................Wonderful! -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMT3R4PqHVDBboB2dAQGOKAP/aLqcF1rK+sXHS2rFMHWhtOUw/0Su8J2l Cpk5GhmEJxGnBK4LKszhl/jX982AMDIRRrop5k0z1l4ezs1cnI0fwzniNwYWluG0 qjmcJ/rkEmPrA5cKwj9dqxsKi+lex1pApNOmogICkLdzUZgHrj6wAEmLKzqiNDiU 7XJdtbsMSFY= =7sEd -----END PGP SIGNATURE----- From maldrich at grctechs.va.grci.com Thu Mar 7 10:38:29 1996 From: maldrich at grctechs.va.grci.com (Mark Aldrich) Date: Thu, 7 Mar 96 10:38:29 PST Subject: forwarded message from Kendall Collett In-Reply-To: <199603071552.HAA23865@netcom20.netcom.com> Message-ID: On Thu, 7 Mar 1996, cjs wrote: > > > > BTW, did you hear that IO got on the SurfWatch "bad list" because there > > were more than 25 complaints about objectionable material in the io.com > > domain. (Apparently, when SurfWatch hears more than 25 complaints > > against a particular domain, the just deny access to the whole domain > > rather than particular URLs.) > > So.. whats the number to call? Microsoft has material on their site I > object too. =) And let's not forget the really objectionable stuff at http://www.buchanan.org/pjbindex.html (the Buchanan Campaign web site). ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From uunet!in2.uu.net!news.cais.net!news.cais.com!news at warwick.com Wed Mar 6 19:05:38 1996 From: uunet!in2.uu.net!news.cais.net!news.cais.com!news at warwick.com (uunet!in2.uu.net!news.cais.net!news.cais.com!news at warwick.com) Date: Thu, 7 Mar 1996 11:05:38 +0800 Subject: Ignore Message-ID: <4hkqiq$6rs@news.cais.com> ----------------------------------------------------------------------------- _____ _____ _______ / ____| __ \__ __| ____ ___ ____ __ | | | | | | | | / __ \____ / (_)______ __ / __ \____ _____/ /_ | | | | | | | | / /_/ / __ \/ / / ___/ / / / / /_/ / __ \/ ___/ __/ | |____| |__| | | | / ____/ /_/ / / / /__/ /_/ / / ____/ /_/ (__ ) /_ \_____|_____/ |_| /_/ \____/_/_/\___/\__, / /_/ \____/____/\__/ The Center for Democracy and Technology /____/ Volume 2, Number 9 ---------------------------------------------------------------------------- A briefing on public policy issues affecting civil liberties online ---------------------------------------------------------------------------- CDT POLICY POST Volume 2, Number 9 March 5, 1996 CONTENTS: (1) Bills To Relax Crypto Export Controls Introduced by Leahy, Burns, Goodlatte, Others (2) Subscription Information (3) About CDT, contacting us This document may be redistributed freely provided it remains in its entirety ** Excerpts may be re-posted by permission (editor at cdt.org) ** ----------------------------------------------------------------------------- (1) BIPARTISAN BILLS TO EASE ENCRYPTION CONTROLS AND PROTECT INTERNET PRIVACY INTRODUCED IN SENATE AND HOUSE A bipartisan group of members from both houses of Congress today introduced legislation to lift many export controls on strong encryption hardware and software and affirm the rights of Americans to use whatever form of cryptography they choose. The bills, sponsored by Sen. Leahy (D-VT), Sen. Burns (R-MT), Rep. Goodlatte (R-VA), Rep. Eshoo (D-CA), and others, represent a major step towards breaking the stranglehold on encryption technologies which for years has denied computer users access to vital privacy-protecting applications. The "Encrypted Communications Privacy Act of 1996" represents a rejection of the Clinton Administration's invasive and unworkable "Clipper Chip" and "Clipper II" key escrow policies. Under the guise of promoting so-called "voluntary" encryption standards, these Administration efforts have sought to use export controls to compel the adoption of key escrow encryption domestically, and have left Internet users without adequate privacy and security. By relaxing export controls on "generally available" cryptographic applications such as PGP, popular Web browsers, and other programs, the Encrypted Communications Privacy Act of 1996 would encourage the development and use of strong privacy protecting technologies. Major provisions of the legislation would: * Ease export controls on encryption products, allowing the export of 'mass market' or 'generally available' cryptography. This would include products such as PGP or many of the popular Web browser programs. * Affirm the right of Americans to use any encryption domestically. The bills explicitly prohibit the government from imposing any limits on the domestic use or sale of encryption. * (Senate version only) Provide protections to those who choose to store their encryption keys with third parties by creating criminal and civil penalties for the unauthorized disclosure of keys and strict requirements for law enforcement access. The bill does not in any way affect the ability of any person to use encryption without a key escrow function.. The legislation also contains several provisions which CDT believes require further clarification and consideration, including controversial language that would create a new federal crime for the use of encryption to willfully obstruct a law enforcement investigation. CDT will work with Senators Leahy and Burns and Representatives Goodlatte, Eshoo, and other interested members to address these concerns as the bill makes its way through the legislative process. The full text of both the House and Senate versions of the bills, along with other relevant background information, is available on CDT's Crypto Issues World Wide Web page: http://www.cdt.org/crypto/ CDT believes that the House and Senate encryption bills are an important step forward in the ongoing attempts to build better security into the information infrastructure through the widespread availability of encryption. Congressional action is particularly welcome as the Administration has continued to impose a flawed approach to encryption based upon export controls, key length limits, and key escrow policies all aimed at slowing the adoption of strong cryptography in the U.S. and throughout the world. While CDT believes improvements can be made in both bills, they establish a solid framework for building a comprehensive, global cryptography policy. CDT believes the bills deserve careful consideration and support. We look forward to working with Senator Leahy, Senator Burns, Rep. Goodlatte, Rep. Eshoo, individual Internet users, public interest advocates, and the computer and communications industry to develop a cryptography policy that protects privacy, security, and competitiveness on the Global Information Infrastructure. SUMMARY OF THE LEGISLATION: WHAT THE BILLS WOULD DO The House and Senate bills both modify Title 18 of the U.S. Code to clarify the status of encrypted communications, access to those communications by law enforcement, and the liability of third-party key holders. The bills would: * SIGNIFICANTLY EASE EXPORT CONTROLS: The bills would remove all export restrictions on "mass market" or publicly accessible encryption software and similar hardware -- that is, products that are generally available to the public and sold for installation "as is," or that are in the public domain such as PGP or some popular web browsers. (For example, products commercially available "off the rack," or freely available to the public via the Internet, would all be exportable.) Other encryption hardware would be exportable to countries where hardware with similar capabilities is already commercially available. The bills also allow export of other encryption software if it is currently exportable under law for use by foreign financial institutions. * PROHIBIT ANY RESTRICTION ON THE DOMESTIC USE OR SALE OF ENCRYPTION: The bills would affirmatively prohibit any government restrictions or attempts to mandate the domestic sale or use of any type of encryption. * IMPOSE CIVIL AND CRIMINAL LIABILITY FOR UNAUTHORIZED KEY DISCLOSURES: (Senate Version Only) The Senate bill would lay down privacy guidelines to protect those users who choose to store their keys with third parties. The bill would impose civil and criminal penalties for the unauthorized release of decryption keys or other decryption assistance by third parties who individuals have entrusted with their keys. No privacy protections and only limited restrictions for law enforcement access currently exist for those who choose to store their keys with trusted third parties. * PROVIDE LIMITS FOR ACCESS TO KEYS BY LAW ENFORCEMENT: (Senate Version Only) The Senate bill would also spell out limits and guidelines for law enforcement access to the keys of those users who have chosen to store their keys with third parties. Today, encryption keys held by third parties could be released to law enforcement with nothing more than a subpoena. Under the Senate bill, third parties could only provide assistance to law enforcement in decrypting communications if presented with a court order. The bill also limits the scope and duration of such assistance. Decryption keys for stored communications could be disclosed with a proper court order or subpoena. * ESTABLISH A BROAD "PERSONAL USE EXEMPTION" FOR U.S. TRAVELERS: The bills would allow U.S. persons to use any form of encryption in a foreign country, establishing a less restrictive form of the "personal use exemption" recently published by the State Department. The provision is intended to accommodate "U.S. citizens and permanent residents who have the need to temporarily export encryption products when leaving the U.S. for brief periods of time". While the intent of this provision is clear, CDT believes that the language of the bill should be further clarified. * PROHIBIT THE USE OF ENCRYPTION TO CONCEAL THE COMMISSION OF A FELONY: Finally, the bills would criminalize the use of encryption to willfully obstruct justice. Anyone who "willfully endeavors" to use encryption for the purpose of obstructing, impeding, or preventing the communication to a law enforcement officer of information relating to a Federal felony would be subject to criminal penalties. CDT believes this new federal crime is unnecessary since it duplicates obstruction of justice crimes that are already available to prosecutors, and is unwise since it might be interpreted to discriminate against users of encryption. BACKGROUND - BILLS ADDRESS LONG-STANDING FRUSTRATIONS WITH U.S. ENCRYPTION POLICY Congressional action comes as Clinton Administration encryption restrictions continue to jeopardize the security of computer users. Encryption tools, which scramble electronic communications and data, are widely viewed as the key to providing security and privacy and encourage commerce on the Global Information Infrastructure. Individuals need encryption in order to trust the GII with confidential data such as financial transactions, medical records, or private communications. Businesses need encryption to provide individuals with privacy protections they need and to protect their own proprietary information as it flows across vulnerable global networks. The lack of good encryption today has left computer users vulnerable to the prying eyes of hackers, corporate competitors, and even foreign governments. Current Administration policy restricts the export of "strong" encryption hardware or software products with keys greater than 40 bits long. (The length of encryption "keys" is often used to indicate the security of a system.) Export controls actually influence the entire GII -- both domestically and internationally -- due to the difficulty of distributing and interoperating products with different strengths of encryption. The level of security permitted under the export controls, and hence the level of security largely available to domestic users as well, has been judged woefully inadequate by many experts. Even the most recent Administration "Clipper II" proposals would only allow the export of moderately stronger encryption, and then only with "key escrow" restrictions to guarantee U.S. government access to individual keys -- restrictions which raise real Constitutional issues and are bound to fail in the competitive international marketplace. In recent months, groups from across the political spectrum have increasingly criticized the Clinton Administration's restrictive export controls. In November 40 companies, trade associations, and public interest groups wrote to Vice President Gore calling the latest Administration proposals flawed and inadequate. Last month a report by the CEOs of 13 leading U.S. technology companies found that U.S. industry stands to lose up to $60 billion dollars per year by the year 2000 due to restrictions on the export of cryptography. And several weeks ago a group of noted computer security experts released a report calling for the deployment of dramatically longer encryption key lengths of at least 75 to 90 bits. The House and Senate bills give voice to this growing drumbeat of criticism demanding a radical departure from the flawed approach of the Clinton Administration's current encryption polices. CDT looks forward to working with members of Congress to push for a more comprehensive U.S. encryption policy that reflects the privacy and security needs of computer users. FOR MORE INFORMATION More information on the cryptography policy debate, including the text of the Senate and House bills, is available on CDT's Cryptography Issues Web Page: http://www.cdt.org/crypto/ For More Information Contact: Center for Democracy and Technology +1.202.637.9800 Daniel Weitzner, Deputy Director Alan Davidson, Staff Counsel ----------------------------------------------------------------------- (2) SUBSCRIPTION INFORMATION Be sure you are up to date on the latest public policy issues affecting civil liberties online and how they will affect you! Subscribe to the CDT Policy Post news distribution list. CDT Policy Posts, the regular news publication of the Center For Democracy and Technology, are received by more than 9,000 Internet users, industry leaders, policy makers and activists, and have become the leading source for information about critical free speech and privacy issues affecting the Internet and other interactive communications media. To subscribe to CDT's Policy Post list, send mail to policy-posts-request at cdt.org with a subject: subscribe policy-posts If you ever wish to remove yourself from the list, send mail to the above address with a subject of: unsubscribe policy-posts ----------------------------------------------------------------------- (3) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. The Center's mission is to develop and advocate public policies that advance democratic values and constitutional civil liberties in new computer and communications technologies. Contacting us: General information: info at cdt.org World Wide Web: URL:http://www.cdt.org/ FTP URL:ftp://ftp.cdt.org/pub/cdt/ Snail Mail: The Center for Democracy and Technology 1634 Eye Street NW * Suite 1100 * Washington, DC 20006 (v) +1.202.637.9800 * (f) +1.202.637.0968 ----------------------------------------------------------------------- End Policy Post 2.9 3/5/96 ----------------------------------------------------------------------- From janzen at idacom.hp.com Thu Mar 7 11:14:24 1996 From: janzen at idacom.hp.com (Martin Janzen) Date: Thu, 7 Mar 96 11:14:24 PST Subject: Good news for Canadians, I think... Message-ID: <9603071822.AA07880@sabel.idacom.hp.com> On the mailing list for the "Electronic Frontier Canada" (similar to, but not a part of EFF), David Jones (djones at insight.dcss.McMaster.CA) writes: > > Feds want encryption; Police opposition ignored. > >The federal government wants its employees, and Canadians in general, >to use strong, public-key encryption. Yes, the same encryption methods >that American law enforcement is so uptight about. The same encryption >that Canadian cops want to avoid, so they can continue to eavesdrop. > >It's summarized in a recent Ottawa Citizen article: > > gopher://insight.mcmaster.ca/00/org/efc/media/citizen.13feb96 > >You may recall the Canadian Association of Chiefs of Police (CACP) >have voiced their opposition to any encryption of communications unless >police had access to a "backdoor" last summer. > > gopher://insight.mcmaster.ca/00/org/efc/law/cacp.24aug95 > >In Canada, it looks like the right to privacy of telecommunications >might take precedence over the police interest in snooping to catch >criminals. I won't repost the entire article here, but here are some highlights: - The system is initially intended to secure email between federal government employees. Deployment is expected to begin next year. - Key management is decentralized; each department hands out its own keys. - Top-secret messages will be encoded using "palm-sized computer cards" (presumably some kind of PCMCIA device). - The Communications Security Establishment (~= NSA) helped to design the system, and claims that it's "more sophisticated than existing public versions". (This is the part that still worries me a bit, even though EFC's David Jones is quoted as saying that he has no concerns. Will the algorithms be published? Also, why develop a new, untested system -- why not just buy the thing from RSA, Viacrypt, etc.? Stay tuned...) - There's a great quote from Bob Little, deputy secretary of financial and information management for the Treasury Board: "[The CSE] don't have access to the keys . . . and never will. We did it to avoid the American experience with the Clipper Chip." - The RCMP (~= FBI) is not amused. All in all, it sounds like a positive development for once. -- Martin Janzen janzen at idacom.hp.com From sandfort at crl.com Wed Mar 6 19:25:24 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Thu, 7 Mar 1996 11:25:24 +0800 Subject: MARCH BAY AREA MEETING Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, For the second (and last) time, the Bay Area Cypherpunks meeting will be held at the offices of Simple Access, fourth floor, 388 Market Street, San Francisco. The meeting will be from noon to 6pm (or so) on Saturday, 9 March. As of this notice, there is no agenda. (Funny, we never seem to be at a loss for words.) Street parking is scarce, garages are expensive; consider public transit. If anyone wants BART, CalTrain or bus information, let me know. Otherewise, here are driving instructions: PENINSULA --North on 101 (or 280 to 101) to Golden Gate/Bay Bridge fork. --Right on 80 (Bay Bridge, Oakland) to 4th St. exit. --Take 4th St. exit. --At the bottom of the ramp, go sort of straight (soft left) onto Bryant (parallel to 80, towards Bay). --Take Bryant about 4 blocks to Fremont. --Take Fremont about 5 blocks to Market. --Follow instructions under "END GAME," below. EAST BAY --Take 80, west across the Bay Bridge to Fremont exit. --Take exit and turn left on Fremont. --Take Fremont about 2.5 blocks to Market. --Follow "END GAME" instructions. END GAME --The building on the far-right corner is 388 Market. --Find a place to park. --Sign in at lobby desk. You are going to visit Simple Access on the 4th floor. --Take the elevator to 4 and follow the signs. --The phone number is: 415-296-2544. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From anonymous-remailer at shell.portal.com Wed Mar 6 19:26:08 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Thu, 7 Mar 1996 11:26:08 +0800 Subject: Boycott "Applied Cryptography" and AT&T and RSA Message-ID: <199603062058.MAA28987@jobe.shell.portal.com> Bruce Schnier (Author of applied cryptography) and Matt Blaze (Who is a crypto bigwig at at&t) have made it clear that they support key escrow. Both have written letters in favor of the new crypto law, it creates a key escrow system and also other restricts on crypto. The letters are on the CDT homepage and i think were posted here. WHAT THE FUCK?????????????????????????????????????????? EFF, EPIC, VTW and almost everyone else (except for Bizdos at RSA, hmmmm) have all come out against this piece of shit. But with these so called experts baking it it could pass anyway. Maybe the ltrs are a forgery? We should ask them, and if this is true, LETS SEND THEM A MESSAGE!!!!!!!! SWITCH YOUR PHONE SERVICE AND TELL AT&T WHY!!! STOP RECOMMENDING APPLIED CRYPTO (THERE ARE EASIER BOOKS ANYWAY). DEMAND THAT THESE PEOPLE STOP GIVING AWAY YOUR RIGHTS!!!!!!!!!!!!!!!!!!!!!!!!!!! their addresses are schneier at counterpane.com mab at crypto.com jim at rsa.com From gnu at toad.com Wed Mar 6 19:26:12 1996 From: gnu at toad.com (John Gilmore) Date: Thu, 7 Mar 1996 11:26:12 +0800 Subject: EFF Statement on Leahy/Burns/Murray Crypto Bill Message-ID: <9603052322.AA16005@toad.com> New "Encrypted Communications Privacy Act" - Enabling Electronic Envelopes ========================================================================== FOR IMMEDIATE RELEASE ELECTRONIC FRONTIER FOUNDATION +1 415 436 9333 ask at eff.org March 5, 1996 http://www.eff.org The Electronic Frontier Foundation (EFF) is encouraged to see Congressional support for lifting restrictions on encryption and affirming privacy rights for U.S. citizens. The bill introduced today by Senators Pat Leahy (D-VT), Patricia Murray (D-WA) and Conrad Burns (R-MT) is an important step in reclaiming privacy and encryption rights for society and business. The bill would legalize wide use of "electronic envelopes" to protect private information. Today this information travels on "electronic postcards" which can easily be altered or intercepted. However, the bill also includes key escrow and obstruction of justice provisions which would cause problems if enacted. "The bill provides a new opportunity to bring reason into the crypto policy debate," said EFF co-founder John Gilmore. "We support the Senators for bringing their energy into the process. The bill is a good start, and with healthy debate and modification, it could become acceptable legislation." Electronic privacy and encryption policy is extremely complex because it intertwines our constitutional rights of free speech, publication, association, and protection from self-incrimination and unreasonable search, with issues of wiretapping, spying, military security, personal privacy, and computer security. This bill would pick a new balance among these competing interests, with long-term impacts on our society and economy. EFF is committed to working with government, industry and public interest organizations to raise the level of understanding and debate in resolving these complex issues. Export Control Liberalization ----------------------------- The Encrypted Communications Privacy bill would make long-overdue changes to the export restrictions currently hampering the deployment of privacy and security "envelopes" for Windows, Unix, the Mac, and the Internet. The bill: * Moves export control of all non-military information security products, incuding encryption, to the Commerce Dept., whose rules protect constitutional rights and reflect market realities. * Requires that no license be required to export generally available mass-market software, public domain software, and computers that include such software. * Requires that export be authorized for non-military encryption software to any country where similar software is exportable from the U.S. to foreign financial institutions. * Requires that export be authorized for encryption hardware if a comparable product is available overseas. The above changes would significantly improve the nation's crypto policy. But they make detailed changes in a very complex section of the law and regulations. There is a significant risk that they will be implemented by the Administration in a different fashion than Congress intended. This happened in 1987, for example, when Congress tried to eliminate NSA meddling with civilian computers by passing the Computer Security Act. It was subverted by a series of Presidential directives and agreements among Executive Branch departments. The result today is that NSA is still in control of domestic security and privacy policy. We would encourage futher deregulation as a simpler, more effective, and far more reliable solution. The bill should simply eliminate all export controls on non-military encryption. Criminalization of Encryption and Encouragement of Key Escrow ------------------------------------------------------------- The following provisions raise serious concerns about the imbalance between the rights of the people and the desires of the goverment. EFF feels that the impact of these provisions must be closely considered, and will work to modify or remove them to better serve the public interest. The bill: * Makes it a new crime to "use encryption to obstruct justice", with 5-10 year sentences, plus fines. In plain language, this is a extra criminal charge that can be applied when police are frustrated in an investigation but happen to catch someone breaking the law in some other way. It's like Adding an extra ten-year jail term if you close your curtains while committing a crime. Americans have the right to protect their own privacy by any nonviolent means, and we expect that encryption will soon be built into all computers, phones, and networks. * Provides a legal infrastructure for key escrow, a system in which all users' keys are copied to permit government access. The Clinton Administration has been pushing key escrow to replace its failed "Clipper chip", out of fear that if Americans have real privacy they will abuse it. These provisions in the bill would encourage people to use the flawed key-copying system. Clarification and Refinement ---------------------------- The are a number of areas of the bill that would benefit from additional debate and clarification. Specifically, where the bill: * Explicitly does not mandate key escrow, but fails to prohibit the Administration from attempting to impose it with regulations. * Outlaws disclosure of others' keys except to the government, with 1-2 year sentences, plus fines, but includes a broad "good faith" exemption for when the government does something illegal or unconstitutional. * Requires disclosure of other peoples' keys to the government, under the same procedures currently used for wiretaps, searches of online records and backup tapes, and fishing expeditions in billing records. The provision does not always require adversary legal process, in which citizens can argue for their privacy before a judge, but instead relies solely on the integrity of prosecutors. * Legalizes the use any encryption "except as provided in this Act...or in any other law". EFF's Proposed Crypto-Privacy Principles ---------------------------------------- EFF's Cryptography and Privacy Policy Principles, which were originally written during the Clipper Chip debate, are the touchstone by which we measure privacy legislation and policy issues: * Private-sector access to encryption technology must not be hindered, either by regulation of what crypto may be used domestically, or by restriction on what may be exported. * Government policy on encryption usage and standards must be set in open forums with proper attention paid to public input. Secret hearings and classified algorithms have no part to play in a democratic process. * Encryption must become part of the "information infrastructure" to protect personal, commercial and governmental privacy and security. Cryptographic tools must not be crippled or weakened for the convenience of government agents, and users must be free to choose what encryption they prefer and whether and to whom they will reveal encryption keys. Law enforcement must obtain court orders, not simply administrative subpoenas to seize keys or decrypt and search encrypted information. * Government policy regarding emerging technologies like encryption must not erode Constitutional protections. In particular, any such policies must be compatible with the rights to freedom of speech, press and association, freedom from coerced self-incrimination, and freedom from unreasonable search and seizure. * Encryption will be built into all next-generation Internet, communications and computer technology. There must be no government policy equating use of encryption with evidence of criminal behavior, nor the creation of any new crime category that holds encryption users liable for making criminal investigation more difficult. * Government at all levels should explore cryptography's potential to replace identity-based or dossier-based systems - such as driver's licenses, credit cards, social security numbers, and passports - with less invasive technology. The Encrypted Communications Privacy bill at this time passes some of these tests, and we are committed to working with industry, government, and public interest organiations to address the remaining issues. Background: EFF and Crypto-Privacy Policy ----------------------------------------- The Electronic Frontier Foundation (EFF) is a nonprofit public interest organization devoted to the protection of online privacy and free expression. EFF was founded in 1990, and is based in San Francisco, California. The International Traffic in Arms Regulations (ITARs), administered by the State Department, and in the background by the National Security Agency, unreasonably treat encryption software and hardware as if they were weapons of war, like rockets and bombs. It has proven very difficult to deploy U.S.-made encryption products in an increasingly important global market due to these regulations, at a time when the need for online security systems for personal and commercial use has never been more keenly felt. EFF has for several years led efforts to fend off governmental attempts to restrict the development and public availability of secure privacy technology. In 1993-4, EFF and other civil liberties organizations successfully opposed implementation of the U.S. Administration's "Clipper" or "Skipjack" system - hardware encryption for voice and data communications in which all encryption keys are held by government for the convenience of law enforcement and intelligence agencies. In 1994, we helped ensure that crypto export became a major legislative topic, laying the groundwork for eventual liberalization of the ITARs. In 1994 and 1995 EFF opposed implementation of and helped defeat funding for the FBI's "Digital Telephony" scheme, in which up to one person on every city block could be simultaneously wiretapped. In 1995, we filed an ongoing federal lawsuit with mathematician Daniel Bernstein, challenging the constitutionality of the export control laws. Online Resources for More Information ------------------------------------- Please see EFF's Internet archives for more details on this and other issues. EFF Privacy & Encryption Archive: http://www.eff.org/pub/Privacy/ EFF Legal Issues & Policy Archive: http://www.eff.org/pub/Legal/ Action Alerts: http://www.eff.org/pub/Alerts/ Topical Index of the EFF Archive: http://www.eff.org/links.html Contact Information ------------------- The Electronic Frontier Foundation 1550 Bryant St., Suite 725 San Francisco CA 94103 USA +1 415 436 9333 (voice) +1 415 436 9993 (fax) Internet: ask at eff.org John Gilmore, Co-founder and Member of the Board gnu at eff.org +1 415 221 6524 From droelke at rdxsunhost.aud.alcatel.com Wed Mar 6 19:29:53 1996 From: droelke at rdxsunhost.aud.alcatel.com (Daniel R. Oelke) Date: Thu, 7 Mar 1996 11:29:53 +0800 Subject: SEAL cipher info requested (something actually list related!) Message-ID: <9603052220.AA11028@spirit.aud.alcatel.com> > > Christopher Allen writes: > > At 4:27 PM 1/27/96, Anonymous wrote: > > >Anybody have info on the SEAL cipher? I can't find any > > >descriptions or analysis of it. Refs, proceedings or URLS > > >would be a good thing. > > > > I also am interested in references to it. > > > > I'm told that it was invented by a cryptographer at IBM, and that it > > patented, so that should help in the search. > > Its a Don Coppersmith creation. It is blazingly fast. I believe it is > patented. > > Perry > Get Applied Cryptography!!! - Page 398 in issue 2. Source code on page 667 Brief - steam cipher. Phil Rogaway and Don Coppersmith @ IBM. uses "pseudo-random function family". Fast. Patented. ------------------------------------------------------------------ Dan Oelke Alcatel Network Systems droelke at aud.alcatel.com Richardson, TX From clarissa_wong at alpha.c2.org Thu Mar 7 11:46:49 1996 From: clarissa_wong at alpha.c2.org (Clarissa Wong) Date: Thu, 7 Mar 96 11:46:49 PST Subject: Jump Start ecash With IPhone Message-ID: <199603071936.LAA25351@eternity.c2.org> Adam Shostack mentioned: > The big problem with this is that net phones can be subject to > delay & drop out, and I don't want to deal with that when I'm talking > on the phone. Adam, Yes, and that's good news. We can claim, while we are building up our infrastructure, that we have a low-quality service that cannot compete with the current LD carriers. Meanwhile, several companies and committed enthusiasts are solving IPhone's technological problems. Also, ATM and other high-bandwidth technologies that the LD carriers are deploying can bring them profits when IPhone users request the _fast_ Internet. But the real money is in the billing system. And an efficient, decentralized ecash infrastructure will change the world. A cheap telephone-to-telephone long distance and international voice service, which people do want to buy, could provide the cash flow to jump start it. CW From frissell at panix.com Wed Mar 6 19:51:09 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 7 Mar 1996 11:51:09 +0800 Subject: Jump Start ecash With IPhone Message-ID: <2.2.32.19960306214604.007235dc@panix.com> At 11:37 AM 3/6/96 -0800, Jim McCoy wrote: > 2- The phone companies (actually ACTA, the telco lobby) petitioned > the FCC on Monday to regulate the Internet phone software > companies. > >IP phone systems themselves may need to move underground just to >escape regulation. OTOH, there is nothing to prevent people from >building their own systems once some free software is out there... That would be a super neat trick since the LD business is currently deregulated (and in fact was never a government monopoly) and the local loop is in the process of deregulation, and Vocaltec is in some senses an Israeli company anyway and need not have a presence in New Jersey if it doesn't want do. DCF From uunet!in2.uu.net!newsfeed.internetmci.com!gordius!news.service.uci.edu!usenet at warwick.com Wed Mar 6 19:54:41 1996 From: uunet!in2.uu.net!newsfeed.internetmci.com!gordius!news.service.uci.edu!usenet at warwick.com (uunet!in2.uu.net!newsfeed.internetmci.com!gordius!news.service.uci.edu!usenet at warwick.com) Date: Thu, 7 Mar 1996 11:54:41 +0800 Subject: http://www.grfn.org/~blacktar/KilltheNewbies.htm In-Reply-To: <4h3e98$i8q@news.mel.aone.net.au> Message-ID: <313DE81A.6403@grfn.org> http://www.grfn.org/~blacktar/KilltheNewbies.htm From jimbell at pacifier.com Thu Mar 7 12:03:55 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 7 Mar 96 12:03:55 PST Subject: Anonymous remailers and Leahy bill Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 01:06 PM 3/7/96 -0500, A. Padgett Peterson P.E. Information Security wrote: >Do not agree with you. Do support your right to disagree though. > P.fla That's all this guy said. Here's my more verbose response. >Do not agree with you. You are _entitled_ to not "agree" with me. What you are NOT entitled to, however, is to have a government that violates my rights by attempting to restrict crypto and other freedoms, even if it is with the support of 51% of the Congress or 51% of the voters or 51% of the population. (or even substantially more.) If you actively support such a government, or even encourage such a government, you are doing what is analogous to "inciting a riot": You are guilty of inciting the government to take improper, illegal, unconstitutional, or simply immoral actions against me and others, and in my opinion if such actions are taken you enter into that conspiracy. You may be alarmed that I might consider you a criminal for just exercising your "free speech." (If you're not alarmed, you SHOULD be!) I myself would greatly prefer to live in a society where speech was totally free: There would be no laws against libel and slander, and you could "yell 'fire' in a crowded theatre" without the possibility of prosecution. (All the other potential customers will be home watching on tape rental, which will make what you can do in a theatre less significant.) But until we live in such a world, I consider that yelling "child porn!" or "terrorism!" or "drug smuggling" in "a crowded Congress" or _to_ "a crowded Congress" that's anxious to restrict our rights ever further, is an incitement to violate my rights. > Do support your right to disagree though. No, I don't think you do. You've done NOTHING to actually _support_ my right to disagree, except possibly waste a few bytes of information space on a message that you did not see fit to publicize. (I did, however.) Clearly, your "support" for my "right to disagree" is essentially non-existent. Jim Bell Klaatu Burada Nikto! -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMT866/qHVDBboB2dAQHqfAP9F1vYWiHVT67QXNXwuDWpR9n6THRL4S2W vJq256khHXs4pMawUiGitkovVEDSBM8Tc6t6NpgNbwEojZ40dF147gqq7iTLOrf0 TU4RrUvBKiRJbTXnJM6YdHL7gOHQtU5TqHRft3R9JAHR5zEpetUSIo7+uVbklqqd Du1cZlTbu68= =M+dV -----END PGP SIGNATURE----- From sawyer at nextek.com Thu Mar 7 12:14:52 1996 From: sawyer at nextek.com (Thomas J. Sawyer) Date: Thu, 7 Mar 96 12:14:52 PST Subject: FCC and Internet telephones Message-ID: > In a statement from Washington, the America's Carriers Telecommunication >Association says it "submits that it is incumbent upon the FCC to exercise >jurisdiction over the use of the Internet for unregulated interstate and >international telecommunications services." > "For example," adds the ACTA statement, "online service providers generally >charge users around $10 for five hours of access and then around $3 for each >additional hour. Five hours equals 300 minutes, divided by $10 is 3.3 >cents per >minute. The average residential long distance telephone call costs about 22 >cents per minute or seven times as much." It seems that once again, big business is trying to get in the way of progress and competition because they are afriad they are going to lose some money. It seems to me that the ACTA is upset because someone found a way to "do it cheaper" and the telco's stand to lose a lot of long distance dollars. So rather then using this technology and perhaps lowering LD rates, instead they seek to block out the technology from the public. I wonder what would happen if someone discovered an drastically cheaper alternative to gasoline, but it never made it main stream because the oil companies would go out of business. Seems like the same type of situation with the telco's. > Says ACTA, "Technology may once again be surpassing government's ability to >control its proper use. However, the misuse of the Internet as a way to >'by-pass' the traditional means of obtaining long distance service could >result in a significant reduction of the Internet's ability to transport >its ever >enlarging amount of data traffic." No, the technology is surpassing the telco's ability to provide low-cost communications. > Specifically, ACTA petitions the FCC to define the type of permissible >communications that may be effected over the Internet. Permissible communications? This sounds like something out of the CDA ... I say, just try and regulate it. I want to see the FCC try and monitor several million computer transmissions every day and see how well regulation works. Thomas J. Sawyer sawyer at nextek.com From froomkin at law.miami.edu Thu Mar 7 12:22:27 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Thu, 7 Mar 96 12:22:27 PST Subject: new netscape servers In-Reply-To: <2.2.32.19960307143422.0073f934@panix.com> Message-ID: On Thu, 7 Mar 1996, Duncan Frissell wrote: > However, a CA operating outside the licensing structure of current CA's > would have very low costs and hence no investment to lose in litigation. > Costs would be almost entirely marketing related and as long as you stayed > out of jurisdictions with some of the new CA law, no regulatory costs or > barriers. > I don't think this is definitional. If nothing else they can take the equipment. If you don't incorporate, your personal assets are at risk; if you do, you have to keep a real separation between the corporation and yourself, pay the taxes, etc. Ok, make it a non-profit labor of love; low risks, no returns, then maybe you are right. Just hope that there ar no punitive or large consequential damages, and no one pierces the corporate veil (unlikely, I admit, but not impossible). What law applies to a certificate used in a multi-jurisdictional transaction is less obvious to me than I would like. I think I have talked a student in my seminar into writing a paper to educate me. [The above may have been dictated with Dragon Dictate/Win 2.0 voice recognition. Be alert for unintentional strange word substitutions.] A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here. From cmyk.warwick.com!not-for-mail at warwick.com Wed Mar 6 20:24:15 1996 From: cmyk.warwick.com!not-for-mail at warwick.com (cmyk.warwick.com!not-for-mail at warwick.com) Date: Thu, 7 Mar 1996 12:24:15 +0800 Subject: jfjdjdf Message-ID: <4hkvq6$d36@cmyk.warwick.com> fjhdgfh dfhjd From m5 at dev.tivoli.com Thu Mar 7 12:41:09 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Thu, 7 Mar 96 12:41:09 PST Subject: io.com & SurfWatch Message-ID: <199603072041.OAA17349@kenya.tivoli.com> Well, it turns out that (according to a nice person at SurfWatch who put up with the rant I mailed in and send back a denial rather quickly) io.com isn't actually blocked. At least, so they say. No comment on whether there's anything like the "25 complaints" policy. I don't own SurfWatch, but if anybody does and finds www.io.com blocked, I'll send in another rant. I wonder whether they've actually considered the liability situation in re: blocking sites that shouldn't be blocked? I mean, sure, they seem nice enough about setting things right (like with the Nynex sites whose url's had "xxx" in the paths), but it seems to this non-lawyer that a case could be made for damages inflicted by being known as a purveyor of filthy indecency for even a short while. ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * * suffering is optional From mutant at compuville.com Thu Mar 7 12:51:22 1996 From: mutant at compuville.com (mutant at compuville.com) Date: Thu, 7 Mar 96 12:51:22 PST Subject: surfwatch filtering Message-ID: <199603072056.PAA05237@lemieux.compuville.com> -----BEGIN PGP SIGNED MESSAGE----- someone wrote: >[homepage on IO] > >BTW, did you hear that IO got on the SurfWatch "bad list" because there >were more than 25 complaints about objectionable material in the io.com >domain. (Apparently, when SurfWatch hears more than 25 complaints >against a particular domain, the just deny access to the whole domain >rather than particular URLs.) A quick phone call to the Surf Watch people revealed that they rarely block whole domains, and that they are not currently blocking all of io.com. - -- mutant at compuville.com "They that can give up essential liberty to mutant at cypher.net obtain a little temporary safety deserve (send mail with Subject: neither liberty nor safety." send-pgp-key for PGP key) -Ben Franklin ~1784 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMT9NaH0ndmRPxibdAQFSJwQAtq/s1c+GZlHvgVOhNgM8Dseq0SQ+6L8U bx8FV0l85anNk+fjRnY5hD8RflHFeVzLis2yDmn8BLjYzVnHBEWBXXncpwg3okoQ FOMJJTZZbOec10ESy3pvRPwgie60IaR3qIcHUmUHRqbv5dOjgDg5GhYWeZ8rhCCN 0pisfaQBsVc= =qgSw -----END PGP SIGNATURE----- From gary at kampai.euronet.nl Wed Mar 6 21:41:08 1996 From: gary at kampai.euronet.nl (Gary Howland) Date: Thu, 7 Mar 1996 13:41:08 +0800 Subject: (Fwd) Gov't run anon servers Message-ID: <199603051038.LAA17028@kampai.euronet.nl> Hal wrote: > However, if I were a computer-savvy law enforcement agent, and I wanted > to track messages through one of my remailers, I would try a > technological approach. I would first break the key for my remailer. > That is trivial. The passphrase is in PLAINTEXT in the script file > which runs the remailer!. It has to be. That is true of all automated > remailers. The passphrase could be kept in memory and entered every time the system is started. Gary From jimbell at pacifier.com Wed Mar 6 21:45:08 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 7 Mar 1996 13:45:08 +0800 Subject: Whut it sez Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 09:33 AM 3/6/96 -0500, A. Padgett Peterson P.E. Information Security wrote: > >Note: downloaded from www.vtw.org so cannot guarentee correctness- > > "�2804. Unlawful use of encryption to obstruct justice" > "Whoever willfully endeavors by means of encryption to obstruct, > impede, or prevent the communication of information in furtherance > to a felony which may be prosecuted in a court of the United States, > to an investigative or law enforcement officer shall-..." > >Interesting wording - sounds almost like if you impede the *commission* of >a felony, you is been had. Keyword would seem to be "willingly". You need to learn to read more carefully. The word they (according to VTW) used was "willfully," not "willingly." In any case, assuming they either never made the error you noticed, or they manage to correct it before the bill becomes law, they will have just outlawed the used of encrypted remailers, because: 1. They use encryption to hide the sender and/or the recipient of a note. 2. Any law-enforcement agency could get a "cooperative", computer-literate criminal to upload a message that might, arguably, be part of a larger criminal offense (but really wasn't; the purpose is simply to justify an investigation) . The encrypted remailer is then guilty of violation of this section, even if the underlying crime is never completed or even attempted. Remember, you can have a "criminal investigation" without having a crime. Or a "crime" can be fabricated at the appropriate time, just like they did to those operators of a California BBS, called from Oklahoma by the cops, and using a kid to turn the whole fraud into a crime. > Suspect they meant to say "...obstruct (etc) the investigation of a felony..." Probably. This section is their wish-list to Santa Claus. It's easy to make mistakes when you're excited about something. They're hoping you suckers will support the whole bill despite this booby-trap. You're the fish, the rest of the bill is the worm, and this section is the hook. Will you bite? Jim Bell jimbell at pacifier.com Klaatu Burada Nikto -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMT4JOvqHVDBboB2dAQFgDQQAmWrTqEaFUC6eFH79cGLeSHXqrXxXb25H 79I+SHT1chhrDQjHYvlPlpovcv/ShyqJB47w8z9XfGTggGKp+WvFVk10du9iviFF GZRsNgkjtdEpattuw/tZpmCrWW+aOAtM0Ziw+cYQsGdDlbkdHZueJTuCjDwUndGm BARsyesyGzA= =kEFi -----END PGP SIGNATURE----- From uunet!in2.uu.net!gatech!newsfeed.internetmci.com!athos.itribe.net!logrus!page at warwick.com Wed Mar 6 21:46:03 1996 From: uunet!in2.uu.net!gatech!newsfeed.internetmci.com!athos.itribe.net!logrus!page at warwick.com (d.) Date: Thu, 7 Mar 1996 13:46:03 +0800 Subject: test Message-ID: <4hl7ck$e95@athos.itribe.net> test. d. -- Homo vult decipia; decipiatur. page at itribe.net From perry at piermont.com Wed Mar 6 21:59:45 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 7 Mar 1996 13:59:45 +0800 Subject: Boycott "Applied Cryptography" and AT&T and RSA In-Reply-To: <199603062058.MAA28987@jobe.shell.portal.com> Message-ID: <199603062302.SAA09771@jekyll.piermont.com> anonymous-remailer at shell.portal.com writes: > Bruce Schnier (Author of applied cryptography) and Matt Blaze (Who > is a crypto bigwig at at&t) have made it clear that they support > key escrow. Not again. Could this guy please find a nice crowbar with which to pry his head out of the dark orafice he has stuck it in to? Perry From PADGETT at hobbes.orl.mmc.com Wed Mar 6 22:09:41 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Thu, 7 Mar 1996 14:09:41 +0800 Subject: Lawz to be. Message-ID: <960306193119.20205a93@hobbes.orl.mmc.com> Cut & Paste > "�2804. Unlawful use of encryption to obstruct justice" > "Whoever willfully endeavors by means of encryption to obstruct, ... >Interesting wording - sounds almost like if you impede the *commission* of >a felony, you is been had. Keyword would seem to be "willingly". Jim: >You need to learn to read more carefully. The word they (according to VTW) >used was "willfully," not "willingly." Agree, problem was that to get into E-Mail had to cut/paste in 255 bytes segments but the quoted part is what I got off VTW with minor line length adjustment and separation of elements for clarity. >In any case, assuming they either never made the error you noticed, or they >manage to correct it before the bill becomes law, they will have just >outlawed the used of encrypted remailers, because: No, what the wording seems to outlaw was the use of encryption to obstruct the commission of the crime, not the investigation. Read it again please. >> Suspect they meant to say "...obstruct (etc) the investigation of a >>felony..." >Probably. This section is their wish-list to Santa Claus. It's easy to >make mistakes when you're excited about something. They're hoping you >suckers will support the whole bill despite this booby-trap. Thought the gotcha was down in the part about the Secretary of Commerce. My reading is that the secretary will still be required to grant approval for commercial export. Is past the part about no regulation inside the US (which is true now - still would be nice to see a "Congress shall make no law..."). The puzzler is the requirement that a comperable foreign product must exist before permission to export will be granted. Will this be like "comparable product" price matching in discount houses ? Somehow there never is one... Warmly, Padgett ps did you mean the Thomases and Memphis ? Not aware of similar prosecution in Oklahoma. Besides my understanding was that the online stuff was dropped, the conviction was for stuff sent through the mails. Is that incorrect ? From uunet!in2.uu.net!news.ios.com!news2.ios.com!usenet at warwick.com Wed Mar 6 22:16:36 1996 From: uunet!in2.uu.net!news.ios.com!news2.ios.com!usenet at warwick.com (Mr. Sam) Date: Thu, 7 Mar 1996 14:16:36 +0800 Subject: What do these words mean on your planet? In-Reply-To: Message-ID: <4hl8en$mnv@news2.ios.com> In , ahall at cs.uml.edu (Andrew Hall) wrote: >>>>>> Sam writes: > Sam> In , ahall at cs.uml.edu (Andrew Hall) > wrote> > >>>>>>> Sam writes: > Sam> In , tilley at netcom.com (Tom Tilley) wrote: > >> >> In article <4h23li$p20 at news2.ios.com> mrsam at soho.ios.com (Mr. Sam) writes: > >> >>> In , tilley at netcom.com (Tom Tilley) wrote: > >> >>> > >> >>>> a.c, a.flame.r-l, and a.c-e.c.w removed. > >> >>> > >> >>>> In article <4gqd9u$u6 at news2.ios.com> mrsam at soho.ios.com (Mr. Sam) writes: > >> >>> > >> >>>>> Here's one: why doesn't it say 'no tax on capital gains', like for other > >> >>>>> categories, hhhhhhhhhmmmmmmmmmmmmmm? > >> >>> > >> >>>> I don't know about where you're from, but here on planet > >> >>>> Earth zero'ing out taxes is the same as "no tax." > >> >>> > >> >>> I don't know about what's it's like over there, but in this universe, words > >> >>> mean things. > >> >> Yes, they do, and whether you like it or not "zero out capital > >> >> gains tax" means the same thing as "no tax on capital gains." > Sam> Nope. In case you haven't noticed, a few words differ from one to another. > Sam> And, as I said, words mean things. > >> >> Deal with it. > Sam> I do. I have a dictionary. > >> Please let me know which dictionary it is that says > >> "zero = 17%". I want to be sure not to get a copy. > Sam> The same one that says, for you, that convicted drug users are always > Sam> innocent. >I used common sense for that. What is your excuse? No, you didn't. "Convicted" is not the same thing as "innocent", how does that grab you? Conviction logically follows being proven guilty. And guilty is the opposite of innocent, at least on my planet. -- Mr. Sam: member, talk.politics.misc troll patrol channel operator, #Sci-Fi - Undernet IRC sci-fi/fantasy channel http://www.cyberstorm.com/~rockd/sci-fi.html _____________________________________________________________________________ "Government is not a solution to our | "First of all, keep in mind that most problem, government IS the problem." | of our problem is with working -- R. Reagan. | Americans." -- B. Clinton. _____________________________________|_______________________________________ From uunet!in2.uu.net!gatech!purdue!haven.umd.edu!hecate.umd.edu!not-for-mail at warwick.com Wed Mar 6 22:51:38 1996 From: uunet!in2.uu.net!gatech!purdue!haven.umd.edu!hecate.umd.edu!not-for-mail at warwick.com (David J. Murphy) Date: Thu, 7 Mar 1996 14:51:38 +0800 Subject: testing 1 2 3 v1.0 Message-ID: <4hl5tn$6f6@wolfe.umd.edu> This is a test. This is only a test. -- David J. Murphy for now: eg392 at umd5.umd.edu Remember, only YOU can prevent fire drills! From markm at voicenet.com Wed Mar 6 22:52:10 1996 From: markm at voicenet.com (Mark M.) Date: Thu, 7 Mar 1996 14:52:10 +0800 Subject: Signature In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Tue, 5 Mar 1996, Charles Choi (SAR) wrote: > 1) Is it possible to base a privacy key ( e.g. PGP ) on a fractal > equation, instead of an algorithm based on two primes? > This would allow for an eternal level of complexity due > to infinite field of depth one can find as one 'zooms in' > closer ( correct me because I'm wrong; I'm not a math major, > although increasingly I wish I was... ), allowing for near > unbreakable privacy of information. The fact that the private key is based on fractals rather than prime numbers really doesn't make a difference. Fractals are not random, and do in fact, have a pattern. The Mandelbrot Set, for instance, can be expressed in a few bytes of information even though it is infinitely complex. Therefore, the fractal has extremely low entropy making it a bad choice from which to obtain random data. - --Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMT4ljbZc+sv5siulAQF15gP/St6B3vkSWbyjtEZOhQmChDi2yZsZFgRv sQgpo0+k9Blg085J5FZGrHqKIvOSp2ylU9bjto77tnzaXd5e/d0i23/IS1g8yeR+ OotFKwXa0oFpNEXrVBKAgSJKgpngKaVEjBpkNZYeqOscsccLR09CeUVrfMn/+YjQ 4ywYjaf9Q1k= =DQxa -----END PGP SIGNATURE----- From declan+ at CMU.EDU Wed Mar 6 23:30:40 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Thu, 7 Mar 1996 15:30:40 +0800 Subject: Garbage from warwick.com stopped In-Reply-To: <199603070132.UAA22692@cmyk.warwick.com> Message-ID: <0lDXyF200bl40Y43I0@andrew.cmu.edu> ---------- Forwarded message begins here ---------- From: "harry's panix mail" Message-Id: <199603070132.UAA22692 at cmyk.warwick.com> Subject: Sorry for looping feed To: declan+ at CMU.EDU (Declan B. McCullagh) Date: Wed, 6 Mar 1996 20:32:09 -0500 (EST) Cc: cypherpunks at toad.com (Good Guys) In-Reply-To: <0lDXZl200bl40Y40M0 at andrew.cmu.edu> from "Declan B. McCullagh" at Mar 6, 96 08:18:41 pm SOrry. Not an intentional spam.... but rather a software bug. It has been stoped. Harry Hawk Ray Cromwell From panix at warwick.com Wed Mar 6 23:40:18 1996 From: panix at warwick.com (harry's panix mail) Date: Thu, 7 Mar 1996 15:40:18 +0800 Subject: Sorry for looping feed In-Reply-To: <0lDXZl200bl40Y40M0@andrew.cmu.edu> Message-ID: <199603070132.UAA22692@cmyk.warwick.com> SOrry. Not an intentional spam.... but rather a software bug. It has been stoped. Harry Hawk Ray Cromwell > > Please stop this spam addressed to cypherpunks at toad.com, now. > > Sincerely, > > Declan > > > ---------- Forwarded message begins here ---------- > > X-Andrew-WideReply: internet.cypherpunks > X-Added: With Flames (listbb v2.2) > Return-path: > X-Andrew-Authenticated-as: 0;andrew.cmu.edu;Network-Mail > Received: from po2.andrew.cmu.edu via trymail for > arpalists+cypherpunks at andrew.cmu.edu (->listbb+cypherpunks) > ID ; > Wed, 6 Mar 1996 20:03:29 -0500 (EST) > Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8]) by > po2.andrew.cmu.edu (8.7.4/8.7.3) with ESMTP id UAA08989 for > ; Wed, 6 Mar 1996 20:03:25 -0500 > Received: from toad.com by relay3.UU.NET with SMTP > id QQafxy03661; Wed, 6 Mar 1996 19:36:29 -0500 (EST) > Received: by toad.com id AA09621; Wed, 6 Mar 96 16:36:07 PST > Received: from waterville.warwick.com by toad.com id AA09600; Wed, 6 Mar > 96 16:35:57 PST > Received: from cmyk.warwick.com by waterville.warwick.com > id VAA08365 for ; Tue, 5 Mar 1996 21:52:33 -0800 > Received: by cmyk.warwick.com > id TAA21695 for cypherpunks at toad.com; Wed, 6 Mar 1996 19:30:02 -0500 > Received: from GATEWAY by cmyk.warwick.com with netnews > for cypherpunks at toad.com (cypherpunks at toad.com) > To: cypherpunks at toad.com > Date: Thu, 7 Mar 1996 00:01:36 GMT > Message-Id: > Organization: The Fractal Images Company > Content-Type: text/html > From: > uunet!in2.uu.net!newsfeed.internetmci.com!info.ucla.edu!ihnp4.ucsd.edu!pwa > .acusd.edu!news at warwick.com > Subject: test > Sender: owner-cypherpunks at toad.com > Precedence: bulk > > Test > --- > Robert Uomini > The Fractal Images Company (http://www.fractals.com) > Voice: 510-528-0258/800-548-0258 > Fax: 510-528-0243 > ******************************************************************************* > * Buying or selling a home? Come visit the most comprehensive set of * > * residential real estate listings and related services on the Internet: * > * The FractalNet Real Estate Server, http://www.fractals.com/realestate.html * > ******************************************************************************* > ---------- > X-Fractalimgs-Data-Name: sample.html > X-Fractalimgs-Content-Length: 1255 > > > > FractalNet Home Page > > > >

> This is a test of WebReader. This line should appear as text in the font > chosen by the user, as defined in the Properties file. A horizontal rule > follows: >

>

FractalNet Advertisers

>
>
    >
  • Unordered item #1 >
  • Unordered item #2 >
  • Unordered item #3 >
  • Unordered item #4 >
>
    >
  1. Ordered item #1 >
  2. Ordered item #2 >
  3. Ordered item #3 >
  4. Ordered item #4 >
>
    >
  1. Ordered item #5 >
  2. Ordered item #6 >
  3. Ordered item #7 >
  4. Ordered item #8 >
>
>

FTP icon

>
> Swearest thou, ungracious boy? Henceforth, ne'er look upon me. There is > a devil haunts thee in the likeness of an old, fat man. A tun of man is > thy companion. Wherein is he neat and cleanly, but to carve a capon and > to eat it? Wherein is he cunning, but in craft? Wherein is he crafty, > but in villainy? Wherein is he villainous, but in all things? Wherein is > he worthy, but in nothing? >
>
>
> Bob >
> Bob's address >
>
>
>
Term 1: >
This is the first definition >
Term 2: >
This is the second definition >
Term 3: >
This is the third definition >
> > > > > > From PADGETT at hobbes.orl.mmc.com Thu Mar 7 00:03:59 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Thu, 7 Mar 1996 16:03:59 +0800 Subject: Bootable disks Message-ID: <960305215227.20204ca4@hobbes.orl.mmc.com> > New hardware drives with replaceable media in the 100+ Mb >range has developed. The Syquest 135 Mb drive, featured in the latest issue >of _PC Mag_ can, with the parallel port version, reportedly boot. >This means one can have the drive that weighs about two pounds and a $20 >disk, place another OS on the disk, and have a very portable remailer >system. Have made some small study of that area and would be somewhat surprised if possible as advertised (BIOS would need some reason to look for disk on parallel port). What *might* be possible is to create a floppy that would install a device driver that would install directly on top of the BIOS intercepts that would transfer the boot to the Syquest but this would only work for an OS that did not replace the BIOS access with "something else" unless you had a driver for *that*. If you *really* wanted to go overboard, it would also be possible to create a PROM that could be plugged into the "bootp" socket of a NIC and do the same thing but the floppy route would be lots easier. A prom is how Iomega used to be able to make Bernoullis the boot disk - went into a socket on the PC2B (and earlier combo) card. Incidently more than one "hard disk encryption system" using this method has been broken once I have grabbed the intercept out of a booted system. Is also effective for recovering from CPTs. Warmly, Padgett From wlkngowl at unix.asb.com Thu Mar 7 00:04:15 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Thu, 7 Mar 1996 16:04:15 +0800 Subject: Truelly Random Numbers Message-ID: <199603060212.VAA09237@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Tim Fulbright wrote: > > Now I, a lurker for two months, am truelly confused! L. Deitweiler must be > right. Surely one of you cyperpunk fellows could hack together a dongle with > some kind of AD converter and buffer ram to gather a Truelly Random Bitstream > off the environment every couple of milliseconds easier than this raindrop > scheme or recording the fan, you're haviung me on!. Let's go back [..] The raindrop scheme was (politely) laughed off. As for the fan recording scheme, it's a good make-do-with-what-you-already-have method, as opposed to buying and/or building a card. A 'simple AD converter' isn't so simple. Especially if you want to be sure you really have random noise and not something else that just looks random. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMTz0nSoZzwIn1bdtAQGl6QF+P1V62qg+Mf5K+VN3q0Y1e6/A4EO4uLLr WNxAbtE+OxQXFKnP7ajFUFBbnDLJxLmx =4ysY -----END PGP SIGNATURE----- From warlord at MIT.EDU Thu Mar 7 00:06:43 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Thu, 7 Mar 1996 16:06:43 +0800 Subject: Signature 2 In-Reply-To: Message-ID: <199603060218.VAA08242@in-touch.mit.edu> Hi, > Assumption 1 : a privacy key can become uncrackable. > Assumption 2 : an individual signature can become immune to fraud. > Posit : fuse the two together so that pseudonyms/aliases/online names ensure > complete privacy, but ensure that you talk to the same person > everytime. > Probably proposed already. Unforutnately both of your assumptions are wrong. A key cannot be 100% uncrackable, and a signature cannot be 100% immune to fraud. With electronic security, there is always a chance that a key can be cracked or a signature forged. The question is how hard is it to crack the key or forge the signature? You need to balance the security with the price. For example, a 1024-bit RSA key cannot be cracked, today, in a reasonable amount of time. However it is unclear how long that will last. Look at RSA-129; in 1977 Ron Rivest said it would take 40 quadrillion years to break the key. In 1993-4 it took 8 months (5000 MIPS-years). A key has a limited size, therefore it is theoretically possible to try every single key (this is called brute-force). Therefore it is impossible to have 100% uncrackable keys. Singatures have the same problem. Enjoy! -derek From mccoy at communities.com Thu Mar 7 00:06:57 1996 From: mccoy at communities.com (Jim McCoy) Date: Thu, 7 Mar 1996 16:06:57 +0800 Subject: (Fwd) Gov't run anon servers Message-ID: Hal Finney writes: >From: mccoy at communities.com (Jim McCoy) [...] >> The point is not to make a system which is absolutely, positively, no >> doubt about it, secure against any attacker. If cypherpunks could do >> this they would be working for defense contractors and others who make >> certified systems. The objective is to make a system which is difficult >> to attack, one which costs the attacker time/money. [...] > >I was speaking of present conditions. If and when proven-secure Unix >systems start being used as remailer servers on the net then it may be >worthwhile having a larger key. You are correct in stating that having a huge key on a remailer is as silly as putting a $500 lock on a door made of balsa wood. OTOH, the key selected is vulnerable from attacks which you cannot protect yourself against. No amount of detailed security analysis for a host is going to prevent someone else from factoring the keys, and there is nothing that can be done to prevent this from happening. To prevent this is seesm reasonable to select a key which is at least somewhat outside the range of most attackers, 510 bits seems to be pushing the lower bounds of this range a bit (while more than 1024 is probably useless overkill.) With fairly decent logging and auditing at least you know that you have been screwed when it comes to standard system break-ins, you do not know that you have a problem when your key is factored. [...] >> The unix hosts running remailers also have the advantage in >> that they have been subjected to attack for quite a while now and >> most of the obvious problems (and some of the non-obvious problems) >> have been fixed. > >I am not sure what you mean by this. My experience is that new CERT >advisories come out every few months which represent security holes big >enough to steal remailer keys. Well, most of the announcements in the past year have been attacks through subsystems which a remailer should not be running in the first place (e.g. the recent chargen/daytime/etc attacks.) The fact that the announcements come out in the first place is a "good thing" because it makes you aware of the problem. The timid will then think that the system which is the subject of the announcement is insecure and place their trust in a system which is not under the same sort of public scrutiny (e.g. Windows NT, or a VM/CMS system) but which is even easier to hack. At least people are aware of security issues on Unix hosts... (a quick walk through a Computer Literacy bookstore last night turned up twelve books on Unix/internet-server security and none dealing specifically with Windoze95 or NT security, does that mean that my NT test box is perfectly secure? :) Otherwise, I agree that assuming you have a secure remailer just because you use a big key is a foolish attitude. jim From master at internexus.net Thu Mar 7 00:15:41 1996 From: master at internexus.net (Laszlo Vecsey) Date: Thu, 7 Mar 1996 16:15:41 +0800 Subject: Boycott "Applied Cryptography" and AT&T and RSA In-Reply-To: <199603062058.MAA28987@jobe.shell.portal.com> Message-ID: > WHAT THE FUCK?????????????????????????????????????????? > > EFF, EPIC, VTW and almost everyone else (except for Bizdos at RSA, hmmmm) > have all come out against this piece of shit. But with these so called > experts baking it it could pass anyway. > > Maybe the ltrs are a forgery? We should ask them, and if this is true, LETS > SEND THEM A MESSAGE!!!!!!!! SWITCH YOUR PHONE SERVICE AND TELL AT&T WHY!!! > STOP RECOMMENDING APPLIED CRYPTO (THERE ARE EASIER BOOKS ANYWAY). DEMAND > THAT THESE PEOPLE STOP GIVING AWAY YOUR RIGHTS!!!!!!!!!!!!!!!!!!!!!!!!!!! I'm not so much concerned about who supports key eskrow, I just want to learn about cryptography! I sent away for my copy of Applied Cryptography many months ago and it has yet to show up. Bruce, please ship out a book to me! (I would also appreciate a list of these "easier" bookst hat you mention, as well as any free on-line information on crypto) From hua at chromatic.com Thu Mar 7 00:23:46 1996 From: hua at chromatic.com (Ernest Hua) Date: Thu, 7 Mar 1996 16:23:46 +0800 Subject: FCC and Internet telephones Message-ID: <9603070216.AA13123@krypton.chromatic.com> Dost my ears deceive me? Is this true? Ern -------- INCLUDED MESSAGE FCC Asked to Stop Net Phones A trade association of long distance phone service carriers has asked the Federal Communications Commission to halt companies from selling software and hardware products that enable use of the Internet for long distance voice services. In a statement from Washington, the America's Carriers Telecommunication Association says it "submits that it is incumbent upon the FCC to exercise jurisdiction over the use of the Internet for unregulated interstate and international telecommunications services." A growing number of companies sell such software with ancillary hardware for transmitting and receiving voice over the Net, which, says the statement, "creates the ability to 'by-pass' local, long distance and international carriers and allows for calls to be made for virtually 'no cost.'" "For example," adds the ACTA statement, "online service providers generally charge users around $10 for five hours of access and then around $3 for each additional hour. Five hours equals 300 minutes, divided by $10 is 3.3 cents per minute. The average residential long distance telephone call costs about 22 cents per minute or seven times as much." Long-distance and international telephone service carriers must be approved by the FCC to operate and must file tariffs before both the FCC and state public service commissions. All of these requirements are stipulated in the Communications Act of 1934 and the Telecommunications Act of 1996. Says ACTA, "Technology may once again be surpassing government's ability to control its proper use. However, the misuse of the Internet as a way to 'by-pass' the traditional means of obtaining long distance service could result in a significant reduction of the Internet's ability to transport its ever enlarging amount of data traffic." Specifically, ACTA petitions the FCC to define the type of permissible communications that may be effected over the Internet. From jimbell at pacifier.com Thu Mar 7 00:53:46 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 7 Mar 1996 16:53:46 +0800 Subject: Leahy bill nightmare scenario? Message-ID: In case any of you people still think that Leahy bill ostensibly freeing up encryption is "progress," the following scenario is provided for your consideration: "Bob" runs an encrypted remailer. His system forwards mail whose contents he cannot read, even if he wanted to. He cannot know from where the messages originated, or where they ended up. He likes it this way, because nobody can accuse him of complicity with a (encrypted) message that he can't read. One day, Leahy's bill passes, as described by VTW (and quoted by Peterson): "�2804. Unlawful use of encryption to obstruct justice" "Whoever willfully endeavors by means of encryption to obstruct, impede, or prevent the communication of information in furtherance to a felony which may be prosecuted in a court of the United States, to an investigative or law enforcement officer shall-..." I am assuming they fix the obvious error in the phrasing above. "Bob," the operator of the encrypted remailer, receives an email one day which states something like: "Thanks for the use of your nifty anonymous remailer. Under a different name, I intend to use this remailer (along with others) to transmit child pornography, plot terrorism, and do all of my drug deals. You've made my life so much more secure!" Bob, alarmed at this note, tries to cover his ass by sending back a message asking this person to not do anything illegal on his machine, hoping that this will protect himself. The response is "as long as the system operates, it will be used for whatever I want!" What "Bob" doesn't realize is that the message came from an agent for the cops, who now have proof that he is aware that his system will be regularly used for illegal purposes. If "Bob" is smart enough, he will realize his quandary, and he has only two choices: 1. Shut the remailer down to prevent such use. 2. Continue to run the remailer, knowing that it is being used for illegalities. If he should choose the latter, the cops merely have their agent mail some kid some child pornography, and use Bob's remailer as the last link in the chain. At that point, the "investigation" starts. The cops approach "Bob," and insist that he tell them from where the message came. Naturally, however, "Bob" is an honest fellow, and he runs a remailer that doesn't keep records. At that point, Bob is GUILTY of violation of the Leahy bill, because his encrypted anonymous remailer: 1. Uses encryption to thwart message tracing, and thus the "criminal investigation." 2. Bob has already been informed that his system will be used for illegal purposes; the cops have the messages to prove he has been told. He's GUILTY GUILTY GUILTY, he will definitely lose the system and possibly whatever residence it runs in, and will probably have to pay a huge fine to boot. Now, you may not sympathize with Bob. This doesn't affect YOU, right? RIGHT?!? But let's suppose the cops offer him a DEAL! "Spy for us, keep records and forward each and every one of them to us, and we won't prosecute you!" Such a deal! At that point, even an idiot begins to see the problem: Suddenly, you can no longer trust ANY anonymous remailer, because the operator might have been "stung" already, and he's keeping his system up only to keep his house and life savings. One by one, each encrypted anonymous remailer is dealt the same treatment, and pretty soon you can't trust any of them. All the systems run by honest, uncoerced people will go down. Naturally, this treatment will occur in every country that sites anonymous remailers. So maybe the word gets out, occasionally. At that point, usage of anonymous remailers declines, and people willing to risk operating one declines. A few come up which are run by the Feds, which log anyone who attempts to use it... Or am I the only person who can see this, huh? If anybody doubts this scenario, I challenge you to tell me WHY it cannot happen. I am, frankly, astonished at anybody who did not immediately see the potential downside to this portion of the bill! Jim Bell, Pessimist and proud of it. Klaatu Burada Nikto From shabbir at vtw.org Thu Mar 7 01:37:13 1996 From: shabbir at vtw.org (Shabbir J. Safdar) Date: Thu, 7 Mar 1996 17:37:13 +0800 Subject: Boycott "Applied Cryptography" and AT&T and RSA Message-ID: <199603070500.AAA28329@panix4.panix.com> VTW supports the Leahy/Goodlatte bill, since it helps to free lots and lots of cryptography that is currently being crushed under the weight of the Clinton Administration's cryptography export regulations. -Shabbir J. Safdar * Online Representative * Voters Telecomm. Watch (VTW) http://www.vtw.org/ * Defending Your Rights In Cyberspace PS AT&T makes so much money in a year that if everyone on cypherpunks switched to Sprint, it still probably wouldn't even put a dent in their annual budget for paperclips. anonymous-remailer at shell.portal.com writes: >Bruce Schnier (Author of applied cryptography) and Matt Blaze (Who >is a crypto bigwig at at&t) have made it clear that they support >key escrow. Both have written letters in favor of the new crypto >law, it creates a key escrow system and also other restricts on >crypto. The letters are on the CDT homepage and i think were >posted here. > >WHAT THE FUCK?????????????????????????????????????????? > >EFF, EPIC, VTW and almost everyone else (except for Bizdos at RSA, hmmmm) >have all come out against this piece of shit. But with these so called >experts baking it it could pass anyway. > >Maybe the ltrs are a forgery? We should ask them, and if this is true, LETS >SEND THEM A MESSAGE!!!!!!!! SWITCH YOUR PHONE SERVICE AND TELL AT&T WHY!!! >STOP RECOMMENDING APPLIED CRYPTO (THERE ARE EASIER BOOKS ANYWAY). DEMAND >THAT THESE PEOPLE STOP GIVING AWAY YOUR RIGHTS!!!!!!!!!!!!!!!!!!!!!!!!!!! > >their addresses are > schneier at counterpane.com > mab at crypto.com > jim at rsa.com > From mccoy at communities.com Thu Mar 7 02:00:26 1996 From: mccoy at communities.com (Jim McCoy) Date: Thu, 7 Mar 1996 18:00:26 +0800 Subject: Jump Start ecash With IPhone Message-ID: Duncan Frissell writes: >At 11:37 AM 3/6/96 -0800, Jim McCoy wrote: >> 2- The phone companies (actually ACTA, the telco lobby) petitioned >> the FCC on Monday to regulate the Internet phone software >> companies. >> >>IP phone systems themselves may need to move underground just to >>escape regulation. OTOH, there is nothing to prevent people from >>building their own systems once some free software is out there... > >That would be a super neat trick since the LD business is currently >deregulated (and in fact was never a government monopoly) and the local loop >is in the process of deregulation, and Vocaltec is in some senses an Israeli >company anyway and need not have a presence in New Jersey if it doesn't >want do. > The regulation in question was regarding things like local/state/federal telecom taxes and levies, and all of the BS hoops that LD carriers must jump through. Regarding where such companies are located, I am also at a loss as to how this recent action will be enforced; that does not necessarily mean that a bureaucrat somewhere will not try to do something stupid. Just because LD is "deregulated" does not mean that it is without any governmental oversight, much as I wish it were... LD companies still have to pay certain taxes (take a look at your next phone bill, they are clearly listed in addition to your actual phone charges) and I am certain that they have entire office buildings stuffed with drones filling out paperwork for Uncle Sam... jim From dee at cybercash.com Thu Mar 7 02:05:01 1996 From: dee at cybercash.com (Donald E. Eastlake 3rd) Date: Thu, 7 Mar 1996 18:05:01 +0800 Subject: DNSSEC (was: A brief comparison of email encryption protocols) In-Reply-To: Message-ID: On Tue, 5 Mar 1996, Carl Ellison wrote: > Date: Tue, 5 Mar 1996 00:34:41 -0500 > >From: Adam Shostack > >Subject: Re: A brief comparison of email encryption protocols > >To: ericm at lne.com (Eric Murray) > >Date: Mon, 4 Mar 1996 21:18:41 -0500 (EST) > >Cc: ericm at lne.com, perry at piermont.com, cme at cybercash.com, warlord at mit.edu, > > lgl at qualcomm.com, Cypherpunks at toad.com > > ... > > > >| Along those lines, I was envisioning adding a KEY RR type to > >| DNS, and using it to maintain pointers to keyservers. > > > >[...] > >| This sounds so obvious that I'm sure that I'm not the first > >| or even the tenth person to think of it, and in fact I > >| see a KEY RR type defined in the BIND 4.9.3BETA17 source. But > >| there's just a type there, nothing else to support it. > >| Anyone know what it's for? > > > > Donald Eastlake is writing the spec for storing keys in > >nameservers. Its in the process of moving to draft standard; there > >will probably be something about it after LA. I think its: > > > >ftp://ds.internic.net/draft-ietf-dnssec-secext-09.txt actually its in /internet-drafts/draft-ietf-dnssec-secext-09.txt on any of the IETF shadow directory machines such as ftp.isi.edu or ds.internic.net via ftp. It's up for Internet Proposed Standard and tehre were no objections at the DNSSEC working group meeting this morning. It provides for KEY RRs and SIG (signature) RRs. I recommend people check it out. > >Adam > > > >-- > >"It is seldom that liberty of any kind is lost all at once." > > -Hume > +--------------------------------------------------------------------------+ > |Carl M. Ellison cme at cybercash.com http://www.clark.net/pub/cme | > |CyberCash, Inc., Suite 430 http://www.cybercash.com/ | > |2100 Reston Parkway PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 | > |Reston, VA 22091 Tel: (703) 620-4200 | > +--------------------------------------------------------------------------+ Donald ===================================================================== Donald E. Eastlake 3rd +1 508-287-4877(tel) dee at cybercash.com 318 Acton Street +1 508-371-7148(fax) dee at world.std.com Carlisle, MA 01741 USA +1 703-620-4200(main office, Reston, VA) http://www.cybercash.com http://www.eff.org/blueribbon.html From djw at vplus.com Thu Mar 7 02:12:06 1996 From: djw at vplus.com (Dan Weinstein) Date: Thu, 7 Mar 1996 18:12:06 +0800 Subject: Boycott "Applied Cryptography" and AT&T and RSA In-Reply-To: <199603062058.MAA28987@jobe.shell.portal.com> Message-ID: <313e7e12.5256043@mail.vplus.com> On Wed, 6 Mar 1996 12:58:20 -0800, you wrote: >Bruce Schnier (Author of applied cryptography) and Matt Blaze (Who >is a crypto bigwig at at&t) have made it clear that they support >key escrow. Both have written letters in favor of the new crypto >law, it creates a key escrow system and also other restricts on >crypto. The letters are on the CDT homepage and i think were >posted here. > >WHAT THE FUCK?????????????????????????????????????????? > >EFF, EPIC, VTW and almost everyone else (except for Bizdos at RSA, hmmmm) >have all come out against this piece of shit. But with these so called >experts baking it it could pass anyway. > >Maybe the ltrs are a forgery? We should ask them, and if this is true, LETS >SEND THEM A MESSAGE!!!!!!!! SWITCH YOUR PHONE SERVICE AND TELL AT&T WHY!!! >STOP RECOMMENDING APPLIED CRYPTO (THERE ARE EASIER BOOKS ANYWAY). DEMAND >THAT THESE PEOPLE STOP GIVING AWAY YOUR RIGHTS!!!!!!!!!!!!!!!!!!!!!!!!!!! > >their addresses are > schneier at counterpane.com > mab at crypto.com > jim at rsa.com Don't you think you should read the bill prior to condmening those that support it? The bill states "Americans should be free to lawfully use whatever particular encryption techniques, technologies, programs, or products developed in the marketplace they desire in order to interact electronically worldwide in a secure private, and confidential manner;" The bill gives everyone the right to use whatever publically available encryption scheme they chose. The provisions you refer to about key esrow simply require the escrow agent to be responsible in handling your key, this provision is to protect those that DICIDE VOLUNTARILY to escrow keys. In fact, the escrow agent would be criminally liable for handing your key over to someone without a court order. Your assertion that everyone and his borther has rejected the bill is simple non-sense. The VTW and EPIC web pages contain positive, if not rave reviews of the bill. Dan Weinstein djw at vplus.com http://www.vplus.com/~djw PGP public key is available from my Home Page. All opinions expressed above are mine. "I understand by 'freedom of Spirit' something quite definite - the unconditional will to say No, where it is dangerous to say No. Friedrich Nietzsche From tcmay at got.net Thu Mar 7 02:19:40 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 7 Mar 1996 18:19:40 +0800 Subject: Fractals, Cellular Automata, and Encryption Message-ID: Note: I have changed the thread title from the meaningless "Signature" (meaningless to this context) to something I think is more appropriate. Someone recently wrote to me asking why I so often change thread names, as, in his words, "it screws up the threading in my reader." Well, I think accurately labelled articles are more important that having a reader place an article in its "correct" position when the themes have changed so much. I urge all of you to think about what your article says and what the most accurate name is for it. By all means leave the name the same if you want, or if the Hamming distance is not too great. But if the topic has changed away from the name given by default, then _change_ the name to reflect the topic at hand. On to the actual article: At 11:54 PM 3/6/96, Mark M. wrote: >On Tue, 5 Mar 1996, Charles Choi (SAR) wrote: > >> 1) Is it possible to base a privacy key ( e.g. PGP ) on a fractal >> equation, instead of an algorithm based on two primes? >> This would allow for an eternal level of complexity due >> to infinite field of depth one can find as one 'zooms in' >> closer ( correct me because I'm wrong; I'm not a math major, >> although increasingly I wish I was... ), allowing for near >> unbreakable privacy of information. > >The fact that the private key is based on fractals rather than prime numbers >really doesn't make a difference. Fractals are not random, and do in fact, >have a pattern. The Mandelbrot Set, for instance, can be expressed in a >few bytes of information even though it is infinitely complex. Therefore, >the fractal has extremely low entropy making it a bad choice from which to >obtain random data. Besides these points, something missing from cellular automata-based crypto schemes is this: invertibility with a different key than was used to encrypt. That is, in any fractal or cellular automata-based schemes I have seen, a generator iterates a data set, transforming it into something which appears to have "no resemblance" to the original data set. The problem is that there is no second key, the decryption key (or "private" key) which reverses the process and recovers the original data set. That is, it is certainly possible to get some "messy" output by running a cellular automata (think: "the Game of Life" as an example) on an input. An attacker would be hard-pressed to determine the starting pattern if given the nth generation! So far, so good. The problem is that the _recipient_ would also have a hard time determining the starting pattern! And a more detailed wrinkle is this: at best, the system would be a single-key or symmetric system, losing the advantages of a public key system. At worst, the scrambled message could _never_ be recovered, as no inverse can be found of the CA. (In CA research, finding a starting pattern from some nth generation is known as the "Garden of Eden" problem, for reasons I won't get into here. Clearly, some CAs have no single inverse, as multiple inputs map into the same output--again, think of "Life.") Steven Wolfram had some speculations about using fractal or cellular automata-based systems for a new kind of cipher. His paper is in one of his books ("Theory and Application of Cellular Automata"), but it doesn't really get beyond just speculating. And, I recall that someone proved several years ago that Wolfram's CA-based encryption scheme was formally equivalent to a linear congruential generator. I think I included a few paragraphs on this topic in my Cyphernomicon. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From froomkin at law.miami.edu Thu Mar 7 02:26:26 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Thu, 7 Mar 1996 18:26:26 +0800 Subject: new netscape servers In-Reply-To: <313D5C6A.6A4A@netscape.com> Message-ID: On Wed, 6 Mar 1996, Jeff Weinstein wrote: > Alex Strasheim wrote: > > But that doesn't mean we're powerless. I think we ought to: > > > > (1) form a new non-profit low cost CA > > I encourage you and anyone else who is interested to do this if you want > to. However I do suggest that you consult a lawyer, since there may be > liability issues involved. There are a lot of big and medium sized companies Oh boy are there liability issues. Talk to me if you seriously want to know a lot more. (My paper on this will be out soonish....) > that are entering or about to enter this market. I'm sure there is room for > some lean low cost ones too. A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here. From JonWienke at aol.com Thu Mar 7 02:26:38 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Thu, 7 Mar 1996 18:26:38 +0800 Subject: Boycott "Applied Cryptography" and AT&T and RSA Message-ID: <960307014209_343625184@emout05.mail.aol.com> >Bruce Schnier (Author of applied cryptography) and Matt Blaze (Who >is a crypto bigwig at at&t) have made it clear that they support >key escrow. Both have written letters in favor of the new crypto >law, it creates a key escrow system and also other restricts on >crypto. The letters are on the CDT homepage and i think were >posted here. Whoever wrote this crap is an idiot. In the preface of Applied Cryptography, (Page xx) on the subject of government key escrow, Schneier states: "Some dangerously Orwellian assumptions are at work here: that the government has the right to listen to private communications and that there is something wrong with a private citizen trying to keep a secret from the government. ...this is the first time people have been forced to make themselves available for surveillance. These initiatives are not simple government proposals in some obscure area; they are pre-emptive and unilateral to usurp powers that previously belonged to the people. Clipper and Digital Telephony do not protect privacy; they force individuals to unconditionally trust that the government will respect their privacy. ... The lesson here is that it is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics. Encryption is too important to be left solely to governments." Schneier goes on to state that the purpose of the book is to ensure that people will have access to strong crypto, even if it is outlawed. It is hard to interpret this as support for government key escrow. Check your facts before slandering people. Jonathan Wienke From boykin at pobox.com Thu Mar 7 02:30:50 1996 From: boykin at pobox.com (Oscar Boykin) Date: Thu, 7 Mar 1996 18:30:50 +0800 Subject: crypto ++ where? Message-ID: <2.2.32.19960307063219.0097bc70@fitten95.residence.gatech.edu> How can I obtain crypto++, I seem to have deleted the email I had reguarding it. any info would be appreciated. thanks. oscar boykin mailto:boykin at pobox.com http://pobox.com/~boykin home: 404-206-0477 From clarissa_wong at alpha.c2.org Thu Mar 7 02:37:58 1996 From: clarissa_wong at alpha.c2.org (Clarissa Wong) Date: Thu, 7 Mar 1996 18:37:58 +0800 Subject: Jump Start ecash With IPhone Message-ID: <199603070638.WAA11611@eternity.c2.org> > ... With net-phone projects like Free World Dialup ... My thanks to "Declan B. McCullagh" for his timely and informative reply. I am somewhat embarrassed to see the inadequacy of my homework but appreciate the lesson. A web search on "Free World Dialup" yielded several tasty URLs, including: http://www.pulver.com/fwd/ and: http://www.bekkoame.or.jp/~brandon/fwd/servinfo.html These people possess both a subtlety of purpose and an organizational capability that exceed my initial ham-handed efforts, yet their cognizance of the value of ecash is uncertain. > FCC PETITIONED TO STOP MISUSE OF THE INTERNET! It's not surprising that the ACTA coalition chose to solicit their armed friends to protect them from superior technology. But events are unfolding faster than I anticipated. Jim McCoy pointed out that: > 1- Chaum did not have the clue to pick up on this when two > cypherpunks (who shall remain nameless...) pitched this > and several other ideas to involve ISPs in jump-starting ... I don't know about Chaum but perhaps now one can work around the ISPs, making the game accessible to anyone with a spare computer and some spunk. Sometimes for as little as $20. / month one can buy unlimited 28.8 PPP access. With the proper voice modem, two phone lines, and some software, perhaps Joe's Homebrew International Phone Service can go into business. CW From erc at dal1820.computek.net Thu Mar 7 02:43:55 1996 From: erc at dal1820.computek.net (Ed Carp) Date: Thu, 7 Mar 1996 18:43:55 +0800 Subject: What's anyone know about Teledyne Electronic Technologies? In-Reply-To: <960307014224_343625326@mail04.mail.aol.com> Message-ID: On Thu, 7 Mar 1996 JonWienke at aol.com wrote: > >Teledyne (TET) is out marketing a "new" crypto system as a competitor > >against DES and what TET calls "linear" cryptosystems. They are claiming > >a non-linear approach in which (as best I can tell) they are permuting > >the s-boxes and using 4 bit/16 entry substitution tables. > > Dont trust it unless you are a good cryptanalyst and have a copy of the > source code. Most commercial crypto products are crap. You'd be surprised how many of them are doing the "message XOR key" stuff that so many of us wrote when were, as Roy Scheider put it in 'Blue Thunder', "young and stupid". Also, S-boxes are a fancy way of getting yourself into a lot of trouble while promoting a false sense of security - they are *very* hard to get right, and it takes a lot of work to prove that you haven't introduced a weakness with the "improvement". See "S-Box Design" in Schneier's book, page 349 for a good intro to designing such. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes The mark of a good conspiracy theory is its untestability. -- Andrew Spring From stewarts at ix.netcom.com Thu Mar 7 03:00:27 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 7 Mar 1996 19:00:27 +0800 Subject: Jump Start ecash With IPhone Message-ID: <199603070739.XAA23003@ix2.ix.netcom.com> At 12:26 AM 3/6/96 -0500, "Declan B. McCullagh" wrote: >WASHINGTON, March 4 /PRNewswire/ -- The America's Carriers >Telecommunication Association (ACTA), a trade association of >competitive, long distance carriers today petitioned the Federal >Communications Commission (FCC) to stop companies from selling >software and hardware products that enable use of the Internet to >voice long distance services. .... >CONTACT: Charles H. Helein, general counsel, 703-714-1301, or Jennifer Durst- >Jarrell, executive director, 407-332-9382, both of America's Carriers >Telecommunication Association Their complaint was that Internet time, at $2/hour, is 3.3 cents/minute, far cheaper than the 22 cents/minute many of them are charging. (The real price is, of course, double that, 6.6cents, because both ends of the connection need Internet connections.) I assume they're hoping that the FCC won't know that the "hardware and software products" are the sound cards that almost every new PC sells with and software ranging from $50 down to free, and offers encryption which they don't, as well as voice quality ranging from worse to much worse to better. Some of the software works over the Internet, some chooses to get better voice quality over direct modem connections (which use their services.) They're also sleazing over the issue that many businesses are using low-bit-rate voice on their private networks to squeeze more voice calls into the networks they buy at bulk rates, most of which are billed at rather less that 22 cents/minute. If you're fitting four 16kbps calls into the 64kbps standard voice circuit, and you're paying 12 cents/minute, that's 3 cents/minute/call. And _really_ big bulk-buying customers are paying a lot less than 22 cents - I read in the papers that the Federal Telephone System is under 5 cents/minute. Bill Stewart P.S. Yes, I work for one of their competitors, though I'm not in the voice business, and not speaking for my employer. Aside from being a concerned citizen, and a voice telephone service customer who objects to companies that try to use the government to stomp their competitors instead of competing against them freely, I'm also an Internet user. Yes, the Internet is providing lots of new and exciting communications possibilities, and if you're worried that people are going to use the Internet for low-cost un-wiretappable encrypted phone calls that sound worse than ham radio and allow folks in third-world countries to better afford communications, go into the Internet business yourself. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # From wlkngowl at unix.asb.com Thu Mar 7 03:18:10 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Thu, 7 Mar 1996 19:18:10 +0800 Subject: art-stego Message-ID: <199603050914.EAA01262@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- JonWienke at aol.com wrote: > Another thing--just a wild idea--test the randomness of encrypted data > storing it in an 8-bit mono .WAV (your choice of sample rates) file and > listening to it. Any correlations or patterns in the data should show > the playback as hums, clicks, squeals, or something. It may even be > to determine the algorithm by the sound patterns--a sort of "audio > cryptanalysis." Has anyone tried this? Are there any .WAV stego > out there? s-tools is an audio stego utility(s), but I've not used it. As for testing methods, noise spheres are an interesting graphical method for testing randomness (check the archives from late Dec/early Jan, I posted a short Turbo Pascal program that implements them). I'm not entirely sure if noise spheres will capture any crypto-relevant correlations, but it seems worth investigating. The reference to the article on noise spheres and other graphical methods for testing PRNGs is: Pickover, Clifford A. 1995. "Random number generators: pretty good ones are easy to find." The Visual Computer (1995) 11:369-377. - --Rob - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMTwF5ioZzwIn1bdtAQG/ogF5AdudaHeEb+b2eOWs/XA3ZCIYGKrW1alg abs4UNS5OC2jjqr5UPfrVq5LB8lMwLS7 =OjB4 -----END PGP SIGNATURE----- From nobody at REPLAY.COM Thu Mar 7 06:16:26 1996 From: nobody at REPLAY.COM (Anonymous) Date: Thu, 7 Mar 1996 22:16:26 +0800 Subject: Announce: 155mbps ATM 3DES crypto gateway Message-ID: <199603071341.OAA29152@utopia.hacktic.nl> Secant Network Technologies announces: The Key Agile Encryption System is an affordable perimeter security system that provides privacy through high speed cryptography for information traversing public Asynchronous Transfer Mode networks. The cryptographic units function as "bump in the fiber" security interfaces between a secure LAN and a public network. As data crosses this interface, the system encrypts each ATM cell's payload without affecting the header. Encrypted cells pass through the public network infrastructure and are decrypted upon arriving at the destination LAN. The benefit is that the user can conduct business as usual within the LAN and only encrypt the data as it enters the non-secure public network (or non-secure area of a LAN). Many individual workstations, servers or other end nodes may be protected by a single encryption unit. The system provides privacy and access control guarantees when using public ATM networks today, eliminating the need to wait for implementation and availability of pending ATM Forum security standards. System operation is transparent to all network and end user systems. Available: summer 1996 Physical interfaces: single mode SONET OC-3c, multi mode SONET OC-3c, T3 carrier, T1 carrier. Key management: proprietary method, transparent to network and end user equipment, compliant with UNI 3.0/3.1 specifications. SVC's handled transparently, PVC support available. Public key based authentication. PKCS and X.509 compliant public key certificates are supported. Dynamic key update based on policy - transparent to end systems. Key agility: up to 65,534 active VC's per cryptographic unit. Each active VC has a unique key. Encryption algorithms used: triple DES for cell payload encryption, triple DES, RSA, and MD5 for key management. DES mode agility: single DES, 3DES ECB or 3DES long cycle chaining. True hardware random number generation (Johnson noise). Performance: full duplex encryption/decryption at the OC-3c (155Mbps) rate. Key management support for up to 35 secure calls per second Approximately 16 microseconds latency. See: http://www.secantnet.com/ for more details and for contact information. Based on over 2 years of ARPA funded research: http://www.mcnc.org/HTML/ITD/ANT/Enigma2.html From stewarts at ix.netcom.com Thu Mar 7 06:26:22 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 7 Mar 1996 22:26:22 +0800 Subject: Bombings, Surveillance, and Free Societies Message-ID: <199603060542.VAA28879@ix9.ix.netcom.com> At 07:41 PM 3/4/96 -0800, Tim wrote: >Let me use the language Bill Stewart used a while back, language which >skirts the issue of "right" and "wrong" even more neatly than I did (when I >said the Jews were "asking for trouble"): > >"If a religious group uses force to expel the current occupants of a desert >region, and expels them to just beyond their borders, it is "unsurprising" >that those expelled, and their children, and their children's children, >will swear a blood oath to drive the group into the sea." That wasn't me, though I've said similar things about terrorism against governments - those that go out of their way to attack and harass people shouldn't be surprised when people attack them in return. From stewarts at ix.netcom.com Thu Mar 7 06:33:14 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 7 Mar 1996 22:33:14 +0800 Subject: Looking for code to run an encrypted mailing list Message-ID: <199603060542.VAA28896@ix9.ix.netcom.com> >John Pettitt wrote: >> Poster cryptes mail with pgp using list exploder key. List exploder decrypts >> mail and recrypts with keys for all current list members and then sends the >> mail. At 09:24 PM 3/4/96 -0800, abostick at netcom.com (Alan Bostick) suggested having the mailing list handler decrypt the session key using its private key, and re-encrypt with the public keys of the list members, but not do the IDEA decryption and re-encryption N times of the message body. This has the further advantage that the cleartext message body is never sitting around on the server where it might end up in swap space or file system leftover blocks. On the other hand, it really only costs you one IDEA encryption if you want to use the multiple-recipients options to PGP. With the current PGP, this means you don't have to hack your own crypto code; the toolkits in PGP 3.0 will make that easier, though. >> [I don't want all the list members to need to know every other list members >> public key] The multiple-recipients PGP doesn't give away everyone's public keys, only their keyIDs. If you want to remain pseudonymous, just create a public key that you use only for subscribing to the list. (Hmmm - multiple recipient support probably makes stealth-PGP harder to implement...) From eggplant at inlink.com Thu Mar 7 06:35:04 1996 From: eggplant at inlink.com (eggplant) Date: Thu, 7 Mar 1996 22:35:04 +0800 Subject: Hmmm Message-ID: -----BEGIN PGP SIGNED MESSAGE----- >(Lots of stuff deleted) > >>I attended last weeks "Information, National Policies, and International >>Infrastructure" Symposium at Harvard Law School, organized by the Global >>Information Infrastructure Commission, the Kennedy School and the >>Institute for Information Technology Law & Policy of Harvard Law School. > >>During the presentation by Paul Strassmann, National Defense University >>and William Marlow, Science Applications International Corporation, >>entitled "Anonymous Remailers as Risk-Free International Infoterrorists" >>the questions was raised from audience (Professor Chaarles Nesson, >>Harvard LAw School) - in a rather extended debate - whether the CIA and >>similar government agencies are involved in running anonymous remailers >>as this would be a perfect target to scan possibly illegal messages. > >>Both presenters explicitly acknowledged that a number of anonymous >>remnailers in the US are run by government agencies scanning traffic. >>Marlow said that the government runs at least a dozen remailers and that >>the most popular remailers in France and Germany are run by the >>respective government agencies in these countries. In addition they >>mentioned that the NSA has successfully developed systems to break >>encrypted messages below 1000 bit of key length and strongly suggested >>to use at least 1024 bit keys. They said that they semselves use 1024 >>bit keys. > >>I ask Marlos afterwards if these comments were off or on record, he >>paused then said that he can be quoted. > >>So I thought I pass that on. It seems interesting enough, don't you >>think? > >(more stuff deleted) > > I don't know about everyone else, but I consider this, if true, to be a >MAJOR worry. It never ceases to amaze me how lightly the government takes >lying to the people. Unfortunately I don't have the contacts or resources >to do any further investigation, I hope this thread is resolved one way or >another soon. > >nobody at unimportant Ther is always the posibility of disinformation. That is one of the governments specialties. I'm not saying the posibility isn't there, I'm sure there are anon remailers run by the government. An I remember from a show on PBS I watched months ago in which someone from inside the CIA said that the government does actively monitor the Internet and has for a long time. The thing to remember is to PGP your important mail and sign everything.... -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMTvIw4WnykIBM1nhAQEnpAgAjVDhjgKrLQWxzRIL6nc8WQLCOLxTkGI7 ybr6cse/ARbdhNv+FD+XHEEtXngxA+p45jJHUE4OHyIKUTy6AVa3wi1U5DlBmTB8 XbFHF4YwTwpMhBpBnGl5iBMwO3ZYrtQ/3SE4mIi99DhVzpQHywlJeo0DbHAdrPJU UunZF0nhZyz0ycCQWMJ8yZL6iVkuZXnCkZfMjNtMIttEgh+I/R3hRiGNisZPJQvX krbrJsRZhpYv7Fk72zXD9YxqizczJuom63jPQNqkUK/XqfuulQD4b632BS1gmhNc jHwLw9tUkV5bne2digLe5FDL2Jxhi7TsZ56MzAgB8D8SDBf/I6Dphw== =XBqQ -----END PGP SIGNATURE----- -- "... In Germany they first came for the Communists and I didn't speak up because I wasn't a Communist. Then they came for the Jews, and I didn't speak up because I wasn't a Jew. Then they came for the trade unionists, and I didn't speak up because I wasn't a trade unionist. Then they came for up because I wasn't a trade unionist. Then they came for Catholics, and I didn't speak up because I was a Protestant. Then they came for me-and by that time no one was left to speak up..." Pastor Martin Niemoller ++++++++++++ ************************************** * Matthew Murphy ------------ eggplant at inlink.com * ---------- * http://www.inlink.com/~eggplant * The Web page is under construciton at this time though.. * Please don't mind the mess.... * ************************************** ++++++++++++ finger eggplant at inlink.com for my PGP key. From tcmay at got.net Thu Mar 7 06:39:34 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 7 Mar 1996 22:39:34 +0800 Subject: Another Motivation for the CDA Message-ID: Given that Sen. Fineswine is one of the strongest supporters of gun confiscation, and that she had this to say about the Telecom Bill: "Sen. Feinstein (D-CA) Mrs. Feinstein: Mr. President, I rise in support of the conference report for the Telecommunications Act of 1995. This legislation establishes real progress on important issues and I am pleased to provide my support. Senator Exon's provisions to control access to indecent materials will require the operators of computer networks, like America Online, to screen out indecent materials for children." I think we need to look at another motive, or at least another effect, of the CDA's felonization of "indecent" speech (uttering the words "fuck" or "shit," or doing a large number of other such things, where any minor could possibly see these words, is a felony. Not a misdemeanor, a _felony_. No felon may own a gun legally in California, for some period of time after conviction. I presume similar laws apply in other states. (Of course, a lot of real criminals own all sorts of guns, but at least the "indecent speakers" will have their existing guns removed from them and will be unable to buy new ones for some number of years after their convictions.) Therefore, one think to think about is that a felony conviction for violation of the CDA will result in one being disarmed (of the ones they know about). Duncan Frissell frequently regales us with tales of how he has made himself "judgment-proof." More power to him, but it doesn't make me feel any better. Fineswine, Schroeder, and similar such vermin have probably figured out that by felonizing dirty words they have another tool to use in the disarming of America. When nearly everyone is a criminal, in the eyes of the law, then the populace is well and truly under their thumbs. The good news is that I can probably get off of jury duty pretty simply by saying "But I'm a felon." (Even if they ask for details, about my conviction, merely by explaining why I answered this way I'll doubtless be excused.) Of course, I haven't been called for jury duty and actually had to report for selection since 1973, so I must be in their file of Undesirables already. --Tim May, a fucking felon Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From frissell at panix.com Thu Mar 7 07:14:29 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 7 Mar 1996 23:14:29 +0800 Subject: new netscape servers Message-ID: <2.2.32.19960307143422.0073f934@panix.com> At 01:29 AM 3/7/96 -0500, Michael Froomkin wrote: >Oh boy are there liability issues. Talk to me if you seriously want to >know a lot more. (My paper on this will be out soonish....) > However, a CA operating outside the licensing structure of current CA's would have very low costs and hence no investment to lose in litigation. Costs would be almost entirely marketing related and as long as you stayed out of jurisdictions with some of the new CA law, no regulatory costs or barriers. DCF From frissell at panix.com Thu Mar 7 07:31:09 1996 From: frissell at panix.com (Duncan Frissell) Date: Thu, 7 Mar 1996 23:31:09 +0800 Subject: Jump Start ecash With IPhone Message-ID: <2.2.32.19960307143411.0074be14@panix.com> At 09:49 PM 3/6/96 -0800, Jim McCoy wrote: >Just because LD is "deregulated" does not mean that it is without any >governmental oversight, much as I wish it were... LD companies still >have to pay certain taxes (take a look at your next phone bill, they are >clearly listed in addition to your actual phone charges) and I am certain >that they have entire office buildings stuffed with drones filling out >paperwork for Uncle Sam... > >jim > Granted. Of course it is quite a jump to claim that a software program is a "Long Distance Carrier." If I run Winsock on my machine and a Winsock application like Iphone, if anyone is the LD carrier, *I* am because I am digitizing my voice and doing the first part of the switching necessary to send the packets on their way. Maybe the FCC should bust *me* for practicing telecommunications without a license. It would make for an interesting case. DCF From jimbell at pacifier.com Thu Mar 7 07:45:15 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 7 Mar 1996 23:45:15 +0800 Subject: Lawz to be. Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 07:31 PM 3/6/96 -0500, A. Padgett Peterson P.E. Information Security wrote: >Cut & Paste >> "�2804. Unlawful use of encryption to obstruct justice" >> "Whoever willfully endeavors by means of encryption to obstruct, >... > >>In any case, assuming they either never made the error you noticed, or they >>manage to correct it before the bill becomes law, they will have just >>outlawed the used of encrypted remailers, because: > >No, what the wording seems to outlaw was the use of encryption to obstruct >the commission of the crime, not the investigation. Read it again please. The wording of the paragraph is stilted and probably poorly written, as you noticed and as I've acknowledged. Nevertheless, I think my objections are still valid: If they get what they want, it will be possible for the government to _make_ encrypted remailers guilty of a crime, under the hypothetical scenario I mentioned before, with minor modifications depending on the law's exact phrasing. The potential problem still exists. In my opinion, if the underlying act they are describing is really illegal, and they can back up their claims with evidence, they should prosecute that act, NOT the use of encryption. Yet another problem is that while the use of encryption today is comparatively rare and you have to go out of your way to use it, presumably we anticipate that both hardware and software developments will make use of encryption routine and ignorable. Imagine a world in which it was as difficult to NOT use good encryption as it is now to use it: The government would suddenly be able to tack on another charge to just about every major crime. Is that what you really want? >>> Suspect they meant to say "...obstruct (etc) the investigation of a >>>felony..." > >>Probably. This section is their wish-list to Santa Claus. It's easy to >>make mistakes when you're excited about something. They're hoping you >>suckers will support the whole bill despite this booby-trap. > >Thought the gotcha was down in the part about the Secretary of Commerce. Well, I disagree. There may, indeed, be a "gotcha" THERE, too, but I don't think that's the main one. >My reading is that the secretary will still be required to grant >approval for commercial export. Is past the part about no regulation >inside the US (which is true now - still would be nice to see a "Congress >shall make no law..."). This is yet another reason that I'm opposed to this bill. The "gains" we supposedly get are mostly re-statements of rights we already possess, but which the government has tried and mostly failed to curtail. Why should we reward these people for stopping their attempts to steal from us? > The puzzler is the requirement that a com perable >foreign product must exist before permission to export will be granted. >Will this be like "comparable product" price matching in discount houses ? >Somehow there never is one... That's another thing to be afraid of. We're dependant on their interpretation of the law, and there's no reason to believe that they'll be generous once they have what they want. >ps did you mean the Thomases and Memphis ? Not aware of similar > prosecution in Oklahoma. My recollection of the details may be in error, but the principle and the problem remains: The government clearly is willing to use a tactic which fabricates a crime, turning the victim into the "criminal." There is no reason to believe that they won't try the same thing the moment a new "crime" is defined of using encryption. >Besides my understanding was that the online > stuff was dropped, the conviction was for stuff sent through the mails. > Is that incorrect ? Is this relevant? I mean, have YOU ever been prosecuted for a crime before? Especially one that you didn't intend to commit? Do you know how much it costs to defend yourself, even before the trial? Do you know how much a trial will cost you? Did you know that you aren't reimbursed if the verdict is "not guilty" or the charges are dropped? This is called "deterrence", dammit! Encrypted remailers aren't in it for the money. They don't have a "legal budget." They would be severely dissuaded if there was even a possibility that the government could decide to start harassing them. Surely you see that! Jim Bell jimbell at pacifier.com Klaatu Burada Nikto -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMT751/qHVDBboB2dAQGZMQP/fJ7SMKwvZEZjg3KGgF1WE7jtYnetMv9+ v/4+0ezJ4GVRt0rkPX1YGjJxpQEk73d+J78zxHi87hQq8WBXRz4pNWGBGRMu0iqG fk0N2FTXxIFivsqu0vZLW5zVYs0W9v1ZGN4jFQ3vYCMIhzP8ig8gQrATOnag1Vmu EPUZdCnsAxw= =1OLz -----END PGP SIGNATURE----- From PADGETT at hobbes.orl.mmc.com Thu Mar 7 08:07:14 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Fri, 8 Mar 1996 00:07:14 +0800 Subject: Anonymous remailers and Leahy bill Message-ID: <960307102609.2020616c@hobbes.orl.mmc.com> >I am assuming they fix the obvious error in the phrasing above. Until they do, we can only guess at the intent. >"Thanks for the use of your nifty anonymous remailer. Under a different >name, I intend to use this remailer (along with others) to transmit child >pornography, plot terrorism, and do all of my drug deals. You've made my >life so much more secure!" At this point, Bob has no choice other than to reply with: "I assume you are joking however since what you have stated is in violation of numerous laws, we have no choice other than to disable your account. If we find that illegal acts have been committed using this remailer, we will have no choice other than to report such actions." Anyone stupid enough to make a statement like this deserves to be disabled. >At that point, Bob is GUILTY of violation of the Leahy bill, because his >encrypted anonymous remailer: No, if Bob were to follow the above scenario, he would already be guilty of terminal stupidity. >So maybe the word gets out, occasionally. At that point, usage of anonymous >remailers declines, and people willing to risk operating one declines. A >few come up which are run by the Feds, which log anyone who attempts to use >it... Declines ? They are only protection from amateurs. Do you really not believe that everything in and out of anon.penet.fi & others is not monitored *at the ISP/carrier level* ? Warmly, Padgett From owner-cypherpunks at toad.com Thu Mar 7 08:53:37 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 8 Mar 1996 00:53:37 +0800 Subject: No Subject Message-ID: Ayse Sercan wrote: > At any rate, if I were the mother, and my kid was being led away by a > clerk who could have been the very pervert who thought that those nude > pictures meant child pornography, I'd certainly do everything in my power > to protect my child from such an individual. That's rediculous. The mother did not flip because Zona led the child away. The mother flipped when asked about the photos. This caused Zona to not want the child to see argument. The mother just has serious problems in general. She feels justified in trashing the place and throwing the lamp, which is why she refused the punishment and took 30 days in jail. She, in the presence of her child, was wrong to get violent. She has a lack of control. -- 617/253-6515 http://grim.media.mit.edu From m5 at dev.tivoli.com Thu Mar 7 09:25:06 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Fri, 8 Mar 1996 01:25:06 +0800 Subject: forwarded message from Kendall Collett Message-ID: <199603071544.JAA07912@kenya.tivoli.com> Boy, this net filtering sure is high-tech. ------- start of forwarded message (RFC 934 encapsulation) ------- From: Kendall Collett To: m5 at dev.tivoli.com (Mike McNally) Subject: IO is officially bad (was Re: clavicle) Date: Thu, 07 Mar 1996 09:42:28 -0600 Message-Id: <9603071542.AA20096 at ker-plop.tivoli.com> In-Reply-To: Your message of Fri, 01 Mar 1996 12:36:39 CST. Reply-To: Kendall Collett [homepage on IO] BTW, did you hear that IO got on the SurfWatch "bad list" because there were more than 25 complaints about objectionable material in the io.com domain. (Apparently, when SurfWatch hears more than 25 complaints against a particular domain, the just deny access to the whole domain rather than particular URLs.) Kendall ------- end ------- ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * * suffering is optional From perry at piermont.com Thu Mar 7 09:33:01 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 8 Mar 1996 01:33:01 +0800 Subject: SEAL cipher info requested (something actually list related!) In-Reply-To: Message-ID: <199603052114.QAA07081@jekyll.piermont.com> Christopher Allen writes: > At 4:27 PM 1/27/96, Anonymous wrote: > >Anybody have info on the SEAL cipher? I can't find any > >descriptions or analysis of it. Refs, proceedings or URLS > >would be a good thing. > > I also am interested in references to it. > > I'm told that it was invented by a cryptographer at IBM, and that it > patented, so that should help in the search. Its a Don Coppersmith creation. It is blazingly fast. I believe it is patented. Perry From uunet!in2.uu.net!newsfeed.internetmci.com!news.emeraldis.com!news.emeraldis.com!not-for-mail at warwick.com Thu Mar 7 09:35:28 1996 From: uunet!in2.uu.net!newsfeed.internetmci.com!news.emeraldis.com!news.emeraldis.com!not-for-mail at warwick.com (Gary Beihl) Date: Fri, 8 Mar 1996 01:35:28 +0800 Subject: test message Message-ID: <4hkfg8$i0m@jade.emeraldis.com> This is a test message... .. ignore it. From uunet!in2.uu.net!gatech!newsfeed.internetmci.com!lamarck.sura.net!mother.usf.edu!luna!panagopo at warwick.com Thu Mar 7 09:35:34 1996 From: uunet!in2.uu.net!gatech!newsfeed.internetmci.com!lamarck.sura.net!mother.usf.edu!luna!panagopo at warwick.com (uunet!in2.uu.net!gatech!newsfeed.internetmci.com!lamarck.sura.net!mother.usf.edu!luna!panagopo at warwick.com) Date: Fri, 8 Mar 1996 01:35:34 +0800 Subject: Your Mama's so...... In-Reply-To: <312BF238.4F69@tyrell.net> Message-ID: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaak From JonWienke at aol.com Thu Mar 7 09:35:59 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Fri, 8 Mar 1996 01:35:59 +0800 Subject: Bootable disks Message-ID: <960306145542_239131693@emout09.mail.aol.com> I recently installed an IDE version of the Syquest EZ 135 hard drive for a client. Since it is a fully functional hard drive, it is bootable, unlike the parallel port model. The biggest advantage to this type of drive is that the cartridge (and any potentially incriminating data) can be quickly removed and destroyed (burn it, smash it with a large heavy object, insert it into a bulk eraser) or taken to a secure location for storage. Also, this type of drive provides an excellent place to put swap files, which have an annoying tendency to pick up sensitive data. That is less of a problem if you can remove the cartridge and store it in a secure location when not processing sensitive data. Jonathan Wienke From uunet!in2.uu.net!gatech!newsfeed.internetmci.com!solaris.cc.vt.edu!news.genie.net!usenet at warwick.com Thu Mar 7 09:36:08 1996 From: uunet!in2.uu.net!gatech!newsfeed.internetmci.com!solaris.cc.vt.edu!news.genie.net!usenet at warwick.com (Michael Lepore) Date: Fri, 8 Mar 1996 01:36:08 +0800 Subject: test ignore Message-ID: <4hhdhk$j34@rock101.genie.net> able the workers to protect their immediate interests against the employers. In addition to organizing industrially, the workers will need a political party to spread the idea of social ownership, and to gain the supprt of the majority at the polls. When this is achieved, the workers will assume control of their workplaces, and manage them democratically through their New Unions. An elected Congress of delegates from each industry will plan and manage the national economy, and will replace the present political Congress as the nation's government. New Unionist 621 W. Lake St., Suite 210 Minneapolis, MN 55408 nup at delphi.com From uunet!in1.uu.net!news2.cais.com!news.cais.net!nntp.uio.no!solace!news.ifm.liu.se!usenet at warwick.com Thu Mar 7 09:36:21 1996 From: uunet!in1.uu.net!news2.cais.com!news.cais.net!nntp.uio.no!solace!news.ifm.liu.se!usenet at warwick.com (uunet!in1.uu.net!news2.cais.com!news.cais.net!nntp.uio.no!solace!news.ifm.liu.se!usenet at warwick.com) Date: Fri, 8 Mar 1996 01:36:21 +0800 Subject: PLEASE REPLY!! In-Reply-To: <4hkdsc$fvd@jade.emeraldis.com> Message-ID: <313DC109.EAE@lysator.liu.se> David G. Cannon wrote: > > Did this message make it out to the "real" world?? Please reply to this message > if it did. Thankyou. > > *David* Yes it did!! Have a nice day / Walle From perry at piermont.com Thu Mar 7 09:36:29 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 8 Mar 1996 01:36:29 +0800 Subject: NYT on Crypto Bills In-Reply-To: <199603041810.KAA07446@fionn.lbl.gov> Message-ID: <199603050100.UAA04996@jekyll.piermont.com> Michael Helm writes: > On Mar 4, 3:09pm, Adam Shostack wrote: > > Markoff shouyld know better than this. There is a long > > history of business use of codes & ciphers, going back hundereds of > > years, and durring the heyday of the telegraph, there were fair size > > companies that created codebooks with (locally configurable) > > superencipherment systems for the market. > > I thought that, for the most part, the telegraph systems described > above were to reduce cable charges (1 code word instead of a 15-word > sentence, a huge savings in those days). Totally untrue. The use of encryption for business purposes goes back centuries, and there were commercial providers of blank telegraph code books all through the 19th century. The use of crptography to protect communications only declined with the end of telegrams and the reduction in the perception that large numbers of strangers would be handling your missives. See "The Codebreakers" for a history of this. Perry From frissell at panix.com Thu Mar 7 09:36:42 1996 From: frissell at panix.com (Duncan Frissell) Date: Fri, 8 Mar 1996 01:36:42 +0800 Subject: Jump Start ecash With IPhone Message-ID: <2.2.32.19960306221919.00727068@panix.com> At 11:37 AM 3/6/96 -0800, Jim McCoy wrote: >On another related note the IRS is getting somewhat concerned >about the opportunities the Internet offers people to avoid taxes >according to the Treasury department's international-tax counsel. The >government will "maintain [tax] toll booths on the information superhighway." >(WSJ, 3/6/96) The note in the WSJ's regular Wednesday "Tax Report" column specified that the IRS was most concerned about the possibility that electronic payment systems could lead to "extensive transactions outside of normal banking channels." As well they might worry. "When money is data, data switches are money switches." Talking about toll booths is easier than erecting them on a system built by consensus. I can see the ETF meeting when the Service presents its proposal. And as for those who say that the ETF will be replaced by the 'Big Boys' now that the Net is a hot item, I say so what. We can have our own net running on any infrastructure. What counts is how many hosts run the protocols not who wrote the protocols. And how successful will the Service be in convincing lots of hosts to run its new and improved Simple Tax Collection Protocol (STCP)? DCF From hallam at w3.org Thu Mar 7 09:36:51 1996 From: hallam at w3.org (Phillip M. Hallam-Baker) Date: Fri, 8 Mar 1996 01:36:51 +0800 Subject: NYT login Message-ID: <199603050134.UAA29186@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Just Rich wrote: > > On Sun, 3 Mar 1996 hallam at w3.org wrote: > > > >The tobacco companies need a forum. And they are used to spending big > > >bucks on sponsoring things. > > > > That misses the point. There is no shortage of potential sponsors. > > What these people are asking me is "how much business will Web > > advertising create for me". > > This misses another point. The question was, how do *we* pay for this > stuff (emphasis mine). > > If someone develops a reasonably easy-to-use and reasonably secure digital > cash micropayment system, then I would be happy to pay to read the New > York Times on the Web. I would rather they were dependent on my money than > R.J. Reynold's. I am attempting to support the largest number of models possible. Micropayments is only one model, I have an internet draft out describing a scheme based on a suggestion by Ron. I don't think I should choose how people will raise revenue. I don't think that the NYT will want to be associated with cancer sticks in any case. There are plenty of sponsors such as IBM, Intel etc who will be happy to pay cash for a Web site ad, provided it makes them money. Phill - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMTuaOCoZzwIn1bdtAQF5DQGAsdUiYsmP0EwHZUWA2ijeAZf/pBoqFtzR VDYY2760gf0QLqNBDbLHo6LnJp7T4b5h =vjES -----END PGP SIGNATURE----- From dlv at bwalk.dm.com Thu Mar 7 09:36:59 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Fri, 8 Mar 1996 01:36:59 +0800 Subject: NYT on Crypto Bills In-Reply-To: <199603041509.KAA02654@homeport.org> Message-ID: Adam Shostack writes: > Markoff shouyld know better than this. There is a long > history of business use of codes & ciphers, going back hundereds of > years, and durring the heyday of the telegraph, there were fair size > companies that created codebooks with (locally configurable) > superencipherment systems for the market. > > Adam > > John Young wrote: > > | Compromise Bills Due on Data Encryption > | Industry Opponents and Civil Libertarians Are Lukewarm, > | at Best > | By John Markoff > > | Data-coding, or encryption, technology is based on > | mathematical formulas that rely on the immense computing > | challenge inherent in factoring large numbers. Until > | recently, such technology was largely used by military and > | intelligence organizations and by some corporations like > | banks. As electronic mail and commerce have become > | increasingly accessible, however, the technology has become > | more controversial. > Yes - the Markoff quote is factually incorrect. I'm sure he knows better than this. Must be the Times editing. What he probably meant (and perhaps wrote) was that the cyphers used in business for centuries could be broken by governments. This started changing only after WW I. Wasn't the Enigma marketed to businesses? --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From ncognito at gate.net Thu Mar 7 09:37:23 1996 From: ncognito at gate.net (Ben Holiday) Date: Fri, 8 Mar 1996 01:37:23 +0800 Subject: Steganography idea: CU-SeeMe In-Reply-To: <199603061134.MAA17301@utopia.hacktic.nl> Message-ID: On Wed, 6 Mar 1996, Anonymous wrote: > On Wed, 6 Mar 1996, Nelson Minar wrote: > > [Re: data steams to put steno in] > > So here's one idea I've had as a place to hide a channel: network > > video, in particular CU-SeeMe video streams. CU-SeeMe is a lowtech > > That's an excellent idea. > [lots of snippage] Another problem is that in order to get a decent frame-rate CU-SeeMe does some image editing of its own: selectively sending only the portions of an image that have changed (I.e. the portion of the image that is a person who is moving is sent, The bookshelves in the background are not.) This could probably be easily gotten around however. This seems like a decent idea, however, once the initial obstacles have been overcome.. one typical problem with steg is the small number of bits that can be hidden.. i beleive a ratio of 1k per 100k is typical. Far too small to be useful for most people. Over the course of an hour long CU-SeeMe session however you could easily move enough data back and forth to provide adequate cover for a reasonablly long bit of cyphertext. As long as we're on the subject of stego, has anyone discussed/implemented subliminal streams in raw TCP packets? Seems possible to do at least on a point to point basis. If you could stash your data in the tcp packet itself, it wouldnt matter much what was actually being sent across the link. Some possibilities: a telnet client with a stegometer that would count the number of hidden bits remaining to be sent.. chat clients similarly equiped, etc. Then you could start up any client you choose and send data across it until you had gotten enough bits to complete transmission of your stego'd file.. just a thought.. ;) Benji.. From maldrich at grctechs.va.grci.com Thu Mar 7 09:37:42 1996 From: maldrich at grctechs.va.grci.com (Mark Aldrich) Date: Fri, 8 Mar 1996 01:37:42 +0800 Subject: What's anyone know about Teledyne Electronic Technologies? Message-ID: Teledyne (TET) is out marketing a "new" crypto system as a competitor against DES and what TET calls "linear" cryptosystems. They are claiming a non-linear approach in which (as best I can tell) they are permuting the s-boxes and using 4 bit/16 entry substitution tables. They are also asserting that these "key generated substitution tables and inter-round permutations" are supported by "nonlinear orthomorphic mappings generated from arbitrary key" (and that this is patented) and "row-complete Latin Squares generated from an arbitrary key" (and that this is also patented). The claimed benefits include being invulnerable to differential and "linear" cryptanalysis, no linear key/data interaction to hide, that this results in the tables and permutations being "transient/secret," and that fewer rounds are needed (fewer than what, I don't know) to attain "resistance to cryptanalysis." If there's any c'punks who'd care to comment on these notions, I'd very much appreciate the feedback. Also, if anyone's actually seen the algorithm, reviewed it, or knows of published material about these techniques, I'd also appreciate seeing those posted. Of course, any feedback from existing customers of TET would also be great. Thanks! ------------------------------------------------------------------------- |So, I went walking through the street. |Mark Aldrich | |I saw you strung up in a tree. |GRCI INFOSEC Engineering | |A woman knelt there, said to me, |maldrich at grci.com | |Hold your tongue, man, hold your tongue. |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From hallam at w3.org Thu Mar 7 09:38:09 1996 From: hallam at w3.org (Phillip M. Hallam-Baker) Date: Fri, 8 Mar 1996 01:38:09 +0800 Subject: Bombings, Surveillance, and Free Societies Message-ID: <199603050128.UAA29140@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Timothy C. May wrote: >The Red Brigade in Italy sought a fascist crackdown, and > the "strategy of tension" is common. (And even revolutionists of crypto > anarchist persuasion often think laws like the CDA are good in the long > run, by undermining respect for authority and triggering more extreme > reactions....) It is important to note in this regard that the worst bombing in Italy was the Bologna station bombing, now decisively linked to right wing facist groups the involvment in which of ex-prime minister Adreotti is shortly to be examined in a criminal trial. The point being that the extreemists play into each others hands. > -- expect increased support for a "New World Order" to restrict > non-governmental access to strong crypto (via key escrow measures) This is pretty much a diversion. Terrorist groups have been using encryption since long before PGP arrived. > -- expect the various laws about "talking about explosives on the Net" to > be used to clamp down on various fringe groups Hang on here, some of those groups are actively conspiring to commit terrorist acts. If someone sends a message saying "lets plant a bomb under a federal building, that will show them" I'm not worried if the govt. decides to arrest a few people. There is a border between free speech and conspiracy to murder which some people have crossed. > -- expect "national security" to become a bigger part of the political debate Possibly. > -- expect more and bigger bombings, as the groups thinking about bombings > see how productive they are in accomplishing policy goals (such as ending > peace talks, triggering police state actions, etc.) The IRA has not got very far after 25 years or terrorism. The civil rights movement which the IRA usurped achieved much more in the five years before the IRA started killing people. Had it not been for the IRA there would probably have been a settlement by now. The same goes for Israel where the PLO only gained a partial settlement after giving up the terrorism. > I predict that it will take about 5 more major bombings in European and > American cities to trigger substantive changes in laws. Generally it takes two. The legislation is written after the first and then staled until being passed on the second. There is a usefull procedure in the UK parliament which causes bills to expire at the end of each session. Note that on the CDA there was the behaviour of certain people deliberately seeking to create an issue. The CDA was to a large extent the work of one Marty Rimm and his fellow conspirators. > Personally, while I feel sorry for the dead in Israel, I think anyone who > moves to a small desert state surrounded on all sides by Arabs who want > their land back is asking for trouble. A point to consider is that there are many Isralis born in Israel who have no other home. These people did not ask to be born in the middle of a desert state. As with the Irish problem it is easy to solve if one could change the past. The fundamental problem being that the wrong side won at Hastings. Phill - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMTuYpioZzwIn1bdtAQEkMQF+I1lUyGbzdScAyYqtSDLPGuX4qsCTKcmM Plfdv25rn9u8M6squAw5xfgaQu8au1Ce =9xbY -----END PGP SIGNATURE----- From cjs at netcom.com Thu Mar 7 09:45:07 1996 From: cjs at netcom.com (cjs) Date: Fri, 8 Mar 1996 01:45:07 +0800 Subject: forwarded message from Kendall Collett In-Reply-To: <199603071544.JAA07912@kenya.tivoli.com> Message-ID: <199603071552.HAA23865@netcom20.netcom.com> > [homepage on IO] > > BTW, did you hear that IO got on the SurfWatch "bad list" because there > were more than 25 complaints about objectionable material in the io.com > domain. (Apparently, when SurfWatch hears more than 25 complaints > against a particular domain, the just deny access to the whole domain > rather than particular URLs.) So.. whats the number to call? Microsoft has material on their site I object too. =) Christopher From jim at bilbo.suite.com Thu Mar 7 09:48:47 1996 From: jim at bilbo.suite.com (Jim Miller) Date: Fri, 8 Mar 1996 01:48:47 +0800 Subject: art-stego Message-ID: <9603052110.AA00640@bilbo.suite.com> Jonathan Rochkind wrote: > So a good steganography algorithm (which I understand > exists) merely changes the values of the noise so that it > now encodes your (random) message. So there's no way to > look for "suspicious bit patterns" > You are assuming that the noise bits have the same statistical properties as cyphertext. I would be very surprised if this were the case. It takes special effort to achieve good random bit streams. Image scanners may do this by accident, but then again, maybe they don't. This uncertainty is, in my opinion, the fatal flaw in image-based steganography. The same reasoning applies to audio-based steganography. Unless the devices were specially designed to insert cryptagraphically useful bits in the output (or, as Tim May suggested, good garbage bits are inserted later), then you should not rely on the pictures or audio files to keep your messages hidden. As an alternative to trying to hide bits, I proposed not hiding them at all, but instead creating an innocent reason for passing around files that contain, in some way or another, obvious random bit streams. The first idea that came to mind was to use the random bit streams to create pretty fractal pictures. I soon realized that any function that produces pretty pictures would do the trick as long as there was a way to recover the random bit stream given only the picture and the function. Perhaps it would be possible to use random bit streams to generate cool BioMorphs (ala "The Blind Watchmaker"). If enough people start passing around pictures generated from meaningless random bit streams, then other people could use this traffic to covertly exchange pictures generated from meaningful random bit streams. > if they can manage to get a cleartext message out of it, > plausible deniability is unlikely to get you far. > You could always claim you didn't know it was there, that you just downloaded the picture out of curiosity. It might help, depending on what country you live in. Tim May wrote: > Just bear in mind that this form of steganography is > getting further away from conventional hiding, and > into "pure plausible deniability." In fact, one need > not even make a serious attempt to hide the encrypted > bits: just call the encrypted file "art" and be done with > it! > Come to think of it, if the picture files were larger than the random bit streams, people very well might send just the random bit streams. "Hey Bob, take a look at the picture this creates when you feed it to the XYZ function (coefficient values A, B, and C)." Jim_Miller at suite.com P.S. In case anyone is wondering, the reason there is a large delay between a post from me and a reply from me is that I'm not actually on the mailing list. I read the messages by pointing my news reading at nntp.hks.net From unicorn at schloss.li Thu Mar 7 09:53:12 1996 From: unicorn at schloss.li (Black Unicorn) Date: Fri, 8 Mar 1996 01:53:12 +0800 Subject: book idea: info terrorism/espionage etc. In-Reply-To: <199603040045.QAA24345@netcom5.netcom.com> Message-ID: On Sun, 3 Mar 1996, Vladimir Z. Nuri wrote: [...] > I was just thinking what an interesting book this could be. if > it doesn't cover the ideas of "information terrorism" that are > hinted in e.g. Strassman's remailer paper, it seems this is a > vacuum that could be filled with a very significant/interesting > tome by someone. Been addressed. See e.g., Winn Schwartau, "Defense in Depth for Information Systems Survival" 8 International Journal of Intelligence and Counterintelligence 2, 229. Mr. Schwartau is the Exec. director of Inter.Pact, Inc., a Florida information security firm and has written what is considered, in some circles, the seminal work on the subject "Informational Warfare: Chaos on the Electronic Superhighway. [..] > I've seen a lot of editorials on reforming the spook apparatus, > and it seems now is the prime moment for some very influential books > to come out to influence future policy ideas. Apparently you're not as well read as you think, Lance. :) --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From anon-remailer at utopia.hacktic.nl Thu Mar 7 09:53:23 1996 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Fri, 8 Mar 1996 01:53:23 +0800 Subject: No Subject Message-ID: <199603040440.FAA28574@utopia.hacktic.nl> (Lots of stuff deleted) >I attended last weeks "Information, National Policies, and International >Infrastructure" Symposium at Harvard Law School, organized by the Global >Information Infrastructure Commission, the Kennedy School and the >Institute for Information Technology Law & Policy of Harvard Law School. >During the presentation by Paul Strassmann, National Defense University >and William Marlow, Science Applications International Corporation, >entitled "Anonymous Remailers as Risk-Free International Infoterrorists" >the questions was raised from audience (Professor Chaarles Nesson, >Harvard LAw School) - in a rather extended debate - whether the CIA and >similar government agencies are involved in running anonymous remailers >as this would be a perfect target to scan possibly illegal messages. >Both presenters explicitly acknowledged that a number of anonymous >remnailers in the US are run by government agencies scanning traffic. >Marlow said that the government runs at least a dozen remailers and that >the most popular remailers in France and Germany are run by the >respective government agencies in these countries. In addition they >mentioned that the NSA has successfully developed systems to break >encrypted messages below 1000 bit of key length and strongly suggested >to use at least 1024 bit keys. They said that they semselves use 1024 >bit keys. >I ask Marlos afterwards if these comments were off or on record, he >paused then said that he can be quoted. >So I thought I pass that on. It seems interesting enough, don't you >think? (more stuff deleted) I don't know about everyone else, but I consider this, if true, to be a MAJOR worry. It never ceases to amaze me how lightly the government takes lying to the people. Unfortunately I don't have the contacts or resources to do any further investigation, I hope this thread is resolved one way or another soon. nobody at unimportant From reagle at rpcp.mit.edu Thu Mar 7 09:59:23 1996 From: reagle at rpcp.mit.edu (Joseph M. Reagle Jr.) Date: Fri, 8 Mar 1996 01:59:23 +0800 Subject: Newest CACM and Key Escrow Message-ID: <9603071605.AA04844@rpcp.mit.edu> The newest Communications of the ACM (March 90) is entitled "How to Use Key Escrow." I haven't read it yet, but on a quick glance, I don't see some of the newer schemes I've heard of, but there is an article "taxonomy of key escrow encryption systems" by Denning and Branstad -- Which does briefly mention of the Lotus scheme and some of the other published schemes that I was thinking of. _______________________ Regards, 8146th member of the CIEC coalition Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html reagle at mit.edu 0C 69 D4 E8 F2 70 24 33 B4 5E 5E EC 35 E6 FB 88 From bs208 at newton.cam.ac.uk Thu Mar 7 10:27:21 1996 From: bs208 at newton.cam.ac.uk (B. Schneier) Date: Fri, 8 Mar 1996 02:27:21 +0800 Subject: TET cryptosystem In-Reply-To: <199603071529.HAA04759@well.com> Message-ID: <199603071719.MAA06009@gibbs.newton.cam.ac.uk> ************************************************************************* This is a temporary e-mail address; I am in Cambridge until 12 March. Continue to send mail to schneier at counterpane.com; it forwards by itself. ************************************************************************* > Teledyne (TET) is out marketing a "new" crypto system as a > competitor against DES and what TET calls "linear" cryptosystems. > They are claiming a non-linear approach in which (as best I can > tell) they are permuting the s-boxes and using 4 bit/16 entry > substitution tables. > > They are also asserting that these "key generated substitution > tables and inter-round permutations" are supported by "nonlinear > orthomorphic mappings generated from arbitrary key" (and that this > is patented) and "row-complete Latin Squares generated from an > arbitrary key" (and that this is also patented). > > The claimed benefits include being invulnerable to differential and > "linear" cryptanalysis, no linear key/data interaction to hide, > that this results in the tables and permutations being > "transient/secret," and that fewer rounds are needed (fewer than > what, I don't know) to attain "resistance to cryptanalysis." This explanation is so laced with nonsensical buzzwords that the algorithm is probably absolute nonsense. I can't tell you (because of NDAs) how many times I've seen proprietary algorithms that make all sorts of grandeose claims of security and are actually terrible. Bruce ************************************************************************** * Bruce Schneier * Counterpane Systems For a good prime, call 391581 * 2^216193 - 1 * schneier at counterpane.com ************************************************************************** From geeman at best.com Thu Mar 7 10:28:26 1996 From: geeman at best.com (geeman at best.com) Date: Fri, 8 Mar 1996 02:28:26 +0800 Subject: What's anyone know about Teledyne Electronic Technologies? Message-ID: <199603071709.JAA17447@dns1.noc.best.net> At 01:42 AM 3/7/96 -0500, you wrote: >>Teledyne (TET) is out marketing a "new" crypto system as a competitor >>against DES and what TET calls "linear" cryptosystems. They are claiming >>a non-linear approach in which (as best I can tell) they are permuting >>the s-boxes and using 4 bit/16 entry substitution tables. > > A couple of points: 1. DES is nonlinear and (I believe) provably not a group; that TET is alluding to DES being linear casts grave doubt. If their S-Box "permutes" I'd also be concerned! >Dont trust it unless you are a good cryptanalyst and have a copy of the >source code. Most commercial crypto products are crap. > >Jonathan Wienke > 2. Most NEW UNPROVEN CRYPTOSYSTEMS are crap, not crypto products. That's too strong an assertion. Plenty of commercial crypto products(and perhaps "most" which in significant commercial disctribution) are based on strong DES/RSA, etc. proven technologies. From jimbell at pacifier.com Thu Mar 7 12:50:33 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 8 Mar 1996 04:50:33 +0800 Subject: Anonymous remailers and Leahy bill Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 10:26 AM 3/7/96 -0500, A. Padgett Peterson P.E. Information Security wrote: > >>I am assuming they fix the obvious error in the phrasing above. > >Until they do, we can only guess at the intent. > >>"Thanks for the use of your nifty anonymous remailer. Under a different >>name, I intend to use this remailer (along with others) to transmit child >>pornography, plot terrorism, and do all of my drug deals. You've made my >>life so much more secure!" > >At this point, Bob has no choice other than to reply with: "I assume you are >joking however since what you have stated is in violation of numerous laws, >we have no choice other than to disable your account. If we find that >illegal acts have been committed using this remailer, we will have no choice >other than to report such actions." Wouldn't help "Bob" in the least. And you didn't read what I wrote very carefully, either: Notice that I said, "under a different name." In other words, the source of the note does not identify the user name under which the illegal activity is promised to occur. Cancelling this particular fellow's account does NOTHING to prevent the illegal activity from occurring by other, unidentified users, and "Bob" knows it. Moreover, such a statement (by Bob) would be considered deliberately ineffective: Any anonymous encrypted remailer operator is perfectly aware that his remailer can be used for illegal purposes without him ever finding out. If the law was written carefully enough, that mere knowledge would make it a crime to continue to operate that remailer unless its use could be monitored and verified to be legal. Technically, encryption would not be illegal, but using encryption would open one up to harrassment by government. This would become a de-facto ban, at least for whoever was on the government's "shit list" that week. >Anyone stupid enough to make a statement like this deserves to be disabled. Anyone stupid enough to misinterpret what I clearly wrote above deserves to be lambasted. >>At that point, Bob is GUILTY of violation of the Leahy bill, because his >>encrypted anonymous remailer: > >No, if Bob were to follow the above scenario, he would already be guilty of >terminal stupidity. Poor response, and inaccurate too. >>So maybe the word gets out, occasionally. At that point, usage of anonymous >>remailers declines, and people willing to risk operating one declines. A >>few come up which are run by the Feds, which log anyone who attempts to use >>it... > >Declines ? They are only protection from amateurs. Do you really not >believe that everything in and out of anon.penet.fi & others is not >monitored *at the ISP/carrier level* ? I am well aware of the possibilities. But you just destroyed your own argument: If the government is already capable of tracing such messages, and is doing so, it is presumably doing so illegally, or this tracing SHOULD be illegal. If the government is already doing that, then we'd damn well look VERY carefully at any new bills that are proposed to regulate encryption, because we have far more to fear from them than they currently let on. > Warmly, > Padgett I'm disgusted by your "Warmly, Padgett." While I don't sympathize with their motivations, the "red-hunters" of the early 1950's had a term, "pink" to describe a person who was unduly sympathetic to the Communist cause: A person who was just a bit too cozy with their philosophy. Not quite "red," but... In the 1990's encryption debates, you're a bit too "pink" on the pro-government side for me. With generous amounts of disgust, Jim Bell jimbell at pacifier.com .....Klaatu Burada Nikto -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMT8axfqHVDBboB2dAQHp5AP5AeJ8dPNy9Hkbvyrk6QD/pIIEz7ZeLK3l V2O7zD9Fsvtb6KfIlczX6wpWXOM3RTvgItASg8yNnibLwT37vCKkrpkWKujjIUKb CXGZPZaHGMAAOc9+nU5OzjsAS4IyFuycOlP5z7PlpEap9xo4DlQFJwpgFxHeu53E B3277PHwak4= =5Ff6 -----END PGP SIGNATURE----- From hfinney at shell.portal.com Thu Mar 7 13:36:51 1996 From: hfinney at shell.portal.com (Hal) Date: Fri, 8 Mar 1996 05:36:51 +0800 Subject: Square pegs in round holes, matchmaking, corporate mailservers Message-ID: <199603071824.KAA17363@jobe.shell.portal.com> -----BEGIN PGP SIGNED MESSAGE----- Dimitris Tsapakidis wrote: >Bob must find out whether Alice has declared (commited) her interest >in him, if and only if he has declared (commited) his interest in her. >Before he does so, he can at most know that a girl is interested in him. >Another description: Bob and Alice can have a date if they both commit >to each other. If only one commits, nobody will ever find out about it. To avoid a trusted intermediary, the problem can be thought of as a secure multi-party communication problem with private inputs, which is much studied in the literature. The easiest formulation is pairwise: Alice and Bob mutually engage in the calculation of "Alice loves Bob" AND "Bob loves Alice". Each inputs his feelings as an input bit, and the output will be true only if they have mutual feelings. Each pair of potential lovers would then go through the protocol with each other. This problem is solved in "Multiparty Computations Ensuring Privacy of Each Party's Input and Correctness of the Result", by Chaum, Damgard, and van de Graaf, in the proceedings of the Crypto 87 conference. They even discuss this application directly: "Note that this AND-gate computation, where both parties want to hide their input from each other, has a meaningful application: consider the situation where Alice and Bob have just met, and each considers dating the other. Neither wishes to lose face in the following sense: if Alice wants a date but Bob doesn't, Alice does not want to let Bob know that she wanted the date. And the same holds for Bob. In other words: if a party does not want the date it does not find out the other party's decision." The solution is reasonably practical, involving scrambled truth tables and bit commitments, and is related to some of Chaum's work on zero-knowledge. The paper is a bit theoretical and hard to read, though. I can write up the protocol if anyone is interested. Hal -----BEGIN PGP SIGNATURE----- Version: 2.6 iQBVAwUBMT8p4RnMLJtOy9MBAQHUAQIAv6tTbhLvTnbxX+7BlSIQcxCBfF+FhL1E mR57Ks8Rklg2PxEotSl9BDEtKWVFoqXg8UdNhsj6d3ASFzdQe0B6Hg== =tCch -----END PGP SIGNATURE----- From hfinney at shell.portal.com Thu Mar 7 13:42:12 1996 From: hfinney at shell.portal.com (Hal) Date: Fri, 8 Mar 1996 05:42:12 +0800 Subject: Square pegs in round holes, matchmaking, corporate mailservers Message-ID: <199603071812.KAA16510@jobe.shell.portal.com> From: Bill Stewart > [>>Dimitris Tsapakidis wrote:] > > >Bob must find out whether Alice has declared (commited) her interest > > >in him, if and only if he has declared (commited) his interest in her. > > >Before he does so, he can at most know that a girl is interested in him. > > >Another description: Bob and Alice can have a date if they both commit > > >to each other. If only one commits, nobody will ever find out about it. > > >- T is the trusted third party. > [Padgett contribution elided] > Oh, that would work fine. Let a, b, and t be Alice, Bob, and Trent's secret DH > keys, and g and p be the generator and prime (all math below is mod p.) > If Bob wants to talk to Alice, he sends Trent B = g**b, marked "For Alice", > optionally anonymously. Trent calculates X = B**t == g**bt, and sends it to > Alice. > Alice calculates K = X**a == g**bat, calculates H = Hash(K) and > posts it anonymously, or sends it to Trent to post or mail to Bob. > If Alice wants to talk to Bob, she calculates A = g**a mod p, > sends it to Trent, optionally anonymously, marked "For Bob". > Trent calculates Y = A**t == g**at , and sends it to Bob. > Bob calculates K' = Y**b == g**abt, calculates H' = Hash(K') and > notices that it's the same as the H he pulled off the net earlier. > Bob says "Oh, wow! Alice wants to talk to me!", encrypts some lame drivel > of a message M with key K'==K, and mails it to Alice if he knows her address > or posts it with Subject: H', which Alice receives. I don't think this satisfies the requirements. Once Bob calculates H' and sees that it matches H, he knows that Alice likes him, but Alice doesn't know that he likes her. The whole point of the protocol was to be fair. Bob must only learn that Alice likes him if Alice is guaranteed to learn that he likes her. I have posted an alternate solution in another message. Hal From declan+ at CMU.EDU Thu Mar 7 13:45:45 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Fri, 8 Mar 1996 05:45:45 +0800 Subject: CDT on crypto bills In-Reply-To: Message-ID: ---------- Forwarded message begins here ---------- Date: Tue, 5 Mar 1996 23:12:49 +0100 To: "Declan B. McCullagh" From: jseiger at cdt.org (Jonah Seiger) Subject: Re: NYT: Encryption compromise bill introduced Cc: Fight Censorship Mailing List , jim at RSA.COM If you read our statement, you will see that we agree completely with EFF & Jim that the new crime is unnecessary and needs to be addressed. As for the second issue, I understand EFF's concerns, and this is definitely an issue that needs further clarification and discussion. But you should note that the bills do not in any way impose key escrow (and only the Senate bill contains these provisions anyway). In fact,the legislation does precisely the opposite in two ways: 1. The bill explicitly affirms the rights of Americans to use any form of cryptography they choose domestically. 2. By directly attacking export controls, the legislation undermines the only lever the Administration has in imposing Clipper and Clipper II. The Clipper and Clipper II policies are based on the assumption that the market in most cases will support only one version of a particular crypto application. By encouraging only the export of cyrpto w/key escrow mechanisms, the Administration believes that they can force the domestic market to adopt escrow as well. This has not worked yet, but it *has* forced a stalemate that has led to a very little privacy and security for the Net. By undermining the only leverage the Administration has for left to impose key escrow domestically (beyond an explicit effort to ban it outright), these bills effectively remove the current threat of a government imposed domestic escrow crypto policy, and allow the market for strong cryptography to flourish. So again, CDT believes that this legislation represents the best opportunity we have had yet to provide the Internet with the privacy protections and security it desperately needs. There are most certainly areas that we would like to see changed and/or clarified, but that should not overshadow the important opportunity these bills represent. Jonah >Thanks for the clarification, Jonah. I agree the bill will undercut >Clipper II, but I share the concerns outlined in the EFF statement, >which says the bill: > > * Makes it a new crime to "use encryption to obstruct justice", with > 5-10 year sentences, plus fines. In plain language, this is a > extra criminal charge that can be applied when police are frustrated > in an investigation but happen to catch someone breaking the law in > some other way. > > * Provides a legal infrastructure for key escrow, a system in which > all users' keys are copied to permit government access. > >Jim Bidzos is the CEO of RSA Data Security, and he supports Leahy's >bill. His mail is attached below. > >-Declan > >---------- Forwarded message begins here ---------- > >Date: Tue, 5 Mar 96 13:26:39 PST >From: jim at RSA.COM (Jim Bidzos) >Message-Id: <9603052126.AA19534 at RSA.COM> >Cc: cypherpunks at toad.com > > >I'm in favor of the Bill because it specifically prevents, by law, the >US Govt from mandating key escrow. Also because it would, by law, >force export control of crypto out of the Dept. of State and into the >Dept. of Commerce, effectively allowing any crypto used in the US and >"widely available" to be exported. (The bill does a few other things. >One, it provides for criminal penalties for key holders who abuse >their role as an escrow agent, assuming anyone *chose* to use key >escrow. Second, it makes the use of encryption -any encryption- a >crime if used in the commission of or support of any criminal >activity. I think the bill would be better off without these >provisions, but I suspect this is an attempt to give the >administration something.) > >I anticipate that the Administration, led by the intelligence and law >enforcement interests, will vigorously lobby against this bill... -- Jonah Seiger, Policy Analyst Center For Democracy and Technology 1634 Eye Street NW, Suite 1100 Washington, DC 20006 PGP key via finger (v) +1.202.637.9800 http://www.cdt.org/ (f) +1.202.637.0968 http://www.cdt.org/homes/jseiger.html From owner-cypherpunks at toad.com Thu Mar 7 14:04:12 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 8 Mar 1996 06:04:12 +0800 Subject: No Subject Message-ID: ---------- Forwarded message begins here ---------- From: shabbir at vtw.org (Shabbir J. Safdar) To: Stanton McCandlish cc: declan+ at cmu.edu (Declan B. McCullagh), fight-censorship+ at andrew.cmu.edu, jim at rsa.com Subject: Re: NYT: Encryption compromise bill introduced Date: Wed, 06 Mar 1996 15:14:01 -0500 Sender: shabbir at panix.com The Leahy bill is actually much better than Stanton lets on. Take a look at it, it affirms Americans' right to choose whatever algorithm or technique they'd like, as well as takes great pains to go on record to say that Congress treaded very carefully to preserve Americans' right to not use key escrow algorithms, and if they did, not to use escrow agents. You don't get much more of a guarantee than that. Regardless of the ulterior motives of the White House, key escrow programs are still voluntary as read on the books. The best we can write into a law is to have our rights reaffirmed. Leahy has given this to us in spades. Let's not soft-pedal this legislation. Leahy and Goodlatte are going head to head with the White House to undermine the strongarm export tactics of Clipper and Son of Clipper. They've stuck their necks out for us, we need to back them up. Just wait until the White House starts to act in reaction to this. It's not going to be pretty.... -Shabbir J. Safdar * Online Representative * Voters Telecomm. Watch (VTW) http://www.vtw.org/ * Defending Your Rights In Cyberspace Stanton McCandlish writes: >> Date: Tue, 5 Mar 96 13:26:39 PST >> From: jim at RSA.COM (Jim Bidzos) >> Message-Id: <9603052126.AA19534 at RSA.COM> >> Cc: cypherpunks at toad.com >> >> >> I'm in favor of the Bill because it specifically prevents, by law, the >> US Govt from mandating key escrow. > >This is only true of the Goodlatte bill. The Leahy bill just explicitly >does not mandate GAK. Goodlattes does this, and goes further, preventing >the Administration from doing so. > >Needless to say, we'd like to see the two bills merged, and the better >features of each kept. > >> I anticipate that the Administration, led by the intelligence and law >> enforcement interests, will vigorously lobby against this bill... > >Right. We don't expect it to pass, but it could be an important step in >raising the issues. > > >-- > Stanton McCandlish >
mech at eff.org >

Electronic Frontier Foundation >

Online Activist From mccoy at communities.com Thu Mar 7 14:18:22 1996 From: mccoy at communities.com (Jim McCoy) Date: Fri, 8 Mar 1996 06:18:22 +0800 Subject: (Fwd) Gov't run anon servers Message-ID: Hal Finney writes: [...regarding mixmaster remailer passwords...] > >The other suggestion that was made here, that the operator would have to >manually type in the pass phrase every time the computer rebooted [...] >However it would probably not be a practical method of operation given >the reliability of at least the Unix operating systems that I am familiar >with. Then you need to start running PC unix systems which were last written or updated during this decade. Keeping a unix system running, _as long as it is running a limited subset of application programs_, is a trivial task in Linux, BSD/OS, FreeBSD, and others. I routinely have server systems which perform specific tasks (e.g. smtp mail services, DNS, etc.) with uptimes of 5-6 months; there is no reason why a host serving as a remailer should not be able to be as reliable. > And even then the information is in memory. An attacker who could >gain root privileges (and let's not pretend that the NSA can't do that) >can dump memory and later comb it for the key information. > "Security is economics" -E. Hughes The point is not to make a system which is absolutely, positively, no doubt about it, secure against any attacker. If cypherpunks could do this they would be working for defense contractors and others who make certified systems. The objective is to make a system which is difficult to attack, one which costs the attacker time/money. After securing a host against the obvious attacks one can turn to the esoteric ones such as you present: move the key to kernel memory and remove tools for accessing or manipulating that area, run the memory-space encrypted and do not let it dump the contents to disk, etc. Systems which have been certified to high Orange book levels already exist, so there are obviously solutions to the problems you present. The tools and tricks of these systems just need to be migrated into systems which people actually use. Then remember that remailers gain strength in numbers. The more remailers you chain your message through the better your chances of passing through a single node which is not compromised, at which point your message has been "mixed." As long as it is easier for someone to create new remailers than to break existing remailers we are winning. >My point remains that strong keys are pointless for remailers which run >on Unix systems connected to the net. "Insisting on perfect security is for people who do not have the balls to live in the real world" -paraphrased from M. Shaefer You give far too much credit to the potential attackers. One advantage that unix systems connected to the net have over your hypothetical PC at home is the advantage of persistence, what is the point of running a remailer if it is never up, or only up when you need to use it? Traffic analysis of that particular node becomes a pretty easy task :) The unix hosts running remailers also have the advantage in that they have been subjected to attack for quite a while now and most of the obvious problems (and some of the non-obvious problems) have been fixed. A strong key on such a host is better than a weak key, so why not make systems as strong as you can? The only way to have a completely secure computer is to encase it in concrete, cut any network connections, and drop it into the ocean; OTOH the only thing you have created in this case is a fairly unique boat anchor. You are beginning to sound like the people who claim that the NSA can crack any encryption system, not because they have any proof but just because they extrapolate their limited knowledge into the unknown and mix in a bit of paranoia. [...] >Recall that my original comments were in connection with the claim that >the government was running most of the remailers. As I said, I still >think that is absurd when it would be so much easier to simply steal >their keys. But the point is that it is _not_ easier to steal the keys. It is much easier to put up a remailer than to attack an existing remailer, this is why the remailer system is winning the battle of security economics. By putting up its own remailers a potential attacker probabalistically diminishes the number of systems which they must break. jim From unicorn at schloss.li Thu Mar 7 14:47:12 1996 From: unicorn at schloss.li (Black Unicorn) Date: Fri, 8 Mar 1996 06:47:12 +0800 Subject: Remailers run by spooks In-Reply-To: <199603040511.AAA24235@bb.hks.net> Message-ID: On Mon, 4 Mar 1996, Just Rich wrote: > -----BEGIN PGP SIGNED MESSAGE----- > I have no doubt that the CIA can break 1000-bit keys on a case-by-case > basis, *if they decide to allocate the resources*. I think it's possible > that some remailers are run by spooks. However, I seriously doubt that > anyone is breaking stuff routinely, and I think the web of trust is pretty > good. What does the web of trust currently have to say about the political reliability of remailers? > However, I also have no doubt that Strassmann and Marlow are spreading > disinformation and exaggerating their capabilities in an attempt to break > the web of trust and incite a witch hunt. It won't work. The answer in any > case is more use of remailers, not less. Just turn up the noise level. > You already know that nothing is 100% secure, but you do what you can. > It's a war of attrition. And thus the winner will be the one who makes it the hardest for the other to fight, not who inflicts the most casualities. > > - -rich > - --- > [This message has been signed by an auto-signing service. A valid signature > means only that it has been received at the address corresponding to the > signature and forwarded.] > > -----BEGIN PGP SIGNATURE----- > Version: 2.6.2 > Comment: Gratis auto-signing service > > iQBFAwUBMTp7ayoZzwIn1bdtAQFJXgGAg8I4+IwZYrDI46bMj2nED+Dh0AeoMJVs > PP10Ui5u46sXDAUjpMzJSwv5EqdIOEKy > =611k > -----END PGP SIGNATURE----- > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From owner-cypherpunks at toad.com Thu Mar 7 14:58:00 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 8 Mar 1996 06:58:00 +0800 Subject: No Subject Message-ID: [In reply to Shabbir's message. -Declan] ---------- Forwarded message begins here ---------- From: Stanton McCandlish Message-Id: <199603062155.NAA22301 at eff.org> Subject: Re: NYT: Encryption compromise bill introduced To: shabbir at vtw.org (Shabbir J. Safdar) Date: Wed, 6 Mar 1996 13:55:07 -0800 (PST) Cc: declan+ at cmu.edu, fight-censorship+ at andrew.cmu.edu, jim at rsa.com In-Reply-To: <199603062014.PAA02169 at panix4.panix.com> from "Shabbir J. Safdar" at Mar 6, 96 03:14:01 pm > The Leahy bill is actually much better than Stanton lets on. Take a > look at it, it affirms Americans' right to choose whatever algorithm or > technique they'd like, as well as takes great pains to go on record to > say that Congress treaded very carefully to preserve Americans' right > to not use key escrow algorithms, and if they did, not to use escrow > agents. You don't get much more of a guarantee than that. Sure you do: Goodlatte's more direct prohibition on the Exec. branch mandating Key Escrow. What's the problem here? We know Goodlatte's version, on this provision at very least, is better. Why can't we just agree that it is, and support that? Goodlatte's bill isn't competing with Leahy's, they were introduced simultaneously in different chambers, and are intended to get the same message across. I can't see a problem with saying "we like this particular phrasing better, let's have it in both versions." The entire point of all this is to have the same bill on both sides of Congress anyway. It can either happen early, or (on the off chance it ever gets that far) in conference committee. Here we have a large say. In conf. cmte. we have almost no say. Again, what's the problem? What are we arguing about? > Regardless of the ulterior motives of the White House, key escrow > programs are still voluntary as read on the books. The best we can > write into a law is to have our rights reaffirmed. Leahy has given > this to us in spades. I disagree. A better thing we can write into law is to simultanously have rights reaffirmed, and send a more direct message to the Admin that it cannot tread here. > Let's not soft-pedal this legislation. Let's not hard sell flawed parts of it, when fixes are not just available but already introduced as "live" legislation. > Leahy and Goodlatte are going > head to head with the White House to undermine the strongarm export > tactics of Clipper and Son of Clipper. They've stuck their necks out for > us, we need to back them up. Certainly. > Just wait until the White House starts to act in reaction to this. It's > not going to be pretty.... No kidding. I expect either an attempt to mandate escrow, a worsening of the export controls, and/or an all-out assault on American's rights to encrypt at all, or without some kind of worse-than-GAK registry or licensing. If not all of the above. -- Stanton McCandlish

mech at eff.org

Electronic Frontier Foundation

Online Activist From wlkngowl at unix.asb.com Thu Mar 7 15:22:23 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Fri, 8 Mar 1996 07:22:23 +0800 Subject: Truelly Random Numbers Message-ID: <199603032316.SAA22404@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Mark Allyn 206-860-9454 wrote: [..] > Take a piece of non conducting board, say about six by six > feet. Put electrodes on it; say a pair of electrodes every > quarter inch or so across and down. > > Each pair of electrodes would be connected to logic so that > it generates a unique number. When the electrodes are shorted, > the number would be generated. Quite elaborate. And unless you live in a rainy part of the world, not very useful. Better off using those contraptions where little steel balls fall around the electrodes. There's some entropy there... but still, it's too elaborate for RNG generation. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMTooTyoZzwIn1bdtAQFXIwF/cjzvAfNJMOn9Pw6VSztPKCHUc/dmuwZ1 bOAEKnlQmwhRKOxpNmBr+EpM3zoRIWWP =8nb+ -----END PGP SIGNATURE----- From PADGETT at hobbes.orl.mmc.com Thu Mar 7 15:22:42 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Fri, 8 Mar 1996 07:22:42 +0800 Subject: DoubleSpeak Message-ID: <960303190109.2020177f@hobbes.orl.mmc.com> > In addition they >mentioned that the NSA has successfully developed systems to break >encrypted messages below 1000 bit of key length and strongly suggested >to use at least 1024 bit keys. They said that they semselves use 1024 >bit keys. Is there anyone her who has *not* "developed systems to break encrypted messages" ? One is called brute force and can run on any PC. The two pieces missing from the statement is the *cost* and *time* involved in breaking keys of X length & would suspect the algorithm might have something to do with the answer. (Can generate a LOASDR key of 1024 bits real easily, breaks just as fast). I use a PGP key of 1024 bits simply because I am too lazy to go to 2048 so why was this turkey posted twice ? Lacking meaningful parameters, it does not really say anything. Warmly, Padgett From owner-cypherpunks at toad.com Thu Mar 7 15:24:51 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 8 Mar 1996 07:24:51 +0800 Subject: No Subject Message-ID: On Thu, 7 Mar 1996, cjs wrote: > > > > BTW, did you hear that IO got on the SurfWatch "bad list" because there > > were more than 25 complaints about objectionable material in the io.com > > domain. (Apparently, when SurfWatch hears more than 25 complaints > > against a particular domain, the just deny access to the whole domain > > rather than particular URLs.) > > So.. whats the number to call? Microsoft has material on their site I > object too. =) And let's not forget the really objectionable stuff at http://www.buchanan.org/pjbindex.html (the Buchanan Campaign web site). ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From FGALLICC at MICRARN2.SSW.JNJ.COM Thu Mar 7 15:28:25 1996 From: FGALLICC at MICRARN2.SSW.JNJ.COM (Gallicchio, Florindo) Date: Fri, 8 Mar 1996 07:28:25 +0800 Subject: No Subject Message-ID: Most humble apologies from a lurker for posting this question to the whole list. I couldn't find the reference in the archives... About a month or two ago, someone posted some information on that little piece of code attached to MS Mail messages alongside the file attachment. I need to find out the vulnerabilities of that code, such as susceptibility to virus, spoof, attack, etc. Not crypto related, but important to me nonetheless. Please send responses to me via e-mail. Thanks in advance. Florindo Gallicchio fgallicc at ncsus.jnj.com "I don't speak for my company yadda yadda yadda..." From davidw at hpato.aus.hp.com Thu Mar 7 15:29:14 1996 From: davidw at hpato.aus.hp.com (David Weiss) Date: Fri, 8 Mar 1996 07:29:14 +0800 Subject: PGP backdoor? (No, I'm not paranoid.) Message-ID: <4841.825560962@hpautoas.aus.hp.com> jf_avon at citenet.net wrote: >perry at piermont.com wrote: >> [...] >>Your informant is taking extremely good drugs. You should find out who >>his connection is should you want to get any. >> >>Perry > >Dear Perry, > [interesting statement of why nothing one hears should ever be discounted] > >So, why waste bandwith with a post that apparently mainly seems to be aimed >at dismissing somebody but brings *absolutely no* new knowledge to >the discussion? Please, next time, post privately. Sure it does; Perry's opinion. And what that is worth, depends on the reader's opinion of Perry. >Funny jokes are, IMHO, welcome because they have some life-enhancing value. > >So please, at least be funny... I thought it was pretty funny (more so than your post, anyway). David (I feel another really silly and pointless thread starting...) From nobody at REPLAY.COM Thu Mar 7 15:31:59 1996 From: nobody at REPLAY.COM (Anonymous) Date: Fri, 8 Mar 1996 07:31:59 +0800 Subject: No Subject Message-ID: <199602290317.EAA08427@utopia.hacktic.nl> This came from Associated Press (27th Feb) : ============================================================================ Europe pushes Asian weapons sales KUALA LUMPUR, Malaysia - Russia is doing it. So are Britain, France, Germany and Spain. Even neutral Sweden has joined the race to sell warplanes, missiles, tanks and warships for Asia's rapidly expanding arsenals. The Europeans, fighting an uphill battle against dominant U.S. competitors, are offering what the Americans sometimes won't - the newest, deadliest technology with no political strings attached. While post-Cold War budget cutting devastated the arms trade in the rest of the world, military spending in Asia is still rising. >From 1991 to 1994, Asian sales by Britain, France, Germany and Italy totaled $3.4 billion - a 30% increase over their sales in the 1987-1990 period, according to figures compiled by economist Digby Waller of the International Institute of Strategic Studies in London. By contrast, American weapons sales in the region were $5.4 billion in 1991-1994, a 7% decline from the previous three-year period. Despite widespread agreement that U.S. weapons makers are technologically superior, European producers have signed a flurry of deals with nearly every Asian country. According to military analysts, buyers were attracted by Europe's lower prices, equipment - like submarines - that the United States doesn't sell and - perhaps most important - the chance to avoid becoming dependent on American suppliers in case the United States cuts back future arms exports. In one of the most powerful signs of the Asian market's allure, Russia tossed out ideological considerations in favor of cash, selling its former Chinese rivals high-performance Sukhoi 27 jet fighters and the technology to make more. Thailand bought an aircraft carrier from Spain. Taiwan bought six frigates and 50 fighter jets from France. South Korea bought three German cruisers and Malaysia bought two British frigates. Sweden sold diesel-electric submarines to Thailand and Singapore. The United States no longer manufactures such vessels, partly in an attempt to halt their proliferation. Such submarines are very quiet and almost impossible to detect, even with sophisticated equipment. Some military analysts argue the unprecedented weapons buildup will ignite an arms race in a region crisscrossed by territorial disputes. They point to the growing military might of Japan, China and India and a series of smoldering regional disputes, including those between Taiwan and China and between North and South Korea. Asian governments counter that they're entitled to defend their territory. "It is wrong to see the purchase of defense equipment by countries in the region as an arms race,'' Singapore's defense minister, Tony Tan, said in a TV interview in January. "We and our ... neighbors are proceeding with plans to modernize our armed forces, now that our economies have grown and we have the resources to pay for better weapons and equipment.'' The biggest potential source of conflict in the region is China's feud with its Southeast Asian neighbors over oil and gas riches in the South China Sea. China has declared the entire region its territory, and sent warships to enforce the claim. While European governments try not to fuel arms races, they may sell to buyers who are refused American weapons for political reasons, said Paul Beaver, a military analyst for Jane's Information Group. Beaver pointed to the example of Britain's $35 billion deal to supply Tornado fighters and other weapons to Saudi Arabia after the United States balked at selling warplanes that could be used to attack Israel. "That has been seen by the Muslim countries in Southeast Asia as a strong sign that Britain doesn't attach the same political conditions to its sales as the United States does,'' he said in a telephone interview from London. Thailand wants to buy advanced American AMRAAM missiles to arm its new F-18 fighters. But because no other country in the region has a missile that sophisticated, the Clinton administration is hesitating for fear of sparking competition among Thailand's neighbors to match it. "If the United States did not want to sell AMRAAM missiles to Thailand, I wouldn't be surprised if France would be willing to sell a similar missile,'' said Pieter Wezeman, a researcher for the Stockholm International Peace Research Institute. Asian governments also appear to be buying European weapons to diversify their arsenals in case Washington shuts off their supply. "The United States has shown several times that they don't want to sell weapons to everyone, and so at any moment they might start an embargo,'' Wezeman said. In one of the region's biggest recent sales, Taiwan bought 210 fighter jets, splitting the order between French Mirage-2000s and U.S.-made F-16s after Washington first refused to sell and then approved fewer planes than Taiwan wanted. Pakistan, blocked by U.S. law from buying F-16s because of evidence it has built nuclear weapons, is reported to be shopping for French or Russian warplanes to fill the gap. By The Associated Press ============================================================================= no_one at unimportant. From owner-cypherpunks at toad.com Thu Mar 7 16:09:45 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 8 Mar 1996 08:09:45 +0800 Subject: No Subject Message-ID: Adam Shostack mentioned: > The big problem with this is that net phones can be subject to > delay & drop out, and I don't want to deal with that when I'm talking > on the phone. Adam, Yes, and that's good news. We can claim, while we are building up our infrastructure, that we have a low-quality service that cannot compete with the current LD carriers. Meanwhile, several companies and committed enthusiasts are solving IPhone's technological problems. Also, ATM and other high-bandwidth technologies that the LD carriers are deploying can bring them profits when IPhone users request the _fast_ Internet. But the real money is in the billing system. And an efficient, decentralized ecash infrastructure will change the world. A cheap telephone-to-telephone long distance and international voice service, which people do want to buy, could provide the cash flow to jump start it. CW From adam at lighthouse.homeport.org Thu Mar 7 16:25:30 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Fri, 8 Mar 1996 08:25:30 +0800 Subject: SEAL cipher info requested (something actually list related!) In-Reply-To: Message-ID: <199603060521.AAA15746@homeport.org> Christopher Allen wrote: | * are there are any links on the web to SEAL? Ask Altavista. | * is IBM actively marketing it? See above. If you can't find it on the web, they're not actively marketing it. :) | * what precisely is patent? | * for how long? | * has anyone currently licensed it? | * has anyone tried attacking the algorithm? | * should we be (the community) be looking at SEAL | for standards (say as an alternative to RC4?)? | * is there something better then SEAL available? How about Blowfish? Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From owner-cypherpunks at toad.com Thu Mar 7 16:27:28 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 8 Mar 1996 08:27:28 +0800 Subject: No Subject Message-ID: On the mailing list for the "Electronic Frontier Canada" (similar to, but not a part of EFF), David Jones (djones at insight.dcss.McMaster.CA) writes: > > Feds want encryption; Police opposition ignored. > >The federal government wants its employees, and Canadians in general, >to use strong, public-key encryption. Yes, the same encryption methods >that American law enforcement is so uptight about. The same encryption >that Canadian cops want to avoid, so they can continue to eavesdrop. > >It's summarized in a recent Ottawa Citizen article: > > gopher://insight.mcmaster.ca/00/org/efc/media/citizen.13feb96 > >You may recall the Canadian Association of Chiefs of Police (CACP) >have voiced their opposition to any encryption of communications unless >police had access to a "backdoor" last summer. > > gopher://insight.mcmaster.ca/00/org/efc/law/cacp.24aug95 > >In Canada, it looks like the right to privacy of telecommunications >might take precedence over the police interest in snooping to catch >criminals. I won't repost the entire article here, but here are some highlights: - The system is initially intended to secure email between federal government employees. Deployment is expected to begin next year. - Key management is decentralized; each department hands out its own keys. - Top-secret messages will be encoded using "palm-sized computer cards" (presumably some kind of PCMCIA device). - The Communications Security Establishment (~= NSA) helped to design the system, and claims that it's "more sophisticated than existing public versions". (This is the part that still worries me a bit, even though EFC's David Jones is quoted as saying that he has no concerns. Will the algorithms be published? Also, why develop a new, untested system -- why not just buy the thing from RSA, Viacrypt, etc.? Stay tuned...) - There's a great quote from Bob Little, deputy secretary of financial and information management for the Treasury Board: "[The CSE] don't have access to the keys . . . and never will. We did it to avoid the American experience with the Clipper Chip." - The RCMP (~= FBI) is not amused. All in all, it sounds like a positive development for once. -- Martin Janzen janzen at idacom.hp.com From owner-cypherpunks at toad.com Thu Mar 7 16:27:54 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 8 Mar 1996 08:27:54 +0800 Subject: No Subject Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 01:06 PM 3/7/96 -0500, A. Padgett Peterson P.E. Information Security wrote: >Do not agree with you. Do support your right to disagree though. > P.fla That's all this guy said. Here's my more verbose response. >Do not agree with you. You are _entitled_ to not "agree" with me. What you are NOT entitled to, however, is to have a government that violates my rights by attempting to restrict crypto and other freedoms, even if it is with the support of 51% of the Congress or 51% of the voters or 51% of the population. (or even substantially more.) If you actively support such a government, or even encourage such a government, you are doing what is analogous to "inciting a riot": You are guilty of inciting the government to take improper, illegal, unconstitutional, or simply immoral actions against me and others, and in my opinion if such actions are taken you enter into that conspiracy. You may be alarmed that I might consider you a criminal for just exercising your "free speech." (If you're not alarmed, you SHOULD be!) I myself would greatly prefer to live in a society where speech was totally free: There would be no laws against libel and slander, and you could "yell 'fire' in a crowded theatre" without the possibility of prosecution. (All the other potential customers will be home watching on tape rental, which will make what you can do in a theatre less significant.) But until we live in such a world, I consider that yelling "child porn!" or "terrorism!" or "drug smuggling" in "a crowded Congress" or _to_ "a crowded Congress" that's anxious to restrict our rights ever further, is an incitement to violate my rights. > Do support your right to disagree though. No, I don't think you do. You've done NOTHING to actually _support_ my right to disagree, except possibly waste a few bytes of information space on a message that you did not see fit to publicize. (I did, however.) Clearly, your "support" for my "right to disagree" is essentially non-existent. Jim Bell Klaatu Burada Nikto! -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMT866/qHVDBboB2dAQHqfAP9F1vYWiHVT67QXNXwuDWpR9n6THRL4S2W vJq256khHXs4pMawUiGitkovVEDSBM8Tc6t6NpgNbwEojZ40dF147gqq7iTLOrf0 TU4RrUvBKiRJbTXnJM6YdHL7gOHQtU5TqHRft3R9JAHR5zEpetUSIo7+uVbklqqd Du1cZlTbu68= =M+dV -----END PGP SIGNATURE----- From clarissa_wong at alpha.c2.org Thu Mar 7 16:28:22 1996 From: clarissa_wong at alpha.c2.org (Clarissa Wong) Date: Fri, 8 Mar 1996 08:28:22 +0800 Subject: Jump Start ecash With IPhone Message-ID: <199603060435.UAA07171@eternity.c2.org> Proposal: Augment computer-to-computer Internet phone with local telephone-to-Internet-phone gateways to create a new telephone-to-telephone long distance network via the Internet. Result 1: No computer is needed for cheap long distance or international voice phone calls. Result 2: ecash gets its "Killer Ap", a service that (a) people want to buy and (b) requires micropayments for economic feasibility. (Details below.) Result 3: Creates a large, decentralized market that is difficult for anyone to regulate and that provides many opportunities to make money. Obvious Nonresult: Achieving privacy in long distance or international voice requires further development. Hardware and software beyond that in an ordinary telephone is needed at each end. Who Can Do It: ISPs (Internet Service Providers) are in the best position to operate nodes of this decentralized network. They have the Internet connection, the phone banks, the technical expertise, and some business experience. Telephone <---> ISP <---------> ISP <---> Telephone Scenario (Result 1): Granny Smith in Paducah wants to chat with her grandson Adam Smith, who is studying economics in Hong Kong. From her ordinary touch-tone phone she makes a local _voice_ call to Cheap Speech, Inc. and at the prompt enters the phone number for Adam. Cheap Speech finds that TalkToMe Ltd is a network node in Hong Kong within a local phone call of Adam and, through the Internet, establishes a connection. Then it patches in the voice call from Granny as TalkToMe dials out and reaches Adam. Granny Smith <--> Cheap Speech <-----> TalkToMe <--> Adam Smith Payments (Result 2): More than half the cost of running a traditional long distance voice business is for handling the billing. The cost of the technology to provide the service is thus less than the cost of the billing! Cheap Speech and TalkToMe cannot provide cheap voice service, as in the example above, unless they use a much more efficient payment system. That is why the low transaction cost of ecash is so important and that is why this message is being sent to cypherpunks rather than a telecom list or news group. So who uses the ecash? Surely Granny and Adam Smith can't shove it through ordinary telephones. They just want to get ordinary voice connections with ordinary telephones as they have for many years, only cheaper. Here is how I think ecash fits in: Granny Smith --> Cheap Speech Granny pays Cheap Speech through ordinary means, probably by monthly credit card charge, which is common for ISPs. The overhead for this probably is only around 5% (plus staff for account setup and support) because the ISP already is set up for that kind of payment system and Granny Smith is a local person providing repeat business, not a bad apple on a spending spree with a stolen credit card number. Cheap Speech --> TalkToMe Cheap Speech and TalkToMe do not have any previous business arrangement with each other and probably never have done business with each other before. They also are on opposite sides of the world. But Cheap Speech consults a Rating Service that says TalkToMe is reliable, so Cheap Speech sends a small amount of ecash to TalkToMe to open a connection and dial out to Adam. Since ecash clears instantly, TalkToMe does not need to know anything about Cheap Speech. No international billing network is needed. Little overhead is incurred. TalkToMe --> Adam Smith TalkToMe provides this service in exchange for the ecash from Cheap Speech. The main problem I see with this scheme is that Cheap Speech may have a cash flow problem. Payment to TalkToMe must be made immediately whereas payment from Granny Smith may take a couple of months to arrive. If, however, the volume of incoming calls (ecash coming in) matches the volume of outgoing calls (ecash going out), then the cash flow will balance out. Also, Cheap Speech could offer Granny a discount for prepayment. Regulation and Profit Opportunities (Result 3): Big, centralized organizations are big targets for lawsuits and regulation. They are the "deep pockets" lawyers love to pick. They are the leverage points for power-hungry politicians. But the Internet was designed to survive nuclear war. It was designed to route around outages, no matter their cause. A decentralized, Internet-based, international network of small, independent voice service providers could enjoy similar advantages. Many companies are creating _computer-to-computer_ Internet phone software. See the NetWatch Top Ten - Voice / Video On The Net at URL: http://www.pulver.com/netwatch/topten/tt24.htm We can depend on that technology to improve. I do not know of any companies who also are providing interfaces to ordinary telephones and designing a decentralized network with an ecash-powered payment system. That is our advantage. But the network described above has many limitations. These are opportunities to make money by selling your solutions to customers. Examples: It needs a directory and rating service for voice providers such as Cheap Speech and TalkToMe. (Perhaps Raph Levien will expand his rating services to a new domain?) The network will not be useful until it has many nodes. That is partly why this proposal is being sent to a large audience. Cypherpunks who cut their teeth building a remailer network perhaps can build a voice network, too? Think of it as a challenge. People who travel a lot will want cheap long distance telephone service while on the road. How do they arrange that if their only contract is with a service provider near their home? We need a more flexible payment protocol than the one described above. Enhanced services - fax, teleconferencing, time-delay and retry, phone mail, and collect calls. Multiple brands of ecash will require conversion services. Currently Mark Twain Bank's offering looks best, but when ecash succeeds, expect many more. Eventually, the network may work best with ecash denominated in currencies other than government-sponsored fiat currencies. Conclusion: If this idea is so good, then why am I telling you about it? (A) I cannot do it all myself. (B) Feedback on the idea from knowledgeable people is valuable. (C) If it succeeds, it will create a market with opportunity for plenty of people to make money, including me. (D) We have a limited window of opportunity to get this done. My guess is that we have roughly one year before other people embed their solutions into the Internet and financial system so deeply that this network will be locked out from commercial success. According to the theory of increasing returns, whoever gets to market first usually gets the market. (E) Even though the decentralized structure should help reduce exposure of the network-as-a-whole to harmful lawsuits and regulations, individual local providers may face sanctions from regulators of the FCC, state PUCs, national Telekom monopolies, etc. once they realize what's happening. (Operators of cypherpunk remailers endure similar risks.) The faster the system can be developed and deployed, with a large number of satisfied customers, the more widespread support it will have, the harder it will be to stamp out, and the safer life will be for everyone involved. It would be nice to be able to say "The Genie is out of the bottle." CW From jimbell at pacifier.com Thu Mar 7 16:30:30 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 8 Mar 1996 08:30:30 +0800 Subject: Bidzos on CNBC, discussing Leahy's Bill Message-ID: At 01:26 PM 3/5/96 PST, Jim Bidzos wrote: > >I'm in favor of the Bill because it specifically prevents, by law, the >US Govt from mandating key escrow. Justa sec! I thought it was the 1st amendment to the Constitution which was supposed to prevent mandatory key escrow. Why should you be happy about a law: A law which is made by Congress can be UNmade by Congress. >Also because it would, by law, >force export control of crypto out of the Dept. of State and into the >Dept. of Commerce, effectively allowing any crypto used in the US and >"widely available" to be exported. While I agree this segment of the bill may be an excellent result, there is no reason that we should have to tolerate the bad portions of this bill to get the good portions. >(The bill does a few other things. >One, it provides for criminal penalties for key holders who abuse >their role as an escrow agent, assuming anyone *chose* to use key >escrow. Which may, inadvertently, give the average individual the ILLUSION of protection. Remember, prosecutions occur because the GOVERNMENT wants them to occur; there is no such thing as a "private prosecution," unfortunately. I'm not particularly afraid of abuse by key escrow agents, because I have no intent of using one. >Second, it makes the use of encryption -any encryption- a >crime if used in the commission of or support of any criminal >activity. Having not read the bill, I can't know for sure, but I'd imagine that if the term "support" is in the bill, they define that term as broadly as they want to. Sorry, but I'm not satisfied. If an act is criminal, let's prosecute the act itself. Any attempt to prosecute USE of encryption must, essentially by definition, impute an INTENT to the user, an intent that the government will fabricate after-the-fact. The government will also use this law to keep themselves in business, as you probably understand I believe. >I think the bill would be better off without these >provisions, but I suspect this is an attempt to give the >administration something.) Let's give them NOTHING. The government is already hamstrung in their attempt to restrict encryption. I expect that nothing in this bill helps us out in any way. >I anticipate that the Administration, led by the intelligence and law >enforcement interests, will vigorously lobby against this bill... As surprising as this may sound, I hope THEY "win." Because that won't really be a win for them, and it won't really be a loss for "us." From owner-cypherpunks at toad.com Thu Mar 7 17:10:26 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 8 Mar 1996 09:10:26 +0800 Subject: No Subject Message-ID: On Thu, 7 Mar 1996, Duncan Frissell wrote: > However, a CA operating outside the licensing structure of current CA's > would have very low costs and hence no investment to lose in litigation. > Costs would be almost entirely marketing related and as long as you stayed > out of jurisdictions with some of the new CA law, no regulatory costs or > barriers. > I don't think this is definitional. If nothing else they can take the equipment. If you don't incorporate, your personal assets are at risk; if you do, you have to keep a real separation between the corporation and yourself, pay the taxes, etc. Ok, make it a non-profit labor of love; low risks, no returns, then maybe you are right. Just hope that there ar no punitive or large consequential damages, and no one pierces the corporate veil (unlikely, I admit, but not impossible). What law applies to a certificate used in a multi-jurisdictional transaction is less obvious to me than I would like. I think I have talked a student in my seminar into writing a paper to educate me. [The above may have been dictated with Dragon Dictate/Win 2.0 voice recognition. Be alert for unintentional strange word substitutions.] A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here. From owner-cypherpunks at toad.com Thu Mar 7 17:44:53 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 8 Mar 1996 09:44:53 +0800 Subject: No Subject Message-ID: Well, it turns out that (according to a nice person at SurfWatch who put up with the rant I mailed in and send back a denial rather quickly) io.com isn't actually blocked. At least, so they say. No comment on whether there's anything like the "25 complaints" policy. I don't own SurfWatch, but if anybody does and finds www.io.com blocked, I'll send in another rant. I wonder whether they've actually considered the liability situation in re: blocking sites that shouldn't be blocked? I mean, sure, they seem nice enough about setting things right (like with the Nynex sites whose url's had "xxx" in the paths), but it seems to this non-lawyer that a case could be made for damages inflicted by being known as a purveyor of filthy indecency for even a short while. ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * * suffering is optional From owner-cypherpunks at toad.com Thu Mar 7 17:47:35 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 8 Mar 1996 09:47:35 +0800 Subject: No Subject Message-ID: -----BEGIN PGP SIGNED MESSAGE----- someone wrote: >[homepage on IO] > >BTW, did you hear that IO got on the SurfWatch "bad list" because there >were more than 25 complaints about objectionable material in the io.com >domain. (Apparently, when SurfWatch hears more than 25 complaints >against a particular domain, the just deny access to the whole domain >rather than particular URLs.) A quick phone call to the Surf Watch people revealed that they rarely block whole domains, and that they are not currently blocking all of io.com. - -- mutant at compuville.com "They that can give up essential liberty to mutant at cypher.net obtain a little temporary safety deserve (send mail with Subject: neither liberty nor safety." send-pgp-key for PGP key) -Ben Franklin ~1784 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMT9NaH0ndmRPxibdAQFSJwQAtq/s1c+GZlHvgVOhNgM8Dseq0SQ+6L8U bx8FV0l85anNk+fjRnY5hD8RflHFeVzLis2yDmn8BLjYzVnHBEWBXXncpwg3okoQ FOMJJTZZbOec10ESy3pvRPwgie60IaR3qIcHUmUHRqbv5dOjgDg5GhYWeZ8rhCCN 0pisfaQBsVc= =qgSw -----END PGP SIGNATURE----- From warlord at MIT.EDU Thu Mar 7 17:57:08 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Fri, 8 Mar 1996 09:57:08 +0800 Subject: A brief comparison of email encryption protocols In-Reply-To: <199602292202.RAA19004@jekyll.piermont.com> Message-ID: <199602292208.RAA19010@toxicwaste.media.mit.edu> > Yes, but we have to assume that the need for central key servers would > go away if we had a way of distributing the data around, which would > reduce the problem substantially... Oh, of course the central keyserver model would disappear, but I'm still trying to design a system which is as compact as possible. -derek From perry at piermont.com Thu Mar 7 17:58:49 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 8 Mar 1996 09:58:49 +0800 Subject: A brief comparison of email encryption protocols In-Reply-To: <199602292139.QAA18366@toxicwaste.media.mit.edu> Message-ID: <199602292202.RAA19004@jekyll.piermont.com> Derek Atkins writes: > > is a URL just too big? My sigs are already several lines long. E.g., > > > > Key: ftp://ftp.clark.net/pub/cme/cme.asc > > IMHO, yes. Consider for a minute: there are currently about 20000 PGP > keys on the public keyservers. There are about 30000 signatures on > those keys. The keyrings are already 8MB or more. > > Now, consider adding a URL to every signature. Lets even use your > URL, which is 35 characters long (and lets not even count the NULL or > length byte). Adding this URL to 30000 signatures would add 1050000 > bytes, or just over 1MB. This is an increase in 12% of the keyrings! Yes, but we have to assume that the need for central key servers would go away if we had a way of distributing the data around, which would reduce the problem substantially... > On the other hand, using my method and your "URL" (clark.net) would > add only 10 bytes per sig, or 300k. This is only a 4% increase. By the way, a lot of this discussion should probably also be taking place on SPKI. Perry From perry at piermont.com Thu Mar 7 18:04:04 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 8 Mar 1996 10:04:04 +0800 Subject: A brief comparison of email encryption protocols In-Reply-To: Message-ID: <199602292135.QAA18937@jekyll.piermont.com> Carl Ellison writes: > At 15:54 2/29/96, Derek Atkins wrote: > >So, there needs to be a compromise, some shorthand method to describe > >the hint. One solution is to provide a "keyserver" type and then some > >string that says which "keyserver" to use. For example, if there is a > >DNS-style keyserver deplyed, I could put '1,"mit.edu"' in all my > >signatures, if we assume that '1' is the DNS-style keyserver code. > > > >I'm sure there are other possible solutions as well, and any real > >suggestions are welcome. > > is a URL just too big? My sigs are already several lines long. E.g., > > Key: ftp://ftp.clark.net/pub/cme/cme.asc URLs are nice, but I'm not quite sure they are sufficient in practice, though they are certainly theoretically sufficient. If I get a document from someone, and it is signed, I'd like to be able to get the key associated with the signature, and the URL is in theory enough to do that. However, going in the opposite direction -- retrieving a key associated with, say, a remote host's TELNET server, I'd like to be able to query a server ask much more flexible questions than an FTP URL would let me ask -- I might have a prefered public key system (RSA versus DSS or what have you), I might want to be able to distinguish between versions of the key, I might want to ask for all keys of a certain class, etc. In the end, we are probably going to need something in the way of key servers, which may (or may not) imply either a new type of URL or something other than a URL to do retrieval off of. Perry From owner-cypherpunks at toad.com Thu Mar 7 19:09:04 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 8 Mar 1996 11:09:04 +0800 Subject: No Subject Message-ID: > In a statement from Washington, the America's Carriers Telecommunication >Association says it "submits that it is incumbent upon the FCC to exercise >jurisdiction over the use of the Internet for unregulated interstate and >international telecommunications services." > "For example," adds the ACTA statement, "online service providers generally >charge users around $10 for five hours of access and then around $3 for each >additional hour. Five hours equals 300 minutes, divided by $10 is 3.3 >cents per >minute. The average residential long distance telephone call costs about 22 >cents per minute or seven times as much." It seems that once again, big business is trying to get in the way of progress and competition because they are afriad they are going to lose some money. It seems to me that the ACTA is upset because someone found a way to "do it cheaper" and the telco's stand to lose a lot of long distance dollars. So rather then using this technology and perhaps lowering LD rates, instead they seek to block out the technology from the public. I wonder what would happen if someone discovered an drastically cheaper alternative to gasoline, but it never made it main stream because the oil companies would go out of business. Seems like the same type of situation with the telco's. > Says ACTA, "Technology may once again be surpassing government's ability to >control its proper use. However, the misuse of the Internet as a way to >'by-pass' the traditional means of obtaining long distance service could >result in a significant reduction of the Internet's ability to transport >its ever >enlarging amount of data traffic." No, the technology is surpassing the telco's ability to provide low-cost communications. > Specifically, ACTA petitions the FCC to define the type of permissible >communications that may be effected over the Internet. Permissible communications? This sounds like something out of the CDA ... I say, just try and regulate it. I want to see the FCC try and monitor several million computer transmissions every day and see how well regulation works. Thomas J. Sawyer sawyer at nextek.com From adam at lighthouse.homeport.org Thu Mar 7 19:55:54 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Fri, 8 Mar 1996 11:55:54 +0800 Subject: crypto ++ where? In-Reply-To: <2.2.32.19960307063219.0097bc70@fitten95.residence.gatech.edu> Message-ID: <199603072325.SAA22694@homeport.org> Oscar Boykin wrote: | How can I obtain crypto++, I seem to have deleted the email I had | reguarding it. I've got a page of cryptographic libraries, with information comparing crypto++, cryptolib, the python crypto library and rsaref. It includes pointers to the software, what they contain, and other useful tidbits. I'm open to suggestions for improvement. www.homeport.org/~adam/crypto/ -- "It is seldom that liberty of any kind is lost all at once." -Hume From froomkin at law.miami.edu Thu Mar 7 20:19:05 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Fri, 8 Mar 1996 12:19:05 +0800 Subject: new netscape servers In-Reply-To: <199603072142.NAA16559@netcom7.netcom.com> Message-ID: My paper focuses on interstate. International is probably harder; on the other hand the parties are more likely to make specific provisions in their agreement about what law applies. A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here. From WlkngOwl at UNiX.asb.com Thu Mar 7 20:29:45 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Fri, 8 Mar 1996 12:29:45 +0800 Subject: Another Motivation for the CDA Message-ID: <199603080011.TAA13347@UNiX.asb.com> Note: This post is 100% free of crypto and conspiracy theories. My response to Tim: > >I think you're reading too much into motives, Tim. I don't think that > >most in congress are capable of thinking that elaborately, and besides, > >if someone is convicted of violating the CDA for saying "fuck" online, > >that is the type of felony that one can get a judge's waiver for... Jim Bell's response to mine: > I am NOT relieved at hearing this. If one must have a "judge's waiver," > then that means he probably can "request" whatever other conditions he > chooses to put on his waiver. The government still has a motivation to make Yes and no. Depends on the judge. Some are hard-assed about granting waivers, others aren't. Part of the problerm is that judges have too much discretion. Another is in the constitution, w/regards to right to vote (it can be denied to felons... I know a couple of people convicted of DWIs that can no longer vote... they just don't care enough to go to a judge and get a waiver.) Not that you would want to put faith in getting a waiver. I'm just critical of Tim's assertion/speculation that gun-control is related to voting for the CDA. Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From JonWienke at aol.com Thu Mar 7 20:45:58 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Fri, 8 Mar 1996 12:45:58 +0800 Subject: TCP/IP Stego (was CU-SeeMe) Message-ID: <960307191318_240274129@mail04.mail.aol.com> >A tcp header contains quite a bit of useful information.. but most of it >wouldnt be easily manipulated (by me) to get a bit. You cant very well >alternate the port number you are using, or change the packet sequence >numbers. However, the tcp protocol forces each tcp header to contain a >'checksum' field.. which is (more or less) the sum of all the octets in >the packet. This is used as error correction for the protocol. It >shouldn't be too difficult to force TCP to fiddle with the data in the >packet a bit to force the checksum to be a particular sort of thing (i.e. >even or odd number) .. 0 for even and 1 for odd would get us our one >bit of data per packet. This is a bad idea, because in addition to the extra processor overhead, it is an incredible waste of bandwidth. For a 512 byte packet, you are only getting .02% efficiency, because you wouldn't be able to use the actual data in the packet; otherwise someone would probably notice the increased error rate if you dink around with the checksum. This does not provide adequate plausible deniability. Stegoing a 16 bit WAV file gives you 50% efficiency, (you can replace the 8 least significant bits with stego data and still keep 10 bits worth of sound quality) and someone else would be unable to prove there was any encrypted info in it if you did it right. Jonathan Wienke From lmccarth at cs.umass.edu Thu Mar 7 21:05:37 1996 From: lmccarth at cs.umass.edu (lmccarth at cs.umass.edu) Date: Fri, 8 Mar 1996 13:05:37 +0800 Subject: (Fwd) Gov't run anon servers In-Reply-To: Message-ID: <199603042306.SAA15164@opine.cs.umass.edu> Hal writes: # The passphrase is in PLAINTEXT in the script file # which runs the remailer!. It has to be. That is true of all automated # remailers. Jim Bell writes: > Maybe I just don't know much about automated remailers, but I don't > understand why you said that the passphrase "has to be" in plaintext in the > script file. I find this hard to believe. While I am far from an expert on > cryptographic matters, I would assume that any received attempt at a > password could be securely hashed (128 bits?) and compared with a pre-stored > hash value. If it's the same, it's assumed that the password was correct. > > What's wrong with this? For the less sophisticated remailer software that uses variable-size messages and (optionally) PGP, the remailer script needs to feed the plaintext passphrase into PGP to decrypt the remailer's private PGP key. Mixmaster, which includes its own set of crypto routines (currently using RSA with 3DES as I recall), allows you to compile the private key passphrase into the executable, and wipe out the source code. This obscures the passphrase plaintext from (very) casual observers. The fundamental problem AFAICS is the difficulty of getting a program to keep a secret from an observer. If the program doesn't actually _use_ the secret (in the way that the secret is useful, e.g. as the basis for a symmetric key), then it seems you can attain an arbitrary level of "security through obscurity", because you can encode the secret however you want in the code. But if a program is capable of possessing and using the secret without human intervention, then anyone with a copy of the program can do the same. Bottom line: if you can crack (say) the 8-character Unix passphrase for a remailer account, you have full access to the remailer's secrets and all the opportunities that presents. Good remailer account passphrases are important. -Lewis "You're always disappointed, nothing seems to keep you high -- drive your bargains, push your papers, win your medals, fuck your strangers; don't it leave you on the empty side ?" (Joni Mitchell, 1972) From jimbell at pacifier.com Thu Mar 7 21:05:39 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 8 Mar 1996 13:05:39 +0800 Subject: Assassination Politics 9! Message-ID: At 12:13 PM 3/3/96 -0500, John Young wrote: >On Mar 03, 1996 10:57:14, 'nobody at REPLAY.COM (Anonymous)' wrote: > > >>Just because you two aren't interested, doesn't mean others aren't. >>Work is actually in progress in implementing such a system. > > >The Economist of March 2 has a cover story on state, church and private >terrorism, the effectiveness and failures of each, the arguments and >apologies, the savages and the victims, the lucrative concocting of >imaginary enemies -- military, religious, political, personal. > >It's conclusions are ... well, have a read and dread how the Demon Trio of >state, church and private super-righteous sub-humans will murder you and >your loved ones next to fulfill their blind ambitions. Well, I'm not particularly interested in how the Establishment is going to demonize those who would seek its eventual downfall. While I probably wouldn't have any argument against complaints about "state and church terrorism," I really doubt whether the so-called "private terrorism" you mention above qualifies. Most traditional "terrorism" (as least "traditional," by the standards of the last 20 years) is thought to involve relatively unfocussed attacks against people and locations, but in situations where attacks against selected government officials would be far more selective and effective. Naturally, those same officials wouldn't approve of replacing a scattershot technique with one that targets them more directly. Since I propose exactly that kind of replacement, I am presumably not the most ingratiating figure to these people. From tcmay at got.net Thu Mar 7 21:23:45 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 8 Mar 1996 13:23:45 +0800 Subject: Not a good idea... Message-ID: At 10:35 PM 3/7/96, owner-cypherpunks at toad.com wrote: >I wonder whether they've actually considered the liability situation >in re: blocking sites that shouldn't be blocked? I mean, sure, they >seem nice enough about setting things right (like with the Nynex sites >whose url's had "xxx" in the paths), but it seems to this non-lawyer >that a case could be made for damages inflicted by being known as a >purveyor of filthy indecency for even a short while. We need to be very careful here. A service like "SurfWatch," voluntarily used by others, has entered into no contracts with sites to meet defined standards of what should and shouldn't be blocked. It is essentially a "review" service, like a reviewer of books, movies, restaurants, etc. Sure, some books, movies, and restaurants are "hurt" by negative reviews, but this is life in a free society. It has not yet reached the point in these Beknighted States that a bad review can be the basis of a tort (though I could be wrong...nothing would surprise me these days). Let me use myself as an example. "TimWatch" offers to inform people of sites he thinks are not desirable for them to visit. I freely admit that my criteria are imperfect, and people can choose to follow my advice or not follow my advice. I may even sell a software package ("TimWatch") to let users screen sites at their own machines. Now, do we as Cypherpunks really think TimWatch or SurfWatch should be liable for "damages" because someone got their feelings hurt? Absent a contract, spelling out the performance expected, of course not. If SurfWatch can be sued for a "bad review," then Siskel and Ebert had better find a new line of work. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jimbell at pacifier.com Thu Mar 7 21:24:28 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 8 Mar 1996 13:24:28 +0800 Subject: Anonymous remailers and Leahy bill Message-ID: Note to the rest of you: Observe how Mr. Peterson carefully avoids quoting any material that was contained in my notes to him. This makes his failure to respond to my points less clear. This is entirely intentional on his part. At 03:51 PM 3/7/96 -0500, A. Padgett Peterson P.E. Information Security wrote: >Understand though I feel no obligation to assist you in disagreeing 8*). While technically correct, that comment was bullshit (at least as applied to my previous commentary) and you know it. I've NEVER asked to be "assisted" in freedom; that's not what I'm complaining about. I think it's clear you can't distinguish between "assisting" and "failing to prohibit." Try again. >Personally, I believe that this country is stronger than any individual >(or individual congress). Silly truism. What does this mean, anyway? >I do disagree with your concept of assasination politics in that is is not >only "overkill" but a violation of *their* rights. Who, exactly, are you referring to when you say "*their*"? rights? An innocent citizen, unaffiliated with government? Or somebody who violates my rights, steals my money to do it, etc. It's not surprising that you weren't more clear. > To me is is enough >to simply remove a person from the ability to apply power in a way that >would irritate me. They can always resign first. Nothing in the system I describe prevents this. It _may_ save their lives. >In an electronic world this is relatively easy. Problem is, we don't yet live in "an electronic world." Or, at least, our freedom is dependant on being able to deal with others in the non-electronic world. And the government thugs of the world are busily trying to keep Internet from staying relatively free of controls and coercion. >As for crypto, I feel that the government's desires are irrelevant since >they lack the ability to control or even to detect it if we choose to >hide it. That's a dangerous position to take. When a law is on the books that the police can't easily enforce, they generally only enforce it against the people they perceive as being their enemies, and are worth spending the time to harass. >Certain things I would like to do internationally would be easier if the >US would clear the way with other nations (like France) first. In exchange >I am willing to use key escrow (if powerful enough) so long as I hold >my own keys. Huh? What does this comment mean? I wouldn't trust "key escrow" EVEN IF I was the only one to "hold the keys." The reason is simple: When I make a crypted telephone call, I was the session key used to evaporate the instant the call ends. I don't want to allow the government to try to coerce me into revealing "my keys" because if there is no reason to keep those keys, they should not be kept. Simple. >None of this has anything to do with my personal agenda except peripherally >other than I tend to take a very long view of things and prefer to exert >gentle pressures to get there. In other words, you're as spineless as a jellyfish. I prefer methods more likely to get results. And when it's RIGHTS we're talking about, I will not hesitate to punish people who violate them. > Secure E-Mail is a task that I expect to >take about 2-3 years of my time and 5 years to reach completion. If this >happens sooner, fine. I do not expect it to take longer since I expect to >have other interests by then. Which means that you have no persistence nor sense of priorities. Five years from now and the "war" will probably be over. >Your postings assist me with this. Thank you. No, my postings show how silly your postings are. BTW, "reverse psychology" doesn't work on anyone above the age of five or so. Jim Bell jimbell at pacifier.com Klaatu Burada Nikto From frantz at netcom.com Thu Mar 7 22:12:01 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 8 Mar 1996 14:12:01 +0800 Subject: SurfWatch Message-ID: <199603080236.SAA17345@netcom7.netcom.com> At 6:59 PM 3/7/96 -0800, Timothy C. May wrote: >If SurfWatch can be sued for a "bad review," then Siskel and Ebert had >better find a new line of work. As long as a reviewer corrects errors, as SurfWatch seems to be willing to do, I think they are relativly suit-proof. If they don't, well - anyone can be sued for anything. I'll let the lawyers comment on the possibility of success. Does anyone know the protocol SurfWatch uses to communicate their ratings to the software that runs in individual's PCs? Does it allow monitoring browsing patterns? Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From cwalton at jovanet.com Thu Mar 7 23:21:51 1996 From: cwalton at jovanet.com (cwalton at jovanet.com) Date: Fri, 8 Mar 1996 15:21:51 +0800 Subject: remailers, govmnts, and the Co$ Message-ID: <9603070107.AA10247@toad.com> It's one thing that the government runs remailers and they're just really not nice for doing that and all, but what about other people/organizations? I applied for a job at Earthlink in Los Angeles last year, around may or june. they had been small ISP, but growing fast. they were established by a 24(?) yr old wizz kid named Sky about july or so of 1994 and were hiring. they had given me great service aand i was excited about getting into 'the business'. I went for an interview and talked with the 3 VPs at the time. I did not talk to sky, the owner. first guy tells me they are running the biz based on the principles of the church of scientology. humm.. hands me a huge book published by them. i read the inscription in the front. "To Sky, happy birthday, love dad". this guy says he's in the Co$. I talk to the next 2 guys. they have been hired from all over the country, moved out here and they both tell me they are in the Co$ too. all 3 VP and the "owner" are tied into the Co$. i turned down their offer and got another ISP. I thot back. the thing with anon.penet in finland and the Co$ had been a couple months before Earthlink started into business. I have watched them grow incccedibly fast with a huge advertising budget. Read a Wired magazine or any other computer mag. they're advertising in it. they've gone national. they're everywhere. Does Earthlink exist as a reaction to the net controversy and the Co$? I donno. Are they really owned by the Co$? I donno. Does the Co$ have access to all the mail that comes across their servers? i donno. Am I gonna get sued because of this note? I donno. are you listening? Conrad Walton http://www.industrial-artworks.com/ --------------------------------------------------------------------------- --- INDUSTRIAL ARTWORKS | POB 2815, El Segundo, CA 90245 | 1-310-640-3365 From astro at clover.cleaf.com Thu Mar 7 23:32:25 1996 From: astro at clover.cleaf.com (Tom Hallgren) Date: Fri, 8 Mar 1996 15:32:25 +0800 Subject: Life, The Universe, and Everything Message-ID: <01BB0C76.5FEC0C40@dial4txk.cleaf.com> hey... everyone else has decided to annoy me with their test messages, so I have decided to hop on the annoy the hell out of everyone bandwagon. yah, i know this is gonna make it to the real world, but what do you think of my signature? it was lined up on the note pad but it looks like crap in MS Exchange (but then again so do all of yours.. hehe). �������Ž������Ž�����������Ž������Ž��� � Tom Hallgren, freelance misanthrope � � (903)792-9836 � � astro at clover.cleaf.com � �"All men are intrinsical rascals, and I� � am only sorry that not being a dog I � � can't bite them." � � --Lord Byron � ���Ž������Ž�����������Ž������Ž������� From mccoy at communities.com Fri Mar 8 00:27:46 1996 From: mccoy at communities.com (Jim McCoy) Date: Fri, 8 Mar 1996 16:27:46 +0800 Subject: TCP/IP Stego (was CU-SeeMe) Message-ID: JonWienke at aol.com writes: >>A tcp header contains quite a bit of useful information.. but most of it >>wouldnt be easily manipulated (by me) to get a bit. [header checksum >>twiddling...] > >This is a bad idea, because in addition to the extra processor overhead, it >is an incredible waste of bandwidth. For a 512 byte packet, you are only >getting .02% efficiency, because you wouldn't be able to use the actual data >in the packet; otherwise someone would probably notice the increased error >rate if you dink around with the checksum. I think that the original poster meant twiddling some of the (relatively) unused fields of the header which most routers and applications do not care about, the type-of-service field or priority would good place to start. This would have no effect on the data in the packet, particularly if you fiddle at the IP level instead of TCP. While it is a low bandwidth comm channel, it has a couple of advantages which you seem to overlook: -It can be applied by two routers which are in the middle of the connection. The two endpoints of the TCP/IP connection would not even notice. For example, if I control a router "upstream" of a major connection point and the site I wish to communicate with is in a similar position then I can run the subliminal channel in a "spread spectrum" mode across many connections and the packets can get reset to their original settings by the other site. The user whose stream we fiddled with does not even know that they were used as carrier wave... -While the per-packet information rate is low, such a system has a _lot_ of packets to work with and a much larger choice of endpoints. Your hypothetical .WAV file may pack more information in, but there are a miniscule amount of such files moving on the Internet; just by transmitting such a file you could be suspect (honestly, how many soundfiles do you think you could ship around before people get suspicious...) By hiding the information in the lower layers of TCP/IP you also make it less likely to be noticed; unless someone hooks up a packet sniffer and filters at the IP level the stream will go unnoticed, while a soundfile is an application-level communication and much easier to watch. It is, in effect, hiding the channel in the low-order bits of the comm channel used to transmit your soundfile... -An application encoding method (pictures,soundfiles, etc.) also needs a "reason" for being sent. You can legitimately send packets for no reason whatsoever, at least from the users perspective (e.g. DNS lookups, ICMP messages, faked fragments, etc.) A packet system also has a constant stream of traffic to play with; you could run TCP/IP _on top of such a system_! Passing soundfiles and images back and forth would not work for interactive communication, it is UUCP at best. jim From perry at piermont.com Fri Mar 8 00:37:53 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 8 Mar 1996 16:37:53 +0800 Subject: ANTI-CRYPTO CYPHERPUNKS In-Reply-To: <199603080239.SAA00668@jobe.shell.portal.com> Message-ID: <199603080543.AAA12484@jekyll.piermont.com> We can understand why it is that you would want to remain anonymous, as the embarassment of being associated with your ideas is probably too much to bear.... anonymous-remailer at shell.portal.com writes: > B. Schneier: bs208 at newton.cam.ac.uk, schneier at counterpane.com > M. Blaze: mab at crypto.com, mab at research.att.com > J. Bizdos: jim at rsa.com > S. Safaddar: shabbir at vtw.org > D. Weinstein: djw at vplus.com > P.. Peterson: padgett at hobbes.orl.mmc.com > > I wish to point out that some of these people are just probably misguided > and should be educated not hurt. A full mail spool is educatio[nal but > but it would IMHO be wrong to do mailbombing the postmaster or hacking > their accts etc. Give them a chance. > > From djw at vplus.com Fri Mar 8 00:40:49 1996 From: djw at vplus.com (Dan Weinstein) Date: Fri, 8 Mar 1996 16:40:49 +0800 Subject: Leahy bill nightmare scenario? In-Reply-To: Message-ID: <313fceb9.6819979@mail.vplus.com> On Wed, 06 Mar 1996 16:59:36 -0800, you wrote: >At that point, Bob is GUILTY of violation of the Leahy bill, because his=20 >encrypted anonymous remailer: > >1. Uses encryption to thwart message tracing, and thus the "criminal=20 >investigation." > >2. Bob has already been informed that his system will be used for illegal= >=20 >purposes; the cops have the messages to prove he has been told. He's GUILTY= >=20 >GUILTY GUILTY, he will definitely lose the system and possibly whatever=20 >residence it runs in, and will probably have to pay a huge fine to boot.=20 This is not my understanding. I believe that Bob has to be commiting a felony himself before they can get him under the current phrasing. Dan Weinstein djw at vplus.com http://www.vplus.com/~djw PGP public key is available from my Home Page. All opinions expressed above are mine. "I understand by 'freedom of Spirit' something quite definite - the unconditional will to say No, where it is dangerous to say No. Friedrich Nietzsche From merriman at arn.net Fri Mar 8 01:31:33 1996 From: merriman at arn.net (David K. Merriman) Date: Fri, 8 Mar 1996 17:31:33 +0800 Subject: ANTI-CRYPTO CYPHERPUNKS Message-ID: <2.2.32.19960307184349.006816e8@arn.net> -----BEGIN PGP SIGNED MESSAGE----- At 07:05 PM 03/7/96 -0800, you wrote: >This is the first in a regular series of postings of cypherpunks >who have joined big brothers fight to deprive you from Unescrowed >Crypto. ... ... A: Who fucking died and made you God? B: Give it a rest. You're getting annoying. C: Fuck off. I decide for myself what the 'value' of these people is in my life. As it stands right now, their horsepower rates higher than yours by a factor of about a billion to one. My apologies to the CP list for this - lots of late nights and little sleep tend to make me less tolerant of bullshit than usual. Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMT8RpMVrTvyYOzAZAQH4kAQAh4w6YEknXtc/yWHRfh+l1lUdvZKgKswh EX3EMhI4b5A5JB9zRDCG0GbnzqA4UHANQOvtDqSKvOnCvDsMOqo0cUv9QxWyes2x v0ElHSXxuuIeMX1vsM0oJbFlfEiXjU0/KMcKUOppQFvpJ7+xzV9Ag/PD3FGTsCrP VYdvI9/86Ns= =F0Da -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> For privacy tools: http://www.geocities.com/capitolhill/1148 From frantz at netcom.com Fri Mar 8 01:55:30 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 8 Mar 1996 17:55:30 +0800 Subject: Vexatious Litigants (was: SurfWatch) Message-ID: <199603080708.XAA25178@netcom7.netcom.com> At 10:29 PM 3/7/96 -0800, Timothy C. May wrote: >My point was that "opinions" (such as movie reviews) are not "tortable" >(don't know the legal name), unless specific inaccuracies can be >demonstrated, and even then it is hard. Siskel and Ebert have undoubtedly >destroyed the box office prospects of many a movie with their "thumbs down" >diss of death, but I know of no successful (or even adjudicated) lawsuits >on this basis. I agree fully so far. However, when your TimWatch software takes action based on your opinions, you may have crossed the line between speech and action. Since you made the decision, rather than just provided an opinion, you might, in our current legal climate, have caused a tort. It would be interesting to see if a HIV positive teen could sue SurfWatch because it blocked him from getting information on safe sex. IMO our society has tilted too far away from caveat emptor toward "it's someone else's fault". People who let a machine censor their data deserve what they get. Parents who consistantly hide reality from their children, instead of helping them learn how to deal with it, are crippling their children. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From JonWienke at aol.com Fri Mar 8 02:17:18 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Fri, 8 Mar 1996 18:17:18 +0800 Subject: No Subject Message-ID: <199603080728.CAA23535@emout05.mail.aol.com> d 96-03-07 20:19:12 EST, you write: >Because the drive is portable. You can place an easily concealled two-pound >135 Mb drive in a briefcase or backpack and have a travelling MixMaster >site. Here today, there tomorrow, someplace else the next day. Makes the >whole system a real problem for the security types to track down. > Why not just put an IDE/SCSI EZ drive in a Pentium laptop with an ISDN or 28.8K modem? That would be the ultimate in portability; you could still hide the whole thing, or remove the cartridge and destroy it fairly quickly if necessary. That would give you the best of all worlds. However, no matter where you are physically located, you have to have an account with somebody somewhere to get Internet access. If the gov't wants you out of business, they can cancel your ISP account or revoke your domain name and shut you down that way. I suppose it would be harder for them to prosecute you if they didn't know where you were, though... Jonathan Wienke From WlkngOwl at UNiX.asb.com Fri Mar 8 02:17:29 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Fri, 8 Mar 1996 18:17:29 +0800 Subject: Another Motivation for the CDA (Federal Sentencing Guid Message-ID: <199603080737.CAA10760@UNiX.asb.com> tj_lists at prado.com wrote: > Couldn't help noticing this, presume you mean Federal Judges since the > waiver would be from aspects of GCA 1968, a Federal law. The fact is, at > least in sentencing, Federal Judges now have very little discretion. The > Federal Sentencing Guideline structure established in the 1980's provides > "guidelines" for a given defendant convicted of a given set of charges. Things That aside, in running trials and in many other little things both federal and non-federal judges have too much leeway in deciding what evidence can be admitted, in some of the sentencing details and in various forms of punishment and restitution, etc. But yes, you made a good reminder point about mandatory sentencing. Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From declan+ at CMU.EDU Fri Mar 8 03:13:00 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Fri, 8 Mar 1996 19:13:00 +0800 Subject: U.S. State Dept criticizes Chinese net-censorship Message-ID: The U.S. State Department's Human Rights Report for 1995 talks about restrictions on new media in China, pointing out that Internet access is now limited. How ironic that the U.S. Government would report that "government limits on Internet access" will harm the medium's growth -- while our _own_ government is imposing similarly suffocating regulations domestically. I draw small comfort from the fact that, as censors, we're not quite as accomplished as those in China or Zambia: http://www.cs.cmu.edu/~declan/zambia/ http://fight-censorship.dementia.org/top/ -Declan ---- U.S. State Department Human Rights Report gopher://dosfan.lib.uic.edu/0F-1%3A23308%3AChina In many respects, Chinese society continued to open up: greater disposable income, looser ideological controls, and freer access to outside sources of information have led to greater room for individual choice, more diversity in cultural life, and increased media reporting. Although the sale and use of satellite dishes are tightly regulated, satellite television broadcasts are widely available, particularly in coastal areas. Telephone and facsimile communication is also extensively used. In many cities, the introduction of commercial Internet service promoted access to international sources of information. At year's end, however, new government limits on Internet access threatened to halt the growth of Internet use. In addition, new controls on reporting economic information introduced doubts about the Government's commitment to freedom of information. Government control of news media generally continues to depend on self-censorship to regulate political and social content, but the authorities also consistently penalize those who exceed the permissable. ### From jrochkin at cs.oberlin.edu Fri Mar 8 03:26:57 1996 From: jrochkin at cs.oberlin.edu (Jonathan Rochkind) Date: Fri, 8 Mar 1996 19:26:57 +0800 Subject: Anonymous remailers and Leahy bill Message-ID: At 5:22 PM 03/07/96, jim bell wrote: >Wouldn't help "Bob" in the least. And you didn't read what I wrote very >carefully, either: Notice that I said, "under a different name." In other >words, the source of the note does not identify the user name under which >the illegal activity is promised to occur. Cancelling this particular >fellow's account does NOTHING to prevent the illegal activity from >occurring by other, unidentified users, and "Bob" knows it. How is this differnet then me calling up AOL and saying "Using a friend's account whose password I have, I'm going to send child pornography out to many people sometime tommorow"? I don't know if it is or not, but hopefully it's the same. As long as anonymous remailers are legally identical to ISPs, I think we don't have to worry too much becuase ISPs are now serious money-making businesses with lots to spend on lobbying and legal fees, and will fight any laws that effect them such. Whether this Leahy bill is passed or not, clearly AOL is not going to quietly shut down their entire company after receiving such a phone call. And they can't really do anything to stop the theoretical next-day child porn mailing either. [If you like, have the phone caller threaten to send out encrypted child porn, just to make it more perfect an example.] So it would be beneficial to present anonymous remailers as just another sort of internet service provider. And we only really have to worry when there are laws that seem to apply to anon remailers but not AOL. From wlkngowl at unix.asb.com Fri Mar 8 03:27:22 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Fri, 8 Mar 1996 19:27:22 +0800 Subject: Fractals, Cellular Automata, and Encryption Message-ID: <199603080056.TAA23869@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Interesting point. I've dabbled with CA a little bit, though not in terms of crypto. I think at best CA can be used for stream ciphers... and a big problem is that people assume it's a totally new form of computing, when in fact it's only a different form, and anything that can be done with a conventional formula-based scheme can be done with CA and visa- versa... the pitfall is that one can get all caught up in how chaotic CA behaves and lose sight that the same thing can be done in a formula, and that possibly it can be easily broken. Fractals are interesting. I've thought about using the Julia-set iterations as a form of crypto (or for that matter, recursive methods in general)... maybe a kind of block cipher that works with complex numbers, but using the words as fractions rather than whole numbers. Perhaps using 64-bit binary fractions, and iterating X = X^2 + C, where the iteration count and C are keys... using the result as a kind of stream cipher. Problem is it would be slow on most machines. I've also thought about genetic algorithms. An interesting ideal would be a genetic algorithm that operated on plaintext, key, ciphertext but would be self-analyzing and evolve itself in ways to make cryptanalysis difficult. - --Rob - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMT+FpSoZzwIn1bdtAQHg9QF+OhSfJi0WIPB1Lqg5ne7f8mYYvow7yl5k 0gJh0KHaCEJZUcwhmRZ1uWlDlExcx+Q/ =sgLv -----END PGP SIGNATURE----- From stewarts at ix.netcom.com Fri Mar 8 03:30:14 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 8 Mar 1996 19:30:14 +0800 Subject: Vexatious Litigants (was: SurfWatch) Message-ID: <199603080907.BAA23787@ix9.ix.netcom.com> At 10:29 PM 3/7/96 -0800, the TimWatch service posted: >Opinions are opinions, and a free society has no business suppressing >opinions by use of torts. (Another related area is the use of torts to halt >public comment on controversial development plans. These are called "SLAPP" >suits--"Strategic Lawsuits Against Public Participation." For example, >where AT&T sues "the Cypherpunks" to shut them up about their anti-Clipper >feelings. Some judges are awarding large damages to the groups hit with the >SLAPP suits.) Hey, give The Big Phone Company a break - they did just stop pushing Lotus Notes (I don't remember if they were providing the latest espionage-enabled verstion or just the one previous to it.) Of course, their decision wasn't based on Lotus's selection of GAK; it was more related to their success in selling this high-mainenance service, which may also be related to Lotus's decision to try to increase their foreign market...... #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # From stewarts at ix.netcom.com Fri Mar 8 03:31:05 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 8 Mar 1996 19:31:05 +0800 Subject: Square pegs in round holes, matchmaking, corporate mailservers Message-ID: <199603080906.BAA23766@ix9.ix.netcom.com> At 10:12 AM 3/7/96 -0800, Hal Finney wrote: >I don't think this satisfies the requirements. Once Bob calculates H' >and sees that it matches H, he knows that Alice likes him, but Alice >doesn't know that he likes her. The whole point of the protocol was to >be fair. Bob must only learn that Alice likes him if Alice is guaranteed >to learn that he likes her. Hmmm, you're right - Bob still has the choice at the end to reveal or not reveal to Alice that he was the one who sent the note. Back to the drawing board. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # From tj_lists at prado.com Fri Mar 8 03:54:50 1996 From: tj_lists at prado.com (tj_lists at prado.com) Date: Fri, 8 Mar 1996 19:54:50 +0800 Subject: Another Motivation for the CDA (Federal Sentencing Guidelines) Message-ID: <199603080947.BAA21810@zoe.prado.com> ** Reply to note from Deranged Mutant 03/07/96 7:06pm +0000 > Yes and no. Depends on the judge. Some are hard-assed about granting > waivers, others aren't. Part of the problerm is that judges have too ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > much discretion. ^^^^^^^^^^^^^^^^^ Couldn't help noticing this, presume you mean Federal Judges since the waiver would be from aspects of GCA 1968, a Federal law. The fact is, at least in sentencing, Federal Judges now have very little discretion. The Federal Sentencing Guideline structure established in the 1980's provides "guidelines" for a given defendant convicted of a given set of charges. Things like prior offenses add "points", ratting on your friends takes away "points". In this case less is better than more. Anyway, a low level bureaucrat fills out a presentence investigation report on the basis of complicated, arcane rules it is easy to get wrong. This report goes to the judge who can pass sentence only within a narrow range, say 6 months 1 way or the other on a 5 year sentence (very few new Federal "crimes" carry less than this). Any departure from this range, either upward or downward, must be justified in a formal opinion, & can be appealed by either party. Very few judges bother. This system is cookie cutter in-justice at it's finest, & only a lack of bureaucratic imagination has prevented it from being computerized beyond the use of word processors to write the report. Since well over 90% of Federal Criminal cases end in guilty pleas, this method has the effect of transferring discretion that formerly belonged to the judge to the prosecutor, who gets to pick from a variety of charges covering the same offense, and the low level flunkey who gets to fill out the forms. This is exactly the big problem with the new "crime" of using encryption in a felony in the Leahy bill. Assuming for a moment this new law is tailored very narrowly & is only used on people who 1. Commit without governmental entrapment an underlying felony. 2. Exclusively use encrypted traffic in direct furtherance of the underlying felony, (example: murder for hire is negotiated via encrypted messages) there still remains the fact that this is simply another tool of prosecutorial discretion, of which there is way to much already. The problem with prosecutorial discretion is that it is always used to encourage snitching, turning this country into a nation of Pavel Mozorov's (12 year old Hero of the Soviet Union who ratted out his parents to the Cheka for concealing a pig from collectivization. His uncles did as should be done in such cases & cut him up with an axe). However, I do agree that in setting conditions other than fines & prison time, Federal Judges do have too much discretion. Chris Lambert (mthreat, Minor Threat) a 21 year old Austin cracker now doing time in Bastrop FCI, as part of his sentence is forbidden to own or work with any computer w/ modem or network card/connection. This of course is to apply after he gets out. Traditionally, counterfeiters, who come from the ranks of printers, merely have to report to their parole officer & get his ok in order to own or go to work for a print shop. cc: cypherpunks at toad.com mthreat at paranoia.com From infsuphw at ix.netcom.com Fri Mar 8 03:58:42 1996 From: infsuphw at ix.netcom.com (Jack Vonderheide ) Date: Fri, 8 Mar 1996 19:58:42 +0800 Subject: Who is DCS? (was "Finding Married Women} Message-ID: <199603041640.IAA11672@ix6.ix.netcom.com> This is in response to the many e-mails I have received on this subject: 1. I am a consultant that works with major banks in the fraud prevention and due diligence areas. 2. I have no connection whatsoever with DCS or any member of its management. 3. Last week (2/26) I made a personal visit to DCS' offices near Dallas for the purpose of learning more about their offerings. 4. VERY BRIEFLY, DCS has assembled a database with in excess of 200 million records. The database is searchable by any criteria or combination of criteria. As an example, if you wanted to know all Janes that were born on 03/01/42, you can simply ask the system for that information and you get it. If you wanted to know everyone with the last name Williams that lives in zip code 90210, same deal. 5. There is a wide variety of information available, including full DOB, physical description, SSN, address, phone number. 6. What I found particularly attractive about this service is the pricing scheme. There is a one-time charge of $195 to establish an account. Thereafter, you only pay for what you access. A nationwide search is $5.00 and returns up to 100 matches. If you want a full report on one of the "hits" that will return everything but credit header information, it costs an additional $4.00. Credit header information costs another $6.00. So, for $15.00, you get everything without paying any monthly fees or "time online" charges. However, if none of the "hits" look promising, you've only spent $5.00. 7. DCS can be reached at 800-299-3647 or 214-422-3600. Contact's name is Andy. From uunet!in2.uu.net!news.iag.net!newsboy.utelfla.com!news.utelfla.com!gslinkr.pop at warwick.com Fri Mar 8 04:02:08 1996 From: uunet!in2.uu.net!news.iag.net!newsboy.utelfla.com!news.utelfla.com!gslinkr.pop at warwick.com (Brett) Date: Fri, 8 Mar 1996 20:02:08 +0800 Subject: Alabama - the Internet JobLocator - test Message-ID: <26Mar96135125mtc@gslinkr.pop> Welcome to the Internet JobLocator http://www.joblocator.com/jobs/ Now Providing Instant NewsGroup Posting ______________________________________________________ Ad # : 2333 Date : March 06 1996 Category : Accounting/Bookkeeping Company : TOL Position : test Salary Range : test Contact : Brett Phone # : test Fax # : test Email Address : mtc at gslink.net Street Address : test City : test Country/State : Alabama Zip Code : test Fee Req. : No Contract Position: No Job Description testtesttesttesttest test testtesttesttesttest testtesttest testtesttesttest testtest testtesttesttest End Job Post (C) Copyright Travelers On-Line 1996 From nobody at REPLAY.COM Fri Mar 8 04:29:38 1996 From: nobody at REPLAY.COM (Anonymous) Date: Fri, 8 Mar 1996 20:29:38 +0800 Subject: No Subject Message-ID: <199603081057.LAA24365@utopia.hacktic.nl> Subject: Unproductive punks (was ANTI-CRYPTO CYPHERPUNKS) anonymous-remailer at shell.portal.com wrote: > > This is the first in a regular series of postings of cypherpunks > who have joined big brothers fight to deprive you from Unescrowed > Crypto. Some of these pigs have come out in favor of the new anticrypto [..] Fuck you. This is bullshit FUD. If you really feel that this bill would make escrow mandatory, do some work to have the wording fixed rather than attack other people on the list... [..] > A few megabytes an hour of email from real cypherpunks/patriots Mailbombing people who don't agree with you will do nothing to affect the wording or passage of the bill. (And damned if I'd be called a "patriot"....) From nobody at REPLAY.COM Fri Mar 8 04:30:09 1996 From: nobody at REPLAY.COM (Anonymous) Date: Fri, 8 Mar 1996 20:30:09 +0800 Subject: No Subject Message-ID: <199603081054.LAA24235@utopia.hacktic.nl> Subject: Unproductive punks (was ANTI-CRYPTO CYPHERPUNKS) anonymous-remailer at shell.portal.com wrote: > > This is the first in a regular series of postings of cypherpunks > who have joined big brothers fight to deprive you from Unescrowed > Crypto. Some of these pigs have come out in favor of the new anticrypto [..] Fuck you. This is bullshit FUD. If you really feel that this bill would make escrow mandatory, do some work to have the wording fixed rather than attack other people on the list... [..] > A few megabytes an hour of email from real cypherpunks/patriots Mailbombing people who don't agree with you will do nothing to affect the wording or passage of the bill. (And damned if I'd be called a "patriot"....) From romina at canaa.usma.ac.pa Fri Mar 8 06:52:48 1996 From: romina at canaa.usma.ac.pa (Asesor de seguridad) Date: Fri, 8 Mar 1996 22:52:48 +0800 Subject: Restricted Bourne Shell Message-ID: In AIX exist a Rsh (Restricted Bourne Shell), that mean you can not go out of your account, or you can not be around and see everything in the server. Does anyone know's about in LINUX, or something that could restrict a user???... From PADGETT at hobbes.orl.mmc.com Fri Mar 8 07:04:26 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Fri, 8 Mar 1996 23:04:26 +0800 Subject: Quotations Message-ID: <960308091758.202098c7@hobbes.orl.mmc.com> Mr. Bell posted: >Note to the rest of you: Observe how Mr. Peterson carefully avoids quoting >any material that was contained in my notes to him. This makes his failure >to respond to my points less clear. This is entirely intentional on his part. The reason I avoided references is that the E-Mail in question was sent off line to him personally. Fortunately I do not expect others to respect that so avoid saying anything that cannot be made public. However in such cases I do not feel any need to requote everything I am responding to. Warmly, Padgett From uunet!in2.uu.net!newsfeed.internetmci.com!news.sprintlink.net!news.rain.org!sandy.sandpiper.com!usenet at warwick.com Fri Mar 8 07:18:33 1996 From: uunet!in2.uu.net!newsfeed.internetmci.com!news.sprintlink.net!news.rain.org!sandy.sandpiper.com!usenet at warwick.com (uunet!in2.uu.net!newsfeed.internetmci.com!news.sprintlink.net!news.rain.org!sandy.sandpiper.com!usenet at warwick.com) Date: Fri, 8 Mar 1996 23:18:33 +0800 Subject: This is another test....no reply Message-ID: <4hknhn$r2h@sandy.sandpiper.com> This is my 2nd test...please do not reply From smith at sctc.com Fri Mar 8 07:18:36 1996 From: smith at sctc.com (Rick Smith) Date: Fri, 8 Mar 1996 23:18:36 +0800 Subject: art-stego Message-ID: <199603062006.OAA25056@shade.sctc.com> In a related vein, consider the work of a Minnesota folk hero from the last century named Ignatius Donneley. Aside from trying to start a Utopian community just north or our town, he wrote a book "proving" that Shakespeare was really Francis Bacon. His proof was based on "decrypting" hints in messages hidden in Shakespeare's writings. Donneley also wrote a book on Atlantis (available from Dover) and another postulating that a huge comet caused the extinction of the dinosaurs. A crackpot, eh? Rick. smith at sctc.com secure computing corporation From tallpaul at pipeline.com Fri Mar 8 07:24:30 1996 From: tallpaul at pipeline.com (tallpaul) Date: Fri, 8 Mar 1996 23:24:30 +0800 Subject: No Subject Message-ID: <199603081404.JAA26883@pipe12.nyc.pipeline.com> On Mar 08, 1996 02:28:22, 'JonWienke at aol.com' wrote: >d 96-03-07 20:19:12 EST, you write: > >>Because the drive is portable. You can place an easily concealled two-pound >>135 Mb drive in a briefcase or backpack and have a travelling MixMaster >>site. Here today, there tomorrow, someplace else the next day. Makes the >>whole system a real problem for the security types to track down. >> > >Why not just put an IDE/SCSI EZ drive in a Pentium laptop with an ISDN or >28.8K modem? That would be the ultimate in portability; you could still hide >the whole thing, or remove the cartridge and destroy it fairly quickly if >necessary. That would give you the best of all worlds. > Indeed this would be a technologically superior system. The system I'm thinking of, however, has a capital startup cost of under $250. >However, no matter where you are physically located, you have to have an >account with somebody somewhere to get Internet access. If the gov't wants >you out of business, they can cancel your ISP account or revoke your domain >name and shut you down that way. I suppose it would be harder for them to >prosecute you if they didn't know where you were, though... > I am not entirely sure how the whole domian name etc. issue will be handled as numbered accounts fill up. I am also discussing with friends the idea of the no-domain-name style, similar to penet.fi with various forms of REQUEST REMAILING TO.... In other words, this or that person acts as a (perhaps temporary) remailer from their regular account, gets the material encrypted, and massages it in various ways before sending it out. The point is to increase entropy by creating the technological base for an enormous proliferation of remailer/anon tech at the lowest possible price. Internationally know "elite" (in the good sense of the word) remailers are by definition known, and thus easy to monitor. Mixmaster etc sites popping up from the home computers in the rec rooms of suburbia are not. --tallpaul >Jonathan Wienke > From frissell at panix.com Fri Mar 8 08:53:50 1996 From: frissell at panix.com (Duncan Frissell) Date: Sat, 9 Mar 1996 00:53:50 +0800 Subject: FCC and Internet telephones Message-ID: <2.2.32.19960308153651.00737d2c@panix.com> At 03:13 PM 3/7/96 -0500, Thomas J. Sawyer wrote: >It seems that once again, big business is trying to get in the way of >progress and competition because they are afriad they are going to lose >some money. It seems to me that the ACTA is upset because someone found a >way to "do it cheaper" and the telco's stand to lose a lot of long distance >dollars. So rather then using this technology and perhaps lowering LD >rates, instead they seek to block out the technology from the public. Actually they *are* using the technology -- digital networking. They are just keeping the markup. It costs less that 2 cents a minute to produce a New York to London call but AT&T charges me more than 50 cents a minute. That sort of markup can't last. They need more copetition. Iphone is just part of the disintermediation. DCF From froomkin at law.miami.edu Fri Mar 8 08:56:01 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Sat, 9 Mar 1996 00:56:01 +0800 Subject: Not a good idea... In-Reply-To: <199603080546.XAA00397@proust.suba.com> Message-ID: On Thu, 7 Mar 1996, Alex Strasheim wrote: > I might be stretching things a bit, but couldn't you call a CA a "review > service"? Essentially instead of having a banned list, you have an >"accepted list". > Nice try. Wish my students were that creative. I don't think it works, though, at least when CA's represent that their info is suitable for relying parties to use in financial transactions (something Siskel & Ebert do not do!). A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here. From declan+ at CMU.EDU Fri Mar 8 11:13:19 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sat, 9 Mar 1996 03:13:19 +0800 Subject: LACC: TER_ror In-Reply-To: Message-ID: <0lE76iC00YUuEF0aIr@andrew.cmu.edu> Bruce Tober is a generally good guy, but on copyright issues he's a one-man net-police-bureau, filtering through various mailing lists for suspected violations. Bruce has a history of calling those whom he suspects misuse copyrighted materials "copyright thieves" -- a term that I love, since it's so close to the Church of Scientology's label of "copyright terrorists." Sign me, Declan McCullagh Copyright Terrorist Excerpts from internet.cypherpunks: 8-Mar-96 Re: LACC: TER_ror by T Bruce Tober at crecon.dem > In message <199603080259.VAA05749 at pipe2.nyc.pipeline.com>, John Young > writes > > The Economist, March 2, 1996, pp. 23-25. > > With whose permission are you posting this copyrighted material? From jimbell at pacifier.com Fri Mar 8 11:24:21 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 9 Mar 1996 03:24:21 +0800 Subject: Leahy bill nightmare scenario? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 06:14 AM 3/8/96 GMT, Dan Weinstein wrote: >On Wed, 06 Mar 1996 16:59:36 -0800, you wrote: > >>At that point, Bob is GUILTY of violation of the Leahy bill, because his >>encrypted anonymous remailer: >> >>1. Uses encryption to thwart message tracing, and thus the "criminal >>investigation." >> >>2. Bob has already been informed that his system will be used for illegal >>purposes; the cops have the messages to prove he has been told. He's GUILTY >>GUILTY GUILTY, he will definitely lose the system and possibly whatever >>residence it runs in, and will probably have to pay a huge fine to boot. > >This is not my understanding. I believe that Bob has to be commiting >a felony himself before they can get him under the current phrasing. Well, first, the section's phrasing is screwed up. Whether this is the fault of VTW, who posted the text, or the original bill I do not know. Second, if what they're charging is the hindrance of an felony investigation, it isn't clear to me why they would be limiting the charging of that "crime" to only those actually who have committed a felony. (logic isn't the normal mode of thought for a government employee, you realize.) Third, all they have to do is to "suspect" the person of a felony, and a "felony investigation" starts. That would presumably make him guilty of the Leahy bill's provision, regardless of whether he is actually participating in the crime supposedly being investigated. Fourth, I gave what I considered to be a clear example of the hypothetical misuse of an encrypted remailer by the cops, one that would arguably make the remailer operator guilty of some "reasonable" anti-kiddie-porn statute. At that point, _he_is_ the target of the investigation. Unless you can show that this kind of action by the government is impossible, I consider it to be not merely possible but almost certain to occur. Fifth, it isn't clear what amount of knowledge is necessary to "trigger" this clause, especially in its current flawed state. Since ISP's and encrypted remailers might know, in general, that their systems can and probably are being used for SOME criminal activity, even if they can't identify it or the user, or decrypt it, etc, a broad interpretation of the resulting law could easily de-facto prohibit any business practices (i.e., allowing users to use encryption) that prevents full-scale monitoring and/or tracing. This is only the beginning of the problems with this section. If you can explain why nothing I've described could possibly occur, I welcome a contrary explanation. But I would also ask this: Why, exactly, do we need this section? We've already been told that the opponents of this bill will fight it tooth-and-nail under its current wording; if that's the case then the presence of this section is inadequate to appease their unhappiness. Therefore, we shouldn't include it in the bill at all; it does no good. Any explanations, Dan? BTW, I'm not the source of those recent anonymous notes on Cypherpunks criticizing you for the support of this bill. As you by now have guessed, I'm not at all reticent about standing up and being counted and identified. Jim Bell jimbell at pacifier.com Klaatu Burada Nikto -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUBjH/qHVDBboB2dAQEeEAQAm5V7jTZWZo1MIIaL1WlQjQHdSlAOCMNJ 7j7tfpH6peWM23T7iGhZT3AckqPYwLxV8u6N96SFxaQDJ+IiCRyBRO+5qxr6sxXk A9BCkmRxzorsqeViyIVev9lzMcljtTiZmTQ7KIAToSZD4+12xQgROLZRYtf1/tlv E7ypJHLtsFM= =2MNi -----END PGP SIGNATURE----- From jimbell at pacifier.com Fri Mar 8 11:43:27 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 9 Mar 1996 03:43:27 +0800 Subject: Quotations Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 09:17 AM 3/8/96 -0500, A. Padgett Peterson P.E. Information Security wrote: >Mr. Bell posted: >>Note to the rest of you: Observe how Mr. Peterson carefully avoids quoting >>any material that was contained in my notes to him. This makes his failure >>to respond to my points less clear. This is entirely intentional on his part. > >The reason I avoided references is that the E-Mail in question was sent off >line to him personally. 1. Peterson admits he "avoided" references. 2. The "reason" he gave (that the material was sent to me personally) does not justify or even explain his failing to quote my material and respond to it. He could have just as easily sent me email that contained responses to all of my comments, had he chosen to do so. > Fortunately I do not expect others to respect that >so avoid saying anything that cannot be made public. I do not "respect" sleazy people, and especially sleazy people who are trying to evade the issues and their failure to be able to address the matters under discussion by hiding it in email. I refuse to assist others in hiding their dishonesty by such a tactic. Since the matter started out as a public discussion, I chose to keep it public and still choose this. > However in such cases >I do not feel any need to requote everything I am responding to. Except that your failure to quote that material was clearly intended to disguise the fact that you had no satisfactory response (even by your own standards!) to my commentary. This is typical of you. Jim Bell jimbell at pacifier.com -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUBtIPqHVDBboB2dAQFZoQP6AjnijC6gNXWewtrRs3PMYLQn/nUQSQ31 vEQcQMVd+M0siyiv9DdARNGM/Vt6vfxuEIRrfZFw3uUTjLJvjHi7MxsD8BEGUbCZ z1+6OA8y3ei7yJ7h3zL7lFi+0m76lA0Njp3HSscRXPkNPAGJR7WnMlJcl6ELsDv5 WZygZS8ivlo= =JTFh -----END PGP SIGNATURE----- From baldwin at RSA.COM Fri Mar 8 12:02:48 1996 From: baldwin at RSA.COM (baldwin (Robert W. Baldwin)) Date: Sat, 9 Mar 1996 04:02:48 +0800 Subject: News on RSA vs. Cylink Injunctions and Patents Message-ID: <9602088263.AA826308428@snail.rsa.com> The following press release from RSA may be of interest to the folks on this list. --Bob ----------------------------------- Subject: NEWS: Cylink loses in attempt to enjoin RSA licensing REDWOOD CITY, Calif.--(BUSINESS WIRE)--March 8, 1996--In a ruling filed March 4, the Honorable Spencer Williams, U.S. District Court Judge for the Northern District of California, denied Cylink Corporation's motion seeking an injunction against RSA Data Security, Inc.'s licensing of its BSAFE/TIPEM toolkit software. Cylink contends that RSA's software infringes its Stanford patents and that licensing required an additional grant from Cylink, despite the fact that RSA already has a license. After hearing oral arguments on Feb. 29, Judge Williams denied Cylink's motion from the bench and later issued a written order explaining that "several factors weigh against finding that (Cylink) has shown a likelihood of success on the merits." In denying the motion the court found that "RSA has raised serious question (sic) regarding the validity of the first of the Stanford patents, the Diffie-Hellman patent." With respect to Cylink's other patent, the Hellman-Merkle patent, the court had this to say: "(I)t is questionable whether the patent warrants such broad coverage." Thus, Cylink has "failed to demonstrate a likelihood of success on the merits." RSA had initiated the lawsuit against CKC, a wholly owned subsidiary of Cylink, because CKC was threatening RSA's customers in an effort to induce them to purchase sublicenses to the Stanford patents. RSA's action seeks a court determination that the patents are invalid, not infringed and/or RSA's licensing does not exceed its existing rights under the patents. Cylink/CKC responded by filing its motion for preliminary injunction which was denied by the court as described above. In a related matter, the arbitration panel which is handling the winding up and dissolution of Public Key Partners ("PKP"), the entity that formerly held the licensing rights to the MIT and Stanford patents, ruled that: "In addition to the claims discussed above and in our prior rulings, Cylink presented the claim, but did not prove, that RSA breached its fiduciary duty to PKP by providing patent licenses to third parties." The arbitration panel also found that PKP was obligated to reimburse RSA for the costs and attorney's fees incurred in other related litigation, including a patent lawsuit brought by Cylink to invalidate the MIT patent. "The court confirmed that RSA has existing rights to the Stanford patents, and although Cylink knew this, it has forced RSA to investigate. In that process, we have found a number of disturbing facts about the Stanford patents," said Jim Bidzos, president of RSA. He went on to add: "Cylink's losing its motion is likely only a surprise to Cylink who thinks they can achieve through the courts what they haven't been able to accomplish in the marketplace." From eagle at armory.com Fri Mar 8 12:27:53 1996 From: eagle at armory.com (Jeff Davis) Date: Sat, 9 Mar 1996 04:27:53 +0800 Subject: EFF Statement on Leahy/Burns/Murray Crypto Bill In-Reply-To: <313CF3AD.1BC3@best.com> Message-ID: <9603060157.aa06384@deepthought.armory.com> (Greg Kucharo) sez... > I'm a little confused by this phrase from the bill. It seems to be > saying just that export needs to be authorized if the software is > already exportable from the U.S. and if to a financial institution. > I know that can't be right, but what is the translation of this > legalese? > > > "Requires that export be authorized for non-military encryption > > software to any country where similar software is exportable from > > the U.S. to foreign financial institutions." That's so the Federal Reserve doesn't become crippled in the world monetary market, just because the NSA doesn't want to lose its wire-tap ability. -- According to John Perry Barlow: *What is EFF?* "Jeff Davis is a truly gifted trouble-maker." *email * *** O U T L A W S On The E L E C T R O N I C F R O N T I E R **** US Out Of Cyberspace!!! Join EFF Today! *email * From anon-remailer at utopia.hacktic.nl Fri Mar 8 12:29:27 1996 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Sat, 9 Mar 1996 04:29:27 +0800 Subject: Steganography idea: CU-SeeMe In-Reply-To: <199603060734.AAA00178@nelson.santafe.edu> Message-ID: <199603061134.MAA17301@utopia.hacktic.nl> On Wed, 6 Mar 1996, Nelson Minar wrote: [Re: data steams to put steno in] > So here's one idea I've had as a place to hide a channel: network > video, in particular CU-SeeMe video streams. CU-SeeMe is a lowtech That's an excellent idea. The only problem with using CU-SeeMe is that, due to the nature of the data being transferred, it is more important to keep up to date than to not lose data. I believe it uses UDP to do this. There would have to be some protection mechanism in the stego patches to tolerate high amounts of data loss - the obvious solution would be to loop the data, but that is easily detectable, and is not a guarantee that the data arrived safely. Setting up a connection outside of Cu-SeeMe attracts attention, especially if there was a correlation between what occurred on that connection and what occurred in the LOBs of the Cu-SeeMe connection. -- Abraham d'Anonymous (No relation to Alice) From hwh6k at fulton.seas.virginia.edu Fri Mar 8 12:34:18 1996 From: hwh6k at fulton.seas.virginia.edu (Henry Huang) Date: Sat, 9 Mar 1996 04:34:18 +0800 Subject: Vexatious Litigants (was: SurfWatch) Message-ID: <199603081753.MAA65714@fulton.seas.Virginia.EDU> On Mar 7, 22:29, Timothy C. May wrote: > At 2:38 AM 3/8/96, Bill Frantz wrote: > >At 6:59 PM 3/7/96 -0800, Timothy C. May wrote: > >>If SurfWatch can be sued for a "bad review," then Siskel and Ebert had > >>better find a new line of work. > > > >As long as a reviewer corrects errors, as SurfWatch seems to be willing to > >do, I think they are relativly suit-proof. If they don't, well - anyone > >can be sued for anything. I'll let the lawyers comment on the possibility > >of success. > > My point was that "opinions" (such as movie reviews) are not "tortable" > (don't know the legal name), unless specific inaccuracies can be > demonstrated, and even then it is hard. Siskel and Ebert have undoubtedly > destroyed the box office prospects of many a movie with their "thumbs down" > diss of death, but I know of no successful (or even adjudicated) lawsuits > on this basis. Thanks for the clarification. However, this line of argument applies only to "third-party" ratings systems. Right now, Microsoft/RSAC/SurfWatch and SafeSurf/Cybersitter/etc. are setting up competing standards which would essentially force people to "self-rate" their own sites, or else be blocked out by browsers configured to reject unrated sites (a feature Microsoft plans to add to its Internet Explorer). The question I have is if these systems were widely implemented, could an Web page author or provider of content be sued for "mislabeling" their page? If so, under what circumstances? Could the RSAC attach legal requirements to the use of their system, and open up such a loophole (similar to how Sun attaches conditions to the use of its "Java" logo)? If it's possible, the implications of this are pretty dire. The RSAC itself reports that many retailers refuse to stock software that's not labeled according to their standards. If Web sites were similarly coerced into not only labeling their pages, but abiding by any arbitrary conditions attached to *use* of those standards, things could get pretty ugly. Hell, who needs the Gov't when industry can censor more efficiently? -H From rah at shipwright.com Fri Mar 8 12:40:23 1996 From: rah at shipwright.com (Robert Hettinga) Date: Sat, 9 Mar 1996 04:40:23 +0800 Subject: Can you say "market opportunity"? Message-ID: I knew you could... Cheers, Bob --- begin forwarded text Comments: Authenticated sender is From: "Marcel van der Peijl" Organization: DigiCash bv To: ecash at digicash.com Date: Fri, 8 Mar 1996 16:09:26 +0100 Subject: MT ecash censoring? Priority: normal Sender: owner-ecash at digicash.com Precedence: bulk I would like to state here that the policy of Mark Twain Bank on what merchants can or can not sell with ecash is NOT the official policy of DigiCash. We can not and do not force our banking licensees any restrictions on the kind of material they sell. On the other hand, we can also not forbid them to put restrictions on that. There are laws that require MT to comply with local (St. Louis MO USA) regulations even when things being sold are acceptible in both the merchant's and the buyer's country. I don't know for sure if this is relevant in this specific case, and I would also like to hear a comment from Mark Twain at this moment. We do not know their exact policy. // Marcel van der Peijl, DigiCash bv, http://www.digicash.com/~bigmac/ // "Sacred cows make the best hamburger." -- Mark Twain --- end forwarded text ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From octobersdad at crecon.demon.co.uk Fri Mar 8 12:42:51 1996 From: octobersdad at crecon.demon.co.uk (T Bruce Tober) Date: Sat, 9 Mar 1996 04:42:51 +0800 Subject: LACC: TER_ror In-Reply-To: <199603080259.VAA05749@pipe2.nyc.pipeline.com> Message-ID: In message <199603080259.VAA05749 at pipe2.nyc.pipeline.com>, John Young writes > The Economist, March 2, 1996, pp. 23-25. With whose permission are you posting this copyrighted material? tbt -- | Bruce Tober - octobersdad at crecon.demon.co.uk - B'ham, Eng | | pgp key ID 0x9E014CE9, "Fear of corrupting the mind of the | | younger generation is the loftiest form of cowardice," | | The US Congress and President are guilty as hell of such. | From max.muzi at altair.it Fri Mar 8 12:49:25 1996 From: max.muzi at altair.it (Max Muzi) Date: Sat, 9 Mar 1996 04:49:25 +0800 Subject: question re. PGP CharSet Message-ID: <96030819291115648@altair.it> Apparently, the mechanism for overriding PGP configuration settings by means of command-line arguments does not work properly with the option "charset" (at least with version 2.6.1i). Anyone know why? Actually, PGP does understand the option "+charset", as it does not yield an "invalid argument" error message, but it looks like it does not take that option into consideration. While I know most people need not switch from one charset to another every day, some of them (like me) do not have completely migrated to Windows yet and would still like to use the MS-DOS standard charset (cp850) from time to time without having to re-edit or substituting the PGP config file each time. But I guess it's not possible, is it? Thanks, Max PS: [off-topic] Anybody know how one can have the MS-DOS keyboard driver use the standard Windows char table (LATIN1 aka iso-8859-1)? ~~ Massimiliano Muzi ['mu:tsi] http://www.geocities.com/Athens/2027/max-muzi.html PGP public key available on keyservers. "Eternal nothingness is OK if you are dressed for it" msg date/time: Friday 8 March 1996, 12:38 GMT+1 From hfinney at shell.portal.com Fri Mar 8 13:57:13 1996 From: hfinney at shell.portal.com (Hal) Date: Sat, 9 Mar 1996 05:57:13 +0800 Subject: Web of Trust vs other models Message-ID: <199603041818.KAA27672@jobe.shell.portal.com> From: Bill Stewart > > Meanwhile, Don Kitchen at one point collected all the data off the > MIT keyserver for analysis, which is a much different problem than > random signatures. I found that the chain from some middle point, > such as Phil Zimmermann's or Derek Atkins's key was about 12-14 levels > deep, averaging about 6, which compares interestingly with the > default PGP depth limit of4. From my key, it was pretty deep, > especially since my certification from Phil Karn was from one of > his older keys, which is why I asked Derek to sign my key... Let's not forget that the web of trust only works if you personally know and trust the next-to-last person in the chain (the one who signed the key you are interested in). Chain length doesn't matter if you've never heard of the last signer. Hal From djw at vplus.com Fri Mar 8 13:59:04 1996 From: djw at vplus.com (Dan Weinstein) Date: Sat, 9 Mar 1996 05:59:04 +0800 Subject: ANTI-CRYPTO CYPHERPUNKS In-Reply-To: <960308040202_240667145@emout07.mail.aol.com> Message-ID: <31408e5b.4022361@mail.vplus.com> On Fri, 8 Mar 1996 04:02:05 -0500, you wrote: >In a message dated 96-03-08 01:37:10 EST, you write: > >>Subj: ANTI-CRYPTO CYPHERPUNKS >>Date: 96-03-08 01:37:10 EST >>From: anonymous-remailer at shell.portal.com >>Sender: owner-cypherpunks at toad.com >>To: cypherpunks at toad.com >> >>This is the first in a regular series of postings of cypherpunks >>who have joined big brothers fight to deprive you from Unescrowed >>Crypto. Some of these pigs have come out in favor of the new anticrypto >>bill which makes it a crime to use crypto if big bro can't read it >>and also sets up key escrow but others have just said that they >>don't care if the government can read YOUR mail as long as they get >>what they want. > >I see the mentally impaired, chicken crap eating buttwipe that wrote this >drivel wasn't even brave enough to post his real email address. > >Jonathan Wienke Of course not, then he might be subjected to the treatment that he so callously suggests for those of us who are on the list. Proud to have made the list, Dan Weinstein djw at vplus.com http://www.vplus.com/~djw PGP public key is available from my Home Page. All opinions expressed above are mine. "I understand by 'freedom of Spirit' something quite definite - the unconditional will to say No, where it is dangerous to say No. Friedrich Nietzsche From abostick at netcom.com Fri Mar 8 14:00:38 1996 From: abostick at netcom.com (Alan Bostick) Date: Sat, 9 Mar 1996 06:00:38 +0800 Subject: Looking for code to run an encrypted mailing list In-Reply-To: <199603060542.VAA28896@ix9.ix.netcom.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- In article <199603060542.VAA28896 at ix9.ix.netcom.com>, Bill Stewart wrote: > On the other hand, it really only costs you one IDEA encryption if you > want to use the multiple-recipients options to PGP. With the current PGP, > this means you don't have to hack your own crypto code; the toolkits in PGP 3.0 > will make that easier, though. True, and reasonable. Suppose, though, that the Cypherpunks list was encrypted in this way. There are about a thousand listmembers. Using one IDEA key and the multiple-recipients option would mean that the encrypted message would consist of a thousand RSA-encrypted session keys followed by the IDEA-encrypted cyphertext. If everyone used a 1024-bit-or-longer key pair, then each message would be a megabyte long! ( (m**P) mod n is going to be log2(n) bits long, right?) BTW, it was pointed out to me in private email that while vanilla RSA commutes, the PKCS-compliant RSA in PGP which pads the session key with random data does not, so that my nifty trick to never expose cleartext in the list processor wouldn't work. That's why I'm just a loudmouth blowhard and not a real cryptographer. ;-) - -- Alan Bostick | "If I am to be held in contempt of court, Seeking opportunity to | your honor, it can only be because the court develop multimedia content. | has acted contemptibly!" Finger abostick at netcom.com for more info and PGP public key -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMUB7v+VevBgtmhnpAQHKXwMAhcjT3R6hE8jtGBEY3uHZ7Y3cOycQEpXP dSQ2TsK27vYpCCjFBe3JauxLBBpM6yPqhPq8rSerNaQ7a8lhAWB4UwcUTwh9S7U3 PobslFhkFEwPd9jnZwY4g0ZZKb3iABIO =sLrM -----END PGP SIGNATURE----- From vznuri at netcom.com Fri Mar 8 14:16:55 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sat, 9 Mar 1996 06:16:55 +0800 Subject: steganographic trick Message-ID: <199603072228.OAA24671@netcom18.netcom.com> here is an interesting trick/algorithm that I've not seen before, although I admit I'm not intimately familiar with all the crypto formulas that others here may be aware of, so this may have been toyed with before. in pondering steganography, it seems to me there could be made a distinction between two types. in the "classic" type, say hiding data in the low bits of a digitized image, the whole existence of an encrypted "covert" message is totally concealed. that is, not only is the message concealed but the existence of it is as well. now consider a different kind of steganography, in which it is clear there is an encrypted piece of data. the problem with all steganographic crypto is that to use your data, you have to have your stego tools handy, and the "feds" could see these tools and accuse you of hiding data. imagine an application where you freely admit that you have your cryptographic tools, and that you are even willing to tell the "feds" the key for your data. they run the crypto program, and indeed the file decrypts. however, unknown to them, you have given them a key that decrypts the file into something meaningful yet benign, such as a cookie recipe, not your plans for the overthrow of the state. in other words, "interlaced" or "coincident" within the same file is your secret data. given one key, it decrypts into one set of data, and given another key, it decrypts into another set of data. there are probably many different ways to do this. of course the distinction of what I am proposing and two different files, each with different keys (which is already feasible), is not all that crisp. anyway, I pursued this anyway to come up with an algorithm. pick a large prime, P. now pick two other large primes that are less than sqrt(P), P1, P2 (actually all that is required is that P1*P2 < P). the data in the file is organized into blocks of information modulo P. P1 is the "harmless" key for message 1 (M1), and P2 is the "real" key for message 2 (M2). now the trick is to put data into your file one "piece" at a time such that it decrypts into either the corresponding "piece" of M1 given decryption by P1, or M2 given P2. I think some people can anticipate what comes next: the encoding of the data for M1 is contained in the "segment M" modulo P1, and M2 is contained modulo P2. the chinese remainder theorem lets us find the unique number N such that N mod P1 = M1, and N mod P2 = M2. "N" is the data that is stored in the file. I'm being a little sloppy in notation here: the overall message is broken into segments mod P-- the above algorithm is simply repeated over each "segment". given all the caveats about complexity of factoring etc., if P1, P2 are large and not "close" to each other (i.e. one could find P1 by searching in the "vicinity" of P2), this would be a secure algorithm as far as I can tell. to decrypt, the file is broken up into pieces mod P, and then each of these pieces has a value mod P1 or mod P2 that is used as the value of that piece. hence, we have an algorithm in which data is stored "coincident" or "adjacent" in a file. the feds could potentially observe that the key you give them, P1 < sqrt(P), and realize that there is "room" left over to store a secret message. but if you store all your files that way, they have nothing to go on. in fact you could assert, "yes, that was once a file with two messages in it, but I deleted the other one. it's key used to be Px". Px is a random number. of course, this method could be expanded so that any file has any number of secret pieces interspersed in it, each only available given knowledge of its secret key. again, the same thing can be accomplished by concatenating multiple files, each with a different key, or even alternating bytes or bits in a file, but I thought it would be interesting to find something that had this "coincident" or "adjacent" property based on the modulo and large prime properties used everywhere in modern crypto. From djw at vplus.com Fri Mar 8 14:27:49 1996 From: djw at vplus.com (Dan Weinstein) Date: Sat, 9 Mar 1996 06:27:49 +0800 Subject: Leahy bill nightmare scenario? Message-ID: <199603081957.LAA26745@ns1.vplus.com> On 8 Mar 96 at 9:24, you wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > At 06:14 AM 3/8/96 GMT, Dan Weinstein wrote: > >On Wed, 06 Mar 1996 16:59:36 -0800, you wrote: > > > >>At that point, Bob is GUILTY of violation of the Leahy bill, > >>because his encrypted anonymous remailer: > >> > >>1. Uses encryption to thwart message tracing, and thus the > >>"criminal investigation." > >> > >>2. Bob has already been informed that his system will be used for > >>illegal purposes; the cops have the messages to prove he has been > >>told. He's GUILTY GUILTY GUILTY, he will definitely lose the > >>system and possibly whatever residence it runs in, and will > >>probably have to pay a huge fine to boot. > > > >This is not my understanding. I believe that Bob has to be > >commiting a felony himself before they can get him under the > >current phrasing. > > Well, first, the section's phrasing is screwed up. Whether this is > the fault of VTW, who posted the text, or the original bill I do not > know. I have yet to see the original bill myself, it is not posted on Thomas yet, but I too have ready the VTW version. > Second, if what they're charging is the hindrance of an > felony investigation, it isn't clear to me why they would be > limiting the charging of that "crime" to only those actually who > have committed a felony. (logic isn't the normal mode of thought for > a government employee, you realize.) I agree with your concerns here, but I find it hard to believe that the courts would allow a broader interpretation. > Third, all they have to do is to "suspect" the person of a felony, > and a > "felony investigation" starts. That would presumably make him > guilty of the Leahy bill's provision, regardless of whether he is > actually participating in the crime supposedly being investigated. Here you are dead wrong, the bill specifically states: "in furtherance of a felony." Its like those laws that let them charge someone with murder in the first if someone dies while you are commiting another felony. They must prove the original felony before they can get you on the murder one. The real purpose of this provision, as I read it, is to give longer sentences to criminals that use crypto. > Fourth, I gave what I considered to be a clear example of the > hypothetical misuse of an encrypted remailer by the cops, one that > would arguably make the remailer operator guilty of some > "reasonable" anti-kiddie-porn statute. At that point, _he_is_ the > target of the investigation. Unless you can show that this kind of > action by the government is impossible, I consider it to be not > merely possible but almost certain to occur. Again, the problem I see with your scenario is that I don't believe that the courts will interpret it that way. My interpretation is that if they serve a warrent and I don't decrypt for them and they can prove a felony, then I will be subject to the listed punishment. > Fifth, it isn't clear what amount of knowledge is necessary to > "trigger" this clause, especially in its current flawed state. > Since ISP's and encrypted remailers might know, in general, that > their systems can and probably are being used for SOME criminal > activity, even if they can't identify it or the user, or decrypt it, > etc, a broad interpretation of the resulting law could easily > de-facto prohibit any business practices (i.e., allowing users to > use encryption) that prevents full-scale monitoring and/or tracing. I disagree, it states you must "willfully endeavor" to use the encryption as a means of obstructing the investigation. To me, this means that it is the motivation for using the encryption. If I set up an encrypting remailer for the purpose of allowing free exchange of ideas, I don't believe I would be liable under this law. The only way I could see a remailer charged under this is if he had solid evidence that a specific user was violating the law, and took no action. > This is only the beginning of the problems with this section. If > you can explain why nothing I've described could possibly occur, I > welcome a contrary explanation. I see some real problems too, but I do not see the problems with this provision to be enough to condemn the entire bill. I would like to see this portion of the bill ammended to make it clear that only those actually involved in commiting the felony would be held responsible. > But I would also ask this: Why, exactly, do we need this section? > We've already been told that the opponents of this bill will fight > it tooth-and-nail under its current wording; if that's the case then > the presence of this section is inadequate to appease their > unhappiness. Therefore, we shouldn't include it in the bill at all; > it does no good. > > Any explanations, Dan? You are talking about the fringe, this, I think, was added as an attempt to bring in those that are in the middle. That is, Those that see the need to prevent the use of encryption as a means of obstructing justice, but feel that we should also have a right to privacy. To say that there is no delema here is ridiculous, crime is a serious problem that we are already having a terrible time dealing with. I think Leahy realizes that this provision will be about as useful as the "use a gun, go to jail" laws, but wants to give those in the middle to say that they bill will help prevent crime. > BTW, I'm not the source of those recent anonymous notes on > Cypherpunks criticizing you for the support of this bill. As you by > now have guessed, I'm not at all reticent about standing up and > being counted and identified. > > Jim Bell > jimbell at pacifier.com > > Klaatu Burada Nikto Good movie. Dan Weinstein djw at vplus.com http://www.vplus.com/~djw PGP public key is available from my Home Page. All opinions expressed above are mine. "I understand by 'freedom of Spirit' something quite definite - the unconditional will to say No, where it is dangerous to say No. Friedrich Nietzsche From mccoy at communities.com Fri Mar 8 14:53:36 1996 From: mccoy at communities.com (Jim McCoy) Date: Sat, 9 Mar 1996 06:53:36 +0800 Subject: TCP/IP Stego (was CU-SeeMe) Message-ID: JonWeinke at aol.com writes: > >> -It can be applied by two routers which are in the middle >> of the connection. [...] > >You seem to be oblivious to the fact that this technique is only useful for >ISP's, corporate networks, etc. that the average home computer user will >never have access to. I know that, I was just pointing out advantages you overlooked. I guess that the fact that I probably know more ISP operators and techs then non-geeks who use the net made this part more obvious to me. The original technique of doing stego on packets is still valid, and by adding it in to a WinSock lib or linux tcp/ip implementation the user can send hidden messages just by connecting to a friendly stego-enhanced web server out on the net and doing some casual browsing. The difference between the two methods is, as I said before, exactly the same as the difference between TCP/IP and UUCP. Hiding info in images or sound files works fine for "email" or file storage but has no chance of being an interactive protocol, sometimes you need to get things done in real-time. > If I want to send a WAV file of my 2 year old son >saying "Hi, gramma" (or a 24-bit color TIFF of him practicing nose-picking >techniques) to my relatives, that is not overtly suspicious behavior, even if >it has a slight amount of background noise (or graininess). But your relatives are not the people who you need to communicate secrets with securely. These gross stego hacks to sound and image files are best used to make postings to various binary Usenet newsgroups. Broadcast the message and then put it in a place where many people will download it but only a few will know that it contains the hidden info. Sending this stuff via email is just begging for traffic analysis at the very least... >As long as I >don't stego too many bits in the file, and I strip out any overt "I'm crypto" >headers, it will be impossible to prove that stego techniques were used on a >file. Finding random bits where random bits normally live cannot be used to >prove anything. Provided the bits are random in the way that they should be... The low-order bits in such files were chosen by implementors of stego programs because modification would not be noticed by the person viewing or listening to the file, not necessarily because there was actually randomness at this level which could be replaced. Does anyone know of a survey of images or sound files which tested the statistical randomness of these bits? They may not be as random as people think they are. jim From frantz at netcom.com Fri Mar 8 14:57:50 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 9 Mar 1996 06:57:50 +0800 Subject: new netscape servers Message-ID: <199603072142.NAA16559@netcom7.netcom.com> At 3:14 PM 3/7/96 -0500, Michael Froomkin wrote: >What law applies to a certificate used in a multi-jurisdictional >transaction is less obvious to me than I would like. I think I have >talked a student in my seminar into writing a paper to educate me. Are your concerns international, interstate, or (it seems unlikely) intrastate? Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From m5 at dev.tivoli.com Fri Mar 8 14:57:53 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Sat, 9 Mar 1996 06:57:53 +0800 Subject: surfwatch filtering In-Reply-To: <199603072056.PAA05237@lemieux.compuville.com> Message-ID: <199603072144.PAA19620@kenya.tivoli.com> mutant at compuville.com writes: > >BTW, did you hear that IO got on the SurfWatch "bad list" ... > > A quick phone call to the Surf Watch people revealed that they rarely > block whole domains, and that they are not currently blocking all of > io.com. Yup, seems it was a flase alarm. Sorry gang. ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * * suffering is optional From cp at proust.suba.com Fri Mar 8 15:46:29 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Sat, 9 Mar 1996 07:46:29 +0800 Subject: Not a good idea... In-Reply-To: Message-ID: <199603081914.NAA02963@proust.suba.com> > Nice try. Wish my students were that creative. I don't think it works, > though, at least when CA's represent that their info is suitable for > relying parties to use in financial transactions (something Siskel & Ebert > do not do!). (Sorry, this ends up rambling way off topic at the end... it turns into a rant about preinstalled CAs.) But when did they make that representation? Is such a representation inherent in every CA? If it is, doesn't that imply that the only reason for a CA to exist is to provide trust for financial transactions? It's clear (to me, at least) that there are other uses for a CA. Netscape has represented its products as suitible for commerce, and it doesn't seem unreasonable to argue that this representation gives customers and banks an expectation that a certificate from a preinstalled CA confers a degree of trustworthiness on the cert holder. But a CA that doesn't come pre-installed shouldn't be viewed as having made any implied representations at all. If a CA controls the distribution of its key by asserting a copyright, and if it requires everyone who downloads it to click on a form that says they've read and understand what a cert from that CA means, then that's what it should mean. Suppose I run a Netscape Commerce server, and I set up a secure forms processing service. Anyone can anonymously pay me to set up a perl script on my SSL server to accept their form data. My script will take the data, encrypt it with PGP, and then mail to whatever email address my customer (the web page owner) has specified. Who's liable? Me, Verisign, or Netscape? All of us? I suspect that if I pass credit card numbers to thieves I'll get in trouble, but I don't have any assets. Verisign didn't make any representations directly to the public, and they probably followed the procedure they negotiated with Netscape when they issued me my cert. Netscape put together a complicated high-tech system and told the public (which doesn't understand cryptography) that their system was suitible for commerce -- it's even in the product's name! They didn't build in prudent safeguards to prevent me from running my forms processing service, which is such a trivial thing to set up that it should have been forseen. (Q: I've never gotten a real cert -- do I have to agree to something that would prohibit my forms processing business?) (Could a lawyer asking a jury for a judgment against Netscape show them the picture of Andressen from the cover of Time, the one where he's sitting on a throne, hubris personnified?) It seems to me that the claims of commerceworthiness, preinstalling CAs, and the like are going to turn out to be bad for everyone. They're bad for Netscape because they exposes them to liability unneccessarily. Why should they say their products are suitible for commerce when they can instead say that they encrypt the traffic using what are believed to be strong algorithms? Everyone will make the jump from that to commerceworthiness on their own. What does commerceworthiness mean, anyway? Transcations up to $1,000? $1,000,000? Remember that SSL web tools are begining to function more and more as front ends of other kidns of progrms -- there's more at stake here than credit card numbers typed into forms for consumer purchases. Preinstalling CAs is great if you want to relieve users of the necessity of deciding for themselves who they should trust. You, or a system that you designed, will make those hard decisions for them. But it's not so great if you don't want to be held accountable for almost every single decision regarding trust on the web. It's also bad for those of us who want to see crypto widely deployed on the net. Solid free code exists, but the cost of licensing the patents and buying certs is keeping crypto expensive and slowing deployment. Preinstalling CAs means that a would be commerce server operator has to buy a cert or operate from a competitive disadvantage. It's a significant cost -- the cert is more expensive than the RSA licence. It costs as much as a Fast Track server. The patents will go away. When that happens, the only thing preventing totally free crypto will be the cost of the certs. I suspect that Netscape started thinking about the CA system, they were selling SSL servers for around $2,000. A $300 cert isn't such a big thing in those circumstances -- there's not much of a marginal difference between $2,000 and $2,300. But now the price of a server is only 15% of that $2,000, and the price of the cert looks awfully high. What will it look like when SSL web servers are free? Finally, it's bad for consumers. Apart from the obvious observation that the cost of the certs will get passed on to consumers, it's important to note that it costs money to have someone else decide who you should trust. The quality of that decision making affects its cost, and it should be the marketplace, not a handful of corporate managers, that determines where the optimum price/quality point is. Different customers ought to be able to make different choices depending on their needs. That choice is possible now in an abolute sense, but managing CAs will be confusing for users, and Netscape's preferential treatment of certain CAs will clearly hinder open competition among CAs. It will also tend to impose an unnatural homogenity on users who have different security needs. A guy who never buys anything online but wants to be able to browse web pages without his ISP knowing what he's looking at has different security needs from another person who does most of his shopping on the web. Security *is* economics, and it's important to keep the floor as low as possible. The current CA system is one of the main things keeping the floor higher than it ought to be. From merriman at arn.net Fri Mar 8 17:03:07 1996 From: merriman at arn.net (David K. Merriman) Date: Sat, 9 Mar 1996 09:03:07 +0800 Subject: 2nd request for links, etc. Message-ID: <2.2.32.19960308085804.00688710@arn.net> -----BEGIN PGP SIGNED MESSAGE----- After too much coffee and not enough sleep, it looks like the (soon-to-be-named) shellback.com site will be going on-line on Monday, 11 March. Until InterNIC comes back and blesses us with permission to use the name, we'll be running as 204.177.232.150 I'd like to again ask anyone on the cypherpunks list that has a site, link, file, or other bit of info that they're willing to have us include please let me know via email. I've got some links from my (soon-to-be-former) home page, but I'd like to include a *lot* more stuff. To repeat an earlier offer, as postmaster, I'm offering the use of our email system for crypto/coder/privacy-related mailing lists, and our drives to store related files/archives. Dave Merriman postmaster at shellback.com, webmaster at shellback.com, janitor at shellback.com, and frazzled at shellback.com :-) -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMT/aUsVrTvyYOzAZAQEK8wP9GvQtT3PF91xW38jKL7qWsH75fA0AJXVi fM4pVCDznFUk0DPla8tnBCzyBGQzklZH/217Yct26VvUZN4ZQ+BHkE/ZSkxkk1KQ i1PE1fzhGcVFhfySIMWi3o7+WeZoYOmdtFkMGEcTAsQkhR9FHvHm3oJlS7GY/R/p 2Hm3Wzjgabc= =c6ab -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> For privacy tools: http://www.geocities.com/capitolhill/1148 From mdiehl at dttus.com Fri Mar 8 17:52:08 1996 From: mdiehl at dttus.com (Martin Diehl) Date: Sat, 9 Mar 1996 09:52:08 +0800 Subject: Vexatious Litigants (was: SurfWatch) Message-ID: <9602088263.AA826327118@cc1.dttus.com> Henry Huang at INTERNET-USA wrote: > On Mar 7, 22:29, Timothy C. May wrote: > > At 2:38 AM 3/8/96, Bill Frantz wrote: > > >At 6:59 PM 3/7/96 -0800, Timothy C. May wrote: > > >>If SurfWatch can be sued for a "bad review," then Siskel and Ebert > > >>had better find a new line of work. > > > > > >As long as a reviewer corrects errors, as SurfWatch seems to be > > >willing to do, I think they are relatively suit-proof. If they don't, > > >well - anyone can be sued for anything. I'll let the lawyers comment > > >on the possibility of success. > [snip] > Thanks for the clarification. However, this line of argument applies > only to "third-party" ratings systems. Right now, > Microsoft/RSAC/SurfWatch and SafeSurf/Cybersitter/etc. are setting up > competing standards which would essentially force people to > "self-rate" their own sites, or else be blocked out by browsers > configured to reject unrated sites (a feature Microsoft plans to add > to its Internet Explorer). > The question I have is if these systems were widely implemented, could > an Web page author or provider of content be sued for "mislabeling" > their page? If so, under what circumstances? Could the RSAC attach > legal requirements to the use of their system, and open up such a > loophole (similar to how Sun attaches conditions to the use of its > "Java" logo)? Seems to me that if the Web page author labels his page conservatively, i. e. "materials may be unsuitable for non-adults; may contain controversial material, may contain views different from your own, etc.". How can the author be liable for mislabeling? Martin G. Diehl From djw at vplus.com Fri Mar 8 18:14:29 1996 From: djw at vplus.com (Dan Weinstein) Date: Sat, 9 Mar 1996 10:14:29 +0800 Subject: Not a good idea... In-Reply-To: <199603081914.NAA02963@proust.suba.com> Message-ID: <3140ad62.11966620@mail.vplus.com> On Fri, 8 Mar 1996 13:14:25 -0600 (CST), Alex Strasheim wrote: >Who's liable? Me, Verisign, or Netscape? All of us? > >I suspect that if I pass credit card numbers to thieves I'll get in >trouble, but I don't have any assets. > >Verisign didn't make any representations directly to the public, and they >probably followed the procedure they negotiated with Netscape when they >issued me my cert. "For secure servers, VeriSign currently offers a 'high-assurance' Class 3 Digital ID for electronic commerce servers. " This is from Verisign's home page. They are saying that this class of certificate is safe to do commerce with. >Netscape put together a complicated high-tech system and told the public >(which doesn't understand cryptography) that their system was suitible for >commerce -- it's even in the product's name! They didn't build in prudent >safeguards to prevent me from running my forms processing service, which >is such a trivial thing to set up that it should have been forseen. (Q: >I've never gotten a real cert -- do I have to agree to something that >would prohibit my forms processing business?) I would think that netscape would only make agreements with CAs that accepted liability. I would also think that Netscape would only be liable if they were found to have put in a CA that they had reason to believe was not taking due diligence to ensure that the key really belonged to the company that claimed to own it. Dan Weinstein djw at vplus.com http://www.vplus.com/~djw PGP public key is available from my Home Page. All opinions expressed above are mine. "I understand by 'freedom of Spirit' something quite definite - the unconditional will to say No, where it is dangerous to say No. Friedrich Nietzsche From frissell at panix.com Fri Mar 8 18:17:05 1996 From: frissell at panix.com (Duncan Frissell) Date: Sat, 9 Mar 1996 10:17:05 +0800 Subject: Review Litigation Message-ID: <2.2.32.19960308210308.007380d0@panix.com> At 06:59 PM 3/7/96 -0800, Timothy C. May wrote: >We need to be very careful here. A service like "SurfWatch," voluntarily >used by others, has entered into no contracts with sites to meet defined >standards of what should and shouldn't be blocked. It is essentially a >"review" service, like a reviewer of books, movies, restaurants, etc. Sure, >some books, movies, and restaurants are "hurt" by negative reviews, but >this is life in a free society. It has not yet reached the point in these >Beknighted States that a bad review can be the basis of a tort (though I >could be wrong...nothing would surprise me these days). There was a recent case of a restaurant suing over a bad review that did go to trial. The reviewer won. There has also been litigation against someone who wrote a letter to a scientific journal attacking someone else. The letter writer won. Of course both the letter writer and the reviewer had legal costs because they were unwilling to proceed in forma pauperis. DCF From EALLENSMITH at ocelot.Rutgers.EDU Fri Mar 8 18:23:17 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 9 Mar 1996 10:23:17 +0800 Subject: Fertilizer & fuel oil as cause for suspicion - similar to cryptography? Message-ID: <01I23P9QSQU8AKTTTI@mbcl.rutgers.edu> In the below article, the cops seem to be claiming that fuel oil, fertilizer, and bomb-making knowledge = illegal explosives possession. This idea doesn't make sense. Crypto relevance? An example of how governmental idiots are likely to take cryptography. -Allen ----------------- Copyright © 1996 Nando.net Copyright © 1996 The Associated Press CORVALLIS, Ore. (Mar 8, 1996 11:09 a.m. EST) -- Ingredients for a fertilizer bomb like the one that killed 169 people in Oklahoma City were found on a farm along with bomb-making instructions, guns and drugs, police said. Four people were arrested on weapons and drug charges. Charges involving illegal explosives were expected to be filed later, police Sgt. Dennis Carson said Thursday. Officers seized a large quantity of fuel oil and the fertilizer ammonium nitrate, two key ingredients in the April 19 Oklahoma City bombing. "My understanding is it could have made a large bomb and a rather large explosion had it been detonated," Carson said. "All they had to do was mix the parts. It would take just a few minutes." He wouldn't say how much fertilizer was found in the raid Wednesday night near this city about 80 miles south of Portland. The fertilizer, found in an 8,000-square-foot barn, was removed in a state police bomb-squad truck. Carson said investigators were trying to determine whether those arrested had plans to bomb a building or had ties to any anti-government groups. The federal Bureau of Alcohol Tobacco and Firearms is investigating. Along with the material for the fertilizer bomb, officers found 29 guns, including eight assault rifles, and material to make pipe bombs. Three ounces of marijuana and some methamphetamine were also found. [...] All were charged with drug possession and Luehring and the younger Bradley were also charged with being ex-convicts in possession of weapons. Carson didn't have details on their criminal past. [...] From jf_avon at citenet.net Fri Mar 8 18:55:46 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Sat, 9 Mar 1996 10:55:46 +0800 Subject: U.S. State Dept criticizes Chinese net-censorship Message-ID: <9603082204.AB04688@cti02.citenet.net> -----BEGIN PGP SIGNED MESSAGE----- - From State dept about China: > Government control > of news media generally continues to depend on self-censorship to > regulate political and social content, but the authorities also > consistently penalize those who exceed the permissable. It is this kind of double talk, "self-censorship", that makes possible the US govt. to do the exact same as China's one does. There is no such thing as "self-censorship". Either you stick to your values, and then it is *not* censorship, or then you do not, and then, it is neither. The *only* ultimate tool of censorship is a gun. JFA -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQEVAwUBMUBUDMiycyXFit0NAQExqQf+JxkWi4BhPwQSXtzscf+AGGA++5dZjTmP 3mkhsPzT1JKT1Pl4LXVLbCEJctv+yeLOq1sRYV3rcdIZOIwh1cvfPoWI8LFqfCH4 63nkX6eTG+6VR1uCOMCuTfJFx/f86v5Y34ehfQDzGzcN2SrxCSXpDFwHuTMpB6/g 6Zjhspfqz8PT7U9vHbyHkytXBI9BdR9b6+WUkJMHMpflrDDbSTrsR+C3XObIO4gu 85l4/HjUqSf+EyAw9/Bv3J5uUFF45o+ff6BvWt5eVUMTgWEBcJkjHbm/JYgj7lrK Bjm3oXboh940zHIRIkjb56SRFEb2ITNSfoKilXLgq3CV9r/+Wx5q4g== =UnIn -----END PGP SIGNATURE----- From sasha1 at netcom.com Fri Mar 8 19:09:36 1996 From: sasha1 at netcom.com (Alexander Chislenko) Date: Sat, 9 Mar 1996 11:09:36 +0800 Subject: Review Litigation Message-ID: <199603082133.NAA28415@netcom.netcom.com> What if somebody gets a positive review they do not deserve, or has incorrect data? Can somebody file a "public against reviewer" lawsuit? Who would collect damages (public, competitors)? ----------------------------------------------------------- | Alexander Chislenko | sasha1 at netcom.com | Cambridge, MA | | Home page: http://www.lucifer.com/~sasha/home.html | ----------------------------------------------------------- From MFN at FRCU.EUN.EG Fri Mar 8 19:18:08 1996 From: MFN at FRCU.EUN.EG (MFN at FRCU.EUN.EG) Date: Sat, 9 Mar 1996 11:18:08 +0800 Subject: Where to find krypto? Message-ID: <01I245H7CTVG005E8A@FRCU.EUN.EG> Dear friends, Can you advice where to find krypto or any good cryptanalysis software. Yours sincerely, Mohamed Farouk From adam at lighthouse.homeport.org Fri Mar 8 19:23:48 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sat, 9 Mar 1996 11:23:48 +0800 Subject: News on RSA vs. Cylink Injunctions and Patents In-Reply-To: <9602088263.AA826308428@snail.rsa.com> Message-ID: <199603082231.RAA11593@homeport.org> baldwin wrote: | The following press release from RSA may be of interest to the | folks on this list. | --Bob | ----------------------------------- | In denying the motion the court found that "RSA has raised serious question | (sic) regarding the validity of the first of the Stanford patents, the | Diffie-Hellman patent." Is RSA now saying that the original Diffie-Hellman patent (#4,200,770) is not valid? I'm curious, because in the past, as I understand things, RSA has said that the DH patent covers El Gamal. If RSA no longer considers DH to be a valid patent, that would mean El Gamal is not patent encumbered. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From unicorn at schloss.li Fri Mar 8 19:29:58 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 9 Mar 1996 11:29:58 +0800 Subject: SLE_aze In-Reply-To: <199603081618.LAA21645@pipe4.nyc.pipeline.com> Message-ID: > > SLE_aze (for 3) From jf_avon at citenet.net Fri Mar 8 19:38:44 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Sat, 9 Mar 1996 11:38:44 +0800 Subject: hammers, crowbars and remailers & Leahy Message-ID: <9603082223.AA05907@cti02.citenet.net> What is the difference between an small hardware store owner selling a hammer and a crowbar to a guy that will commit burglary and a remailer owner providing services to , say, the same burglar who wants to sell his stolen goods. Would an anonymous phone call notifying the hardware store owner that somebody will buy tools that will be used to commit a crime be significant? Any comments? JFA Typical govt reasonning: The first cause of death is life, therefore life should be outlawed! Yeah, let make a new law! It'll be fun! From EALLENSMITH at ocelot.Rutgers.EDU Fri Mar 8 19:42:52 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 9 Mar 1996 11:42:52 +0800 Subject: Assassination Politics(tm) was V-chips, CC, and Motorcycle Helmets Message-ID: <01I23R7C8HFKAKTTTI@mbcl.rutgers.edu> From: IN%"jimbell at pacifier.com" "jim bell" 16-FEB-1996 03:25:12.58 >At 02:18 PM 2/15/96 -0800, Bill Frantz wrote: >BTW, for the record, just a couple of days ago Clinton probably passed >within a mile of my house, "Slant range", in a helicopter, with a day's >warning. (The term, "slant range", is a "term of art," for those not in the >know.) Yes; one could also take out a great deal of Washington DC via toxic gas. (If it weren't flammable, hydrogen cyanide would work nicely; just mix potassium cyanide and hydrochloric acid). Unfortunately, this would also kill a lot of innocent people (including, under my system of ethics at least, some governmental types. Look at Governor John P. Altgeld if you don't believe that any can exist; he pardoned the Haymarket riot scapegoats, and ruined his political career by doing so). >Now, imagine you were a government employee in this line of work, and a >fellow employee was bumped off due to a well-publicized incident. Next time >you're asked to engage in a Waco-like operation, what do you think you'll >say to your manager? "Is this trip necessary?" >This is called, "deterrence." You have a point. Of course, this gets back to the ever-present debate over whether the death penalty causes deterrence or not. I suspect it doesn't for most gang members; whether the actual (as opposed to rhetorical) psychology of governmental employees would predict the same is an interesting question. >Now, I think statistics show that each year, about 800 billion dollars in >individual income taxes are collected. If we assume that the equivalent of >only 1% of that value was donated to solve the "IRS problem," that's 8 >BILLION dollars, which at $10,000 per person would buy 800,000 deaths. >THat's 7 times the current employment of the IRS. >You tell me: What would the average person pay THIS YEAR to avoid paying, >say, a $100,000 tax bill NEXT YEAR? (Hint: How much do rich people pay >their accountants, TODAY, to avoid taxes?) You've got a "tragedy of the commons" problem. Everyone would assume that everyone else would do it. (Admittedly, that libertarians have among the highest charitable donation rates of any group may argue otherwise). Now, targeting whoever audited you is a quite likely possibility. >Another Hint: Consider Bill Gates. His wealth is variously estimated at >over 10 BILLION dollars, probably almost all of which is in long-term >capital gains (Microsoft stock), for which he will have to pay somewhere >around 30% in Federal income taxes if he should choose to cash out. He >would be 1.5 Billion dollars ahead if he donated $1.5 billion dollars to an >organization which would eliminate his requirement to pay the total 3 >billion dollar tax bill to the IRS. That alone is the equivalent of about >$14,000 for each IRS employee. You have an interesting point here. -Allen From frantz at netcom.com Fri Mar 8 20:10:13 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 9 Mar 1996 12:10:13 +0800 Subject: SurfWatch Message-ID: <199603082252.OAA03409@netcom7.netcom.com> At 3:27 PM 3/8/96 -0800, Timothy C. May wrote: >(By the way, adult magazines voluntary label themselves as "adult": my >understanding from several comments by lawyers and adult industry >spokesmen, is that they are under no obligation to "voluntarily label" >their stuff. And some libraries have an _explicit_ policy that says any >card-holder, of any age, may check out or look at _any_ item the library >carries.) IMHO Adult magazines label themselves "adult" as a form of advertising. In the same way, a site with a sufficiently hard core self-rating may attract customers specifically because of the rating. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From Goldberg at eit.com Fri Mar 8 20:15:23 1996 From: Goldberg at eit.com (Carole Goldberg) Date: Sat, 9 Mar 1996 12:15:23 +0800 Subject: Internet Commerce Message-ID: EIT/VERIFONE IS A RECOGNIZED PIONEER IN THE DEVELOPMENT OF SOFTWARE AND SERVICES FOR ELECTRONIC COMMERCE ON THE INTERNET. EIT IS A WHOLLY OWNED SUBSIDIARY OF VERIFONE, A LEADING GLOBAL PROVIDER OF TRANSACTION AUTOMATION. EIT/VERIFONE RECENTLY ANNOUNCED AN AGREEMENT WITH NETSCAPE COMMUNICATIONS TO CREATE COMPREHENSIVE INTERNET PAYMENT SOLUTIONS AND AN AGREEMENT WITH ORACLE TO COMBINE ORACLE'S POWERFUL WEBSERVER SOFTWARE WITH VERIFONE'S HIGHLY REGARDED AND SECURE PAYMENT SOFTWARE, TO PRODUCT THE FIRST PAYMENT-ENABLED WEBSERVER ON THE MARKET. LEARN MORE ABOUT EIT AT WWW.EIT.COM 1) Internet Engineer, SET Implementation Be a member of a team that will implement the SET protocol module (used for secure credit transactions over the Internet.) This candidate must have at least five years experience as a developer writing commercial grade software using C++. The minimum requirements are: * Knowledge of (and enthusiasm for) the World Wide Web * Experience writing software using ASN encoding rules * TCP/IP network programming * Significant cryptographic experience * Cross platform development experience using both Unix and NT. We will be pre-disposed to candidates who have significant experience in: * Internet protocols * Java * Financial networks * Site security work * Systems programming 2) Internet Engineer - SET Development Be a member of the SET development team. This candidate must have at least three years experience as a developer writing commercial grade software using C++. The minimum requirements are: * Knowledge of (and enthusiasm for) the World Wide Web * Cross platform development experience using both Unix and NT. and meets at least two of the three following requirements: * Experience writing software using ASN encoding rules * TCP/IP network programming * Significant cryptographic experience We will be pre-disposed to candidates who have significant experience in: * Internet protocols * Java * Financial networks * Site security work * Systems programming 3) QA Internet Engineer - SET Development Be a member of the SET development team. The candidate must have solid experience as a QA professional with at least five years of experience in commercial software development and testing. This position will entail test design, test writing, and code coverage analysis of the SET protocol modules. The minimum requirements are: * Knowledge of (and enthusiasm for) the World Wide Web * Cross platform development experience using both Unix and NT. * Working knowledge of C++ * Previous experience in White Box testing * Detailed understanding of modern QA processes We will be pre-disposed to candidates who have significant experience in: * Java * Financial networks * Systems programming * Communications Security and Data Security EIT offers a stimulating work environment along with competitive salaries and benefits. We are interested in full-time, contractors, and new graduates Please send your resume to Carole Goldberg via email, fax, or mail Fax: (415) 617-8019 e-mail: Goldberg at eit.com EIT, 800 El Camino Real, Menlo Park, CA 94025 From PADGETT at hobbes.orl.mmc.com Fri Mar 8 20:47:05 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Sat, 9 Mar 1996 12:47:05 +0800 Subject: Reasons for codes Message-ID: <960305201404.20203d67@hobbes.orl.mmc.com> >Totally untrue. The use of encryption for business purposes goes back >centuries, In fact there are lots of reasons for codes. One not mentioned that has a long and glorious history involve CHARLESTON, TABLEDRUGS, or BLACKHORSE and can be seen in commercial use today. Warmly, Padgett From alano at teleport.com Fri Mar 8 20:53:23 1996 From: alano at teleport.com (Alan Olsen) Date: Sat, 9 Mar 1996 12:53:23 +0800 Subject: WARES - random generator Message-ID: <2.2.32.19960305231417.009380a8@mail.teleport.com> This may be of interest to people on the list... >Keywords: madison hawai obsceni prising ridblood ribiliss >Subject: WARES - random generator >Reply-To: email at fringeware.com (FringeWare Inc) >Date: Tue, 5 Mar 1996 11:06:20 -0600 >Apparently-To: fwlist-daily at fringeware.com >X-UIDL: 4751f2738fffe6a83cf40be20fcd79a5 > >Sent from: email at fringeware.com (FringeWare Inc) > >A certain vendor of ours has approached FringeWare with an offer for >exclusive distribution a new product, which may be of general interest >to people reading this list. > >The product line is called Perfect Crypt Products and the new item >being considered is a random number generator which plugs into the >serial port of your PC/Mac/Sparcbook/Cray/etc., and pours out a stream >of random numbers. The process is based on thermal radiation, the >randomness looks quite good, and the product would retail for about us$50. > >If you have an interest in such a product, please let us know here >at: email at fringeware.com and we'll add it to our catalog. > >One-time pad enthusiasts and PGP officionados might consider this >offer especially. > > >----------------------------------------------------- >pxn * FringeWare Inc. * http://www.fringeware.com > > > > > --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon "I, Caligula Clinton... In the name of the Senate and the people of Rome!" - Bill Clinton signing the CDA with the First Amendment bent over. From registrar at switchboard.com Fri Mar 8 21:01:43 1996 From: registrar at switchboard.com (Switchboard Registrar) Date: Sat, 9 Mar 1996 13:01:43 +0800 Subject: Welcome to Switchboard Message-ID: <19960308191623236.AAA160@www2> Thank you for registering in the Switchboard database. Your Switchboard login is: Email: cypherpunks at toad.com Password: JimArts This password is case sensitive. Once you log in (set your browser to http://www.switchboard.com), your entry appears in the directory with your email address attached. You may then update your listing to show exactly the information you want and correct errors. Note that Switchboard waits until you log in to change the directory, because this step verifies that your email address is correct. Logging in also allows you to create an additional listing, change your password, list your home page URL, unlist your main listing, and access other features. Once you are logged in, please change your password to make it easier to remember. If you did not register in Switchboard and received this message erroneously, please Reply to Registrar at switchboard.com. From JMKELSEY at delphi.com Fri Mar 8 21:06:17 1996 From: JMKELSEY at delphi.com (JMKELSEY at delphi.com) Date: Sat, 9 Mar 1996 13:06:17 +0800 Subject: POTP Jr. Message-ID: <01I1YG0HUUZS9ELJNN@delphi.com> -----BEGIN PGP SIGNED MESSAGE----- [ To: cypherpunks ## Date: 03/04/96 07:59 pm ## Subject: POTP Jr. ] >Date: Sun, 18 Feb 1996 19:20:55 -0800 (PST) >From: Wink Junior >Subject: Internet Privacy Guaranteed ad (POTP Jr.) > If an individual, or any group of individuals, break the IPG > Privacy System, IPG will sell them the company for $1.00, and > even give them the dollar to buy it with. If you think you > can, just try and you find out that it is impossible. There > may be rumors that someone has broken the system, but that is > not possible, it will never happen. Surely I can't be the only person who's noticed the obvious--that if you break their system, their company is worth nothing, since this is their only shipping product. --John Kelsey, jmkelsey at delphi.com / kelsey at counterpane.com PGP 2.6 fingerprint = 4FE2 F421 100F BB0A 03D1 FE06 A435 7E36 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMTujK0Hx57Ag8goBAQHxBQQAkUKL0h0eqxJ5rNGg7dDF6Beskem/RUWA IZYNoHBG/WZYv86dDrFSVXOllqyumlo5enH0xwXBfDf0TN+kasjIaH/UYHncXYiL yw/31wBDt4H1PzmF7Yg5zfSBaN18l9dFT+rLGRJKRjWFgzGIAJZ6Jmga7RJ0P+/k TWCgt4AdIIc= =eI1Q -----END PGP SIGNATURE----- From rich at c2.org Fri Mar 8 21:09:27 1996 From: rich at c2.org (Rich Graves) Date: Sat, 9 Mar 1996 13:09:27 +0800 Subject: Bombings, Surveillance, and Free Societies Message-ID: <199603050416.UAA27860@Networking.Stanford.EDU> I believe this is where I came in... At 12:51 PM 3/4/96 -0800, tcmay wrote: > >Revolutionary theory says of course that this increased clampdown is a >desired effect of terrorist bombings and attacks. Fear and doubt. >Revolutionary ends rarely happen by slow, incremental movement. Hundreds of >examples, from the original "bomb-throwing anarchists" to the modern mix of >terrorist bands. The Red Brigade in Italy sought a fascist crackdown, and >the "strategy of tension" is common. (And even revolutionists of crypto >anarchist persuasion often think laws like the CDA are good in the long >run, by undermining respect for authority and triggering more extreme >reactions....) Well, I think they're wrong. Revolutionary theorists are right about the *beginning* of the dialectic. Action breeds reaction breeds counterreaction, and so on. Repression opens up all sorts of new opportunities. Ezekiel, St. John, Marx, Hitler, Winnie (not Nelson) Mandela, and so on were right about that. However, the dialectic eventually stabilizes; not every revolution is Armageddon. People get tired of revolution and counterrevolution, and yearn for stability, under *any* regime. That's why otherwise reasonable people let the Bolsheviks, Nazis, Napoleons, Democrats, and Republicans take power. Revolution is like a box of chocolates... you never know what you're going to get. I don't like extremists. But then, I'm a fucking statist. In South Africa, most of Latin America, and (until a few weeks ago) Palestine and Northern Ireland, tolerance has taken a few halting steps. You drop your gun, I'll drop mine. You open up the political process to let me participate, and I'll open up my processes so that you can trust me too. You purge the right-wing death squads on your side, I'll purge the left-wing terrorists on my side. I'm a firm believer in privacy for individuals, but for groups, of any kind, popular or unpopular, public or private, I'm not so sure. -rich http://www-leland.stanford.edu/~llurch/ From declan+ at CMU.EDU Fri Mar 8 21:09:40 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sat, 9 Mar 1996 13:09:40 +0800 Subject: U.S. State Dept criticizes Chinese net-censorship In-Reply-To: <9603082204.AB04688@cti02.citenet.net> Message-ID: Excerpts from internet.cypherpunks: 8-Mar-96 Re: U.S. State Dept critici.. by JFA T. QC, Canada at citene > There is no such thing as "self-censorship". Either you stick to > your values, and then it is *not* censorship, or then you do not, > and then, it is neither. Self-censorship does happen, and it's a growing problem in the arts community. (I'm not a commercial artist, so this is my understanding from other panelists and speakers at a conference I spoke at last month.) Making art more palatable or less "extreme" to curry favor with corporate patrons, or to get that NEA grant, or to get that faculty position is self-censorship, and it does happen. -Declan From jya at pipeline.com Fri Mar 8 21:09:45 1996 From: jya at pipeline.com (John Young) Date: Sat, 9 Mar 1996 13:09:45 +0800 Subject: PET - The Path to Anonymity Message-ID: <199603050332.WAA17483@pipe1.nyc.pipeline.com> Tracing the lead from the Canberra/OECD paper to the excellent Ontario Privacy Commission site: http://www.ipc.on.ca/web_site.eng/matters/sum_pap/ summary.html This summary of privacy papers includes: Privacy-Enhancing Technologies: The Path to Anonymity (Volume 1): A Joint Project of the Office of the Information and Privacy Commissioner/Ontario and the Registratierkamer, The Netherlands discusses concerns associated with the trail of identifying information created by electronic transactions, and a number of techniques for introducing an identity protector into information systems. The paper provides background information, the details of the joint survey, and the conclusions and recommendations. (August 1995, 107 KB, 26 pages). Available through: ftp://ftp.ipc.on.ca/ftp/ftp_site.eng/matters/sum_pap/ papers ---------- In the Netherlands, two volumes are listed (along with other choice crypto books) at the most informative site: http://infolabwww.kub.nl:2080/infolab/netwerken/ scripties95/groep8/literatuurlijst.html Registratiekamer. Privacy-enhancing technologies: the path to annonimity, volume I, augustus 1995. ISBN 90 346 320 24. Registratiekamer. Privacy-enhancing technologies: the path to annonimity, volume II, augustus 1995. ISBN 90 346 320 24. _________________________________________________________ Links are provided to such privacy tools as the admirable "Identity Protector" at: http://infolabwww.kub.nl:2080/infolab/netwerken/ scripties95/groep8/ip.html DE IDENTITY PROTECTOR [Snip] De identity protector heeft de volgende functies: * rapporteert en controleert verzoeken wanneer de werkelijke identiteit bekend wordt; * genereert pseudo-identiteiten; * vertaalt pseudo-identiteiten naar werkelijke identiteiten; * converteert pseudo-identiteiten naar andere pseudo-identiteiten; * voorkomt verkeerd gebruik. De gebruiker kan, met behulp van de identity protector, zelf bepalen bij welke aanbieders van diensten zijn werkelijke identiteit mag worden onthuld. Het gebruik van een identity protector verdeeld het informatiesysteem in twee domeinen. E�n waarin de werkelijke identiteit van de gebruiker bekend of toegankelijk is, en ��n waarin deze door de identity protector is afgeschermd. Het domein waarin de werkelijke identiteit bekend is noemen we het identiteits-domein, het domein waarin deze is vervangen door een pseudo-identiteit noemen we het pseudo-domein. ... _________________________________________________________ The Australians, Canadians and Dutch seem far ahead of the US in promoting technologies for protecting privacy. It makes one wonder if it is the intrusive practices and technologies of the super-surveillance US that they fear even as most Americans ostrich the sand. From JMKELSEY at delphi.com Fri Mar 8 21:10:04 1996 From: JMKELSEY at delphi.com (JMKELSEY at delphi.com) Date: Sat, 9 Mar 1996 13:10:04 +0800 Subject: numbers don't lie Message-ID: <01I1YG03B2W29ELJNN@delphi.com> -----BEGIN PGP SIGNED MESSAGE----- [ To: cypherpunks ## Date: 03/04/96 07:59 pm ## Subject: Re: Numbers don't lie... ] >Date: Sun, 18 Feb 1996 11:18:57 -0500 (EST) >From: "A. Padgett Peterson P.E. Information Security" >Subject: Numbers don't lie... >In their figures, they do seem to gloss over a couple of minor points: >The most compelling to me is "how do you know when you broke it ?". >Bruce has always used the "known plaintext" approach, however using >modern techniques for messaging, *every* message has a different >session key, negotiated using assymetric keying so the only message >that will be broken is one that you already have - not terribly >helpful. Coming up with a short length of known plaintext isn't usually a big problem. For example, attacking DES, you need to know one 64-bit block. In many cases, this is easy to do. While it is possible (and a good idea) to build communications software so that it's relatively hard to get known plaintext, this shouldn't be necessary to use a cipher securely. And in any case, if you're encrypting ASCII text, the bit distributions give you a big clue about whether this is a reasonable key guess or not, after just a few decrypted plaintexts. This increases the cost of the search machines, but I'm not convinced that this will be an enormous increase in all cases. >This means that the strength of cryptography should be appropriate >to the value of the information protected. If less than U$10,000, >the message is individually encrypted, and has value only today, >then DES is probably "good enough". True, DES is probably good enough for the very lowest-value messages. But why use something that's barely acceptable, when it costs you almost nothing at all to make it really secure against keysearch attacks. Blowfish, SAFER-SK128, GOST, and 3DES are all apparently quite hard to break, and they are all far more resistant to keysearch attacks than DES. >Strategic information of higher value arguably needs "more" but how >much ? 64 bits is 256 times stronger than DES. This would indicate >effective security up to say U$2.5 million. More is better but I >would not be quite so alarmist nor would I dismiss the cost of >engineering. Non-trivial. The problem here is that it's not really reasonable to expect the users of a secure e-mail package to know what the state of the art is in terms of keysearch machines, and it's not always reasonable to expect the person that's sending some piece of information to know whether this is "you-bet-your-company" material. There's no excuse for leaving yourself vulnerable to keysearch attacks, when there are so many good, unpatented ciphers with key lengths of more than 100 bits. It's like building a car with an engine that you know will catch fire if it's ever run at more than 80 MPH, but justifying it by saying "well, most trips don't require more than 80 MPH to get where they're going anyway. In those special cases where greater speed is necessary, they'll just have to take a bullet train." >Still, at what point is it simply easier/cheaper to buy someone who >knows the secret ? Limiting your key to 56 bits means that an attacker has more options--if he can't bribe, blackmail, or threaten his way into your private communications, he can spend some money, and still get in. (Escrowing your key adds to the list, because he now has more people to bribe/threaten/blackmail, and he may also be able to carry out protocol attacks against the key escrow mechanism.) > Warmly, > Padgett --John Kelsey, jmkelsey at delphi.com / kelsey at counterpane.com PGP 2.6 fingerprint = 4FE2 F421 100F BB0A 03D1 FE06 A435 7E36 -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMTujGkHx57Ag8goBAQElEwP/ZpzwCpwGUhbHJvEl+EiuseNEgy9To5yl RyX3VkdX+Xx6jksZeuLlSuRoMlahxyMHdH7uDY/8GFW2uxh8dFAJfwNdBCf3k0W8 aYml2Z/CCVadeuiSrKgZEMvE3F/LlDSCXQwuIde1Su7ICxQz9pd8ZbAqvOdQQWyZ ZQPr9TPCo/s= =zM5N -----END PGP SIGNATURE----- From adam at lighthouse.homeport.org Fri Mar 8 21:11:10 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sat, 9 Mar 1996 13:11:10 +0800 Subject: NYT on Crypto Bills In-Reply-To: Message-ID: <199603050354.WAA06580@homeport.org> Dr. Dimitri Vulis wrote: | Yes - the Markoff quote is factually incorrect. I'm sure he knows better | than this. Must be the Times editing. This mistake has popped up multiple times in his work. I'm not sure he's aware of it. | What he probably meant (and perhaps wrote) was that the cyphers used in | business for centuries could be broken by governments. This started | changing only after WW I. Wasn't the Enigma marketed to businesses? Yes, the initail (failed) marketing was to business. Only when the Nazi's started buying did sales start to take off. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From EALLENSMITH at ocelot.Rutgers.EDU Fri Mar 8 21:12:24 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 9 Mar 1996 13:12:24 +0800 Subject: PGP to PC mail integration Message-ID: <01I23UGYZTP0AKTTTI@mbcl.rutgers.edu> From: IN%"willer at carolian.com" 1-MAR-1996 18:50:23.84 >I wrote: >> You'd put something into the mail message itself that would tell it >>"don't encrypt this" and/or "don't sign this". Hmm... you'd need to put in >>messages to be signed and/or encrypted your passphrase, or have it gotten >>some other way... which doesn't look very safe. >Not very user-friendly either. That depends on one's standards. I prefer text-based interfaces, and they are needed for many setups. >Usually the proxy would be on the same machine as the mail program (i.e. "your >machine"). That would mean the "attack proxy" would have to be installed on >the user's PC, and if someone has that kind of access to your machine, their >secret keyring is vulnerable anyway. Good point. This also argues against the passphrase into the mail being that much of a problem... with the massive exception of something going wrong with the mail proxy program so that it lets through the email, with the passphrase and possibly without any encryption. However, as has been pointed out on other aspects of this, one could have the passphrase entered once (in a special mail message with no valid To: address, for instance) per session. -Allen From jrochkin at cs.oberlin.edu Fri Mar 8 21:13:27 1996 From: jrochkin at cs.oberlin.edu (Jonathan Rochkind) Date: Sat, 9 Mar 1996 13:13:27 +0800 Subject: Remailer Security Message-ID: At 11:06 PM 03/04/96, lmccarth at cs.umass.edu wrote: >Bottom line: if you can crack (say) the 8-character Unix passphrase for a >remailer account, you have full access to the remailer's secrets and all the >opportunities that presents. Good remailer account passphrases are >important. Um, there's no reason why your remailer's account needs to be logged into interactively, is there? Seems like remailer ops should disable login to remailer accounts, putting '*' into the password field in /etc/passwd, or however unix lets you disable login (I know it does). Obviously, the general security risk of someone gaining unauthorized access to the remailer executable or data files is still there, and important to keep in mind. But this would seem to be a fairly logical security measure. From cminter at mipos2.intel.com Fri Mar 8 21:44:28 1996 From: cminter at mipos2.intel.com (Corey Minter) Date: Sat, 9 Mar 1996 13:44:28 +0800 Subject: I don't think I'm on the mailing list anymore. What's going on? Message-ID: <199603090110.RAA10105@zws388.sc.intel.com> Hi, I'm not getting any more mail from this list. Does anyone know what could have happened? Maybe it's a CDA crackdown :) If anyone knows could you email me directly? From wlkngowl at unix.asb.com Fri Mar 8 22:33:15 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Sat, 9 Mar 1996 14:33:15 +0800 Subject: hammers, crowbars and remailers & Leahy Message-ID: <199603090236.VAA01595@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Jean-Francois Avon (JFA Technologies, QC, Canada) wrote: > What is the difference between an small hardware store owner > selling a hammer and a crowbar to a guy that will commit burglary and > a remailer owner providing services to , say, the same burglar > who wants to sell his stolen goods.[..] Be wary. There are people who believe gun or ammo manufacturers (and even knife manufacturers) should be held responsible for criminal use of their products. Bartenders or party hosts are already responsible when one of their patrons or guests gets too drunk (though the connection with knowing that the person is wasted is a bit clearer there.) The people who support such liabilities think there is a clear connection and it isn't very good. You may as well argue about religion or how many angels can fit on the head of a pin with such people. They go by emotional arguments, in many cases because they've a personal connection as or with a victim of some crime. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMUDuyCoZzwIn1bdtAQEqoQGAuU6nvataj6gt4VNUVjgyuYaTe8QxQ4Ww tPxTQiEvS/4C3C3vVUQ4QNWQbt5DxXzu =JRj/ -----END PGP SIGNATURE----- From wlkngowl at unix.asb.com Fri Mar 8 22:34:57 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Sat, 9 Mar 1996 14:34:57 +0800 Subject: rhetorical trickery Message-ID: <199603090231.VAA01548@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Vladimir Z. Nuri wrote: [..] > there is an infamous case of a child pornographer or pedophile in > California that is sometimes cited by law enforcement representatives > as a good example of the evils of encryption: supposedly he encrypted > his diary and it couldn't be unlocked by them. this was mentioned in > the article. > > but I have a question: how did they know it was his diary? If I remember some earlier discussion about that case from a few years ago, the file was called "diary.pgp". What they don't mention is that they were still able to convict him. They were just under the belief that they could figure out who all the victims were they didn't know about from his alleged diary... so they could "help" the other victims or maybe get him ore jail time? Odd thing is he used PGP 1.0, which used Bass-O-Matic. > I've noticed that people tend to often make conceptual leaps like > this that are wholly unjustified. it is easy to get their opposition Yes. This is quite common in political/social discussions and argumentation. A big problem is that people are no longer taught rhetoric and argumentation in schools. Another problem is that it is a clear example the opponents of strong crypto can point to, with lots of emotional strings attached. The best you can do is to note that the case in question was still sucessfully prosecuted, and also to give counter-examples as to why PGP has helped people (cite the usual freedom fighters in Burma, Amnesty International examples, or cite the theft of records from the UN's investigation in Bosnia, noting that it wasn't encrypted....) - --Rob - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMUDtbSoZzwIn1bdtAQGyLwGAu0nRv276K9cAmJslrl6HwW6m0YHWYKw/ mpZvHynKhfdNLRj6ghaHHH8V2DMDYrLO =SpjH -----END PGP SIGNATURE----- From wlkngowl at unix.asb.com Fri Mar 8 22:47:44 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Sat, 9 Mar 1996 14:47:44 +0800 Subject: FCC v. Internet Phone? Message-ID: <199603090248.VAA01654@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- I've done a scan of the NYT web site (www.nytimes.com) and the AP and Reuters... no mention of this at all, though there's a new blurb about another company promopting an Internet Phone type technology. - --Rob - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMUDxiSoZzwIn1bdtAQFduAGArzYvmvL26xUQiag6etkyg/ysh8RUhTqX s19MCcxWng+3T3frKu5P8eRju2XYBoF5 =Du5Z -----END PGP SIGNATURE----- From abostick at netcom.com Fri Mar 8 23:38:32 1996 From: abostick at netcom.com (Alan Bostick) Date: Sat, 9 Mar 1996 15:38:32 +0800 Subject: ANTI-CRYPTO CYPHERPUNKS In-Reply-To: <199603080239.SAA00668@jobe.shell.portal.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- In article <199603080239.SAA00668 at jobe.shell.portal.com>, anonymous-remailer at shell.portal.com wrote: > B. Schneier: bs208 at newton.cam.ac.uk, schneier at counterpane.com > M. Blaze: mab at crypto.com, mab at research.att.com > J. Bizdos: jim at rsa.com > S. Safaddar: shabbir at vtw.org > D. Weinstein: djw at vplus.com > P.. Peterson: padgett at hobbes.orl.mmc.com > > I wish to point out that some of these people are just probably misguided > and should be educated not hurt. A full mail spool is educatio[nal but > but it would IMHO be wrong to do mailbombing the postmaster or hacking > their accts etc. Give them a chance. > > Me, too! Please add me to the list! Alan "@aol.com" Bostick - -- Alan Bostick | "If I am to be held in contempt of court, Seeking opportunity to | your honor, it can only be because the court develop multimedia content. | has acted contemptibly!" Finger abostick at netcom.com for more info and PGP public key -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMUDjouVevBgtmhnpAQGX9AMAwxL8dT+mLlK4U81PMtF03JYNZMaImIMQ Srj1UKhV490BTHoqcfQZCg8eDiej5U9pniXwX8DSOJXV/vfuqi94dGOoxmqffa7+ p7nHKeEPItqTgvzJ8xJeS4NBk/Pd8xN4 =X6go -----END PGP SIGNATURE----- From anon-remailer at utopia.hacktic.nl Fri Mar 8 23:53:11 1996 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Sat, 9 Mar 1996 15:53:11 +0800 Subject: No Subject In-Reply-To: <19960308191623236.AAA160@www2> Message-ID: <199603090455.FAA13361@utopia.hacktic.nl> >>>>> "Switchboard" == Switchboard Registrar writes: Switchboard> Email: cypherpunks at toad.com Password: JimArts I changed the password to cypherpunks. That's easier to remember. From nobody at REPLAY.COM Sat Mar 9 00:12:26 1996 From: nobody at REPLAY.COM (Anonymous) Date: Sat, 9 Mar 1996 16:12:26 +0800 Subject: crash_netscape.html Message-ID: <199603081900.UAA13351@utopia.hacktic.nl> Netscape 1.12 core dumped on me while surfing today. Narrowed it down to this. (Don't try this at home, kids).
DIE
Crash! Core dump, sound of breaking code. Tested on HPUX only. Apparently doesn't crash Gold 2.0 on Win95. a From stewarts at ix.netcom.com Sat Mar 9 00:21:01 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 9 Mar 1996 16:21:01 +0800 Subject: News on RSA vs. Cylink Injunctions and Patents Message-ID: <199603090543.VAA06458@ix14.ix.netcom.com> At 10:06 AM 3/8/96 PST, "baldwin" wrote: > The following press release from RSA may be of interest to the >folks on this list. Thanks! It is of interest, but from one or two rounds of previous experience, I'd not want to draw any conclusions from either RSA's or Cylink's press releases about the content or meaning of a given court decision. They seem to inhabit different and not-quite parallel universes. >Cylink contends that RSA's software infringes its Stanford patents and that >licensing required an additional grant from Cylink, despite >the fact that RSA already has a license. After hearing oral arguments on >Feb. 29, Judge Williams denied Cylink's motion from the bench and later >issued a written order explaining that "several factors weigh against >finding that (Cylink) has shown a likelihood of success on >the merits." This sounds a lot like Cylink asked for a temporary restraining order blocking sales of BSAFE until the resolution of a lawsuit, and the judge rejected that request. If the quotations mean the same in context as they do in a press release (:-), they're moderately negative, though not a total rejection of the main case. It is pleasant to have RSA on the side of breaking the D-H patent and limiting the scope of H-M. Maybe this will help free the algorithms even before Roger Schlafly's suit does. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From frantz at netcom.com Sat Mar 9 00:57:36 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 9 Mar 1996 16:57:36 +0800 Subject: Another Motivation for the CDA (Federal Sentencing Guid Message-ID: <199603090640.WAA20305@netcom7.netcom.com> At 9:59 PM 3/8/96 -0800, Bill Stewart wrote: >The pizza guy was a thug, but twice as many third-strikers got >their third strike for marijuana as for all violent crimes combined. >I assume most of these had large quantities, possibly intended for sale, >and a number of them had real crimes as their previous felonies >rather than Prohibition-related offenses. But you can get legally >serious quantities of marijuana by just growing a couple of plants. I wonder how many of these drug dealers previous "real crimes" were related to using violence to protect their drug business, defense which would have used the courts and police had drug dealing been legal. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From stewarts at ix.netcom.com Sat Mar 9 01:00:43 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 9 Mar 1996 17:00:43 +0800 Subject: Net Day 96 and AOL Message-ID: <199603090613.WAA04960@ix13.ix.netcom.com> Heard on the radio today that AOL will be donating service for a year to the first 2000 schools that ask for it, as part of their contribution to Net Day. (For those of you not from California, an industry-led group has been coordinating volunteers and materials to wire up schools to the net; tomorrow's effort will be installing inside wiring so that schools that have computers will be able to get hooked up.) Does anybody know if there's an AOL-friendly version of PGP that we can donate to the schools, to help teach kids about proper encryption? If nothing else, some of the cut&paste interfaces will do, I suppose. AOL is fairly friendly about pseudonyms, and remailer support is a no-brainer except for documentation readily understandable to kids. Bill #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From thad at hammerhead.com Sat Mar 9 01:43:18 1996 From: thad at hammerhead.com (Thaddeus J. Beier) Date: Sat, 9 Mar 1996 17:43:18 +0800 Subject: News on RSA vs. Cylink Injunctions and Patents Message-ID: <199603090712.XAA01336@hammerhead.com> Adam, It is absolutely true that RSA has seen the light, and now believe that the DH and HM patents are not valid. I think that they had this realization on the day that they lost control of these patents, with the breakup of PKP. Roger Schlafly has been fighting these patents as well, and it appears to me that DH should be completely dead, it was widely publicized more than a year before the patent was filed. I don't believe RSA's interpretation of the judges ruling, though. Certainly they will twist the words in the most favorable way. RSA had been saying that Hellman-Merkle, not Diffie-Hellman, covered all public key patent ideas; but they were only saying that through PKP (which was a joint venture between themselves and Cylink) thad -- Thaddeus Beier thad at hammerhead.com Technology Development 408) 286-3376 Hammerhead Productions http://www.got.net/~thad From jf_avon at citenet.net Sat Mar 9 01:55:58 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Sat, 9 Mar 1996 17:55:58 +0800 Subject: U.S. State Dept criticizes Chinese net-censorship Message-ID: <9603090731.AA27437@cti02.citenet.net> -----BEGIN PGP SIGNED MESSAGE----- >Excerpts from internet.cypherpunks: 8-Mar-96 Re: U.S. State Dept >critici.. by JFA T. QC, Canada at citene >> There is no such thing as "self-censorship". Either you stick to >> your values, and then it is *not* censorship, or then you do not, >> and then, it is neither. > >Self-censorship does happen, and it's a growing problem in the arts >community. (I'm not a commercial artist, so this is my understanding >from other panelists and speakers at a conference I spoke at last month.) > >Making art more palatable or less "extreme" to curry favor with >corporate patrons, or to get that NEA grant, or to get that faculty >position is self-censorship, and it does happen. No, it does not. Making art more palatable is simply the process of free trade between two uncoerced entities. If the artist does not offer what the corporate purchaser wants he will not sell. He thus adapt his style out to his customer. Nobody is threatening to use force to have the artist conform to the client. Nobody is forcing the client to buy what he does not like. The artist does not have to compromise, he simply have to refuse the contract. Anybody using the term "censorship" to describe that is in the following situation : he *wants* the advantages of the contract (money) without respecting the customer, therefore. He deplores the fact that somebody (the customer) can act to his best judgment. The fact that the artist calls that censorship shows that he have the same thought process as the true censorers, i.e. the conviction that the end justify the means, and more specifically, the feeling that *his* ends justify *any* means. The artist may not act on his feelings but nevertheless, they are, in essence, of this nature. And unfortunately, too many artists think that way. JFA Accepting a grant is accepting stolen money. The collectivists and their free-lunchers be DAMNED! Restore an objective monetary standard such as gold! -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQEVAwUBMUDVbsiycyXFit0NAQHG0gf+P1rmX5xQiRo5sHpvYBlvvclVdGxJaJ6c E+n35ln3/FFMGiguk5TEr6tOG+vj6UNBW2VibggQ9HkMkQ+6yTeJRrWQVje+YxxY pygYrY6wfDB8F9aemkVIiypZqvo+UrG+IZwKSsuqZuFmyxu5VsnAzFB/NQS6z/fq WPnm23t51kj2d6e+1PDVJRmv1Gpjaj34xt9YIif7S7fXdMI8vRbopRkoFfbXcFsE +I+fzeIPINXde44duW/tUmVbPZcrwxNgL0xo7AZ3fwzYGqOw2cR3zNFH9iPWs6O5 iV+fNIx2f1sKl1MbkydEHtPVctLT3cqX0Bvi5f0k6XKdzmCMGSOr9g== =qWzV -----END PGP SIGNATURE----- Public Key at http://w3.citenet.net/users/jf_avon Jean-Francois Avon 2048 bits key ID:C58ADD0D 1996/03/01 fingerprint=52 96 45 E8 20 5A 8A 5E F8 7C C8 6F AE FE F8 91 From jf_avon at citenet.net Sat Mar 9 02:00:09 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Sat, 9 Mar 1996 18:00:09 +0800 Subject: V-chips, CC, and Motorcycle Helmets Message-ID: <9603090731.AB27437@cti02.citenet.net> "E. ALLEN SMITH" wrote: > Has it? Currently, we've got the guys who deal with the public (the >politicians and the low-level bureaucrats) and the faceless drones (the rest >of the bureaucrats). The politicians can be protected, and already are to some >degree. The low-level bureaucrats aren't _that_ likely to be targeted by enough >people to make a difference, and the ones who go bad enough to do so can be >protected (or sacrificed, if that seems to be the way to keep the public >happy). The faceless drones can be even more faceless, and so very hard to >target. Just a question to you: What makes the faceless drones powerfull? JFA Over the clouds, the sun always shine. Public Key at http://w3.citenet.net/users/jf_avon Jean-Francois Avon 2048 bits key ID:C58ADD0D 1996/03/01 fingerprint=52 96 45 E8 20 5A 8A 5E F8 7C C8 6F AE FE F8 91 From jsw at netscape.com Sat Mar 9 02:14:10 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Sat, 9 Mar 1996 18:14:10 +0800 Subject: SurfWatch In-Reply-To: <199603082252.OAA03409@netcom7.netcom.com> Message-ID: <31414295.4DBE@netscape.com> Bill Frantz wrote: > > At 3:27 PM 3/8/96 -0800, Timothy C. May wrote: > >(By the way, adult magazines voluntary label themselves as "adult": my > >understanding from several comments by lawyers and adult industry > >spokesmen, is that they are under no obligation to "voluntarily label" > >their stuff. And some libraries have an _explicit_ policy that says any > >card-holder, of any age, may check out or look at _any_ item the library > >carries.) > > IMHO Adult magazines label themselves "adult" as a form of advertising. In > the same way, a site with a sufficiently hard core self-rating may attract > customers specifically because of the rating. I predict that 6 months after the first internet rating system is widely deployed, the largest use of search engines such as altavista will be to look for pages with the most "naughty" ratings. Perhaps such services will allow text searches for free, but charge for searches based on the rating tag... --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From wlkngowl at unix.asb.com Sat Mar 9 02:27:58 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Sat, 9 Mar 1996 18:27:58 +0800 Subject: Another Motivation for the CDA (Federal Sentencing Guid Message-ID: <199603090830.DAA02855@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Note: This post is 100% free of crypto. Bill Stewart wrote: [..] > And the guys who just got busted for having fertilizer, diesel oil, > and drugs on their farm had a whole three ounces of marijuana and > personal-use quantities of crank. Maybe they were planning to blow up > buildings rather than stumps; but the Feds are trying to paint them > as max evil just to build up their case. Perhaps they were going to use the fertilizer for the grass and the heating oil to keep warm (or to keep the plants warm). It's possible... - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMUFBjyoZzwIn1bdtAQFAvgF/ZarRLbmt6KLiK3XPMWqdmPeGs5dg0Jpm aLndW+LmNJODCB2q4Xh9/IrCJ8awEvf9 =P4i6 -----END PGP SIGNATURE----- From furballs at netcom.com Sat Mar 9 02:31:27 1996 From: furballs at netcom.com (Paul S. Penrod) Date: Sat, 9 Mar 1996 18:31:27 +0800 Subject: U.S. State Dept criticizes Chinese net-censorship In-Reply-To: Message-ID: On Fri, 8 Mar 1996, Declan B. McCullagh wrote: > Excerpts from internet.cypherpunks: 8-Mar-96 Re: U.S. State Dept > critici.. by JFA T. QC, Canada at citene > > There is no such thing as "self-censorship". Either you stick to > > your values, and then it is *not* censorship, or then you do not, > > and then, it is neither. > > Self-censorship does happen, and it's a growing problem in the arts > community. (I'm not a commercial artist, so this is my understanding > from other panelists and speakers at a conference I spoke at last month.) > > Making art more palatable or less "extreme" to curry favor with > corporate patrons, or to get that NEA grant, or to get that faculty > position is self-censorship, and it does happen. > To me this sounds more like an argument on perspective. IF you hold to the premise that self-censorship is based in a large part on witholding your natural inclination and/or reaction, then yes the argument can be made that self-censorship occurs all the time. However, I would submit that J.F.A. is correct and that your position is but a subset of the original statement. To wit: If I found myself in a situation where the person involved was behaving like a jerk - but I did not speak my mind (as to achieve some defind goal, favor, etc.) because my moral compass indicated that such an action was inappropriate to acheive said goal - then I can make the case of both self-censorship (by your definition) and non-censorship (as none was required) by J.F.A's definition. It's called personal restraint based upon the practice and acceptance of culturally defind rules of civil behavior within a particular community. As to the art community: I find pieces of "art", such as the cross in the urine, extremely distasteful and insulting to the christian sects who value that symbol as part of their religious culture. However, the NEA thought it was "brilliant" enough to warrant a grant to the artist in question - who profited by his work. Now, who, if anybody is correct in their stance about what is or is not "acceptable" material for publication and support with tax dollars ? Anwser? It's purely subjective. I choose to censor my viewing to not include works that I deem offensive or immaterial. Obviously, somebody thought it was wonderful enough to give the guy money for his effort. Different strokes for different folks. As to censorship itself: Censorship, IMO, is tool that we (as people) use every day to screen out unwanted or unnecessary information. It is not a bad thing - just a tool. Where things change with respect to it (as a tool) is in to what purpose it is put. When censorship is encouraged or utilized for the express purpose of controlling information content and/or flow so as to subjegate the will of another to your own control, then I personally view this as wrong. Others will disagree (especially in certain sections of UNCLE). They will make the case for service to the community based upon National Security interests, politcal cause, religious, etc. So be it. As it stands, even with the exercise of unrighteous dominion, we still have the agency to choose to accept or reject the conditions we find ourselves in. Rationalization only serves to salve our conscience when we tell ourselves there is no choice, when we have already made the choice and have resigned ourselves to it. The founding fathers wrote the Bill of Rights in the order of appearance for a specific purpose and intent. They did not enjoy the same freedom of discussion and representation as we do today (even with all the silly restrictions UNCLE seems to feel are necessary in legislating our morality). The First Amendment (free speech) was first because they felt it was more important than all the rest. Without it, the other amendments are without meaning and just execution. However, they did not intend that such rights as free speech be practiced without using common sense. It is one thing to hold a view repugnant to a community of your peers - but quite another to attempt to force that view upon them without their consent by court action or political coercision. The tired and worn example of shouting "FIRE!" in a crowded movie house is a perfect example of a bone-head manuever made to test the fence. In some other place or time, it may be considered funny or annoying - but in today's society (where people tend to get hyper-sensitive) it is considered criminal by statute of law as the potential consequence of such an action may inadvertantly bring harm to another. Hence - we as a culture have attempted to codify common sense into legal statute (which itself is a larger bone-head maneuver attempting to rectify the first). Where does this leave things: For society at large, the divisiveness of the actions promulgated by people looking for offense - coupled with the encouragement by lawyers to seek redress by way of tort (which profits them, but not the litigating parties), only serves to tear the fabric of the republic as it was created by the founding fathers. We will willingly GIVE UP our right to free speech in all it's forms over time because our selfish behavior encourages us to act unwisely to "get even" with the other guy. The government has to do nothing except sit back and encourage the trend, so that people will petition the very goverment that derives it power and authority from the governed to take it away from them. Then, when it is too late - they will realize that they gave away their most precious posession - as Esau gave up his birthright over a meal. I wouldn't worry about the art community and any perception of self-censorship. Historically, artisans, writers, scientists and other creative people tend to be among the first of the rats to flee the sinking ship and swim to places more tolerant of their world view. There will always be a home for such people as creativity is always appreciated in one form or another by somebody. ...Paul From declan+ at CMU.EDU Sat Mar 9 02:52:15 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sat, 9 Mar 1996 18:52:15 +0800 Subject: FCC v. Internet Phone? In-Reply-To: <199603090248.VAA01654@bb.hks.net> Message-ID: Excerpts from internet.cypherpunks: 8-Mar-96 FCC v. Internet Phone? by Mutant Rob at unix.asb.com > I've done a scan of the NYT web site (www.nytimes.com) and the AP > and Reuters... no mention of this at all, though there's a new blurb > about another company promopting an Internet Phone type technology. I was contacted by a reporter from the Boston Globe who plans to write about it. Some net-publications have picked or soon will pick it up, I believe. -Declan From bryank at comtch.iea.com Sat Mar 9 03:08:13 1996 From: bryank at comtch.iea.com (Bryan Koschmann) Date: Sat, 9 Mar 1996 19:08:13 +0800 Subject: test Message-ID: <2.2.32.19960309094044.0069cef8@comtch.iea.com> just a test to see if my filter works..sorry3 for any inconvenience Gate| In a message dated 96-03-08 01:37:10 EST, you write: >Subj: ANTI-CRYPTO CYPHERPUNKS >Date: 96-03-08 01:37:10 EST >From: anonymous-remailer at shell.portal.com >Sender: owner-cypherpunks at toad.com >To: cypherpunks at toad.com > >This is the first in a regular series of postings of cypherpunks >who have joined big brothers fight to deprive you from Unescrowed >Crypto. Some of these pigs have come out in favor of the new anticrypto >bill which makes it a crime to use crypto if big bro can't read it >and also sets up key escrow but others have just said that they >don't care if the government can read YOUR mail as long as they get >what they want. I see the mentally impaired, chicken crap eating buttwipe that wrote this drivel wasn't even brave enough to post his real email address. Jonathan Wienke From wiz at c2.org Sat Mar 9 03:32:34 1996 From: wiz at c2.org (wiz) Date: Sat, 9 Mar 1996 19:32:34 +0800 Subject: Java and PGP Message-ID: <199603080846.AAA23594@infinity.c2.org> With all the current discussion on Java encryption api's, it got me thinking. Would it be possible to write a Java applet that provides secure email? By secure, I mean that nobody but the intended recipient of a letter can read it. And that the reader knows who wrote it. That is, encryption and signing a la PGP. Using https you would download a Java applet from your mail server. Https is needed so that a MITM can not give you a fake applet. The applet will fetch your secring.pgp from the mail server. It will fetch your mail by POP3 from same server and decrypt any PGP mail using the pass phrase you enter in the applet window. Problem with this setup, your mail server administrator could give you a fake applet that sends your pass phrase back to him. That means that the applet must be verified anyhow, so maybe https doesn't really help. Anybody see a solution to this? If the applet viewer (such as Netscape 2.0) would show an MD5 sum of the applet, we could verify that with a third party. But it should be done automatically, like the way Netscape verifys https. From WlkngOwl at UNiX.asb.com Sat Mar 9 03:33:27 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Sat, 9 Mar 1996 19:33:27 +0800 Subject: ANNOUNCE: NOISE.SYS v0.4.9-Beta /dev/random driver for DOS syste Message-ID: <199603080838.DAA11325@UNiX.asb.com> The latest version of NOISE.SYS (0.4.9) should be available "real soon now" at ftp.elf.stuba.sk in the ??/security directory [I don't remember the exact path...]. It should also be available at the ftp.wimsey.com and ftp.funet.fi sites soon. NOISE.SYS is a /dev/random driver for DOS systems, similar to the random.c implementation for Linux and FreeBSD. It sets up two devices, "random" and "urandom" which return streams of crypto- quality random bytes based on fast timings from the keyboard IRQ, disk access, Windows 3.x message broadcasts, mouse movement, and cpu clock drift, with some experimental kluges to sample the audio card input [to be improved in future versions]. The raw samples are mixed using a polynomial function and then hashed using SHA-1. Entropy estimation is based on arithmetic coding schemes and how often samples recur, rather than on the sample deltas themselves. The source is included (in 386 assembler) and is relatively easy to modify and experiment with [plenty of comments and macros]. Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From JonWienke at aol.com Sat Mar 9 03:36:15 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Sat, 9 Mar 1996 19:36:15 +0800 Subject: steganographic trick Message-ID: <960308040205_240667097@emout04.mail.aol.com> In a message dated 96-03-07 23:02:48 EST, vznuri at netcom.com writes: >imagine an application where you freely admit that you have your >cryptographic tools, and that you are even willing to tell the >"feds" the key for your data. they run the crypto program, and >indeed the file decrypts. however, unknown to them, you have given >them a key that decrypts the file into something meaningful yet >benign, such as a cookie recipe, not >your plans for the overthrow of the state. in other words, >"interlaced" or "coincident" within the same file is your secret >data. given one key, it decrypts into one set of data, and given >another key, it decrypts into another set of data. The only computationally feasible way to accomplish this would be to use a variation of the one time pad (OTP) cipher, and use two keys: the genuine key, which is made by the random number generator of your choice, and a specially cooked key generated by XORing the encrypted message with an innocuous message. Decrypting with the random key will yield the real message, and decrypting with the cooked key will yield the innocuous message. The disadvantage to this system is that each key will be the same length as the message. The method you propose (using multiple RSA keys) is not workable. Finding 2 RSA keys that will decrypt a given ciphertext block to any 2 meaningful plaintexts is at least as difficult as breaking RSA, and expanding this concept to messages longer than 1 block moves it into the realm of impossibility. Jonathan Wienke From gary at kampai.euronet.nl Sat Mar 9 03:37:04 1996 From: gary at kampai.euronet.nl (Gary Howland) Date: Sat, 9 Mar 1996 19:37:04 +0800 Subject: U.S. State Dept criticizes Chinese net-censorship Message-ID: <199603081049.FAA26387@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- > The U.S. State Department's Human Rights Report for 1995 talks about > restrictions on new media in China, pointing out that Internet access is > now limited. But will they have the balls to criticise singapore? SINGAPORE CRACKS DOWN ON INTERNET The Singapore government has informed Internet content and access providers that it will hold them responsible for voluntarily restricting pornographic and politically objectionable material in transmissions to the country's 100,000 Internet accounts. The Singapore Broadcasting Authority is charged with enforcing the ban on materials that could "undermine public morals, political stability or religious harmony." Most content providers will be deemed "licensed" unless they violate the restrictions, but political and religious groups must register their online intentions with the SBA. Punishments for transgressions have not yet been determined. (Wall Street Journal 6 Mar 96 B6) Gary - -- pub 1024/C001D00D 1996/01/22 Gary Howland Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06 - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMUAQwioZzwIn1bdtAQHYrgF/ZsQe3y/aeQCoouoOJ7SnXSY4uVOkv3eP zPFB9+GjLuQ8xBDEzygjB5FnPkTcVnGI =nIgN -----END PGP SIGNATURE----- From tcmay at got.net Sat Mar 9 03:39:08 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 9 Mar 1996 19:39:08 +0800 Subject: Another Motivation for the CDA (Federal Sentencing Guid Message-ID: At 2:32 AM 3/8/96, Deranged Mutant wrote: >That aside, in running trials and in many other little things both >federal and non-federal judges have too much leeway in deciding what >evidence can be admitted, in some of the sentencing details and in >various forms of punishment and restitution, etc. > >But yes, you made a good reminder point about mandatory sentencing. I saw a report on CNN Thursday that a new study (done by some law industry body, I didn't note which) indicated that California's "Three Strikes and You're Out" sentencing law is having this effect: 85% of all of the felons sent away for 25-years-to-life were sent away in cases where there 3rd strike was for a drug deal, petty theft, etc. One guy featured had never committed any violent acts, and his 3rd strike was for lifing a pizza. Now I am generally for harsh punishment for true crimes (murder, rape, and even robbery), but many of the "felonies" are not in this class. Many are drug-related (you all have heard the many horror stories about 19-year-old Deadheads sentenced to 15 years for having blotter acid at Dead concerts). The relevance to this list, and to the CDA? The felonies the CDA defines are just that: felonies. Not misdemeanors. While sentencing guidelines have not been issued--a point Brian Davis reminded me of in a private communication--it is likely under California law that these felonies will count toward the "Three Strikes" sentencing. These fuckers in Congress are full of shit. There, I could be prosecuted under the CDA for "manifestly indecent" language, made available to minors (several high school students have identified themselves as being on the list, so it is highly likely minors are on the list at any given time). It's unlikely that mere indecent language would ever be prosecuted, but the CDA says it can be. I'd better not fuck up a third time....whoops. Oh shit. "25-years-to-life." Welcome once again to Amerika. --Tim May, a felon Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Sat Mar 9 03:39:15 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 9 Mar 1996 19:39:15 +0800 Subject: Vexatious Litigants (was: SurfWatch) Message-ID: At 7:11 AM 3/8/96, Bill Frantz wrote: >I agree fully so far. However, when your TimWatch software takes action >based on your opinions, you may have crossed the line between speech and >action. Since you made the decision, rather than just provided an opinion, >you might, in our current legal climate, have caused a tort. So, when someone downloads the Siskel and Ebert list of thumbs up/thumbs down ratings, and then "lets the software decide" which movies to see, a tort has possibly occurred? I don't buy it. SurfWatch is just a ratings service. They aren't coercing people to use it. >It would be interesting to see if a HIV positive teen could sue SurfWatch >because it blocked him from getting information on safe sex. Presumably the owners of the machine he is using--maybe his parents, maybe his Catholic school, maybe his company--installed the SurfWatch or similar program and programmed the ratings. The teen should look to them. (Not that matters, but I really dislike using AIDS education as an example. Any person who claims to not know about AIDS prevention probably is either uneducable or doesn't want to know. A Web site isn't going to make a difference. I'm not arguing for censorship, nor would I ever install SurfWatch in my home, just saying that the hype about AIDS education is a hot button being used by arguers of all stripes to push their policy agendas. More heat than light.) >IMO our society has tilted too far away from caveat emptor toward "it's >someone else's fault". People who let a machine censor their data deserve >what they get. Parents who consistantly hide reality from their children, >instead of helping them learn how to deal with it, are crippling their >children. Well, they're my children to educate as I see fit. I view religions as more crippling than denying a child access to "The Gay Men's Safe Sex Site," but, fortunately, I cannot interfere with the upbringings others give their children. We may dislike the "programming choices" that the current instance of SurfWatch provides, but the solution is _competing_ ratings services, not talk of suing SurfWatch on the basis that it creates a tort, or denies children access to proper exposure to Gay Sex Lifestyles. Let a thousand ratings systems, including the No Rating System, bloom. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From PADGETT at hobbes.orl.mmc.com Sat Mar 9 03:39:20 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Sat, 9 Mar 1996 19:39:20 +0800 Subject: OK, just to incite the rabid... Message-ID: <960228184524.2023739f@hobbes.orl.mmc.com> Subj: Re: new "obscenity" law on the net inc si jnz 0166 dec bx Remember my Christmas Card ? Warmly, Padgett From JonWienke at aol.com Sat Mar 9 03:42:02 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Sat, 9 Mar 1996 19:42:02 +0800 Subject: TCP/IP Stego (was CU-SeeMe) Message-ID: <960308043046_240672475@emout06.mail.aol.com> In a message dated 96-03-08 03:39:00 EST, you write: > -It can be applied by two routers which are in the middle > of the connection. The two endpoints of the TCP/IP > connection would not even notice. For example, if I control > a router "upstream" of a major connection point and the > site I wish to communicate with is in a similar position > then I can run the subliminal channel in a "spread spectrum" > mode across many connections and the packets can get reset > to their original settings by the other site. The user > whose stream we fiddled with does not even know that they > were used as carrier wave... You seem to be oblivious to the fact that this technique is only useful for ISP's, corporate networks, etc. that the average home computer user will never have access to. If I want to send a WAV file of my 2 year old son saying "Hi, gramma" (or a 24-bit color TIFF of him practicing nose-picking techniques) to my relatives, that is not overtly suspicious behavior, even if it has a slight amount of background noise (or graininess). As long as I don't stego too many bits in the file, and I strip out any overt "I'm crypto" headers, it will be impossible to prove that stego techniques were used on a file. Finding random bits where random bits normally live cannot be used to prove anything. From Q101NOW at st.vse.cz Sat Mar 9 04:00:32 1996 From: Q101NOW at st.vse.cz (Powers Glenn) Date: Sat, 9 Mar 1996 20:00:32 +0800 Subject: Looking for code to run an encrypted mailing list Message-ID: <116B1A04ADE@st.vse.cz> - > I'd like to run an encrypted mailing list contact colossus at colossus.net they've already hacked majordomo to do this. please mention gpowers at meaning.com sent you. yes, this is an ad. but, two people have already asked and i figured there might be more. glenn From nobody at REPLAY.COM Sat Mar 9 04:15:59 1996 From: nobody at REPLAY.COM (Anonymous) Date: Sat, 9 Mar 1996 20:15:59 +0800 Subject: Artist self censorship (Was Chinese net-censorship) Noise Message-ID: <199603091145.MAA24434@utopia.hacktic.nl> Excerpts from internet.cypherpunks: 8-Mar-96 Re: U.S. State Dept critici.. by JFA T. QC, Canada at citene & later Declan B. McCullagh. >> There is no such thing as "self-censorship". Either you stick to >> your values, and then it is *not* censorship, or then you do not, >> and then, it is neither. >Self-censorship does happen, and it's a growing problem in the arts >community. (I'm not a commercial artist, so this is my understanding >from other panelists and speakers at a conference I spoke at last month.) >Making art more palatable or less "extreme" to curry favor with >corporate patrons, or to get that NEA grant, or to get that faculty >position is self-censorship, and it does happen. There is a photographer by the name of Jock Sturgis who is famous for his photographs of naturalists and their children on the beaches of California and France. Sturgis' home was raided by the FBI and all of his photographs, equipment, & records were seized under suspicion of producing child pornography The photo equipment, records, and photographs were returned but not after making Sturgis' life a living hell... Sturgis' work which has critical acclaim throughout art circles and has published two books profiling naturalists, has been quoted to saying that before taking a picture he usually asks himself about how this picture is percived, something the he never thought twice before the FBI raid. Mr. Avon should think twice before commenting on self censorship does not exist, for that could be the difference from having the door kicked in by the black ninja turtles with the FBI or toning down your work. -- From perry at piermont.com Sat Mar 9 05:38:17 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 9 Mar 1996 21:38:17 +0800 Subject: SEAL cipher info requested (something actually list related!) In-Reply-To: <199603060521.AAA15746@homeport.org> Message-ID: <199603060751.CAA09041@jekyll.piermont.com> Adam Shostack writes: > | * is there something better then SEAL available? > > How about Blowfish? I believe blowfish has been partially cracked, but I forget which conference the paper was presented at. .pm From mccoy at communities.com Sat Mar 9 05:42:23 1996 From: mccoy at communities.com (Jim McCoy) Date: Sat, 9 Mar 1996 21:42:23 +0800 Subject: Signature 2 Message-ID: >Hi, > >> Assumption 1 : a privacy key can become uncrackable. >> Assumption 2 : an individual signature can become immune to fraud. >> Posit : fuse the two together so that pseudonyms/aliases/online names ensure >> complete privacy, but ensure that you talk to the same person >> everytime. >> Probably proposed already. > >Unforutnately both of your assumptions are wrong. A key cannot be >100% uncrackable, and a signature cannot be 100% immune to fraud. >With electronic security, there is always a chance that a key can be >cracked or a signature forged. The question is how hard is it to >crack the key or forge the signature? You need to balance the >security with the price. Derek is correct in that your use of the words "uncrackable" and "immune to fraud" were a bit over the top (in recent years everyone in the security and crypto community has become very nervous whenever anyone says things like this; they are usually trying to sell you something which is neither.) OTOH, he might want to temper his statement with a reference to fail-stop signatures... Just because someone with a lot of computational resources can produce a private key which matches your public key does not necessarily mean that they are the same ones that you generated, only that they found a set which work for the particular modulus which was chosen... In the "real world" there is nothing to prevent someone from forging your real signature on a check or document or from disguising themselves as you and taking your place at an important business meeting. The digital equivalents can be slightly more secure, but nothing is ever perfect. jim From bs208 at newton.cam.ac.uk Sat Mar 9 05:46:46 1996 From: bs208 at newton.cam.ac.uk (B. Schneier) Date: Sat, 9 Mar 1996 21:46:46 +0800 Subject: This is my support letter to Sen Leahy Message-ID: <199603060930.EAA04703@gibbs.newton.cam.ac.uk> ************************************************************************* This is a temporary e-mail address; I am in Cambridge until 12 March. Continue to send mail to schneier at counterpane.com; it forwards by itself. ************************************************************************* March 1, 1996 Hon. Patrick Leahy United States Senate Dear Senator Leahy, I would like to thank you for introducing the Encrypted Communications Privacy Act. As a member of the computer and information security research community, I am keenly aware of the vital role of cryptography in fostering the development of our information infrastructure. As the author of the book, "Applied Cryptography", I have unusual insights into the absurdity of cryptography export restrictions. It is not without irony that one may export my book in paper format, but not electronically. Presumably no rational person believes that the current restrictions actually prevent the spread of cryptography. I believe you recognize this, as evidenced from the strong stance taken in your bill. As the bill recognizes, we can no longer afford to hold on to the obsolete notion that cryptography is the sole province of government communications; the growth of modern networks has irrevocably pushed it into the mainstream. I applaud you leadership towards codifying these principles in a balanced and responsible way. In particular, the bill: o Removes the regulatory strangle-hold that has encumbered the development of mass-market security solutions; o Recognizes the futility of applying regulations intended to control the international arms trade to even the most mundane and commonly available software; o Encourages public confidence in encryption by allowing the marketplace to provide a full range of choices for privacy and security needs; o Recognizes the special obligations of keyholders to be vigilant in safeguarding the information entrusted to them, without imposing hurtles on the use of cryptography; o Allows the United States to continue its leadership role as a technological innovator; o Acknowledges the pivotal role of cryptography in electronic commerce. I continue to have concerns that the new criminal obstruction provision will discourage law abiding citizens from using cryptography. I hope that legislative history and further discussion will demonstrate the narrow intent of this crime. Overall, your bill takes very necessary strides towards ensuring that the protections we take for granted in traditional media keep pace with technology, and I commend your efforts. Sincerely, /s/ Bruce Schneier From eggplant at inlink.com Sat Mar 9 05:48:59 1996 From: eggplant at inlink.com (eggplant) Date: Sat, 9 Mar 1996 21:48:59 +0800 Subject: Jump Start ecash With IPhone Message-ID: How about...only paying for the initial investment of the phone program and hardware. No more costs to pay, get rid of long distance charges all-togther. Except for the ISP charge of course. And how about the ISP's setting up a special account for people only needing the Iphone. That way all the revnue that generates (well most of it) can go to increasing the bandwith. Increased bandwith (fibre?) is the key factor here, both your scenario and mine. Also, what companies want to invest in a dedicated internet phone? How about a combination...all-in-one web browsing (that's what many people will wnt in the future for sure), internet phone and CD-ROM playing system. That way people who don't want a full-scale computer can get something cheaper than a computer that will do all they need it to do. Of course the system should allow for email (including PGP, etc) and some text editing. Just a thought.... -- "... In Germany they first came for the Communists and I didn't speak up because I wasn't a Communist. Then they came for the Jews, and I didn't speak up because I wasn't a Jew. Then they came for the trade unionists, and I didn't speak up because I wasn't a trade unionist. Then they came for Catholics, and I didn't speak up because I was a Protestant. Then they came for me-and by that time no one was left to speak up..." Pastor Martin Niemoller ++++++++++++ ************************************** * Matthew Murphy ------------ eggplant at inlink.com * ---------- * http://www.inlink.com/~eggplant * The Web page is under construciton at this time though.. * Please don't mind the mess.... * ************************************** ++++++++++++ finger eggplant at inlink.com for my PGP key. From jsw at netscape.com Sat Mar 9 05:49:06 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Sat, 9 Mar 1996 21:49:06 +0800 Subject: new netscape servers In-Reply-To: <199603052036.OAA04200@proust.suba.com> Message-ID: <313D5C6A.6A4A@netscape.com> Alex Strasheim wrote: > > From the Netscape home page: > > "Netscape also announced FastTrack Server 2.0, an entry-level Web server > that combines all the new capabilities of the next-generation Netscape > Servers into one easy-to-use package. FastTrack comes with SSL security, > Java and JavaScript support, and Netscape Navigator Gold content-creation > software - for only $295." > > There are two reactions we can have to this. On the one hand, it's a > good thing because it's going to make SSL servers a lot more popular. > > But at the same time, it raises some serious questoins about how Netscape > plans on dealing with competitors. It's not clear whether or not the > $295 price tag includes a certificate or not. But is it coincidental > that people who want to use alternative technology like apacheSSL will > have to pay the same price for the cert along as Netscape's customers > will have to pay for a plug and play package? As far as I know we are not bundling a certificate. It doesn't say so in the press release either, so I wonder what made you think that we were? > (The rest of this post is based on the assumption that you do get a cert > with the "fast-track" server. That's not clear, so if I'm wrong, I > apologize to the folks at Netscape.) > > There are two things keeping an organization like c2.org from competitng > with Netcape on price: verisign and the licensing fees on rsaref. Both > companies have close ties to Netscape. What do you mean by "close ties to Netscape"? You are making this sound like some sort of conspiracy. We are customers of RSA and Verisign, just like c2.org or microsoft.com. > It's imperative that we challenge Netscape's control over the CAs. > Obviously they can preinstall whatever CAs they want in their browsers. > > But that doesn't mean we're powerless. I think we ought to: > > (1) form a new non-profit low cost CA I encourage you and anyone else who is interested to do this if you want to. However I do suggest that you consult a lawyer, since there may be liability issues involved. There are a lot of big and medium sized companies that are entering or about to enter this market. I'm sure there is room for some lean low cost ones too. > (2) make a concerted effort to explain the issue to the public and > encourage people to ok the new CA. Again I encourage you to help in educating the public about the issues involved. > (3) try to create a sense that using a preinstalled CA is a form a > collaboration (this will be hard, but I think it's true). If enough > people will use a new CA, then it will be as good as one of the > pre-installed ones. > > We can't let this sort of power concentrate in Netscape's hands. It's > not a question of whether or not they're good people. It's just a bad > development for everyone. You seem to be under the incorrect impression that Netscape is in some conspiracy with verisign to control the market for certificates. Nothing is further from the truth. We are taking steps to increase competition in the market and give users the ultimate choice about who they want to trust. The ability to add and delete trusted CAs in the 2.0 Navigator is just the first step. We are also working on a written criteria for including CA certs in the "Netscape provided" set. I've been involved in writing the criteria, and have tried to push it in a direction that will allow little guys to compete on even ground with the big guys. I don't know when it will be available since the whole process involves lawyers and issues of liability, so we just have to wait until they bless it. As soon as we can make it available we will. I recently created a document that describes how our current products deal with certificates. This should be enough on the technical side to allow anyone to create a CA. That document can be found at: http://home.netscape.com/newsref/std/ssl_2.0_certificate.html I hope I have addressed your concerns. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From nobody at REPLAY.COM Sat Mar 9 05:58:38 1996 From: nobody at REPLAY.COM (Anonymous) Date: Sat, 9 Mar 1996 21:58:38 +0800 Subject: Another Motivation for the CDA (Federal Sentencing Guid Message-ID: <199603091257.HAA03427@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- jamesd at echeque.com wrote: > In theory one would expect the law to have this unjust effect, > but in practice most of the poster boys that people give as > examples of the injustice of this law are folk that one would > like to see taken behind a barn and shot out of hand. Three strikes you're fried eh? Dont even bother cutting off their hands - straight to old sparky thats what I say! In theory one would expect the law to deter folk from committing crimes, but in practice folk (a) don't expect to get caught which means there aint no deterrent, or (b) the folk don't consider the crime to be serious, eg. smoking pot. Mutant Rob wrote: > Bill Stewart wrote: > [..] > > And the guys who just got busted for having fertilizer, diesel oil, > > and drugs on their farm had a whole three ounces of marijuana and > > personal-use quantities of crank. Maybe they were planning to blow up > > buildings rather than stumps; but the Feds are trying to paint them > > as max evil just to build up their case. > > Perhaps they were going to use the fertilizer for the grass and the > heating oil to keep warm (or to keep the plants warm). It's possible... Yeah, but it don't go off by itself, it needs a big kick. Did they find any dynamite or other real explosives? I doubt it. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMUGAOSoZzwIn1bdtAQH73gGAhV1UF2rU4lYz2Dc1jEi+GnYIds6aDOsX ymKYkdjoDo6+z4ypYbLJsOq9eM6es/AS =TvUJ -----END PGP SIGNATURE----- From nobody at REPLAY.COM Sat Mar 9 06:02:26 1996 From: nobody at REPLAY.COM (Anonymous) Date: Sat, 9 Mar 1996 22:02:26 +0800 Subject: Boycott TCSM Message-ID: <199603091330.OAA27374@utopia.hacktic.nl> Posted to alt.security: Crypto relevance - TSCM are a counter-intelligence site with an attitude. I need some advise of Latent prints. Just got a assignment from a client concerning a large qty of empty "Ziploc" and Glazine packets found around the plant. Most of the packets test positive (Nik-Kit) for Meth (Biker Crank), the problem is that I am having a tough time pulling decent prints off the little envelopes. Any suggestions?? I am going to try Nile Red (530nm) in ethanol instead of Rhodamine 6G, any thoughts or experiences?? And yes the plant has a full ten finger set on all employees, all we have to do is provide photos of any (9 point) prints -jma =============================================================== James M. Atkinson "...Shaken, not Stirred..." TSCM.COM 127 Eastern Avenue #291 Gloucester, MA 01931-8008 URL: http://www.tscm.com/ E-Mail: jmatk at tscm.com =============================================================== The First, The Largest, The Most Popular, and the Most Complete TSCM Counterintelligence Site on the Internet =============================================================== From tcmay at got.net Sat Mar 9 07:00:26 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 9 Mar 1996 23:00:26 +0800 Subject: SurfWatch Message-ID: At 5:53 PM 3/8/96, Henry Huang wrote: >Thanks for the clarification. However, this line of argument applies >only to "third-party" ratings systems. Right now, Microsoft/RSAC/SurfWatch >and SafeSurf/Cybersitter/etc. are setting up competing standards which would >essentially force people to "self-rate" their own sites, or else be blocked ^^^^^ >out by browsers configured to reject unrated sites (a feature Microsoft plans >to add to its Internet Explorer). "Force"? Are Cypherpunks now using the language of those who talk about how Safeway's or KMart's choice of products to carry "forces" customers to buy certain products? What sort of "force" is being used? Mere handguns, or is heavy artillery also being used? Are the police called out to raid the houses of those who refuse to "self-rate"? Ah, then it really isn't force, is it? The proper solution is for people unhappy with SurfWatch, ChristianGuardian, JewScape, and AllahAllowed services is to boycott places that insist on ratings, create multiple ratings, etc. (Frankly, with several ratings schemes, and with more coming every day, just how is Microsoft supposed to "demand" that all posts be rated or they won't carry them? Or that all sites be labelled as Allah-friendly, Homo-hostile, whatever? The Usenet is the Usenet, for example, and if Microsoft cuts its customers off from entire threads, or gaps in threads interfere with the ability to follow discussions, then they'll clamor for Microsoft to get the fuck out of interfering. >The question I have is if these systems were widely implemented, could >an Web page author or provider of content be sued for "mislabeling" >their page? If so, under what circumstances? Could the RSAC attach Again, I ask about what sort of _contract_ is involved? (In my case, none. So, suppose I decide that my post, explaining the fraud that is Islam, should be read by all Muslims. AllahAllowed, an Islamic rating service, is upset. Just what is their recourse? I have no contract with them and have not arranged to label my posts. So, who can sue? The government? Try the First Amendment. (By the way, adult magazines voluntary label themselves as "adult": my understanding from several comments by lawyers and adult industry spokesmen, is that they are under no obligation to "voluntarily label" their stuff. And some libraries have an _explicit_ policy that says any card-holder, of any age, may check out or look at _any_ item the library carries.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From vznuri at netcom.com Sat Mar 9 07:00:28 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sat, 9 Mar 1996 23:00:28 +0800 Subject: rhetorical trickery Message-ID: <199603082153.NAA28521@netcom4.netcom.com> I noticed a rhetorical trick/trap that I've seen a lot lately, in the recent article posted about Phil Zimmermann. there is an infamous case of a child pornographer or pedophile in California that is sometimes cited by law enforcement representatives as a good example of the evils of encryption: supposedly he encrypted his diary and it couldn't be unlocked by them. this was mentioned in the article. but I have a question: how did they know it was his diary? I've noticed that people tend to often make conceptual leaps like this that are wholly unjustified. it is easy to get their opposition to bite down on the trap, when they start arguing about things like "well, everyone should be free to encrypt whatever they like". the next time you run into someone using arguments with words like "criminals" in it, ask them, "how do you know they are criminals"? when you use their terminology, and argue in terms of it, you have almost already lost the argument. there is a big mindset in law enforcement to see "suspects" as "criminals". but that is mistaking means and ends. the process identifies criminals in the end, after a trial, but at no prior date. here's another example: I was watching a talk show in which the recent Israeli bombing was discussed by a bunch of very obviously frenzied commentators who were calling for Arafat's head on a stick. one of them insisted that our government had given the names of the involved terrorists to Arafat some time ago and that he did nothing. well, the question is: how do we know those names on the list are the actual terrorists? how do we know Arafat did nothing? but the other commentators were totally lost this basic rhetorical trap. they said, "well, assuming what you say is true, then... blah blah". but the obvious question is, "how do we know these names mean anything"? there is an amazing tendency in our culture in elsewhere not to question authority. when we see some law enforcement agent at a press conference, and they talk about "criminals", the press immediately latches onto the terminology and asks things like "when will they be caught"? etc. instead of, "how do you know they are culpable?" in crypto arguments as well where there is a lot of emotional rhetoric, I have noticed people have a tendency to try to debunk things that require no debunking, such as the FUD that has been sown over that infamous CA pedophile. the test is avoiding tricky rhetorical traps. there are some battles that don't need to be fought. just remember that calm, deadly retort whenever you hear someone getting excited, and ask them, "how do you know they are his diaries?" From EALLENSMITH at ocelot.Rutgers.EDU Sat Mar 9 07:00:43 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 9 Mar 1996 23:00:43 +0800 Subject: V-chips, CC, and Motorcycle Helmets Message-ID: <01I23QL2OC22AKTTTI@mbcl.rutgers.edu> From: IN%"jimbell at pacifier.com" "jim bell" 14-FEB-1996 05:12:52.66 >At 07:36 PM 2/13/96 -0800, Bill Frantz wrote: >>At 8:15 PM 2/13/96 -0500, Declan B. McCullagh wrote: >Actually, I think the primary targets will be either the middle level >manager types, or the ones who have attracted a substantial amount of bad >publicity by "following orders." Lon Horiuchi (the sniper who shot Vicki >Weaver) for example, would be a excellent example of a person who'd try to >claim, "I was just following orders." Okay, maybe he was, but so was Adolph >Eichmann. >Once the tax collectors/enforcers were targeted, the rest of the government >wouldn't be able to operate, and would collapse. One difficulty in this is that the middle managers - the most vital ones in the long run - are also the ones that can best protect themselves using the net and various cypherpunks techniques - partial (not to their superiors) anonymnity with persistent, verifiable pseudonyms. If they don't directly deal with the public, they're kind of hard to target. >>If, after a couple of the Waco people had been hit, I was given the >>responsibility to protect them I would proceed as follews: >> >>(1) Gather them and their families onto some Army base and step up the >>patrols. Now I have them safe. >And, of course, you've just ruined their lives. Think about it. By doing >this, it is made absolutely, completely, and abundantly clear to them that >THEY are considered "the enemy" and that their lives are forever put at >risk. Previously, government employees could hold their heads up high and >be proud of their "public service." Now, if they're discovered, they have >to disappear. Does this treatment sound familiar? Their job description >and circumstances will more closely resemble that of a Mafia enforcer than a >proud public servant. They'll have to teach their children to lie about >what their parent does, rather than risk getting exposed. You have an interesting point about motivations and the likely psychological effects. Given the headaches that counterintelligence goes through in wars - nobody wants to shut up - such secrecy would be difficult. >Who, exactly, would want to work for the government under such >circumstances? Remember, we're not just talking about a tiny fraction of >their number; if the most egregious ones were hidden the ones that were less >secure would be killed in their place. Would they? You appear to be assuming that with less targets available, people will start being less selective. You may be correct. >>(3) Make sure that the names/faces of the cannon fodder in future actions >>are not available to make it harder to target the guilty. >Then they'll target the "names," the ones who show their faces. See how this >works? If the only way you can maintain the government is to keep them all >absolutely anonymous, then that government has FAILED. Has it? Currently, we've got the guys who deal with the public (the politicians and the low-level bureaucrats) and the faceless drones (the rest of the bureaucrats). The politicians can be protected, and already are to some degree. The low-level bureaucrats aren't _that_ likely to be targeted by enough people to make a difference, and the ones who go bad enough to do so can be protected (or sacrificed, if that seems to be the way to keep the public happy). The faceless drones can be even more faceless, and so very hard to target. >Furthermore, this system's anonymity allows disgruntled public employees the >chance to collect money by "turning in" their bosses to the public's ire; if >the personnel list for the government is nominally a secret, it will "leak" >eventually and those on the list will be followed, confirmed, and targeted. That's an interesting point. I can see some sort of Blacknet-variety system developing to distribute information and get paid for it, even if the employee in question doesn't want to do the hit themselves, although the payment part could be a problem. Even with the partial anonymnity protections I mention above, _somebody_ will know who the person who ordered another Ruby Ridge is - I doubt a government could operate with full internal anonymnity. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Sat Mar 9 07:00:57 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 9 Mar 1996 23:00:57 +0800 Subject: Assasination Politics Message-ID: <01I23PYHZPC4AKTTTI@mbcl.rutgers.edu> From: IN%"jimbell at pacifier.com" "jim bell" 13-FEB-1996 14:53:40.39 >From: Me >> A. My previously mentioned problem with a limited but non-libertarian >>organization. >I don't deny that such an organization might spring up. (Anti-abortion >activists are the group which come most immediately to my mind, BTW. I'm >not in sympathy with them; quite the opposite.) I've never claimed that >this system is totally immune to such abuse, in the same way that the seller >of a gun can certify that it will never be used to commit a crime. I understand and agree with the gun argument. However, it's still a matter of whether Assasination Politics will overall be better or worse than the current system. If better, then I'll support it if it becomes necessary (I still hope for peaceful (or at least relatively peaceful) change - hopefully, it has not become necessary for the Declaration of Independence's justification of revolution to be reused). If worse, I won't. I won't try to stop you from doing so, however (currently, there's no way that I could, for instance). Incidentally, by "support" I am meaning making suggestions for technical improvements. Admittedly, the degree to which I can do so is limited by my lack of technical knowledge, but I believe I have thought of some workable refinements. As well as the obvious problem of unethical assasinations, there is also that of a negative reputation being given to various cypherpunk-liked ideas (anonymous remailers, fully anonymous digital cash, etcetera) if someone notices this. >> B. I don't trust the average person to look ahead enough to make this >>(or other Anarcho-Capitalist) schemes work. >Fortunately, "Assassination Politics" will achieve this "crypto anarchy" >even if only a tiny fraction of the population participate and use it. The >reason is that the number of decision-maker government employees is >comparatively small and most will resign before being "terminated." (with >extreme prejudice.) The total cost to bring down the US government will >probably be substantially less than $100 million. >> In other words, the average person >>has to be able to see that a non-limited organization is a danger to them, >>etcetera. >I realize that this takes a bit of thinking to recognize. I've thought >about this whole thing for nearly a year, now, and it is still a fascinating >and yet a bit terrifying subject. >> Moreover, Jim Bell is ignoring the other sources of propaganda than >>government in convincing the average person that someone is doing something >>wrong (when, by my ethics at least, they aren't) - such as religion and >>various organizations like the PFDA. >Again, only a tiny fraction of the population needs to participate... However, if more of the population participates, they may do stupid things like using an organization that might strike at them - just as they currently support a government that can crack down on them. The minority of intelligent people - the tiny fraction needed for this to potentially work - isn't a factor for this part. In other words, I'm more worried about too _many_ people - the wrong people - participating rather than too few. >> Admittedly, as I've stated before, the >>requirement for some money would help, at least to the degree that our >>economy is meritocratic. (A growing tendency, fortunately.) If most people >>are on a subsistence wage (the result of free trade & automation with >>varying human abilities), they can't afford enough money for Assasination >>Politics. (Yes, I'm an intellectual Elitist. Deal with it.) >Since "Assassination Politics" is based on a combined-donation system, even >people on a subsistence wage could contribute; a quarter here, a dollar >there, pretty soon it turns into real money. That is an argument against it. Do you want the people who give to televangelists being able to more directly have people killed than in the current system (when at least you've got votes by others to take care of the problem)? Unfortunately, the same system of ethics that would make one's targets the right ones also excludes the targets (non-governmental figures) that can create the problems under this system - like the PFDA leaders. >I understand your concern. I wish there was some simple argument I could >give which would assuage your fears. However, I look at it this way: The >Federal government (and all other governments, around the world) are >curently parasites on the rest of the population. Now "parasite theory" is >that the parasite has some sort of optimum "parasite level" above which he >cannot go. Once the cost for such parasitism is removed, there will be an >economic boom for those "hosts" of the parasite. Naturally, the parasite >will be in trouble, but that's only justice. Yes, there would be an economic boom under Anarcho-Capitalism - but for whom? All the population, or just the intellectual Elite? Now, so long as the masses (the non-Elite) have at least enough to survive - a subsistence wage - I wouldn't call this a problem. (Liberals should see Mickey Kaus' _The End of Equality_ for some liberal arguments to this effect). It's when you go below that that it's an ethical problem, at least under my ethical system. (Incidentally, a similar argument can be made about some other issues, such as campaign finance reform. Equality before the law means equality before the judiciary, not equality before the legislature or the executive. Otherwise, how could one have media that weren't government-controlled?) -Allen From lull at acm.org Sat Mar 9 07:27:36 1996 From: lull at acm.org (John Lull) Date: Sat, 9 Mar 1996 23:27:36 +0800 Subject: SEAL cipher info requested (something actually list related!) In-Reply-To: Message-ID: <313dc864.7818147@smtp.ix.netcom.com> On Tue, 05 Mar 1996 01:27:24 -0800 (PST), Wei Dai wrote: > On Mon, 4 Mar 1996, Christopher Allen wrote: > > > At 4:27 PM 1/27/96, Anonymous wrote: > > >Anybody have info on the SEAL cipher? I can't find any > > >descriptions or analysis of it. Refs, proceedings or URLS > > >would be a good thing. > > > > I also am interested in references to it. > > I believe it was presented at the first Cambridge security workshop on > fast software encryption. Correct. The paper is "A Software Optimized Encryption Algorithm", by Phillip Rogaway and Don Coppersmith, pp 56-63 of the proceedings. It is a fast stream cipher. The paper reports encryption rates of 7.2 MBytes/Second on a 486-50. From rich at c2.org Sat Mar 9 07:34:32 1996 From: rich at c2.org (Rich Graves) Date: Sat, 9 Mar 1996 23:34:32 +0800 Subject: Switchboard Message-ID: <199603072343.PAA18580@Networking.Stanford.EDU> At 10:05 PM 3/6/96 -0800, Steven Weller wrote: >Check out www.switchboard.com. From the blurb: > >find people [...] > find > businesses [..] They forgot "Change the entry for any person or business in the US from a throwaway AOL trial account, or using an anonymous web proxy and pseudonymous remailer." Hope this helps. >Is this the same data that was supposed to go on that Lotus CD-ROM? Is this >publicly available info? It's from the Database America CD-ROM, which is one of the cheaper and less complete ones. It's all publicly available information, or was. There are probably tens of thousands of numbers that have been changed or unlisted recently. Unlike the original CD-ROM, Switchboard does not provide a (easy) way to build large mailing lists or do reverse address lookups (like "who lives at this address on Pennsylvannia Avenue" or "who might be on vacation in a building with line of sight to this place"). -rich From EALLENSMITH at ocelot.Rutgers.EDU Sat Mar 9 07:36:51 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 9 Mar 1996 23:36:51 +0800 Subject: Paint Your Own Scarlet Letter (Was: Edited Edupage, 29 Feb 1996) Message-ID: <01I23V0GL0YMAKTTTI@mbcl.rutgers.edu> From: IN%"frantz at netcom.com" 1-MAR-1996 21:54:54.53 >From SafeSurf Rating Page via lmccarth at cs.umass.edu wrote: >>Thank you for making the Internet a safer place without censorship. >>Until later, SafeSurfing to you! Incidentally, the strategy of simply rating one's page all 9's, if one is required through some means of rating it at all, has the distinct advantage of making any system using such filters more annoying to use. (One would, of course, except any page making a political statement or other material that one wanted to get out to as wide a number of people as possible). >(I think I want to start a web search engine looking for pages rated >SS~~002 9, SS~~004 9, SS~~005 <5, and all the others don't care.) A configurable search engine on this basis could be very nice. -Allen From declan+ at CMU.EDU Sat Mar 9 07:37:01 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sat, 9 Mar 1996 23:37:01 +0800 Subject: hammers, crowbars and remailers & Leahy In-Reply-To: <9603082223.AA05907@cti02.citenet.net> Message-ID: Excerpts from internet.cypherpunks: 8-Mar-96 hammers, crowbars and remai.. by JFA T. QC, Canada at citene > Would an anonymous phone call notifying the hardware store owner that > somebody will buy tools that will be used to commit a crime > be significant? I don't think so, or at least I'd argue that it's not sufficient. I think the legal concept is _scienter_, or "guilty knowledge." Is an anonymous phone call sufficient to establish that? -Declan From EALLENSMITH at ocelot.Rutgers.EDU Sat Mar 9 07:37:14 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 9 Mar 1996 23:37:14 +0800 Subject: Remailers not heard from; info? Message-ID: <01I23RKTOST2AKTTTI@mbcl.rutgers.edu> From: IN%"tcmay at got.net" 20-FEB-1996 09:24:11.00 >(There are wrinkles that work, such as adding a subject line based on stuff >stored inside the encrypted block a remailer opens for furhter processing. >The nth remailer can add a suject line that may be different for every hop, >or only added near or at the end of the remailings...) Adding a new subject line for each hop has the advantage that one can't pick out messages to examine (for use in traffic analysis) simply because they don't have subject lines. (I realize that lots of messages go through without subject lines; one could, however, use such a filter as the initial thing to look at before one checks whether a message appears to be something encrypted. Steaography won't work to conceal such because of the multiple encryption, unless the remailer combined decryption with steaography extraction and later "packing". One problem with the latter solution, which does have its points, would be the need for lots of different things with which to use steaography. Otherwise, you could track remailers by that they kept sending out almost exactly the same file over and over again; using the same one as was sent in would be a variety of "barium-tagging". Hmm... you could have a setup that added the message's steaographic concealment to the end of a "stack", and picked up the new image/sound/whatever off of the start of the "stack." Could be a bit expensive in disk space, though. -Allen From hwh6k at fulton.seas.virginia.edu Sat Mar 9 07:37:28 1996 From: hwh6k at fulton.seas.virginia.edu (Henry Huang) Date: Sat, 9 Mar 1996 23:37:28 +0800 Subject: FCC Sets Comment Date for Internet Phone Call Rulemaking (fwd) Message-ID: <199603082153.QAA36908@fulton.seas.Virginia.EDU> ------- Start of forwarded message ------- Date: Fri, 8 Mar 1996 15:33:21 -0600 Errors-To: borton at macc.wisc.edu Reply-To: telecomreg at relay.doit.wisc.edu Originator: telecomreg at relay.doit.wisc.edu Sender: telecomreg at relay.doit.wisc.edu Precedence: bulk From: "Neal J. Friedman" To: Multiple recipients of list Subject: FCC Sets Comment Date for Internet Phone Call Rulemaking X-Listprocessor-Version: 6.0b -- ListProcessor by Anastasios Kotsikonas X-Comment: Requests (UNSUBSCRIBE/HELP) to: listserver at relay.doit.wisc.edu X-Mailer: Windows Eudora Light Version 1.5.4b11 (32) The FCC has acted with astonishing speed in setting a date for comments on the ACTA petition to regulate telephone calls via the Internet. It is not uncommon for rule making petitions to sit for weeks, months, even years without action. ACTA filed its petition on March 6th and two days later the FCC issued a Public Notice seeking comment. The deadline for comments is April 8, 1996 with reply comments due 15 days later. After reviewing the comments, the FCC will either terminate the proceeding without further action or issue a Notice of Proposed Rule Making seeking further comments on a proposed rule. Time is of the essence for those who may be interested in opposing the Notice. Our law firm would be available to represent parties who may wish to file joint comments in opposition. Please contact me privately if you have any interest. _____________________________________________________________ |Neal J. Friedman | Pepper & Corazzini, LLP |Voice: | | njf at commlaw.com | 1776 K Street, N.W. | 202-296-0600| |Telecommunications| Suite 200 |Fax: | |& Information Law | Washington, D.C. 20006 | 202-296-5572| | | | Web Server: http://www.commlaw.com/ | |____________________________________________________________| ------- End of forwarded message ------- From janzen at idacom.hp.com Sat Mar 9 07:37:30 1996 From: janzen at idacom.hp.com (Martin Janzen) Date: Sat, 9 Mar 1996 23:37:30 +0800 Subject: Vexatious Litigants (was: SurfWatch) Message-ID: <9603090028.AA10079@sabel.idacom.hp.com> "Martin Diehl" wrote: >Henry Huang at INTERNET-USA wrote: >> The question I have is if these systems were widely implemented, could >> an Web page author or provider of content be sued for "mislabeling" >> their page? If so, under what circumstances? Could the RSAC attach >> legal requirements to the use of their system, and open up such a >> loophole (similar to how Sun attaches conditions to the use of its >> "Java" logo)? > > Seems to me that if the Web page author labels his page > conservatively, i. e. "materials may be unsuitable for non-adults; may > contain controversial material, may contain views different from your > own, etc.". How can the author be liable for mislabeling? I read Henry's question to refer to the case in which the Web page author rates a page "too low"; that is, in such a way that despite the use of RSAC/SurfWatch/etc. software, "undesirable" material gets through the filter. Suppose that an author provides a page which lists, say, clothing- optional beaches, complete with pictures. The author rates it as "suitable for family viewing" -- either naively, believing that no one will be offended; or deliberately, to make the point that the content is harmless and _should_ be considered suitable for family viewing; or simply in order to widen the potential audience. Henry's question (as I interpret it) is this: If prudish parents now catch their kid looking at a page with pictures of barenaked people, figure out why the page wasn't filtered out, and file suit against the author, what is likely to happen? ObCrypto, sort of: What if the page were retrieved through an HTTP proxy which, unbeknownst to the author (and the filtering service/SW), deliberately removes or alters the PICS-Label or other rating information? The author did, after all, _provide_ the "undesirable" material.... To what extent does the author's intent matter? Must Web authors now add a digital signature to each page (including its rating info), to prevent tampering? -- Martin Janzen janzen at idacom.hp.com ObRant: Or, before it comes to that, will people learn to take just the tiniest shred of [Exon]ing responsibility for themselves and their [Exon]ing kids? From declan+ at CMU.EDU Sat Mar 9 08:29:07 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sun, 10 Mar 1996 00:29:07 +0800 Subject: Artist self censorship (Was Chinese net-censorship) Noise In-Reply-To: <199603091145.MAA24434@utopia.hacktic.nl> Message-ID: <0lEO9C600YUu43T39v@andrew.cmu.edu> Excerpts from internet.cypherpunks: 9-Mar-96 Artist self censorship (Was.. by Anonymous at REPLAY.COM > Mr. Avon should think twice before commenting on self censorship does not > exist, for that could be the difference from having the door kicked in by the > black ninja turtles with the FBI or toning down your work. Here's some info from http://world.std.com/~kip/ on the Angeli "child porn" case that's going on now in Cambridge, MA. I was visiting Harvey Silverglate's law offices last week and saw the photographs, and they're anything but pornographic. They're essentially the same as the photos my grandparents have of me and my cousins naked in the tub. But that's cold comfort when you're locked up and doing time. -Declan Toni Marie Angeli, for a Harvard photography course, decided to make her four-year-old son Nico the subject of her final class project, The Innocence of a Child's Nudity. After discussing the project with her professor, Angeli began her project with a few shots of Nico and made the fatal mistake of taking her roll of film to Zona Photographic Labs on Rogers Street in Cambridge, Massachusetts. The Zona owners were "alarmed" and called the Cambridge police, who went to Zona, looked at contact sheets prepared by Zona without Angeli's authorization, and decided that the pictures were "gross." Zona and the Cambridge police set up a sting operation, requiring Zona employees to lie, so that the police could come to Zona and confront her about her "pornography" when she came to pick up her negatives. On November 2, Angeli went to Zona, accompanied by Nico and by her husband, Luke D'Ancona. An altercation ensued when Angeli realized why the police were there. Angeli was handcuffed, manhandled into a back room, beaten and choked. During the scuffle a lamp was knocked over, and a picture fell off the wall. A hollow core door was also damaged when Angeli kicked out as she was being escorted to the police van. Angeli was never charged with child pornography, but she was charged with disorderly conduct, malicious destruction of property under $250, and assault and battery with a dangerous weapon. (The police claimed that Angeli threw the lamp.). Angeli's trial began on January 24, 1996, and a verdict was brought in on January 30. She was acquitted of the assault-and-battery charges, but convicted on the two other counts. The judge sentenced her to pay damages, to 50 hours community service, and to 18 months of probation. Angeli refused to sign the probation contract, stating that she wished to make no admission of guilt. The judge then sentenced her to 30 days at MCI Framingham. We are currently trying to raise money to pay for her appeal. It now appears that Angeli's conviction was based on perjured testimony from Detective William Phillips. From declan+ at CMU.EDU Sat Mar 9 08:44:12 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sun, 10 Mar 1996 00:44:12 +0800 Subject: Petty Civil Disobedience In-Reply-To: <199603091317.IAA12223@yakko.cs.wmich.edu> Message-ID: Excerpts from internet.cypherpunks: 9-Mar-96 Petty Civil Disobedience by Damaged Justice at yakko.cs > Not much crypto relevance, but the CDA has had much more effect than we may > realize at first. I regularly read about 25 newsgroups with an extremely wide > range of subject matter, and over the last few weeks I have seen literally > hundreds of people with things in their .sigs like, "Please excuse this CDA- > required obscenity: FUCK." [...] > Obviously, very few people feel truly threatened by CDA penalties. That's because of a few possible reasons: a) Portions of the CDA are enjoined from being enforced and we have a legally-binding agreement with the DoJ covering the rest. So the fear of prosecution is not great. b) We expect to win court challenge, so fear of prosecution is not great. c) Nobody seriously believes the government will prosecute people using word "FUCK," so fear of prosecution is not great. The CDA is overbroad, and must be struck down. But at the same time, the DoJ initially would use it to go after those who have otherwise Constitutionally-protected porn publicly-available online. (Obscenity is already illegal.) I'd be more interested in tracking the actions of owners of adult web sites and those with explicit sexual images... Perhaps we should put up our own protest web sites with one or two explicit sexual images as real civil disobedience? -Declan From roger at coelacanth.com Sat Mar 9 09:34:46 1996 From: roger at coelacanth.com (Roger Williams) Date: Sun, 10 Mar 1996 01:34:46 +0800 Subject: Net Day 96 and AOL In-Reply-To: <199603090613.WAA04960@ix13.ix.netcom.com> Message-ID: <9603091634.AA0549@sturgeon.coelacanth.com> >>>>> Bill Stewart writes: > Does anybody know if there's an AOL-friendly version of PGP that > we can donate to the schools... Private Idaho is probably the best bet for AOL email. So far as I know, only cut-n-paste shells work with the wacky AOL mail editor. -- Roger Williams PGP key available from PGP public keyservers Coelacanth Engineering consulting & turnkey product development Middleborough, MA wireless * DSP-based instrumentation * ATE tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/ From pclow at pc.jaring.my Sat Mar 9 09:36:22 1996 From: pclow at pc.jaring.my (Peng-chiew Low) Date: Sun, 10 Mar 1996 01:36:22 +0800 Subject: S/MIME outside the US? In-Reply-To: <199602290845.AAA03948@ix4.ix.netcom.com> Message-ID: <2F550373.CEA@pc.jaring.my> Bill Stewart wrote: > > At 10:49 PM 2/24/96 -0500, Lewis wrote: > I'm assuming from volley's address that he or she is in Sweden, > and thus not directly limited by US export laws. Write what you want, > and post it somewhere outside the US; we can import it legally. > As a non-American, you probably couldn't get US export permission for > even 40-bit RC4, and maybe not even for rot13. Lurk Mode Off....... I don't suppose there's anyone out there who may be interested in working with an non-american InfoSec integrator in integrating encryption with email /messaging and other applications? I assume that there is a legal difference between "working with" and "developing for" AFA ITAR is concerned. Thanks........Lurk Mode On....... From ylo at cs.hut.fi Sat Mar 9 09:37:06 1996 From: ylo at cs.hut.fi (Tatu Ylonen) Date: Sun, 10 Mar 1996 01:37:06 +0800 Subject: A brief comparison of email encryption protocols In-Reply-To: <199602292139.QAA18366@toxicwaste.media.mit.edu> Message-ID: <199603012035.WAA12723@trance.olari.clinet.fi> > > Now, consider adding a URL to every signature. Lets even use your > > URL, which is 35 characters long (and lets not even count the NULL or > > length byte). Adding this URL to 30000 signatures would add 1050000 > > bytes, or just over 1MB. This is an increase in 12% of the keyrings! > > Yes, but we have to assume that the need for central key servers would > go away if we had a way of distributing the data around, which would > reduce the problem substantially... > > > On the other hand, using my method and your "URL" (clark.net) would > > add only 10 bytes per sig, or 300k. This is only a 4% increase. The current PGP keyring model does not scale anyway. Suppose one day every user on the Internet will have a key... It is not relevant whether the space per key is 100 bytes, 1000 bytes, or 10000 bytes. All of these sizes are small enough for it to be quick to transfer a single key. There will soon be no way to transfer and store the entire key ring. In the long run, the problem must be solved using an entirely different, distributed architecture. Tatu From housley at spyrus.com Sat Mar 9 09:38:06 1996 From: housley at spyrus.com (Housley, Russ) Date: Sun, 10 Mar 1996 01:38:06 +0800 Subject: [ Death of MOSS? ] Message-ID: <9601298256.AA825628673@spysouth.spyrus.com> Jim: >> And if you look at what I've said previously, it is my firm belief >>that if we are to succeed in giving users a truly interoperable secure >>email standard, then said standard must be fully and completely >>integrated into MIME and do everything it does in the proper MIME way, >>as opposed to just being security grafted on. > >Allow me to make a contentious statement: > > MOSS is the only secure email protocol integrated with MIME. > >You see, integrated to me means that the base is security aware. MIME is >only security aware when the security multiparts are used. In all other >cases, MIME is not security aware. > >The use of the application content-type with experimentally defined >subtypes gives the appearance of MIME being security aware, but it >provides nothing more than a mechanism for carrying a protected object. >In addition, the fact that the security service itself must do a callback >in order to support recursive services, unlike MOSS which uses the >security multiparts framework and thus lets MIME do all the work it was >designed to do, further supports my position. Jim, in what way does the end user distinguish between the MOSS-like integration and the S/MIME-and-MSP-like integration? It seems to me that a good user agent implementation provides the same services to the user. Russ From lmccarth at cs.umass.edu Sat Mar 9 09:38:28 1996 From: lmccarth at cs.umass.edu (lmccarth at cs.umass.edu) Date: Sun, 10 Mar 1996 01:38:28 +0800 Subject: key cert. distrib. and management (Was: A brief comparison of email encryption protocols) In-Reply-To: <199603011603.IAA16596@slack.lne.com> Message-ID: <199603012228.RAA21541@thor.cs.umass.edu> [I've changed the Subject: because this now has very little to do with email encryption protocols] Eric Murray writes: > Finally, a question: should the keyserver be able to serve > keys in a way that is secure from a MITM attack, or can it depend > on the certificate chain in the key certificate itself to > validate the key certificate? I think it can, but I am not > sure, The certificate should be able to stand on its own. Anyone can already feed arbitrary certificate data to you via the keyserver, just by submitting it to the keyserver in the usual way. However, a MITM can mount some denial-of-service attacks by removing sigs. from a cert., or substituting some certs. for others, or stopping the delivery of some certs. If the keyserver signs responses by default, then an ordinary active attacker (non-MITM) couldn't do DoS at finer granularity than the scope of each signed piece. > so perhaps someone smarter than I can explain why, or why not. Disclaimer: My decision to reply to your message should in no way be construed as implying a judgment on my part about our relative intelligence :) -Lewis "You're always disappointed, nothing seems to keep you high -- drive your bargains, push your papers, win your medals, fuck your strangers; don't it leave you on the empty side ?" (Joni Mitchell, 1972) From rah at shipwright.com Sat Mar 9 09:55:33 1996 From: rah at shipwright.com (Robert Hettinga) Date: Sun, 10 Mar 1996 01:55:33 +0800 Subject: Switchboard Message-ID: At 2:27 AM 3/7/96, Bill Frantz wrote: > I checked them out and the couldn't find my record. Since I have a listed > telephone number, I can only assume that their records do not include GTE > local service records or some other equally huge gap. I was messing around with this a year and a half ago (woulda shoulda coulda), and my guess is they're using Reuben Donnelly's database. They're the largest phonebook printer, and they even go so far as to OCR a lot, but apparently not all, of their competition. They say 90 million names, and that seems to be the number I was quoted... Cheers, Bob ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From PADGETT at hobbes.orl.mmc.com Sat Mar 9 10:24:22 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Sun, 10 Mar 1996 02:24:22 +0800 Subject: FCC & Internet phones Message-ID: <960309121242.2020bb3e@hobbes.orl.mmc.com> >"Long-Distance Dueling. Free Dialing Via Internet Faces a Challenge From >Small Phone Firms." You seem to forget that the Internet is just about the *only* electronic communications media not controlled/licensed by the FCC in the US. The FCC also prohibits use of cryptography by those with amateur licenses. Warmly, Padgett From jimbell at pacifier.com Sat Mar 9 10:37:53 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 10 Mar 1996 02:37:53 +0800 Subject: Assassination Politics(tm) was V-chips, CC, and Motorcycle Helmets Message-ID: At 10:42 PM 3/8/96 -0800, Bill Frantz wrote: >Since my name keeps getting dragged into this discussion, I will share with >youall the conclusions I reached after my last set of exchanges with Jim >Bell. > >(1) Assassination Politics (AP) will be most useful to a fired-up group of >people who want to silence a single person. Madeline Murray O'Hare comes >to mind. (She was a Texas atheist who challenged school prayer and won.) I think that's a misleading conclusion. While it may, arguably, be "most useful" useful to one kind of person or another, that doesn't mean that it won't be, cumulatively, vastly more useful to the rest of the population. To carry the gun analogy a bit further, somebody might argue that "a handfun will be most useful to a criminal in the commission of a robbery." Aside from gloriously ignoring the self-defense issue, this interpretation falsely implies that the fact that SOME bad person might benefit from it justifies banning them. >(2) Jim Bell and I disagree strongly on the market price for assassinations. Is this relevant? And I don't recall where the "disagreement" you describe exists: I think there will be some people killed for $1000, some won't be killed for less than $100,000. >(3) Jim Bell and I disagree on the number of deaths needed to deter someone >who believes in what they do. In our discussion, this question comes down >to: are IRS employees more like corporate consultants or like soldiers. It's far easier to "believe in what they do" when nobody is out there planning to kill them for doing it. >(4) I think that if someone can be traced as profiting from a AP death, >e.g. through winning a gamble on the date/time of death, that person's >whereabouts at the time of death will be carefully investigated. By whom will it be investigated? And it's merely a matter of ensuring that the payments can be made anonymously; I would consider anyone who tried to do such traces to be an enemy, and I'm sure anyone who believed in the underlying idea would as well. >(5) While killing someone whose name and residence are known is easy, and >the killer is likely to get away with it, does that mean that killing >someone who has been marked as having a price on her head is as easy? I >assume her friends and neighbors will protect her. Question: Let's suppose your neighbor had a $20,000 price on his head. Even if, arguably, you didn't want to see him die, you also wouldn't want somebody to drive a car through his front wall, filled with 1000 pounds of ANFO, and blow his house up, along with doing tens of thousands of dollars of damage to your house as well. I would say you would have somewhat of a motivation to ensure that when the killing eventually occurred, it occurred in a way that wouldn't negatively affect you. > The TV cameras will be >running 24 hours a day. This will, at a minimum raise the price of >assassinations. That won't mean much if the "minimum price" went to $20,000. This could easily be raised for many government employees. Jim Bell jimbell at pacifier.com From tcmay at got.net Sat Mar 9 10:44:41 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 10 Mar 1996 02:44:41 +0800 Subject: Artist self censorship (Was Chinese net-censorship) Noise Message-ID: At 3:22 PM 3/9/96, Declan B. McCullagh wrote: > guilt. The judge then sentenced her to 30 days at MCI Framingham. We ^^^^^^^^^^^^^^ > are currently trying to raise money to pay for her appeal. Man, making someone work for one of the Phone Companies...that's a pretty harsh sentence! Maybe that's how that cute "MCI girl" we see on television got assigned to MCI? (Or is this MCI an example of AOL, Acronym OverLoading?) --Klaus! From tallpaul at pipeline.com Sat Mar 9 11:22:55 1996 From: tallpaul at pipeline.com (tallpaul) Date: Sun, 10 Mar 1996 03:22:55 +0800 Subject: Bootable disks Message-ID: <199603070447.XAA27950@pipe11.nyc.pipeline.com> My understanding was that the parallel-port version of the Syquest drive would also be bootable. That is, you would boot the driver off a floppy and then the rest of the boot sequence would be handled by whatever was on the Syquest drive. THis, I thought, would let you install something like linux and the various other software to give you a very portable anon server, neatly containing a separate OS and all the "incriminating evidence" while the regular hard disk held nothing other than Windows and Doom. Is this not the case? --tallpaul On Mar 06, 1996 14:55:44, 'JonWienke at aol.com' wrote: >I recently installed an IDE version of the Syquest EZ 135 hard drive for a >client. Since it is a fully functional hard drive, it is bootable, unlike >the parallel port model. The biggest advantage to this type of drive is that >the cartridge (and any potentially incriminating data) can be quickly removed >and destroyed (burn it, smash it with a large heavy object, insert it into a >bulk eraser) or taken to a secure location for storage. Also, this type of >drive provides an excellent place to put swap files, which have an annoying >tendency to pick up sensitive data. That is less of a problem if you can >remove the cartridge and store it in a secure location when not processing >sensitive data. > >Jonathan Wienke > From wlkngowl at unix.asb.com Sat Mar 9 11:24:28 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Sun, 10 Mar 1996 03:24:28 +0800 Subject: FCC & Internet phones Message-ID: <199603091747.MAA04258@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- A. Padgett Peterson P.E. Information Security wrote: > You seem to forget that the Internet is just about the *only* electronic > communications media not controlled/licensed by the FCC in the US. The > FCC also prohibits use of cryptography by those with amateur licenses. Yes... but the Internet is not like HAM radio. The FCC has no jurisdiction outside the US, and it would cause various problems for them to try to regulate the use of IPhone or how ISPs operate. On another note, I wonder how the Leahy bill would affect use of crypto by HAMs.... - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMUHENyoZzwIn1bdtAQE1XwF9EP/jLWWk2gd41oNnkNF88lhTpa7PvGEU iEBdP8oalQfanQz/WcBjYQ9ilXEXxOqo =+FDh -----END PGP SIGNATURE----- From maldrich at grctechs.va.grci.com Sat Mar 9 11:25:53 1996 From: maldrich at grctechs.va.grci.com (Mark Aldrich) Date: Sun, 10 Mar 1996 03:25:53 +0800 Subject: http://www.grfn.org/~blacktar/KilltheNewbies.htm In-Reply-To: <313DE81A.6403@grfn.org> Message-ID: On Wed, 6 Mar 1996 warwick.com!uunet!in2.uu.net!newsfeed.internetmci.com!gordius!news.service.uci.edu!usenet at virginia.va.grci.com wrote: > http://www.grfn.org/~blacktar/KilltheNewbies.htm It appears that we're not only the UUCP test bed of choice, but are expected to test mysterious JAVA scripts when grabbing this web page.... ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From jya at pipeline.com Sat Mar 9 11:26:08 1996 From: jya at pipeline.com (John Young) Date: Sun, 10 Mar 1996 03:26:08 +0800 Subject: EXR_ciz Message-ID: <199603070309.WAA18720@pipe1.nyc.pipeline.com> 3-5-96. TWP: "Untangling the Spy Network's Webs." Chairman Combest of the House intelligence committee yesterday proposed making the CIA's DO into a separate service and splitting the NRO into two giant technical agencies to handle satellites. The CIA would control most long-range intelligence work, some of which is now handled by the CIO and some by the NSA. The biggest change in terms of size would put the NSA, which has more than 25,000 analysts, in a new Technical Collection Agency that would also take in the managerial functions of NRO and parts of imagery analysis from CIO. 3-5-96. NYT: "Proposal Would Reorganize U.S. Intelligence Agencies." The intelligence services are held in low regard by the public and some leaders -- State complains about the quality of analytical papers; Defense bad-mouths the quantity of intelligence; and Congress gripes about too many secrets and not enough accountability. Rep. Goss, a former member of the CIA's DO, said the proposal aimed to rebuild the credibility of the agency's spies: "The whole exercise we're going through is meant to restore that." EXR_ciz From jimbell at pacifier.com Sat Mar 9 11:27:15 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 10 Mar 1996 03:27:15 +0800 Subject: (INFO) Leahy/Goodlatte introduce crypto bill Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 12:17 PM 3/5/96 -0500, Voters Telecommunications Watch wrote: Dear Mr. Sadfar, By now I'm sure you've read a few items that I posted not only to you, but also to the cypherpunks mailing list, as well as the NWLIBERTARIANS at teleport.com list. I believe you have made a grievous error in your position apparently supporting the Leahy bill. As you presumably understand by now, based on your description of the bill it contains an extraordinarily serious flaw, in that it makes a new crime concerning the USE of encryption. Ostensibly, this is "reasonable," but I've already presented a scenario on Cypherpunks (also posted to you; as I write this it may not yet have appeared there, but I copied you) in which the government uses this provision maliciously to go after anonymous remailers. While that was merely a specific example, almost any service that protects the identity of its customers and allows them network access is potentially at a serious risk, because the US government has been known to fabricate a crime (for example, the "Amateur Action" BBS case from a few years ago) in order to make criminals out of non-criminals. As you have quoted it, Leahy's bill allows the government to, in effect, "stalk" a service provider (anonymous encrypted remailer, anonymous digital cash bank, Internet access provider, etc) and create a crime that involves the provider well beyond the standards described in this bill. The government can CREATE a crime, "to order" as it were, and snare the service provider in the net, despite the fact he has done nothing wrong. (In fact, he could be "guilty" even if there was no way, short of going out of business, to avoid the "crime.") This, I hope you agree, is totally unacceptable, but despite this, you said: >This provision only applies to you if you are using encryption to >specifically foil a law enforcement investigation AND the communication >relates to a felony AND you are using the communication to commit the >felony. VTW feels this is a fairly narrowly drawn statute that is not >likely to be easily abused. Frankly, you made an error, and "it was a doozy!" But what I fear is that you will "dig your heels in" and hesitate to admit it, and continue on calling this "a good bill." You _would_ be right about that, except for the specific portion that is referred to above. (In addition, as Padgett Petersen noticed on Cypherpunks, that portion of the bill seemingly contains an error of phrasing, although we can't tell and we are depending on your quoting of that bill. Please verify that the quotation you made was accurate, and please carefully read that portion to see if you can identify the problem both Mr. Petersen and I observed. Since it just about reverses the entire meaning of the paragraph, it is vital to know what the actual bill said and meant.) I strongly recommend that you _DRAMATICALLY_ change the tone of your support: Please make it clear that your support for this bill is ENTIRELY conditional on removing the offending section. (I see little or no problem with your description of the rest of the bill, except for a few items I mention below.) I certainly invite any challenge you'd care to make to my reasoning and logic: If you feel I'm wrong in my estimation of what the government could do with that portion of the bill, say so and back up your analysis. If, on the other hand, you recognize that I'm right, or at least on the right track, I think you have a certain moral responsibility to ensure that this "wolf in sheep's clothing" doesn't get by the shepherd. Remember, in your press release you said: >VTW believes this legislation is an excellent initiative. It would be far more accurate to say, "This legislation COULD BE an excellent initiative, if a short section were removed." >We predict that the White House will do everything in their power to >prevent Senator Leahy from liberating PGP. He will need your help to >push forward. If this is REALLY true, then he will have to listen to our suggestions, right? People listen WHEN THEY HAVE TO CONVINCE YOU OF SOMETHING. Failing to make Leahy aware of what we consider terribly wrong with that bill would be irresponsible. If Leahy REALLY wants the bill passed, and "all" the potential supporters insist on the removal of the offending section, he will have no choice but to do so, since it has already been widely predicted that the administration will oppose it. If, indeed, they will oppose it, they will oppose it REGARDLESS of whether it contains that bad spot or not. >Over the next few months, VTW will be coordinating a coalition of >names, many of which are already familiar to you. This coalition will >ask you to call and write to Congress, expressing your opinion, and >threatening to back it up with the ultimate legitimate weapon of >democracy, your vote in this election year. While I do indeed intend to vote in this election year, as you may be aware I believe there are other weapons the public will eventually be able to use against recalcitrant politicians and government employees of all types. The government is presumably well aware of my position, and it would certainly not be unexpected if they were desperately trying to avoid what I consider to be an inevitable conclusion. This particular bad section, in what is probably an otherwise-good bill, seems tailor-made to fight against developments that I think this society and "our" government can't avoid, and shouldn't avoid. I'm not asking you to endorse, or for that matter even acknowledge, my theories. However, you should at least take notice of the fact that Congress' motivations are clearly to maintain its power over the citizenry, and they will presumably act in predictable fashion to achieve this goal. We've already got them on the run; they can't pass Clipper and they knew they couldn't prosecute Zimmermann, and their position on ITAR is resoundingly criticized by individuals and industry alike. Most people agree that these rules have to change; it would be a tragedy if we "gave away the store" just to get a few trinkets. The fact is, this bill didn't have to contain the offending section, and it doesn't have to keep it. If we make our absolute opposition to that portion clear, who will stand up and support it? Only those people within government who secretly want this bill to pass, that's who! ____________________________________________________________ >A FEW QUESTIONS AND ANSWERS > >Q: Wasn't Goodlatte one of the bad guys on the Communications Decency Act? > Why is he sponsoring this bill, and can we trust him? >A: Goodlatte did indeed introduce the fatal amendment that made the House > version of the Telecomm Bill unsupportable. Nevertheless, VTW has found > that a Congressperson's vote on one sort of bill is little indication of > his or her stand on others. VTW wil closely examine any change in the > language of the bill throughout its Congressional life. Well, frankly, it looks like SOMEBODY managed to sneak in a pit into the cherry pie. (or a worm into the apple!) I wonder who could have done this? What do you want to bet that there aren't any fingerprints on it?!? >Q: Does this create a new obligations for key holders to disclose keys that > they wouldn't have to comply with before? >A: No. In fact, this bill makes it harder for a law enforcement official to > retrieve a key from a key holder, by requiring a wiretap request instead > of a simple search warrant. In my opinion, key escrow agents should be required to inform THEIR CLIENT, the actual user of the key, BEFORE giving the key to the cops. They should also be obligated to fight any such request if the key holder requests it. (Remember, if key-escrow is really voluntary, then it is a contract between the encryption-user and the key escrow agent, and the encryption user should be able to put whatever conditions he wishes on that relationship. Presumably, he would not have entered into that relationship unless he was able to control the disposition of the key.) Furthermore, the cops should not be allowed to do any decryption of any material wiretapped before they possess the key itself. In summary, I think you really need to revisit your support for this bill. It is only a short distance away from being a good bill, but that is a trip we must make if we are to protect and even expand our freedom. Jim Bell jimbell at pacifier.com Klaatu Burada Nikto -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMT5aHPqHVDBboB2dAQEACwP/eDky+Gi0kebbAWPYO9dX9HCQTzac3m3v YVyW4iEtGrQE78/Hmi4M2m9l4sDA3qOaFZtFhImRc4JVVWNy1Yp8JzTPbjESiB4M Q3ppLV7S9sQmYQnHIHbpJu9YVQ/j+cMIwp9tOI0FNLbXIKWhZz4t+6bfiqJWUgZK awsbDpXjYaU= =3HJl -----END PGP SIGNATURE----- From choi at virtu.sar.usf.edu Sat Mar 9 11:35:19 1996 From: choi at virtu.sar.usf.edu (Charles Choi (SAR)) Date: Sun, 10 Mar 1996 03:35:19 +0800 Subject: Integrity in the arts In-Reply-To: <9603090731.AA27437@cti02.citenet.net> Message-ID: > >Making art more palatable or less "extreme" to curry favor with > >corporate patrons, or to get that NEA grant, or to get that faculty > >position is self-censorship, and it does happen. > > No, it does not. Making art more palatable is simply the process of > free trade between two uncoerced entities. If the artist does not offer > what the corporate purchaser wants he will not sell. He thus adapt his > style out to his customer. Nobody is threatening to use force to > have the artist conform to the client. Nobody is forcing the client > to buy what he does not like. > > The artist does not have to compromise, he simply have to refuse the > contract. > Well, my did is an artist, and I have to say that you really have to consider the "human" aspects of it before you rattle off refusing contracts for art. Artists do art because they think they're good at it, or prefer art as a career field more than any other, presumbably. When you have to feed a) yourself b) your family, taking contracts seems that much more palatable. I admit, I don't like it either, but, to use a far more philosophical arena, sometimes people make the sacrifices that they do ( in terms of integrity and pride ) for the long run. Sometimes people feel they have no choice at any point in their lives. Sometimes people have nothing BUT artistic integrity. Those who take the latter often get the respect of other artists, but respecting one's example is not the same as following one's example; who knows how many years of suffering you have to go through before you make it, if you make it at all ( case in point; Van Gogh, who only sold 1 painting his entire life ). This argument may not seem all too relevant to this forum until you consider integrity of information, and start to consider how much one is and is not willing to sacrifice to others, say the authorities or to a society, in the first place. It becomes quite important then; admittedly in a roundabout way. Sincerely. Quentin Holte. ( aka Charles Choi. ) You are all the Buddha. - Last words of Buddha. If you see the Buddha, kill him. - Zen proverb. On Sat, 9 Mar 1996, Jean-Francois Avon wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > >Excerpts from internet.cypherpunks: 8-Mar-96 Re: U.S. State Dept > >critici.. by JFA T. QC, Canada at citene > >> There is no such thing as "self-censorship". Either you stick to > >> your values, and then it is *not* censorship, or then you do not, > >> and then, it is neither. > > > >Self-censorship does happen, and it's a growing problem in the arts > >community. (I'm not a commercial artist, so this is my understanding > >from other panelists and speakers at a conference I spoke at last month.) > > > Anybody using the term "censorship" to describe that is in the following > situation : he *wants* the advantages of the contract (money) without > respecting the customer, therefore. He deplores the fact that somebody > (the customer) can act to his best judgment. The fact that the artist > calls that censorship shows that he have the same thought process as > the true censorers, i.e. the conviction that the end justify the means, > and more specifically, the feeling that *his* ends justify *any* means. > > The artist may not act on his feelings but nevertheless, they are, in > essence, of this nature. > > And unfortunately, too many artists think that way. > > JFA > Accepting a grant is accepting stolen money. > The collectivists and their free-lunchers be DAMNED! > Restore an objective monetary standard such as gold! > > > > -----BEGIN PGP SIGNATURE----- > Version: 2.6.2i > > iQEVAwUBMUDVbsiycyXFit0NAQHG0gf+P1rmX5xQiRo5sHpvYBlvvclVdGxJaJ6c > E+n35ln3/FFMGiguk5TEr6tOG+vj6UNBW2VibggQ9HkMkQ+6yTeJRrWQVje+YxxY > pygYrY6wfDB8F9aemkVIiypZqvo+UrG+IZwKSsuqZuFmyxu5VsnAzFB/NQS6z/fq > WPnm23t51kj2d6e+1PDVJRmv1Gpjaj34xt9YIif7S7fXdMI8vRbopRkoFfbXcFsE > +I+fzeIPINXde44duW/tUmVbPZcrwxNgL0xo7AZ3fwzYGqOw2cR3zNFH9iPWs6O5 > iV+fNIx2f1sKl1MbkydEHtPVctLT3cqX0Bvi5f0k6XKdzmCMGSOr9g== > =qWzV > -----END PGP SIGNATURE----- > > Public Key at http://w3.citenet.net/users/jf_avon > Jean-Francois Avon > 2048 bits key ID:C58ADD0D 1996/03/01 > fingerprint=52 96 45 E8 20 5A 8A 5E F8 7C C8 6F AE FE F8 91 > > From jimbell at pacifier.com Sat Mar 9 11:56:18 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 10 Mar 1996 03:56:18 +0800 Subject: Leahy bill nightmare scenario? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 12:19 PM 3/8/96 -0800, Dan Weinstein wrote: >> Second, if what they're charging is the hindrance of an >> felony investigation, it isn't clear to me why they would be >> limiting the charging of that "crime" to only those actually who >> have committed a felony. (logic isn't the normal mode of thought for >> a government employee, you realize.) > >I agree with your concerns here, but I find it hard to believe that >the courts would allow a broader interpretation. Unfortunately, what you find "hard to believe" I find easy to believe. Remember, if this bill is passes, it doesn't merely affect YOU, it affects ME. So I suggest the burden of proof is on YOU to show that these provisions aren't going to be maliciously interpreted by the courts. >> Third, all they have to do is to "suspect" the person of a felony, >> and a >> "felony investigation" starts. That would presumably make him >> guilty of the Leahy bill's provision, regardless of whether he is >> actually participating in the crime supposedly being investigated. > >Here you are dead wrong, the bill specifically states: "in furtherance >of a felony." Its like those laws that let them charge someone with >murder in the first if someone dies while you are commiting another >felony. They must prove the original felony before they can get you >on the murder one. The real purpose of this provision, as I read it, >is to give longer sentences to criminals that use crypto. I'm not a lawyer, but I assume neither are you. Please explain the LEGAL DEFINTION of "in furtherance of a felony." If you can't, then you simply don't know how far they will go. And you're depending on the reasonableness of the government for the interpretion. >> Fourth, I gave what I considered to be a clear example of the >> hypothetical misuse of an encrypted remailer by the cops, one that >> would arguably make the remailer operator guilty of some >> "reasonable" anti-kiddie-porn statute. At that point, _he_is_ the >> target of the investigation. Unless you can show that this kind of >> action by the government is impossible, I consider it to be not >> merely possible but almost certain to occur. > >Again, the problem I see with your scenario is that I don't believe >that the courts will interpret it that way. What you think is irrelevant. Most people probably didn't realize what the government did in the Amateur Action BBS case was "legal," either. But they did it anyway. > My interpretation is that >if they serve a warrent and I don't decrypt for them and they can >prove a felony, then I will be subject to the listed punishment. Are you assuming that you have the key? Remember, if you run an encrypted anonymous remailer, and assuming you do it honestly, you won't be keeping records as to the source of the note. Thus, if they "serve a warrant" and you CAN'T decrypt the message (or tell them where it came from) then why aren't you already guilty? Remember, the wording of the proposed law doesn't require that you have full knowledge of the crime involved, merely that you act "in furtherance" of it... If you don't possess the key, but you explicitly ran your remailer so that you never it, just so you couldn't relinquish it, you have structured your operation too thwart any investigations. You are ALREADY guilty. This may not sound reasonable, but the government no longer (if it ever did) considers "reasonableness" to be an impediment to their actions. >> Fifth, it isn't clear what amount of knowledge is necessary to >> "trigger" this clause, especially in its current flawed state. >> Since ISP's and encrypted remailers might know, in general, that >> their systems can and probably are being used for SOME criminal >> activity, even if they can't identify it or the user, or decrypt it, >> etc, a broad interpretation of the resulting law could easily >> de-facto prohibit any business practices (i.e., allowing users to >> use encryption) that prevents full-scale monitoring and/or tracing. > >I disagree, it states you must "willfully endeavor" to use the >encryption as a means of obstructing the investigation. To me, this >means that it is the motivation for using the encryption. Question: What, exactly, is the motivation of a person running an anonymous remailer? His motivation is clear: To allow people to send anonymously untraceable messages. Assuming he's of ordinary levels of intelligence or beyond, he is aware that somebody may some day use his system for illegal purposes. You're going to have to explain why a court _CAN'T_ interpret this as being in violation of the law. > If I set >up an encrypting remailer for the purpose of allowing free exchange >of ideas, I don't believe I would be liable under this law. Your optimism is touching. It is also vastly misguided. >The >only way I could see a remailer charged under this is if he had solid >evidence that a specific user was violating the law, and took no >action. Gee, I wish you were right, but my experience with government thugs says that they will do anything they think they can get away with. >> This is only the beginning of the problems with this section. If >> you can explain why nothing I've described could possibly occur, I >> welcome a contrary explanation. > >I see some real problems too, but I do not see the problems with this >provision to be enough to condemn the entire bill. I don't "condemn the entire bill." I would, however, reject the entire bill if that provision remains. And morever, if we make a serious attempt to have it removed, the more they resist removing it the more we should insist it go. >I would like to >see this portion of the bill ammended to make it clear that only >those actually involved in commiting the felony would be held >responsible. There would still be a problem. What's the definition of "actually involved in committing the felony"? Are you aware, for example, that manufacturers of small plastic screw-top vials have been prosecuted and convicted simply because their vials could be used to hold small quantities of drugs such as cocaine and crack? This was a case from a few years back, BTW. I wish I could remember the cite. If you're not aware of these things, WAKE UP! Your optimism disgusts me, because it is entirely unrealistic and based on a rose-colored-glasses view of the government. >> But I would also ask this: Why, exactly, do we need this section? >> We've already been told that the opponents of this bill will fight >> it tooth-and-nail under its current wording; if that's the case then >> the presence of this section is inadequate to appease their >> unhappiness. Therefore, we shouldn't include it in the bill at all; >> it does no good. >> >> Any explanations, Dan? > >You are talking about the fringe, this, I think, was added as an >attempt to bring in those that are in the middle. Why would "those that are in the middle" object to a bill which is little more than a re-statement of rights we already believe we have?!? > That is, Those >that see the need to prevent the use of encryption as a means of >obstructing justice, but feel that we should also have a right to >privacy. There is no viable middle ground here. Any tool can be abused. > To say that there is no delema here is ridiculous, crime is >a serious problem that we are already having a terrible time dealing >with. On the contrary, my opinion is "The _government_ is a serious problem that we are already having a terrible time dealing with." Fortunately, I've found a solution, and the government is trying as hard as it can to prevent it (and "crypto-anarchy" in general) from taking root. > I think Leahy realizes that this provision will be about as >useful as the "use a gun, go to jail" laws, but wants to give those >in the middle to say that they bill will help prevent crime. Ha ha! That's rich! There is no reason that a "pro-encryption" bill has to contain any general "anti-crime" clauses. The average person is afraid of burglars, muggers, murderers, rapists, car thieves. When is the last time the average person was the victim of a crime whose investigation could be "thwarted" by the use of encryption? If you can't think of an example, you've just proved my point: This provision is entirely irrelevant to the average citizen (at least in a "positive" way) and can't be considered a "win" for him. >> Jim Bell >> jimbell at pacifier.com >> >> Klaatu Burada Nikto > >Good movie. I'm working on the real-life sequel. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUG+9fqHVDBboB2dAQFd+QP/SwSs1R7dV7tStxg9Hs7Sf9X+q6rWNfa/ d9xWPRpCS81TRhRnpKUxqJu0HZsGQphaEyPRLm1G4f6Z/ZCWsnzR+0XNv6H+FPMG QKSbCLmgGxnfNEWQmB3BDDJS0KEkNGs6slUvcUS9aRBuKbW6Optu3rYgM/7DCPAq M1QkmlpC2EU= =YeFw -----END PGP SIGNATURE----- From black at eng.usf.edu Sat Mar 9 12:00:56 1996 From: black at eng.usf.edu (James Black (CS)) Date: Sun, 10 Mar 1996 04:00:56 +0800 Subject: Looking for code to run an encrypted mailing list In-Reply-To: Message-ID: Hello, On Fri, 8 Mar 1996, Alan Bostick wrote: > Bill Stewart wrote: > > Suppose, though, that the Cypherpunks list was encrypted in this way. > There are about a thousand listmembers. Using one IDEA key and the > multiple-recipients option would mean that the encrypted message would > consist of a thousand RSA-encrypted session keys followed by the > IDEA-encrypted cyphertext. If everyone used a 1024-bit-or-longer key > pair, then each message would be a megabyte long! The way to do it is for the system (listserver) to have everyone's public key, and just encrypt every message for that person. If this isn't done already I could get around to writing the program to do this. ========================================================================== James Black (Comp Sci/Comp Eng sophomore) e-mail: black at eng.usf.edu http://www.eng.usf.edu/~black/index.html "An idea that is not dangerous is unworthy of being called an idea at all." Oscar Wilde ************************************************************************** From jf_avon at citenet.net Sat Mar 9 12:09:29 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Sun, 10 Mar 1996 04:09:29 +0800 Subject: U.S. State Dept criticizes Chinese net-censorship Message-ID: <9603091820.AB14468@cti02.citenet.net> -----BEGIN PGP SIGNED MESSAGE----- "Paul S. Penrod" wrote to Declan: >IF you hold to the premise that self-censorship is based in a >large part on witholding your natural inclination and/or reaction >, then yes the argument can be made that self-censorship occurs >all the time. However, I would submit that J.F.A. is correct and >that your position is but a subset of the original statement. One problem that arise in all of the discussion around this theme is that peoples have very different ideas of the terms "self- interest" and "selfishness". The collectivists and mystics have made us accept the basic premise that selfishness means "acting in a way harmfull to others". They just trained us to blank out the fact that, as rational animals who love life, our best inte- rest might very well coincide with the one of our neighboor. Man, after being a rational animal is also a social animal. There is plenty of crypto relevency in this discussion and it lies in the basic view of Man of the individuals in such discussion. Is Man an intrinsical blood thirsty beast that either kills or cry or is Man a rational animal that can enjoy life in a peaceful and constructive and exciting way? The one who have the first opinion wants more govt, more laws and GKE. The others wants freedom. JFA -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQEVAwUBMUGA6MiycyXFit0NAQGlLQf8DxmsCoNvqlmbsvb87/IS5UsZOVFXgdG+ cdLSY9A0UDl7bCPtyKJ5V/kvA8VDiL5H4K/Le9yRD6pYcLWf5S9sHdMhM24odhqy 7/7lIK0ud1+4oD0SIfZyPNcSpJc0AWIMn6E6Xa2K/khtjl9qtKvS+byRyZumExrS p3ScxHPe2WJvR2wCN7lnrwzLoj8MA8+XaHomOa7pQme7z+YjmM76gi/8lzt9i+J7 tmGz39UfDQx8QAaq0NfVmUelmT80xsDxCmWU19lgdCoY2P8QGjR8pie/gZPdJiXl LtutVcefHb7cP9gKYXPHwxV4krM2urMhBM2cS469lwQqZY8VYN5NaQ== =SVWp -----END PGP SIGNATURE----- Public Key at http://w3.citenet.net/users/jf_avon Jean-Francois Avon 2048 bits key ID:C58ADD0D 1996/03/01 fingerprint=52 96 45 E8 20 5A 8A 5E F8 7C C8 6F AE FE F8 91 From jf_avon at citenet.net Sat Mar 9 12:19:32 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Sun, 10 Mar 1996 04:19:32 +0800 Subject: Artist self censorship (Was Chinese net-censorship) Noise Message-ID: <9603091820.AA14468@cti02.citenet.net> -----BEGIN PGP SIGNED MESSAGE----- nobody at REPLAY.COM (Anonymous) said: >before taking >a picture he usually asks himself about how this picture is percived, something >the he never thought twice before the FBI raid. > >Mr. Avon should think twice before commenting on self censorship does not >exist, for that could be the difference from having the door kicked in by the >black ninja turtles with the FBI or toning down your work. OK. *THAT* might be interpreted, wrongly, as self-censorship. But words have a *precise* meaning, which unfortunately, I sometimes miss in the english language. The opinion I wrote was in the *context* of the interaction of an artist with a purchaser. In that context, what govern the events is consensuality: everybody acts *uncoerced* to his best advantage. In the case you cite, the *context* is very different. But still, I would not call it "self-censorship". I do not have, on the top of my head, any precise term for it, but maybe FUD, fear of physical violence, survival tactics while harrassed by a thuggish assaulter, etc., would apply... I did not think twice, I thought about it several hundred times... Your comment is *very* interesting. It point out how peoples can so easily blank out contextual information. Forgive my bias but I personnally makes a big distinction between the volitional initiation of physical violence (or menace of) and other situations where it is absent. Regards! JFA -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQEVAwUBMUF6K8iycyXFit0NAQFoBgf/Tt0zFCaRNJFBwZcxsV/v5ABnjjnAtqoT EDF0OA7+UogWT1MXL8RP58tQ2vTwUWJ1PdK/gdnwlkjpwxC0i4gRx1HpnCLOjRlL UgkUKu5qiyIWKd6upCYCMd1NCbqaffHjWr3pWxVFE/zPaCQ7mlrZZV4QBeV/bKbU djt70BQTa7WFvQwZWkVO7QcxOawjzItyZErusdEIvPz03MqbcqSaQu0NgtEy/Zwu 82CSF10uTL96TzjXm1icASiquDk8Tj+go8WqC1FZ8uK3kFHDDkEuLqzXdtG6sJKK hV4PPfehyjXXXB2CADmXMnXZVLkWU0x5Ig7l/bdOETrPhfl07Di9tQ== =1OeX -----END PGP SIGNATURE----- Public Key at http://w3.citenet.net/users/jf_avon Jean-Francois Avon 2048 bits key ID:C58ADD0D 1996/03/01 fingerprint=52 96 45 E8 20 5A 8A 5E F8 7C C8 6F AE FE F8 91 From tcmay at got.net Sat Mar 9 12:30:52 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 10 Mar 1996 04:30:52 +0800 Subject: art-stego Message-ID: This is a very good idea. I wish I'd thought of it. Just bear in mind that this form of steganography is getting further away from conventional hiding, and into "pure plausible deniability." In fact, one need not even make a serious attempt to hide the encrypted bits: just call the encrypted file "art" and be done with it! (I'm not saying stego is worthless, just that there's a slippery slope one can get on, with one extreme being this fiction that "this is not an encrypted file, this is _art_!") At 7:18 PM 3/4/96, Jim Miller wrote: >The recent discussion "Chaff in the Channel" got me thinking about an >alternative to hiding random bit streams in picture files. The goal of >steganography, as I see it, is to provide plausible deniability. The Yes, all those critics who point out that steganography (not to mention stenography) is an example of the rightly-maligned "security through obscurity" are missing this point, that steganography arises in situations where the mere act of communicating is itself actionable. (Get caught in Berlin during the war with invisible ink or microdots and get hanged the next morning, whether or not the SS can read the traffic.) >problem with hiding bit streams is that you can never be sure if the >opponent has developed an analysis technique to prove a particular file >contains a suspicious bit pattern. Yes, this is why I suggested (some years back, originally) that noise be deliberately added to even images not intended for communication, as "chaff" to confuse traffic analysts. Your approach is a better one, as the "art stego" market, while small, could be self-sustaining. >The alternative to hiding bit streams is to not hide them. Use them to >generate pretty pictures. For example, modify a fractal image generator >to accept a bit stream as input. Use the bit settings to influence the >values used to iterate the fractal function. You don't have to use >fractals, any function that produces pretty pictures would probably work >as long as there was a way to extract the bit stream from the final >picture. Brute force would probably work fast enough for humans. > >One possibility is a screen saver that produces an "infinite" variety of >pretty pictures by generating a pseudo-random bit stream and using it to >help generate the next background picture. Occasionally, the picture >might be so cool you will want to send it your friends or post it on the >Net or just keep it around to look at. > >The goal is to create an innocent reason for passing around unique images >that contain random bit streams so we don't have to worry if somebody >finds the bit stream. If you live in a country that doesn't outlaw >abstract art you have plausible deniability. Now it's just up to someone to implement this. I don't expect this to be a huge market--remember what's happened to all those Mandelbrot images that were once the rage--but there's a chance it will get established as one of those "cool" apps that are tres trendy for a while. I still would expect that when the Hamas leaders in Gaza are picked up for questioning and "ArtStego" is found on their systems, along with various "abstract artworks" on their disk drives, that Mossad will not be fooled. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From drose at AZStarNet.com Sat Mar 9 12:37:26 1996 From: drose at AZStarNet.com (drose at AZStarNet.com) Date: Sun, 10 Mar 1996 04:37:26 +0800 Subject: Another Motivation for the CDA (Federal Sentencing Guid Message-ID: <199603091840.LAA21661@web.azstarnet.com> On Sat, 9 Mar 1996, "Dave Emery" wrote: >The article also points out that in a state with a 7% black population 43% of the >three time losers are black. Right on, bro! This is the kind of institutionalized racism that we all deplore! In fact...hey, wait a sec. Hmmm, 7% of the population; what was the percentage of black rioters in the "motorist" Rodney "Why can't we all live together?" King "peace demonstration"? Yo, homes: of the 50K gang members in L.A., what percentage is non-black? Give it a f... (oops) I mean, gosh darn rest. ObCrypto: Perry, please consult Dave Emery. Thanks! --David M. Rose From jimbell at pacifier.com Sat Mar 9 12:50:03 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 10 Mar 1996 04:50:03 +0800 Subject: Assasination Politics Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 04:51 PM 3/8/96 EDT, E. ALLEN SMITH wrote: >From: IN%"jimbell at pacifier.com" "jim bell" 13-FEB-1996 14:53:40.39 >>From: Me >>> A. My previously mentioned problem with a limited but non-libertarian >>>organization. > >>I don't deny that such an organization might spring up. (Anti-abortion >>activists are the group which come most immediately to my mind, BTW. I'm >>not in sympathy with them; quite the opposite.) I've never claimed that >>this system is totally immune to such abuse, in the same way that the seller >>of a gun can certify that it will never be used to commit a crime. +__________^^^ Ooops! my error, I meant "can't." > I understand and agree with the gun argument. However, it's still a >matter of whether Assasination Politics will overall be better or worse than >the current system. The one thing that disappoints me about the result of my presentation of this idea is that I haven't heard any intelligent arguments quantitatively arguing that things will be worse. Other proponents simply agree that the system would be better; most of the opponents don't take the trouble to quantify their objections. >If better, then I'll support it if it becomes necessary (I >still hope for peaceful (or at least relatively peaceful) change - hopefully, >it has not become necessary for the Declaration of Independence's justification >of revolution to be reused). If worse, I won't. I won't try to stop you from >doing so, however (currently, there's no way that I could, for instance). What's interesting is that you see this; yet there are a number of opponents who can't seem to realize that what THEY want (or, for that matter, what _I_ want) may be absolutely irrelevant to what is actually going to happen. > Incidentally, by "support" I am meaning making suggestions for >technical improvements. Admittedly, the degree to which I can do so is limited >by my lack of technical knowledge, but I believe I have thought of some >workable refinements. These are the kind of discussions I'd most want to have. I understand, however, that anybody might hesitate a bit to appear to be actively encouraging such a system. That's why I've decided my best function is to be the initiator of the idea, and the primary educator. Somebody else will actually develop the system, probably without telling me anything. > As well as the obvious problem of unethical assasinations, there is >also that of a negative reputation being given to various cypherpunk-liked >ideas (anonymous remailers, fully anonymous digital cash, etcetera) if someone >notices this. Perhaps, but most (non-net-using) people are so unaware of encryption as to make this irrelevant, I think. >>> Moreover, Jim Bell is ignoring the other sources of propaganda than >>>government in convincing the average person that someone is doing something >>>wrong (when, by my ethics at least, they aren't) - such as religion and >>>various organizations like the PFDA. > >>Again, only a tiny fraction of the population needs to participate... > > However, if more of the population participates, they may do stupid >things like using an organization that might strike at them - just as they >currently support a government that can crack down on them. The minority of >intelligent people - the tiny fraction needed for this to potentially work - >isn't a factor for this part. In other words, I'm more worried about too _many_ >people - the wrong people - participating rather than too few. Well, there's not a great deal that we can do to prevent it. Five years ago, I'm sure the then-users of the Internet were fearful of all the newbies to come; even today, we may subtly fear those to come. In other words, once WE'RE on the lifeboat, we don't want anyone else to show up! >>Since "Assassination Politics" is based on a combined-donation system, even >>people on a subsistence wage could contribute; a quarter here, a dollar >>there, pretty soon it turns into real money. > > That is an argument against it. Do you want the people who give to >televangelists being able to more directly have people killed than in the >current system (when at least you've got votes by others to take care of the >problem)? Unfortunately, the same system of ethics that would make one's >targets the right ones also excludes the targets (non-governmental figures) >that can create the problems under this system - like the PFDA leaders. Have you forgotten what might happen to those same televangelists? While I'd sure like to be able to design a system where only the "right" people die (by my own opinion), I'm under no illusion that this would be anything other than a dictatorship under "Jim Bell" or whoever happened to be in control. I think I've done a fairly good job of designing (anticipating?) a system that will do a lot of good, hopefully without doing a lot of bad. There may be nothing I can do about the negatives, unfortunately. Jim Bell jimbell at pacifier.com -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUHG/vqHVDBboB2dAQHitAP/VT/c++g81sgzDPHh2d6wcSmmHgQQg0Rz Vr3sQt2RYoEZBdLG267IxQw0aYAQvQv2KARD7A+nlbXlM7XR6xQYdjhXQ47hEel0 OBG//UI3XcA8TcdIqOuREi1T+AAWpYYyTz1YpGGR1oMZp6Mv/jjHoZ6f6i2XGY6u sjHfSLcd5Dg= =ICpg -----END PGP SIGNATURE----- From rich at c2.org Sat Mar 9 12:57:45 1996 From: rich at c2.org (Just Rich) Date: Sun, 10 Mar 1996 04:57:45 +0800 Subject: FCC & Internet phones In-Reply-To: <960309121242.2020bb3e@hobbes.orl.mmc.com> Message-ID: There's also an article in today's San Jose Mercury News. I'm just wondering how the hell they would enforce regulations on carrying voice over the Internet. Are they going to analyze every packet? What happens when someone makes a trivial modification to the code, or adds a gateway, so that the voice call uses a different UDP (or more likely RTP) port and header format? They could try to make a frontal assault by regulating the Internet itself, but they should know better. -rich From sameer at atropos.c2.org Sat Mar 9 12:59:29 1996 From: sameer at atropos.c2.org (sameer at atropos.c2.org) Date: Sun, 10 Mar 1996 04:59:29 +0800 Subject: SurfWatch In-Reply-To: <31414295.4DBE@netscape.com> Message-ID: <199603091850.KAA28923@atropos.c2.org> the big web engines already are getting their most hits for the words on the http://www.c2.org/ page (see the source, it's in comments.) I still need to write mod_hotbabes.c for apache, though. > > I predict that 6 months after the first internet rating system is widely > deployed, the largest use of search engines such as altavista will be to > look for pages with the most "naughty" ratings. Perhaps such services will > allow text searches for free, but charge for searches based on the rating > tag... > > --Jeff > > -- > Jeff Weinstein - Electronic Munitions Specialist > Netscape Communication Corporation > jsw at netscape.com - http://home.netscape.com/people/jsw > Any opinions expressed above are mine. > -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From jf_avon at citenet.net Sat Mar 9 13:06:27 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Sun, 10 Mar 1996 05:06:27 +0800 Subject: Assassination Politics(tm) was V-chips, CC, and Motorcycle Helmets Message-ID: <9603091853.AA15821@cti02.citenet.net> -----BEGIN PGP SIGNED MESSAGE----- >At 10:42 PM 3/8/96 -0800, Bill Frantz wrote: >>(1) Assassination Politics (AP) will be most useful to a fired-up group of >>people who want to silence a single person. Madeline Murray O'Hare comes >>to mind. (She was a Texas atheist who challenged school prayer and won.) I quote this text as an example of an ongoing thought process in the analysis of the AP scheme. A little statistical mechanics would not hurt here. The above example shows *one* possible interaction between two entities, each having their own charac- teristics leading to a given inter- action. But in all theses examples, the specific variables that is forgotten is the time variable. What will be the *dynamic* characteristics of such a system. - the above paragraph describe an interaction in a given direction. - what are the others interactions that could *speed up* the above process - what are the others interactions that could *slow down* the above process Any analysis of the problem that blanks out the probability of occurence (which happens in the time domain) of each partial reaction cannot describe the outcome of the scheme. Proponents of such a scheme should stick a bit more to crypto... Ehhhh... What can I say? Physics is everywhere :) JFA B. Sc. physics A physicist is a guys/gal that cannot help but see a dance floor in a crowded bar as an interesting thermodynamical system... -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQEVAwUBMUGK/MiycyXFit0NAQFZeAf+JzOfyxmQHBw5E6ATx4dYUMXabUTTbt1r 5ifyuwYPQ9Urwz3ONHbOOI7O2CRkBcHfvYalIFvKFwKH4oQGsf/s2mGqKDi1bVX7 hUwk5oKTFPYeBHnrI2i4LglQPiBQMJJsi+ISkKujtCnE6UHR8XHjuPfnQ1FV8amA o5KF8HJlkVgKMCEiJSsHGBmVQl/WbhM8JIJnPy+iteC+d0wEljr9tCMIxJJ6JWza r4dzLAP9VPDoSkhK7qSh5AWUVp2Wh0v3p9M4wuE7WzI+Gbha0KgKht9ZEZOx3oVH SuA0yZ+zfVVib1x4UedG/9rKQ5m0fiYDqJ8xPOWMPXTmo2Ecqad9zA== =DSc6 -----END PGP SIGNATURE----- Public Key at http://w3.citenet.net/users/jf_avon Jean-Francois Avon 2048 bits key ID:C58ADD0D 1996/03/01 fingerprint=52 96 45 E8 20 5A 8A 5E F8 7C C8 6F AE FE F8 91 From rich at c2.org Sat Mar 9 13:09:16 1996 From: rich at c2.org (Just Rich) Date: Sun, 10 Mar 1996 05:09:16 +0800 Subject: Minor challenge: Running IIS on NT Workstation (fwd) Message-ID: Meanwhile, back in my other life... any ideas? This could save small business a lot of money. -rich ---------- Forwarded message ---------- To: hackmsoft at c2.org I was at Microsoft the other day and one of the sales guys told me that there is a fix for the IIS (Internet Information Server) that makes it run on Windows NT Workstation. There is something in the registry that the application checks. He backed out from giving me the fix. I guess they want to sell more NT Server than Workstation. It maybe something you may want to watchout for. From jya at pipeline.com Sat Mar 9 13:11:48 1996 From: jya at pipeline.com (John Young) Date: Sun, 10 Mar 1996 05:11:48 +0800 Subject: SLE_aze Message-ID: <199603081618.LAA21645@pipe4.nyc.pipeline.com> 3-8-96. FT: "Asean forum to fight Internet sleaze." The Association of South-East Asian Nations agreed yesterday to censor "negative elements" of the Internet. Information ministers are concerned about "information contamination" and agreed on the need for regulation and to learn from each other's experience, particularly from Singapore. 3-6-96. WSJ: "Singapore Unveils Sweeping Measures To Control Words, Images on Internet." Singapore said it will concentrate on individuals or organizations putting content on the Internet and the country's three access providers. Only public forums, or electronic spaces where people can converse or create displays visible to others who journey there, will fall under the regulations. 3-8-96. TWP: "FBI Advertises for Tips On Spies From Vietnam." FBI officials said the advertisements were prompted by an increase in activity by Vietnam's intelligence agents impersonating relatives of Vietnamese Americans to sneak into the country and steal high-technology secrets. SLE_aze (for 3) From tbyfield at panix.com Sat Mar 9 13:23:08 1996 From: tbyfield at panix.com (t byfield) Date: Sun, 10 Mar 1996 05:23:08 +0800 Subject: FCC & Internet phones Message-ID: At 12:47 PM 3/9/96, Mutant Rob wrote: >Yes... but the Internet is not like HAM radio. The FCC has no >jurisdiction outside the US, and it would cause various problems >for them to try to regulate the use of IPhone or how ISPs operate. Question of how practical enforcement would be haven't been big in a lot of the legislation we've seen coming out of various capitals, so I doubt the situation for bureaucratic rule-mongering would be much different. The WP article said that has ACTA has "asked the [FCC] to stop this kind of communications and study how to regulate it," probably--and not surprisingly --in that order. It looks like another case of trying to saddle ISPs with impossible enforcement burdens, though in this case one that a lot of ISPs might not mind so much, given the bandwidth that netphone usage eats up (cf. xs4all, I hear, has forbidden users to run CU-SeeMe). Q: Is it practically possible to find netphone traffic on a generic network at any level above the source and target addresses? Ted From mnorth at netcom.com Sat Mar 9 13:35:06 1996 From: mnorth at netcom.com (Marc North) Date: Sun, 10 Mar 1996 05:35:06 +0800 Subject: Index of Coincidence Message-ID: I'm new to the mailing list, but I have grep'd tcmay's CP-FAQ and all related FAQs for this, but have yet to find anything. I'm looking for detailed information on a statistical tool to aid in cryptanalysis called an "index of coincidence". I would appreciate it if someone could please explain what this is, how one builds such an index against a given ciphertext, and how it is valuable in the cryptanalysis of said ciphertext. Many thanks, Marc -- .--------------------------------------------------------. | Marc North <*> mnorth at netcom.com <*> San Jose, CA. | `--------------------------------------------------------' From perry at piermont.com Sat Mar 9 13:41:50 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 10 Mar 1996 05:41:50 +0800 Subject: News on RSA vs. Cylink Injunctions and Patents In-Reply-To: <199603082231.RAA11593@homeport.org> Message-ID: <199603092000.PAA16523@jekyll.piermont.com> Adam Shostack writes: > Is RSA now saying that the original Diffie-Hellman patent > (#4,200,770) is not valid? A hoot, ain't it? > I'm curious, because in the past, as I understand things, RSA has > said that the DH patent covers El Gamal. If RSA no longer considers > DH to be a valid patent, that would mean El Gamal is not patent > encumbered. It all matters very little to me, as the patents expire next year. Perry From froomkin at law.miami.edu Sat Mar 9 13:44:15 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Sun, 10 Mar 1996 05:44:15 +0800 Subject: frequency of remailer use? Message-ID: I would be very grateful for pointers to data concerning the number of messages that pass through remailers. (Not anon.penet.fi -- real remailers.) I am currently in a conversation with a journalist who should know better, but claims that secure anonymous remailers are never used by anyone -- just a curiosity. A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here. From JonWienke at aol.com Sat Mar 9 13:56:29 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Sun, 10 Mar 1996 05:56:29 +0800 Subject: TCP/IP Stego (was CU-SeeMe) Message-ID: <960309162011_346243269@mail02.mail.aol.com> In a message dated 96-03-08 15:17:39 EST, you write: >The difference between the two methods is, as I said before, exactly >the same as the difference between TCP/IP and UUCP. Hiding info in >images or sound files works fine for "email" or file storage but has >no chance of being an interactive protocol, sometimes you need to >get things done in real-time. Haven't you ever heard of IPhone, Nautilus, or PGPfone? Jonathan Wienke From dimitrt at dcs.rhbnc.ac.uk Sat Mar 9 14:06:44 1996 From: dimitrt at dcs.rhbnc.ac.uk (Dimitris Tsapakidis) Date: Sun, 10 Mar 1996 06:06:44 +0800 Subject: Square pegs in round holes, matchmaking, corporate mailservers Message-ID: <199603092150.VAA08613@alice.cs.rhbnc.ac.uk> Let's stick one thread this time. I lost track when the Subject header was changed. Twice! :-) The original definition of the problem: >>Bob must find out whether Alice has declared (commited) her interest >>in him, if and only if he has declared (commited) his interest in her. >>Before he does so, he can at most know that a girl is interested in >>him. Another description: Bob and Alice can have a date if they both >>commit to each other. If only one commits, nobody will ever find out >>about it. (PADGETT at hobbes.orl.mmc.com) wrote: >Instead of using a binary assymetric key, why not a triple ? (Just >because I do not know of any does not mean that one does not exist). >Given a triple (tertiary ?) function each individual would only need >their receive key and a "post office" transmit key. On sending a >message, it would be encrypted with a session key and the session key >encrypted with the post office key. You got me confused. Does this thing exist, or you would like it to exist? :-) Bill wrote: >If Bob wants to talk to Alice, he sends Trent B = g**b, marked >"For Alice", optionally anonymously. Trent calculates >X = B**t == g**bt, and sends it to Alice. Alice calculates >K = X**a == g**bat, calculates H = Hash(K) and posts it anonymously, >or sends it to Trent to post or mail to Bob. If Alice wants to talk >to Bob, she calculates A = g**a mod p, sends it to Trent, optionally >anonymously, marked "For Bob". Trent calculates Y = A**t == g**at , >and sends it to Bob. Bob calculates K' = Y**b == g**abt, calculates >H' = Hash(K') and notices that it's the same as the H he pulled off >the net earlier. Bob says "Oh, wow! Alice wants to talk to me!", >encrypts some lame drivel of a message M with key K'==K, and mails >it to Alice if he knows her address or posts it with Subject: H', >which Alice receives. on which Hal commented: >I don't think this satisfies the requirements. Once Bob calculates H' >and sees that it matches H, he knows that Alice likes him, but Alice >doesn't know that he likes her. The whole point of the protocol was to >be fair. Bob must only learn that Alice likes him if Alice is >guaranteed to learn that he likes her. Correct. I believe my hash_k is equivalent to your **t (which I thought as well, but preferred to use hash_k in my original description). Hence, my "mediated off-line" protocol can also be written as: - Bob, who likes Alice, sends [g**ab, pseudo(B)] to Trend who posts [g**abt, pseudo(B)]. Alice learns nothing at this point. - If she ever decides she likes Bob, she sends [g**ab, pseudo(A)] to Trend, who posts [g**abt, pseudo(A)]. So Bob and Alice notice g**abt, pseudo(B) and g**abt, pseudo(A) being posted so they know they have a match. Somebody who knows t can only find out who is interested in them. Nothing more. T could possibly be replaced by n T(i)'s each of whom has a secret key t(i). But this is another thread. Hal added: >The easiest formulation is pairwise: >Alice and Bob mutually engage in the calculation of "Alice loves Bob" >AND "Bob loves Alice". Each inputs his feelings as an input bit, and >the output will be true only if they have mutual feelings. >Each pair of potential lovers would then go through the protocol with ^^^^^^^^^^ >each other. Assuming we have a fair AND protocol, Alice cannot initiate it with Bob, because this would demontrate her interest. Solutions: 1) You can force all possible pairs to execute the protocol, as you said, but is not very practical. 2) Alice could initiate the protocol even if she is not interested, in order to "hide" the cases when she is genuinely interested. Not very practical, either. 3) My proposal (protocol 3 in my previous posting) is that Alice approaches Bob anonymously. But they can't execute the AND gate, because Bob doesn't know who she talks to. What they compare is: Alice's number: g**ab and Bob's number: g**bx where x is the girl he likes. >This problem is solved in "Multiparty Computations Ensuring Privacy of >Each Party's Input and Correctness of the Result", by Chaum, Damgard, >and van de Graaf, in the proceedings of the Crypto 87 conference. They >even discuss this application directly: "Note that this AND-gate >computation, where both parties want to hide their input from each >other, has a meaningful application: consider the situation where Alice >and Bob have just met, and each considers dating the other. Neither >wishes to lose face in the following sense: if Alice wants a date but >Bob doesn't, Alice does not want to let Bob know that she wanted the >date. And the same holds for Bob. In other words: if a party does not >want the date it does not find out the other party's decision." Thanks, I will have a look. This will only work if there is a law forcing newly met pairs of people to enter the protocol, as in (1) above, right? Dimitris -- Dimitris Tsapakidis PGP keyID: 735590D5 dimitrt at dcs.rhbnc.ac.uk MSc in Information Security, This space reserved Royal Holloway, University of London for future use. Origin: Thessaloniki, Macedonia, Hellas From furballs at netcom.com Sat Mar 9 14:18:46 1996 From: furballs at netcom.com (Paul S. Penrod) Date: Sun, 10 Mar 1996 06:18:46 +0800 Subject: U.S. State Dept criticizes Chinese net-censorship In-Reply-To: <9603091820.AB14468@cti02.citenet.net> Message-ID: On Sat, 9 Mar 1996, Jean-Francois Avon wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > "Paul S. Penrod" wrote to Declan: > > >IF you hold to the premise that self-censorship is based in a > >large part on witholding your natural inclination and/or reaction > >, then yes the argument can be made that self-censorship occurs > >all the time. However, I would submit that J.F.A. is correct and > >that your position is but a subset of the original statement. > > One problem that arise in all of the discussion around this theme > is that peoples have very different ideas of the terms "self- > interest" and "selfishness". The collectivists and mystics have > made us accept the basic premise that selfishness means "acting > in a way harmfull to others". They just trained us to blank out > the fact that, as rational animals who love life, our best inte- > rest might very well coincide with the one of our neighboor. Well, I'll accept the premise at face value for the moment - as per our discussion. The argument points out the blatant spin control exercised on the language by those who would "manage" our daily affairs. Orwell was correct in his "Newsspeek". What I can't understand is why it is so difficult for some people to understand the difference between discipline and control. Discipline to time proven principles of social behavior begets freedom and allows one to control themselves rather than the state making it their pervue. Self-mastery does at least two things (germain to this discussion). First, it promotes and awareness in an individual that they can not make it alone - thus addressing the social nature of Man. It engenders a desire to render service to one's neighbor as it is intuitively understood that benefit to one's self is derived from the benefit enjoyed by one's neighbor. There is another topical digression I wont go into here. Second, it reduces the need for governmental control and regulation, because order is kept by all, rather than enforced by the few within the community. Thus it reduces government pervue to those problems and issues that requires a much larger scale of economy than can be achieved effectively by the local enclave. The Interstate highway system, communication infrastructure, trading policies and national defense are items that can be justified at this level of view. While a bit utopic in view, such a system properly employed would not require cryptography to handle communications as the trust would exist in the confidential delivery of such communique. However, this world being what it is promotes the use of trusted agents for delivery because of Man's selfish tendencies... > > Man, after being a rational animal is also a social animal. The first I would dispute, the second is apparent... :-) > > There is plenty of crypto relevency in this discussion and it lies > in the basic view of Man of the individuals in such discussion. > > Is Man an intrinsical blood thirsty beast that either kills or cry > or is Man a rational animal that can enjoy life in a peaceful and > constructive and exciting way? > > The one who have the first opinion wants more govt, more laws and > GKE. The others wants freedom. > > JFA I would answer the question this way: Look at a child when it is a newborn. It is innocent, completely dependant, and loves unconditionally (relatively so). By age 5, at least half the learning this person will do in their life time has been accomplished. IT is at this stage that one can look at predict the behavior for some time to come (assuming nothing drastic changes in the child's next few years of life). Over time they loose that natural curiosity and innocence that in large part drove them to explore. They form opinions right or wrong about issues both tangible and intangible. In my estimation, the nature of man is clearly delineated by the behavior displayed when he first comes into this world: curious, selfish, loving, and needy for social contact. All attributes of his character can be defined and shaped by these things, the experiences in life and the examples set for him by those who are his mentors. If man turns predatory, it is because he found that set of behaviors best suit his needs of the moment - otherwise he would seek other ways of fullfilling those needs. Hence - we are not rational creatures. ...Paul From jimbell at pacifier.com Sat Mar 9 14:46:10 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 10 Mar 1996 06:46:10 +0800 Subject: Assassination Politics(tm) was V-chips, CC, and Motorcycle Helmets Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 01:45 PM 3/9/96 -0500, Jean-Francois Avon (JFA Technologies, QC, Canada) wrote: >>At 10:42 PM 3/8/96 -0800, Bill Frantz wrote: >>>(1) Assassination Politics (AP) will be most useful to a fired-up group of >>>people who want to silence a single person. Madeline Murray O'Hare comes >>>to mind. (She was a Texas atheist who challenged school prayer and won.) > >I quote this text as an example of an ongoing thought process in >the analysis of the AP scheme. A little statistical mechanics >would not hurt here. The above example shows *one* possible >interaction between two entities, each having their own charac- >teristics leading to a given inter- action. But in all theses >examples, the specific variables that is forgotten is the time >variable. > >What will be the *dynamic* characteristics of such a system. > - the above paragraph describe an interaction in a given > direction. > - what are the others interactions that could *speed up* the > above process > - what are the others interactions that could *slow down* the > above process >Any analysis of the problem that blanks out the >probability of occurence (which happens in the time domain) of >each partial reaction cannot describe the outcome of the scheme. Ever since I started publicizing my "Assassination Politics" idea, I've noticed that self-selected opponents of this idea frequently invent these hypothetical scenarios to try to criticize it. Now, I can't deny that any given scenario can happen, but I respond that I don't believe that it would occur very frequently, and I usually give reasons why. I don't normally get any kind of challenge to this: They've shot their wad, so to speak. >Proponents of such a scheme should stick a bit more to crypto... Well, I agree, but keep in mind that the text you quoted above was apparently written by a critic, not a proponent. Jim Bell jimbell at pacifier.com Klaatu Burada Nikto -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUH8TPqHVDBboB2dAQG68QP/Uzlblek07Fihu73pDWw/Tf50QK92x4hY j6qeP0lgnFjn4Y2k3ELYv4DbxpJi5vJM4Z/7CIZZaWJnHSeoT9QBF9D3GG88N/5q OjGN1Wwe3b4wHmuaEPen5CWEUfAFFE51zdlBknjYWUBqBKOsZ9lfqoMCKGysqshR gW9UH9zicsA= =qubI -----END PGP SIGNATURE----- From markm at voicenet.com Sat Mar 9 14:50:06 1996 From: markm at voicenet.com (Mark M.) Date: Sun, 10 Mar 1996 06:50:06 +0800 Subject: frequency of remailer use? In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sat, 9 Mar 1996, Michael Froomkin wrote: > I would be very grateful for pointers to data concerning the number of > messages that pass through remailers. (Not anon.penet.fi -- real > remailers.) I am currently in a conversation with a journalist who should > know better, but claims that secure anonymous remailers are never used by > anyone -- just a curiosity. For most remailers, you can get the usage statistics by sending a message to the remailer with the subject line "remailer-stats." - --Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMUH3YLZc+sv5siulAQESwQQAsA7VqqGi1la+4/jcMG7Qqz3jAVLSU0+x CR0TCJE7DPxY+C+IscBTv98BB0z9NiJei/kNgJnIjJze4xLBXj1AHJ4W5O8WRkjV HMJTawXiCbkvaJ1NztyQwBDsgJkmkWg3kFSR8HQUyRXaaB3+11zyg2poZf4aSu1e XrK2C/5j0oc= =DtAu -----END PGP SIGNATURE----- From perry at piermont.com Sat Mar 9 14:51:35 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 10 Mar 1996 06:51:35 +0800 Subject: Index of Coincidence In-Reply-To: Message-ID: <199603092025.PAA16611@jekyll.piermont.com> Marc North writes: > I'm looking for detailed information on a statistical tool to aid in > cryptanalysis called an "index of coincidence". I would appreciate it if > someone could please explain what this is, how one builds such an index > against a given ciphertext, and how it is valuable in the cryptanalysis of > said ciphertext. There is a fairly good general description in "The Codebreakers"; there is also a book by Friedman available from Agean Park Press that covers the topic. I don't know of any public tools to do the work, but it isn't very hard... Perry From EALLENSMITH at ocelot.Rutgers.EDU Sat Mar 9 14:54:53 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 10 Mar 1996 06:54:53 +0800 Subject: Why the phone companies are going after Internet phones? Message-ID: <01I255H0C7HCAKTUFI@mbcl.rutgers.edu> I suspect that the below bit of information may explain why the phone companies are going after regulation of the Internet phone market. -Allen ----------------- Reuters New Media [...] _ Friday March 8 6:04 PM EST _ Firms to Offer Computer to Telephone System [...] NEW YORK (Reuter) - Two New Jersey companies said Friday they have developed technology that will allow voice conversations via the Internet between users of computers and ordinary telephones. The two companies, VocalTec Inc. of Northvale, and Dialogic Corp. of Parsippany, said they expect the system to be available in the next few months. The company said the computer-to-telephone connection, known as the Internet Phone Telephony Gateway, will allow computer users to place calls to normal local, long-distance or international telephone users. Internet-based phone communication presents a low-cost alternative to traditional telephone communications handled by local and long-distance carriers. It enables callers to combine the low cost of Internet connections, the convenience of initiating calls from either PCs or telephones, and the ability to communicate with anybody with a telephone via the public switched telephone network. However, the Internet poses technical problems such as variable voice quality and momentary speaking delays that preclude, at least for now, any widespread replacement of existing phone networks by Internet telephone communications. VocalTec chairman Elon Ganor said the software provides the conversational quality of a good cellular phone connection, but the quality may vary depending on the sophistication of the Internet access company providing the local connections. He said the Internet telephone gateway is expected to be available as a complete system in the second quarter of this year. [...] The product will be available to third party product developers to incorporate into their own products. Ganor said the products will be sold through Dialogic and Vocaltec's existing networks of resellers, system integrators and direct channels. VocalTec said the Internet Phone Telephony Gateway will enable new applications that use the Internet as a low-cost network for computer-to-telephone and phone-to-phone calls. Calls to wireline and cellular phones are possible. The system is comprised of a PC running Windows 95 and the VocalTec gateway software and a Dialogic computer telephone adapter card and linked to the telephone network and the Internet through a 28.8 kilobit or faster modem connection. The new software complements the company's existing Internet telephone software, which currently can only connect one personal computer user to another. ``The availability of the Internet as an open, global information network has generated considerable interest from our customers,'' said Bob Heymann, vice president of business development at Dialogic. ``The Internet Telephony Gateway will enable (resellers) and systems integrators to offer innovative applications such as international 'hop off' and Internet-based customer service,'' he said. Dialogic is a leading maker of add-on computer hardware circuit boards that enable computers to function as telephones. [...] VocalTec is headquartered in Herzliya, Israel and has U.S. offices in Northvale, N.J. It went public Feb. 7, 1996. From markm at voicenet.com Sat Mar 9 15:01:27 1996 From: markm at voicenet.com (Mark M.) Date: Sun, 10 Mar 1996 07:01:27 +0800 Subject: FCC & Internet phones In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sat, 9 Mar 1996, Just Rich wrote: > There's also an article in today's San Jose Mercury News. > > I'm just wondering how the hell they would enforce regulations on carrying > voice over the Internet. Are they going to analyze every packet? What > happens when someone makes a trivial modification to the code, or adds a > gateway, so that the voice call uses a different UDP (or more likely RTP) > port and header format? I wonder what exactly the FCC means by the term "Internet Phone." Does this just mean that software like IPhone will be regulated, or will this also apply to RealAudio and sending uuencoded .WAV files through e-mail. Also, will this regulation apply to video and audio software like CuSeeMe and Mbone software? - --Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMUIIBLZc+sv5siulAQGTbQQAhlNhKIDKfAnRS4gPXCtTmpcGwBZyHM+4 xQ6/Zvcep8V9xcGayNcA1RT7HFD1qpqIq7Xojgbg76Bv5mK9g4GEVvZN18tFeaDF gcYYG4qO0Wz681D4KsAaeC9OZ8n59StjLGAn/CVmCgI31LCWr/oUYcN31E4+r3gM QU7Ag55idnE= =WFIz -----END PGP SIGNATURE----- From EALLENSMITH at ocelot.Rutgers.EDU Sat Mar 9 15:12:37 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 10 Mar 1996 07:12:37 +0800 Subject: Someone in a goverment with something close to the right idea... Message-ID: <01I2565G8OEEAKTUFI@mbcl.rutgers.edu> Well, he at least has part of the right idea. -Allen +++++++++++++++++++ Reuters New Media [...] _ Friday March 8 2:41 PM EST _ Malaysia Is Against Curbs On Internet Debate KUALA LUMPUR, Malaysia - Censoring Internet access will not solve concerns over privacy and individual freedom in cyberspace, Malaysia's Deputy Prime Minister Anwar Ibrahim said. "Censoring the Internet is not the solution. Simply closing our doors will not only hurt us but push us back in the race for growth and prosperity," he said in a speech at the launching of the Internet World '96 conference (http:/www.asiaconnect.com.my/asia-internet/) Countries concerned with such issues should instead utilize the Internet to reinforce social responsibility, he added. "Let us not forget that an informed citizenry is also a responsible citizenry," Anwar said. Copyright, Reuters Ltd. All rights reserved From EALLENSMITH at ocelot.Rutgers.EDU Sat Mar 9 15:31:06 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 10 Mar 1996 07:31:06 +0800 Subject: Remailer Security Message-ID: <01I25746VK34AKTUGH@mbcl.rutgers.edu> From: jrochkin at cs.oberlin.edu (Jonathan Rochkind) >Um, there's no reason why your remailer's account needs to be logged into >interactively, is there? Seems like remailer ops should disable login to >remailer accounts, putting '*' into the password field in /etc/passwd, or >however unix lets you disable login (I know it does). This depends on the setup at the remailer machine. If I'm operating a remailer off of a rented account on a commercial machine, how am I going to maintain the remailer when it crashes if I can't get into that account? This would work to some degree if the machine in question had the remailer program in a publically-accessible account, and all the remailer account was doing was A. acting as a forwarding account and B. containing info like the private key of the remailer. But it could still go wrong in a way such that you'd need to get into the account (or have root access, which is equivalent from what I know of the subject). -Allen From EALLENSMITH at ocelot.Rutgers.EDU Sat Mar 9 15:38:15 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 10 Mar 1996 07:38:15 +0800 Subject: Virtual Magistrate Project Message-ID: <01I257AWTBEEAKTUGH@mbcl.rutgers.edu> Unfortunately, the below system seems a bit civil liberties-unfriendly in some ways (deeming laws against "obscenity" ever to be justified, for instance). On the other hand, it's an arbitration mechanism - which should have competitors and different contracts using different arbitratiors. Of course, Phil Agre tends to want the "whole community" involved with stuff instead of, as is proper in most cases, the people involved. Progressive liberals... sigh. -Allen From: IN%"rre at weber.ucsd.edu" 5-MAR-1996 03:35:20.71 [Is this scheme too naive to work? Well, if we want cyberspace to be self-governing then surely we need something like this. What's important, I think, is legitimacy. That is, people should regard it as having the moral stature to actually make judgements and have them stick. Certainly *I* think that Bob Gellman is a good person to have in charge of a project like this. But it's the whole community's opinions that matter, not just mine. Should we have elections on the net for jobs like this? Or what?] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help at weber.ucsd.edu =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Date: Mon, 4 Mar 1996 10:18:04 -0500 (EST) From: Paul Evan Peters To: Multiple recipients of list Subject: Announcement of the Virtual Magistrate Project Dear cni-announce subscribers: Attached please find a press release announcing the establishment of the Virtual Magistrate Project. CNI is facilitating discussion of this project, and I encourage your attention to it. Let me know if you have any observations or suggestions that you would like me to pass on the project's organizers. Best, Paul Paul Evan Peters Executive Director Coalition for Networked Information 21 Dupont Circle Washington, DC 20036 Voice: 202-296-5098 Fax: 202-872-0884 Internet: paul at cni.org URL: ftp://ftp.cni.org/ URL: gopher://gopher.cni.org:70/ URL: http://www.cni.org/CNI.homepage.html PRESS RELEASE PRESS RELEASE PRESS RELEASE PRESS RELEASE For Immediate Release, March 4, 1996 Virtual Magistrate Established for the Internet Voluntary Dispute Resolution for Network Conflicts A newly established Virtual Magistrate Project will assist in the rapid, initial resolution of computer network disputes. The specialized system of online arbitration and fact-finding was announced by Timothy C. Leixner, Chairman of the Board of the National Center for Automated Information Research (NCAIR) which is funding the pilot project. The Fellows of the Cyberspace Law Institute helped in the development of the project. "Millions of people around the world communicate and conduct business on computer networks," said Mr. Leixner in announcing the project. "Disputes are inevitable, and existing courts can be too slow, too cumbersome, and too local to have global effect. We need to explore new forms of dispute resolution, provide timely relief, and develop appropriate sanctions that are suitable for worldwide computer networks. That is the purpose of the Virtual Magistrate Project." A pool of neutral arbitrators with experience in the law and in the use of computer networks will serve as the Virtual Magistrates. The magistrates (who do not have to be lawyers) will be selected jointly by the American Arbitration Association and the Cyberspace Law Institute, and will undergo training in arbitration techniques. Complaints will be accepted through either through electronic mail or through a form on the Virtual Magistrate's World Wide Web site. Internet users, system operators, and others affected by network messages, postings, and files may be the source of complaints. Initially, the Virtual Magistrate will decide whether it would be reasonable for a system operator to delete or otherwise restrict access to a challenged message, posting, or file. Objections may be based on copyright or trademark infringement, misappropriation of trade secrets, defamation, fraud, deceptive trade practices, inappropriate (obscene, lewd, or otherwise violative of local system rules) materials, invasion of privacy, and other wrongful content. At a later date, the Virtual Magistrate may accept complaints about other network- related activities. The need for a fast and accessible resolution of disputes is highlighted by ongoing litigation involving Netcom On-Line Communications Services and the Church of Scientology. The Church alleged that postings made by a Netcom user infringed on the Church's copyrights. The case is before federal district court, and a lengthy proceeding is expected. Arbitration though the Virtual Magistrate Project might have been able to offer an independent assessment of whether there was infringement. Prompt identification of reasonable responses for system operators would clearly be beneficial to all. Use of the Virtual Magistrate for immediate resolution of disputes would not preclude traditional litigation. An impartial magistrate will be assigned to each complaint. Proceedings will normally take place through electronic mail. The goal is to reach a decision within 72 hours (three business days) whenever possible. Information on cases decided by the Virtual Magistrate will be publicly available at a World Wide Web site maintained by the Villanova Center for Information Law and Policy at . Other documentation for the Project is available at the same Web site. David Johnson, Co-Director of the Cyberspace Law Institute said: "The Virtual Magistrate Project is not a solution to all network problems. Some matters will inevitably end up in traditional courts. If the Virtual Magistrate Project can contribute to the swift, inexpensive, and fair resolution of some disputes, then it will be a success." Paul Evan Peters, Executive Director of the Coalition for Networked Information, a diverse partnership of over two hundred institutions and organizations promoting the scholarly and intellectually productive uses of the Internet commented: "This project promises an extremely important and much needed alternative to legislation, contract negotiation, and litigation for addressing the uncertainties that we should all face together in the rapidly evolving networked resource and service environment." The Virtual Magistrate Project is a pilot project. Adjustments to the rules and procedures will be made based on experience. The Project will be evaluated by the participants at a conference to be convened by NCAIR and CLI in May 1996, and decisions will be made about finding a more permanent structure and funding. NCAIR has made $75,000 available for the operation of the pilot. NCAIR is a non-profit, educational corporation actively engaged in the study and application of technology to the to the legal and accounting professions since 1966. The American Arbitration Association (AAA) is a public-service, not-for-profit organization offering a broad range of dispute resolution services to corporations, attorneys, insurers, individuals, trade associations, unions, consumers, and all levels of government. AAA has been an international focal point for private dispute resolution since arbitration became an acceptable alternative to courts in the 1920s. George Friedman, Senior Vice President of AAA said: "Given the increasing inaccessibility of the court system and the explosive growth of online technology, it is quite appropriate that an effort would be made to develop a means of resolving disputes simply and quickly online. The American Arbitration Association is delighted to be a founding partner of the Virtual Magistrate Project, which will undoubtedly pave new ground in advancing alternative dispute resolution." The Villanova Center for Information Law and Policy will maintain a public online repository of Virtual Magistrate complaints, decisions, and documents. The Villanova Center will also maintain electronic discussion groups for magistrates, participants, and other interested parties, and it will work jointly with AAA to prepare training materials. The Villanova Center is at Villanova University School of Law, near Philadelphia. Contacts: Virtual Magistrate Project, Robert Gellman, Executive Director, 202-543-7923, rgellman at cais.com Cyberspace Law Institute, David R. Johnson, 202-496- 9523, djohns06 at counsel.com; David Post, 202-364-5010, dpostn00 at counsel.com Villanova Center for Information Law and Policy, Henry H. Perritt, Jr., Professor of Law, 610-519-7078, perritt at law.vill.edu National Center for Automated Information Research: Timothy C. Leixner, Chairman of the Board, 954-462-3300 emoleixner at aol.com American Arbitration Association: George Friedman, Senior Vice President, 212-484-4120, usadrghf at arb.com Electronic Addresses for the Virtual Magistrate Project VM Web Page: http://vmag.law.vill.edu:8080/ AAA Web Page http://www.adr.com Complaints: vmag at mail.law.vill.edu Help: vmag-question at mail.law.vill.edu vmag-help at mail.law.vill.edu VM Operations: vmag-admin at mail.law.vill.edu vmag-owner at mail.law.vill.edu AAA Administrator: vmag-aaa at mail.law.vill.edu VM Executive Director: rgellman at cais.com From jamesd at echeque.com Sat Mar 9 15:46:27 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Sun, 10 Mar 1996 07:46:27 +0800 Subject: News on RSA vs. Cylink Injunctions and Patents Message-ID: <199603092330.PAA25299@dns1.noc.best.net> At 05:31 PM 3/8/96 -0500, Adam Shostack wrote: > Is RSA now saying that the original Diffie-Hellman patent > (#4,200,770) is not valid? I'm curious, because in the past, as I > understand things, RSA has said that the DH patent covers El Gamal. > If RSA no longer considers DH to be a valid patent, that would mean El > Gamal is not patent encumbered. That is what this court decision says: If Diffie-Hellman does not cover RSA, then it does not cover El Gamal either. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From EALLENSMITH at ocelot.Rutgers.EDU Sat Mar 9 16:08:57 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 10 Mar 1996 08:08:57 +0800 Subject: Edited Edupage, 5 March 1996 Message-ID: <01I258226POUAKTUGH@mbcl.rutgers.edu> From: IN%"educom at elanor.oit.unc.edu" 7-MAR-1996 16:54:24.02 >***************************************************************** >Edupage, 5 March 1996. Edupage, a summary of news items on information >technology, is provided three times each week as a service by Educom, >a Washington, D.C.-based consortium of leading colleges and universities >seeking to transform education through the use of information technology. >***************************************************************** Unless all they're doing is putting an (incredibly expensive) front end on PGP, these people appear to be reinventing the wheel. >OPEN MARKET OFFERS SAFE MESSAGING >Open Market Inc. has developed a new class of Web software designed with >built-in message-checking to ensure the integrity of messages and make the >network safe for financial transactions. OM-Transact doesn't come cheap -- >it's priced at $250,000 per license. Another new product, OM-Axcess, allows >companies to monitor and control access to the Internet by both employees >and customers. It costs $35,000 a copy. (Investor's Business Daily 5 Mar >96 A8) >Edupage is written by John Gehl (gehl at educom.edu) & Suzanne Douglas >(douglas at educom.edu). Voice: 404-371-1853, Fax: 404-371-8057. >Technical support is provided by the Office of Information Technology, >University of North Carolina at Chapel Hill. >*************************************************************** >EDUPAGE is what you've just finished reading. To subscribe to Edupage: send >a message to: listproc at educom.unc.edu and in the body of the message type: >subscribe edupage Feodor Dostoevski (assuming that your name is Feodor >Dostoevski; if it's not, substitute your own name). ... To cancel, send a >message to: listproc at educom.unc.edu and in the body of the message type: >unsubscribe edupage. (Subscription problems? Send mail to >educom at educom.unc.edu.) From abostick at netcom.com Sat Mar 9 16:32:22 1996 From: abostick at netcom.com (Alan Bostick) Date: Sun, 10 Mar 1996 08:32:22 +0800 Subject: Fractals, Cellular Automata, and Encryption In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- In article , tcmay at got.net (Timothy C. May) wrote: > Steven Wolfram had some speculations about using fractal or cellular > automata-based systems for a new kind of cipher. His paper is in one of his > books ("Theory and Application of Cellular Automata"), but it doesn't > really get beyond just speculating. And, I recall that someone proved > several years ago that Wolfram's CA-based encryption scheme was formally > equivalent to a linear congruential generator. > > I think I included a few paragraphs on this topic in my Cyphernomicon. Schneier has a few words to say about cellular automata in the first edition of APPLIED CRYPTOGRAPHY (I don't have the 2nd, shame on me). Howard Gutowitz published and patented in 1992 a symmetric block cipher algorithm, based on cellular automata, called CA-1.1 . There are a couple of CA-based hash algorithms. CA-based PRNGs have been shown to be isomorphic to linear feedback shift register RNGs (not linear congruential generators, despite what Tim says) and so are subject to the same security woes as LFSRs. - -- Alan Bostick | I'm laughing with, not laughing at. mailto:abostick at netcom.com | The question is, laughing with WHAT? news:alt.grelb | James "Kibo" Parry http://www.alumni.caltech.edu/~abostick -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMUIZgeVevBgtmhnpAQG3YQL+PUxnW30lCOTfqN5JmrB6RSWD0c/pZbNU 0qijNq0Ka0i+yDBVkbgR8Gdd+vyS6gZKzpbWQxuvv1Xrqg7aeuh/0nEnTLSclpfB AJShGFEVN1+XSs7zLWIHdQ0CdM/ZSuKL =JuFk -----END PGP SIGNATURE----- From EALLENSMITH at ocelot.Rutgers.EDU Sat Mar 9 17:06:37 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 10 Mar 1996 09:06:37 +0800 Subject: SurfWatch Message-ID: <01I259NQ7CKWAKTUGH@mbcl.rutgers.edu> From: IN%"tcmay at got.net" 8-MAR-1996 20:20:53.36 >>The question I have is if these systems were widely implemented, could >>an Web page author or provider of content be sued for "mislabeling" >>their page? If so, under what circumstances? Could the RSAC attach >Again, I ask about what sort of _contract_ is involved? (In my case, none. >So, suppose I decide that my post, explaining the fraud that is Islam, >should be read by all Muslims. AllahAllowed, an Islamic rating service, is >upset. Just what is their recourse? I have no contract with them and have >not arranged to label my posts. So, who can sue? The government? Try the >First Amendment. Given various anti-obscenity laws that the idiot Supreme Court has already found constitutional (including those against providing "indecent" material to minors), I wouldn't depend on the First Amendment. Here are some scenarios under which rating services could turn into bona-fide censorship (by the governmental limiting of information access definition): A. The government threatens ISPs with more direct censorship (a la the CDA) unless they force their users to rate their pages with some such service. B. The government finds someone guilty of providing indecent materials to minors for not having put a rating on their web pag using some such company - or even all the companies' rating systems. I.e., under nonsense such as attractive nuisance laws. C. The government (a la the V chip) requires a rating system, or one of a collection of "government-approved" rating systems, for all web pages. D. The government in a country such as China uses rating systems to help them filter. E. The government uses already-existing ratings to easier find web pages to shut down upon its instituting a censorship plan. (This is the gun registration argument). These last two don't mean that people shouldn't be permitted to create rating systems for obscenity/whatever - just that responsible people shouldn't encourage them in doing so. Now, except for the last two, these can be gotten around by being in the right country (one not doing such evil acts), but it would be preferable if that weren't the only way to avoid them. Discouraging rating systems in the first place can help to do so. Please note that I'm making a distinction between rating systems involving placement on the web page to be rated, and other ones. The keyword-based ones get around the above arguments (except possibly D and E). as do the central database ones in which someone else is doing the rating. (They do not get around the question of whether parents should be permitted to restrict children's information access on grounds such as obscenity at all. Given that no harm has ever been proven from children's viewing such material (_possibly_ unlike the data on violence, although that is quite disputable and not an argument for censorship), whether parents properly have that degree of sovereignty over their children is questionable. Children are not the property of their parents. -Allen From alanh at larry.infi.net Sat Mar 9 17:07:58 1996 From: alanh at larry.infi.net (Alan Horowitz) Date: Sun, 10 Mar 1996 09:07:58 +0800 Subject: steganographic trick In-Reply-To: <199603072228.OAA24671@netcom18.netcom.com> Message-ID: Vladimir, Imagine you're an FBI agent or something like that. You've been assigned to investigate some guy, to include sniffing out any data he may have stored in encrypted format to keep private. You de-crypt the data from some elaborate stego scheme, and find - a recipe for chocolate cookies. The federal agents I know, are clever enough to say to themselves: "what's wrong with this picture?" From EALLENSMITH at ocelot.Rutgers.EDU Sat Mar 9 17:09:47 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 10 Mar 1996 09:09:47 +0800 Subject: The attempt to limit Internet phoning Message-ID: <01I2595560U2AKTUGH@mbcl.rutgers.edu> I somewhat doubt the below is correct in their believing their actions are the reasons for the anti-Internet-phone move. The recent announcement by 2 New Jersey companies of a service whereby someone with a computer linkup can call someone without it (on Reuters on Yahoo) would appear to be a better explanation. -Allen From: Francisco Lopez Date: Thu, 7 Mar 1996 23:31:18 -0600 From: Gleason Sackman To: Multiple recipients of list NET-HAPPENINGS Subject: MISC> 'VON/FWD/IPHONE' ACTIVITIES CONSIDERED "MISUSE OF THE INTERNET" - BY ACTA (130 USA Long Distance Telephone Carriers) Date: Wed, 6 Mar 1996 21:00:08 -0500 (EST) From: Jenny Jacobson ---------- Forwarded message ---------- Date: Wed, 6 Mar 1996 15:03:07 -0500 (EST) From: Sandy Combs To: free-world-dialup at pulver.com Subject: [Free World Dialup]: 'VON/FWD/IPHONE' ACTIVITIES CONSIDERED "MISUSE OF THE INTERNET" - BY ACTA (130 USA Long Distance Telephone Carriers) ******************************************************* VON ALERT -- FWD ALERT --IPHONE ALERT -- NETWATCH ALERT ******************************************************* It appears that our recent FREE WORLD DIALUP press release was the straw that broke the camel's back. The FCC was petitioned yesterday by ACTA "TO STOP MISUSE OF THE INTERNET". The sale and use of Voice-On-the-Net (VON) software is being challenged by 130 of the USA's largest long distance telephone carriers. Among them, MCI, SPRINT, and LDDS. According to the ACTA press release: "A growing number of companies are selling software programs with ancillary hardware options that enable a computer to transmit voice conversations. This, in fact, creates the ability to "by-pass" local, long distance and international carriers and allows for calls to be made for virtually 'no cost.'" And also, "...the misuse of the Internet as a way to "by-pass" the traditional means of obtaining long distance service could result in a significant reduction of the Internet's ability to transport its ever enlarging amount of data traffic." 'VON' COALITION BEING FORMED A VON Coalition is currently being formed and members will testify at the spring meeting of the FCC when they discus telephony issues. If you don't want to loose your right to VON technology, NOW is the time to be counted. WHAT CAN I DO? We need an immediate head count of those on these lists that CARE ENOUGH TO BECOME INVOLVED! Subscribe RIGHT NOW to this SPECIAL VON Coalition list: vonYES at pulver.com To subscribe: VON Coalition List 1) send E-MAIL to: majordomo at pulver.com 2) leave the SUBJECT blank 3) in the BODY write - subscribe vonyes To subscribe: VON Coalition List Digest 1) send E-MAIL to: majordomo at pulver.com 2) leave the SUBJECT blank 3) in the BODY write - subscribe vonyes-digest Further discussions regarding the VON Coalition will be posted to the above only. If you DO NOT act TODAY, your rights and FREE TELEPHONE via the internet may well be lost! Jeff Pulver Sandy Combs [your name here] (Press Release distribution authorized by, Jennifer Durst-Jarrell, Executive Director, ACTA 3/5/96) From tcmay at got.net Sat Mar 9 17:25:56 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 10 Mar 1996 09:25:56 +0800 Subject: Fractals, Cellular Automata, and Encryption Message-ID: At 11:35 PM 3/9/96, Alan Bostick wrote: >Howard Gutowitz published and patented in 1992 a symmetric block cipher >algorithm, based on cellular automata, called CA-1.1 . There are a >couple of CA-based hash algorithms. CA-based PRNGs have been shown to >be isomorphic to linear feedback shift register RNGs (not linear >congruential generators, despite what Tim says) and so are subject to >the same security woes as LFSRs. Yeah, that sounds like what it is. This is what I get for answering a question without checking reference sources and/or FAQs, including my own FAQ, wherein it is written: 18.6.2. "Can cellular automata, like Conway's "Game of Life," be used for cryptography?" - Stephen Wolfram proposed use of cellular automata for crytography some years back; his collection of essays on cellular automata contains at least one such mention. Many people suspected that 1D CAs were no stronger than linear feedback shift registers (LFSRs), and I recally hearing a couple of years ago that someone proved 1D CAs (and maybe all CAs?) are equivalent to LFSRs, which have been used in crypto for many years. - Wolfram's book is "Theory and Applications of Cellular Automata," 1986, World Scientific. Several papers on using CAs for random sequence generation. P. Bardell showed in1990 that CAs produce the outputs of LFSRs.) Wolfram also has a paper, "Cryptography with cellular automata," in Proc. CRYPTO 85. - Intuitively, the idea of a CA looks attractive for "one-way functions," for the reasons mentioned. But what's the "trapdoor" that gives the key holder a shortcut to reverse the process? (Public key crypto needs a trapdoor 1-way funtion that is easy to reverse if one has the right information). On the other hand, if more people asking questions about fractals, chaos, quantum cryptography, etc., would check the usual places, others would not have to do this searching for them. (To his credit, the guy who asked today if anyone knew anything about the "index of coincidence" did say that he first grepped through my FAQ.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From EALLENSMITH at ocelot.Rutgers.EDU Sat Mar 9 18:04:51 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 10 Mar 1996 10:04:51 +0800 Subject: SurfWatch Message-ID: <01I25AB1E1DIAKTUGH@mbcl.rutgers.edu> From: IN%"jsw at netscape.com" "Jeff Weinstein" 9-MAR-1996 04:41:47.02 > I predict that 6 months after the first internet rating system is widely >deployed, the largest use of search engines such as altavista will be to >look for pages with the most "naughty" ratings. Perhaps such services will >allow text searches for free, but charge for searches based on the rating >tag... Unfortunately, AltaVista doesn't index based on comments field (in which category the SafeSurf ratings fall). Opentext, given that one supposedly can search for links to a page, may be able to do it on the other hand. Putting together a web spider that would search for such could be a profitable undertaking. I did some checking on AltaVista and found one service by the name of "Naughty Lynx" which automatically checks all of its links every hour or so - one problem with "adult-oriented" sites is that they disappear a lot. Some such feature would probably be necessary. Seems to be a good potential use of the DigiCash system, since one doesn't need merchant anonymnity that much until someone comes up with anonymous-location web pages; the Naughty Lynx system appears to support itself via advertising). Combining this with a web proxy would also be good. -Allen From m5 at dev.tivoli.com Sat Mar 9 18:14:39 1996 From: m5 at dev.tivoli.com (Mike McNally) Date: Sun, 10 Mar 1996 10:14:39 +0800 Subject: PLEASE REPLY!! In-Reply-To: <4hkdsc$fvd@jade.emeraldis.com> Message-ID: <199603061654.KAA11308@kenya.tivoli.com> David G. Cannon writes: > Did this message make it out to the "real" world?? Please reply to > this message if it did. Thankyou. I generally don't comment on noise like this, but I'm getting curious. Did somebody advertise cypherpunks at toad.com as a uucp configuration tester? ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * * suffering is optional From EALLENSMITH at ocelot.Rutgers.EDU Sat Mar 9 18:14:48 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 10 Mar 1996 10:14:48 +0800 Subject: Assasination Politics Thread #3 Message-ID: <01I25A47RE3MAKTUGH@mbcl.rutgers.edu> From: jf_avon at citenet.net (Jean-Francois Avon (JFA Technologies, QC, Canada)) >"E. ALLEN SMITH" wrote: >> Has it? Currently, we've got the guys who deal with the public (the >>politicians and the low-level bureaucrats) and the faceless drones (the rest >>of the bureaucrats). The politicians can be protected, and already are to >>some degree. The low-level bureaucrats aren't _that_ likely to be targeted >>by enough people to make a difference, and the ones who go bad enough to do >>so can be protected (or sacrificed, if that seems to be the way to keep the >>public happy). The faceless drones can be even more faceless, and so very >>hard to target. >Just a question to you: >What makes the faceless drones powerfull? The classification of low-level bureaucrat known as a cop. See above for the problems with them. -Allen From vznuri at netcom.com Sat Mar 9 18:19:29 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sun, 10 Mar 1996 10:19:29 +0800 Subject: rhetorical trickery In-Reply-To: <199603090231.VAA01548@bb.hks.net> Message-ID: <199603100055.QAA22483@netcom12.netcom.com> >> there is an infamous case of a child pornographer or pedophile in >> California that is sometimes cited by law enforcement representatives >> as a good example of the evils of encryption: supposedly he encrypted >> his diary and it couldn't be unlocked by them. this was mentioned in >> the article. >> >> but I have a question: how did they know it was his diary? > >If I remember some earlier discussion about that case from a few years >ago, the file was called "diary.pgp". how did they know it was *his* diary? granted, this is highly suggestive, but again not conclusive. it could be his friend's diary, or a diary of his flowertending, or whatever. sure, a government agent could insist, "well, don't be a bonehead. it's obviously his diary, and surely contains all his crimes against children". ah yes, just as, obviously, even before trial, "the man is a criminal" From tcmay at got.net Sat Mar 9 18:27:43 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 10 Mar 1996 10:27:43 +0800 Subject: SurfWatch Message-ID: I plan to taper off on all responses to this thread about SurfWatch and ratings services. Various sides have expressed their opinions about what courts and governments will demand, and others respond by saying, "I disagree. They can pass a law..." or "I disagree. The government is powerless," etc. At 11:25 PM 3/9/96, E. ALLEN SMITH wrote: > Given various anti-obscenity laws that the idiot Supreme Court has >already found constitutional (including those against providing "indecent" >material to minors), I wouldn't depend on the First Amendment. Here are some Finding something to be obscene, or treasonable, or actionable in other ways, ex post facto, is significantly different from a requirement _in advance_ that words be "rated." (Before anyone cites the MPAA movie ratings, an old war horse often trotted out as proof that the government requires ratings, let me again point out that the MPAA ratings are not required by the government and that the MPAA is nominally a private organization. Now, what the government _might_ have done back in the 60s had the movie industry not acted to "police themselves" is unknown to us. The Supremes might have overturned any mandatory rating on movies, just as they almost certainly would for words.) In the terms of the lawyers--from what I picked up during my time on the Cyberial list--a requirement that words be rated before they can be distributed would not pass Constitutional muster. This does not mean that one's words will not trigger prosecutions, lawsuits, treason trials, etc. What it means is that "prior restraint" is frowned upon (recall "The Progressive" H-bomb case of about 15 years ago, where a court subjected this magazine to prior restraint...a rare occurrence, later overturned. A more recent case involves "Business Week," and is still unresolved). >scenarios under which rating services could turn into bona-fide censorship >(by the governmental limiting of information access definition): > A. The government threatens ISPs with more direct censorship (a la the >CDA) unless they force their users to rate their pages with some such service. See above. Books are not rated. Even the "parental advisories" on CDs are ostensibly voluntary (granted, because noises were made about government ratings...but the point remains that a good, solid Constitutional test has not yet happened). > C. The government (a la the V chip) requires a rating system, or one >of a collection of "government-approved" rating systems, for all web pages. By the way, who does the rating in this scenario? As others have also noted, if I am rating my own pages, and rate them as "suitable for all ages," but Jesse Helms disagrees, what charges can be filed? That I was not a good enough judge of the material? That my opinions differed from Senator Helms'? "Voluntary self-rating" runs into problems, such as this example. One is left with ratings by _others_, e.g.. ratings boards, and even then there are variations of this same problem. The "Lesbian Alliance" is going to have different ideas of what children should be exposed to than the "Christian Crusade" will ideas about. Who is right? ("What is truth?") So, one is then left with government censors. And the Constitution is pretty clear about this. > D. The government in a country such as China uses rating systems to >help them filter. Doesn't have much to do with _my_ words or pages. It ain't the business of the U.S. court system--which is what we're talking about here--to worry about what some Maoists think is proper for young cadres to read. >(They do not get around the question of whether parents should be permitted to >restrict children's information access on grounds such as obscenity at all. >Given that no harm has ever been proven from children's viewing such material >(_possibly_ unlike the data on violence, although that is quite disputable and >not an argument for censorship), whether parents properly have that degree of >sovereignty over their children is questionable. Children are not the property >of their parents. I disagree with the overall conclusions of this line of reasoning. (Though the "children are not the property of their parents" point is heavy phrasing, and hard to take issue with directly, due to the language.) I don't know if exposure to sex is good or bad. I see a lot of aimless souls. I see a lot of AIDS. I'm unpersuaded that the proper solution is just to teach "safe sex" and proper condom-donning behaviors to fourth graders. If my neighbor wants to expose her children to this, that's her business. In any case, while children are not for their parents to do with as they please, a reasonable Schelling point has been that I will not force other parents to expose their children to the teachings of Cthulhu if they will not demand that my children sit through propaganda tapes about the joys of homosexual sex. The status of children in a free society is a thorny issue, but I reject the increasingly-prevalent notion that society knows what's best and the government will decide what influences can be used with children. A society which takes away this parental choice is a terrible society. I see much of the debate about violence and sex in society and in the media as being this kind of "battle for the hearts and minds" of children. I don't want some sociologist telling me that "Terminator II" is "bad" for my child but that "The Story of O" should be mandatory for my 11-year-old to watch. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From EALLENSMITH at ocelot.Rutgers.EDU Sat Mar 9 18:30:56 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 10 Mar 1996 10:30:56 +0800 Subject: Cryptanalysis Message-ID: <01I25ASYNMT6AKTUGH@mbcl.rutgers.edu> From: IN%"tcmay at got.net" 9-MAR-1996 12:05:04.70 >There are very good reasons to say little about "conventional >cryptanalysis": it just doesn't matter much with modern ciphers, such as >public key systems. Modern ciphers don't fall to conventional attacks based >on word frequency, pattern analysis, etc. I realize that this may also be considered an out of date subject, but what's a good reference for codes as opposed to cyphers (other than the one reference in the Cyphernomicon which includes "codes" in its title)? Thanks, -Allen From jf_avon at citenet.net Sat Mar 9 18:53:54 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Sun, 10 Mar 1996 10:53:54 +0800 Subject: U.S. State Dept criticizes Chinese net-censorship Message-ID: <9603100116.AA29320@cti02.citenet.net> -----BEGIN PGP SIGNED MESSAGE----- Paul said: >examples set for him by those who are his mentors. If man turns >predatory, it is because he found that set of behaviors best suit his >needs of the moment - otherwise he would seek other ways of fullfilling >those needs. >Hence - we are not rational creatures. Well, I do not agree with that statement. Even if most individuals are not acting on rational basis, it does not mean that Man is not a rational animal. Man exercise thought and reason in a volitional manner. Wether he decides or not to do it is another thing. So many peoples *actively* avoid thinking and yet, it is the only way they could survive if it were not of others... In a sense, they are free-riders. To think and use reason requires efforts. I guess that they just do not like exercising... Regards JFA -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQEVAwUBMUHk4siycyXFit0NAQG9rwgAngIpFTTbaJXBG+u3fiLPdMhDl9VOTHAW nIxuRZ1AkMbXZbJXYeY97C0BLxMt7PqQInDUL0eW68GwAt2F7LqUuhdKh64QXwi+ 7jHas+/RCDj/CkxifHZv67uNPuIb7k0mDH8hHumsF0rUXT93P8yNWAMeL6z7dBnG M2vapstNpxwhmX+u9La3smoGDQniJ2XkQ7VDIcM9rfDrIl1Z3lmuzmpxn+HuxMJm i38fbmBuouL7WtxRhv0F8qVdz05O21+3tn7L303UWS21ffw8Su970gvHwDr6F0HU vLmpN6zv/s1mgqF7gTAb5GUizmH2vwjgR7/5kzH7GViKl4ZI5cY1EA== =JmUo -----END PGP SIGNATURE----- Public Key at http://w3.citenet.net/users/jf_avon Jean-Francois Avon 2048 bits key ID:C58ADD0D 1996/03/01 fingerprint=52 96 45 E8 20 5A 8A 5E F8 7C C8 6F AE FE F8 91 From tcmay at got.net Sat Mar 9 19:04:24 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 10 Mar 1996 11:04:24 +0800 Subject: Cryptanalysis Message-ID: At 11:57 PM 3/9/96, E. ALLEN SMITH wrote: >From: IN%"tcmay at got.net" 9-MAR-1996 12:05:04.70 > >>There are very good reasons to say little about "conventional >>cryptanalysis": it just doesn't matter much with modern ciphers, such as >>public key systems. Modern ciphers don't fall to conventional attacks based >>on word frequency, pattern analysis, etc. > > I realize that this may also be considered an out of date subject, >but what's a good reference for codes as opposed to cyphers (other than >the one reference in the Cyphernomicon which includes "codes" in its title)? The usual: Kahn, Denning, and some of the old Dover Press books on crypto. Also, Herbert Zim wrote a nice little book about 40-50 years ago on codes. Some of the standard crypto textbooks will of course have more pointers to cryptanalysis. (Not to sound harsh to Allen, but why would anyone ask here on the list for recommendations to such a standard subject when Schneier, Garfinkel, Denning, etc. all have books listed?) Again, the reason stuff like "word frequency counts" and "index of coincidence" notions are so seldom involved in modern crypto--which is what all public key systems involve--is that they are essentially of no use. There is no point in doing statistical analysis of patterns on the ciphertext in an RSA or similar encryption. (Because any "patterns" discovered are meaningless.) And there are so many interesting areas to pursue with using and furthering modern crypto, that I just can't understand how people can think that classical cryptanalysis is useful. It might be fun, as a hobby, but it has no bearing on modern systems. (Well, I'm exaggerating a bit. I suspect that classical cryptanalysts at the NSA or GCHQ might have some insights into some problems with modern systems, such as traffic analysis. So I shouldn't say there is "no use" for it. But I hope you all understand my point in general. It is unlikely in the extreme that anyone who fools around a little with classical cryptanalysis will have anything important to contribute as a result of this.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jimbell at pacifier.com Sat Mar 9 19:08:12 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 10 Mar 1996 11:08:12 +0800 Subject: Leahy's guillotine. Message-ID: -----BEGIN PGP SIGNED MESSAGE----- To: All Recent Senate crypto bill Mr. LEAHY (for himself, Mr. BURNS, and MRS. MURRAY) introduced the following bill; which was read twice and referred to the Committee [stuff deleted] 2804. Unlawful use of encryption to obstruct justice Whoever willfully endeavors by means of encryption to obstruct, impede, or prevent the communication of information in furtherance to a felony which may be prosecuted in a court of the United States, to an investigative or law enforcement officer shall... I think we may reasonably assume that this section was very carefully written, and thus it may contain meanings (or avoid containing meanings) that only a careful reading will disclose. Contrary to some other sloppy interpretations that I've seen here recently from organizations that ought to know better, I see nothing in this section that limits the prosecution on this law to people who are actually participating in a crime. This distinction is vital. While the sentence is not diagrammed, it appears to be the INFORMATION which is in "furtherance to a felony," not the "obstructing" of that communication. The implication is that it is not necessary that a person know the exact information involved or be able to decrypt it; he needs only be deliberately using encryption to prevent the knowledge of what the information is about, or its routing. (As in an encrypted anonymous remailer, for instance.) Moreover, the errors among the organizations that are now apparently declaring their general support for this amendment are apparently based on a false view of the effects of this section. Aside from this, it isn't clear what is meant by the phrase, "obstruct, impede, or prevent the communication of information in furtherance to a felony." An obvious problem is this: How will they know if the use of encryption actually had that effect? If it was UNsuccessful, then obviously that encryption did not prevent the government from obtaining information. If it was SUCCESSFUL, then how is the government to know that the communication in question was "in furtherance to a felony"? Even if they can prove the felony by other means, how can they show that the communication actually had anything to do with the crime? Another problem: Encryption, per se, does not "prevent the communication of information." What it does, of course, is to prevent the UNDERSTANDING of that information. Do the writers of this bill intend to use this law to punish the LATTER effect, rather than the former? Further, how is the person to be charged to know if his use of encryption had the effect of "obstruct[ing], imped[ing], or prevent[ing] the communication of that information? If he encrypts a file to his hard disk, and he doesn't intentionally send the file to the cops, how is he supposed to anticipate that the use of encryption had this effect? As far as HE knows, it was simply his decision to not send the file to the cops; he can't be expected to know that they'll show up the next morning with a search warrant and take his computer, can he? Would his refusal to provide the decrypt key constitute a violation of this section? Or, if he sends that file to another person, and the cops happen to be (secretly) listening in, how is he to know? Does their inability to decrypt that information constitute a violation of this section? After all, the cops did indeed get the encrypted file; they simply don't know what to do with it! They are already "impeded" in UNDERSTANDING that file; a broad interpretation of this law would make the person who is wiretapped, as well as the person to/from whom the file is send, guilty of this crime. I'll be blunt, because it's what I do best: Anybody who reads this section of the bill and is NOT worried about its myriad possible interpretations is a fool or worse. I'd welcome a lawyer's interpretation of this law, but I suspect he'd be just as worried as I am: This section is a disaster waiting to happen; it is genuinely a Pandora's box that is just waiting to be opened by some sleazy prosecutor. Further, any organization with even a shred of credibility that does not condition its support for this bill on the complete removal of this section is doing the rest of us an extreme disservice: It is trading on and risking its reputation, because many of them are issuing opinions of this section of the bill with assurances that it will only be used against "guilty" people, when there is simply no way to know if this is going to be true. Wake up, people. These days, the only difference between a limousine and a tumbrel is the destination... Jim Bell jimbell at pacifier.com Klaatu Burada Nikto -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUIpdPqHVDBboB2dAQHoxgP/W3QVLGB4xfRQVVf/Udh+sa72Jhy64ON1 Gp2tfiTRYN1LkbpicZI84Hl2m0P2+D3cCCwEL87FDJgKOz2VFHowhGB+cQYIbw5X te3JNT+DFJQ5y+rdDptnraZkToWJIqVFohOguKP3uPi0lQVK5J331QlfQrt1Fuxi qpVf/zAE5yI= =dpTg -----END PGP SIGNATURE----- From EALLENSMITH at ocelot.Rutgers.EDU Sat Mar 9 19:28:14 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 10 Mar 1996 11:28:14 +0800 Subject: Assasination Politics Message-ID: <01I25C3C4MW8AKTUGH@mbcl.rutgers.edu> From: IN%"jimbell at pacifier.com" "jim bell" 9-MAR-1996 13:28:53.37 >The one thing that disappoints me about the result of my presentation of >this idea is that I haven't heard any intelligent arguments quantitatively >arguing that things will be worse. Other proponents simply agree that the >system would be better; most of the opponents don't take the trouble to >quantify their objections. _Quantitatively_? How could such arguments be quantitative? The only quantitative arguments that seem to be applicable appear to be over whether or not it could work, not whether or not it would result in an ethically better situation (assuming close to congruent ethical principles, such as agreement on civil liberties). >What's interesting is that you see this; yet there are a number of opponents >who can't seem to realize that what THEY want (or, for that matter, what _I_ >want) may be absolutely irrelevant to what is actually going to happen. Whether it will work is a seperate question from whether, if it will work, the consequences are preferable. I'm discussing the first question on a linked thread. Admittedly, one topic that should be brought up in this (and in case of others having skipped this message, one that I'll bring up in that thread) is whether the possible weaknesses of the system (the number of persons in the government, et al) may result in its having an ethical result, if possibly not the one for which you had the original idea. I suspect most people aren't going to want to eliminate every IRS agent from the face of the earth, given currently present moral standards. Some other branches of the govenrment may be a different possiblity. (As well as cases outside of the government such as O.J. Simpson). >Perhaps, but most (non-net-using) people are so unaware of encryption as to >make this irrelevant, I think. It's still a worry; if moves were made to put it into practice, it could be used by a government to take various means to crack down on the use of encryption, et al. How much they could suceed in doing so is another question, and one that is frequently debated on this list. >Have you forgotten what might happen to those same televangelists? Yes, they might be targeted also. Essentially, this comes down to an ends-justify-the-means problem, and one on which I'd come down on the "no" side of the question - I wouldn't want the televangelists killed just because they called for the assasination of someone who shouldn't be assasinated, even though this would turn out the best result in the end. (I am willing to see Iran's government killed, on the other hand, since I _know_ they're participants in a system which kills or tries to kill innocent people (i.e., Rushdie). That sort of proof wouldn't be present under Assasination Politics for televangelists.) >While I'd sure like to be able to design a system where only the "right" >people die (by my own opinion), I'm under no illusion that this would be >anything other than a dictatorship under "Jim Bell" or whoever happened to >be in control. I think I've done a fairly good job of designing >(anticipating?) a system that will do a lot of good, hopefully without doing >a lot of bad. I once sent back to someone who was asking "What would you do to improve the world" a response of "put me in charge, if you're going to ask that general a question." I will leave the reader to conclude whether I was kidding. I understand the basic problem of "will it be better than the current system or not" as not being "which is perfect." -Allen From EALLENSMITH at ocelot.Rutgers.EDU Sat Mar 9 19:28:15 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 10 Mar 1996 11:28:15 +0800 Subject: FCC & Internet phones Message-ID: <01I25C5K07CEAKTUGH@mbcl.rutgers.edu> From: IN%"rich at c2.org" "Just Rich" 9-MAR-1996 15:03:20.78 >I'm just wondering how the hell they would enforce regulations on carrying >voice over the Internet. Are they going to analyze every packet? What >happens when someone makes a trivial modification to the code, or adds a >gateway, so that the voice call uses a different UDP (or more likely RTP) >port and header format? I believe the companies are mainly worried about other companies doing such phone service, not about the individual. However, they may also go after those selling equipment (inc. programs) for such competition. -Allen From stevenw at best.com Sat Mar 9 19:31:34 1996 From: stevenw at best.com (Steven Weller) Date: Sun, 10 Mar 1996 11:31:34 +0800 Subject: SurfWatch Message-ID: >> I predict that 6 months after the first internet rating system is widely >> deployed, the largest use of search engines such as altavista will be to >> look for pages with the most "naughty" ratings. Perhaps such services will >> allow text searches for free, but charge for searches based on the rating >> tag... >> -- >> Jeff Weinstein - Electronic Munitions Specialist >> Netscape Communication Corporation >> jsw at netscape.com - http://home.netscape.com/people/jsw >> Any opinions expressed above are mine. In the mid-eighties in the UK they adopted the idea of a red triangle continuously displayed on the screen of movies shown on TV that were considered to have more than the normal share of wobbly pink bits, airborne blood, etc. Viewing figures for obscure 70's French movies shown at 1:30am soared as all the horny geeks sat through two hours of forest/eating/traffic or whatever scenes waiting for the 7 seconds of nudity. I'm sure that far more children saw these movies than would have without the government sponsored red flag with the words "Get It Here" being waved like crazy as the movie rolled. ------------------------------------------------------------------------- Steven Weller | "The Internet, of course, is more | than just a place to find pictures | of people having sex with dogs." stevenw at best.com | -- Time Magazine, 3 July 1995 From wlkngowl at unix.asb.com Sat Mar 9 19:58:49 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Sun, 10 Mar 1996 11:58:49 +0800 Subject: Bootable disks In-Reply-To: <960306145542_239131693@emout09.mail.aol.com> Message-ID: <31423C9C.41E0@unix.asb.com> In Mar. 5 (?) Edupage, there's a blurb about a floppy drive that is compat with 1.44M disks but can also handle special 80M disks, allegedly available in April. If so, there's some nice potential here. From wlkngowl at unix.asb.com Sat Mar 9 20:00:44 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Sun, 10 Mar 1996 12:00:44 +0800 Subject: FCC & Internet phones Message-ID: <199603100222.VAA06105@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- t byfield wrote: [..] > doubt the situation for bureaucratic rule-mongering would be much > different. The WP article said that has ACTA has "asked the [FCC] to stop > this kind of communications and study how to regulate it," probably--and > not surprisingly --in that order. I noticed they complainted about IPhone "giving away our product for free" or something like that. Bad implications. Imagine MS going after the FreeDOS people, or Novel or AT&T or whoever owns Unix now going after Linux or the FSF/GNU... [..] > Q: Is it practically possible to find netphone traffic on a > generic network at any level above the source and target addresses? Good question. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMUI89CoZzwIn1bdtAQFXBAF/RSoygg/szTsrtI+Ds512YDV3KswRP43r 4HfgV+PHex3JqnhOWNbWuNga05EsFDJp =EcBe -----END PGP SIGNATURE----- From sasha1 at netcom.com Sat Mar 9 20:16:09 1996 From: sasha1 at netcom.com (Alexander 'Sasha' Chislenko) Date: Sun, 10 Mar 1996 12:16:09 +0800 Subject: Stego - images and sounds Message-ID: <2.2.32.19960310030830.00ec2fc8@netcom.com> At 12:19 PM 3/8/96 -0800, Jim McCoy wrote: > >Provided the bits are random in the way that they should be... The low-order >bits in such files were chosen by implementors of stego programs because >modification would not be noticed by the person viewing or listening to >the file, not necessarily because there was actually randomness at this >level which could be replaced. Does anyone know of a survey of images or >sound files which tested the statistical randomness of these bits? They >may not be as random as people think they are. > This should depend on how the image/sound was obtained, though I am pretty sure in most cases there would be easily detectable patterns. They would be the strongest in software-generated files, smaller in good reproductions of precise recordings, and very small in noisy recordings. In all cases, the number of lower bits used for stego-messages may be chosen lower than the existing noise of the signal. Changing all lower bits in a good rendered image may still be unnoticeable for the human viewer, but really easy to detect to a program. ------------------------------------------------------------- Alexander Chislenko Home: http://www.lucifer.com/~sasha/home.html ------------------------------------------------------------- From anonymous-remailer at shell.portal.com Sat Mar 9 20:33:06 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Sun, 10 Mar 1996 12:33:06 +0800 Subject: jim bell Message-ID: <199603100358.TAA09779@jobe.shell.portal.com> * WARNING * This post may contain offensive materials including the names of certain Senators. Parental supervision is highly advised. * WARNING * I think I have a problem. Jim Bell's assasination politics rants are beginning to make sense. I can't believe I said that. Time to see a shrink. Bye. ObPerry: None. So EXON off. From ses at tipper.oit.unc.edu Sat Mar 9 21:19:38 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sun, 10 Mar 1996 13:19:38 +0800 Subject: SurfWatch In-Reply-To: Message-ID: On Sat, 9 Mar 1996, Steven Weller wrote: > In the mid-eighties in the UK they adopted the idea of a red triangle > continuously displayed on the screen of movies shown on TV that were > considered to have more than the normal share of wobbly pink bits, airborne > blood, etc. I seem to remember this being something Channel 4 introducted on there own to try and deflect criticism (and probably saved the station). Probably saved the station, and introduced a lot of people to the art of subtitles :-) Has anybody registered CrotchWatch as a trademark? Simon --- i gotta say this you're acting blameless you're making bucks like you're fucking shameless i'm coming hard it won't be painless coding styles of the rich and brainless From roger at coelacanth.com Sat Mar 9 21:22:24 1996 From: roger at coelacanth.com (Roger Williams) Date: Sun, 10 Mar 1996 13:22:24 +0800 Subject: anonymous web pages (Was: SurfWatch) In-Reply-To: <199603100222.UAA03114@proust.suba.com> Message-ID: <9603100428.AA1031@sturgeon.coelacanth.com> >>>>> Alex Strasheim writes: > Has anyone ever considered setting up anonymous web sites on top > of usenet? People could post pages anonymously to usenet, and the > web sites could grab them and put them up automatically. I see two problems right off the top: 1. Given the number of images, sound files, and movies that the most popular web pages will invariably have, the load incurred by propagating the associated files all over the net would be tremendous; 2. If CDA begins to be seriously enforced, Usenet will suffer as much as the Web: as soon as ISPs have reason to believe that such and such a newsgroup is carrying unlawful material, they'll have to stop spooling those groups. The material will move into off-topic groups, ISPs will get tipped off, and they'll have to shut those off too. I can imagine a whole army of busybodies scanning the comp.* hierarchy for pictures of tits... -- Roger Williams PGP key available from PGP public keyservers Coelacanth Engineering consulting & turnkey product development Middleborough, MA wireless * DSP-based instrumentation * ATE tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/ From jimbell at pacifier.com Sat Mar 9 21:25:29 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 10 Mar 1996 13:25:29 +0800 Subject: Leahy bill nightmare scenario? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 06:23 PM 3/9/96 -0800, Dan Weinstein wrote: >On 9 Mar 96 at 9:26, you wrote: > >> >I agree with your concerns here, but I find it hard to believe that >> > the courts would allow a broader interpretation. >> >> Unfortunately, what you find "hard to believe" I find easy to >> believe. Remember, if this bill is passes, it doesn't merely affect >> YOU, it affects ME. So I suggest the burden of proof is on YOU to >> show that these provisions aren't going to be maliciously >> interpreted by the courts. > >Burden of proof? Sorry, I do not have to justify my views to anyone. > I am trying to have a reasonable discussion of this issue, thus, the >"burden of proof" lies equal on each of us. Well, you're arguing in apparent favor of a segment of a bill which CHANGES current law. Moreover, you're suggesting that we should trust the government's biased future interpretation of the ambiguous wording. Since that clause doesn't really have to be there for the rest of the bill to stand by itself, I'd say it's fairly obvious that the burden of proof is on you. I'm arguing, on the other hand, that there is danger in ambiguity, and there is! >> >Here you are dead wrong, the bill specifically states: "in >> >furtherance of a felony." Its like those laws that let them charge >> >someone with murder in the first if someone dies while you are >> >commiting another felony. They must prove the original felony >> >before they can get you on the murder one. The real purpose of >> >this provision, as I read it, is to give longer sentences to >> >criminals that use crypto. >> >> I'm not a lawyer, but I assume neither are you. Please explain the >> LEGAL DEFINTION of "in furtherance of a felony." If you can't, then >> you simply don't know how far they will go. And you're depending on >> the reasonableness of the government for the interpretion. > >True, I am not a lawyer. I would like to hear from one of the >lawyers on the list for a more deffinitively. Since you also admit >you are not a lawyer, I do not accept your opinion as superior to >mine. Please note my more recent commentary to "all" where I point out that it is the INFORMATION which is to be "in furtherance of a felony," not the action of the person doing the encryption. Like I pointed out, the sentence is not diagrammed, but I think it's fair to conclude that knowledge of the details of the information is unnecessary to be guilty under this section of the bill, merely the fact that you're using encryption to hide SOMETHING WHICH _MIGHT_ BE INFORMATION "IN FURTHERANCE OF A FELONY." We're getting into pretty dangerous territory, I think. > I was pointing it out as something that I believed you had >missed. I find it hard to believe that anyone can further a felony >when their is no felony. They used to prosecute conspiracies when there was no crime! Did you know that? In the late 1800's, it was not illegal for a worker to endeavour to have his salary increased, but union membership ("a conspiracy") was ILLEGAL! In other words, a conspiracy to do a legal thing was illegal. > In addition, this is VTW's interpretation >based on the analysis that they have posted to their home page. I >would presume that they were using lawyers to analyze the bill. I seriously doubt it. I haven't gotten a response from Mr. Safdar, yet, which I consider to be suspicious. If he's confident of his position he'll back up his interpretation with whatever legal advice he used to decide on his original support. My guess is that he simply read the bill in a sloppy fashion, jumped to the conclusion that the writers of the bill hoped we'd do, and wrote up his support without a lawyer's advice. >> >> Fourth, I gave what I considered to be a clear example of the >> >> hypothetical misuse of an encrypted remailer by the cops, one >> >> that would arguably make the remailer operator guilty of some >> >> "reasonable" anti-kiddie-porn statute. At that point, _he_is_ >> >> the target of the investigation. Unless you can show that this >> >> kind of action by the government is impossible, I consider it to >> >> be not merely possible but almost certain to occur. >> > >> >Again, the problem I see with your scenario is that I don't believe >> > that the courts will interpret it that way. >> >> What you think is irrelevant. Most people probably didn't realize >> what the government did in the Amateur Action BBS case was "legal," >> either. But they did it anyway. > >Yes, this case was certainly a travesty. The thing about it was that >it violated the law. Their actions took place in California, but >they were tried in Tennessee. This is a violation of U.S. law. >Again, this is my non-professional opinion, but I have heard several >professionals proclaim that the governments actions seriously >violated its own laws. Yes, it was a "travesty." But it was a travesty because the people involved simply didn't care whether what they did looked kosher to the average BBS/net user, and figured the average citizen wouldn't care. >If your point is that the government does >not obey its own laws, then all I can say is that if that is how you >feel then why oppose the bill? Won't they end up doing what they >want anyway? Not if I have my way about it. I assume you are aware that I'm the author and primary proponent of my "Assassination Politics" essay. I consider it essentially inevitable. Moreover, with the exception of a few killings done by perfectly anonymous people, it should be entirely legal by current black-letter law. This should eventually eliminate the ability of the government to cause the kind of outrages we've all heard about, such as the SJ Games case, Amateur Action case, and of course Waco and Ruby Ridge, along with many others. Once adopted, any government employee who pisses off even a tiny fraction of the population would either resign or die, or both, and you'd never have to wonder whether a government-hired murderer would get away with his crimes. You need to understand that long before I started publicizing this idea, I was fully aware that the government would have to do something to prevent this from happening: They'd have to write new laws to make crimes out of things that were not formerly crimes. I believe that they are trying to do exactly this with this new law: What they want to do is to be able to prosecute people who are doing nothing more than collecting "bets" and paying off "winners" in a "lottery" that government employees can only lose, fatally. In short, the government is trying to head off "crypto-anarchy," which I guess is Tim May's trademark. I suggest that we don't allow them to; it will merely make the government's eventual end even bloodier. >> Are you assuming that you have the key? Remember, if you run an >> encrypted anonymous remailer, and assuming you do it honestly, you >> won't be keeping records as to the source of the note. >> >> Thus, if they "serve a warrant" and you CAN'T decrypt the message >> (or tell them where it came from) then why aren't you already >> guilty? Remember, the wording of the proposed law doesn't require >> that you have full knowledge of the crime involved, merely that you >> act "in furtherance" of it... If you don't possess the key, but >> you explicitly ran your remailer so that you never it, just so you >> couldn't relinquish it, you have structured your operation too >> thwart any investigations. You are ALREADY guilty. This may not >> sound reasonable, but the government no longer (if it ever did) >> considers "reasonableness" to be an impediment to their actions. >> > >I don't but this. If I am a reporter if I receive an anonymous tip, >a court could order me to tell who my source was, but I couldn't and >they couldn't do anything about it unless they could prove that I >knew who the source was. If I knowingly aranged for the source not >to reveal himself to me, could I them be charged with obstruction of >justice or contempt of court? Again it is my non-profesional >opinion, but I really doubt this. Comment from a lawyer would be >appreciated. You shouldn't use the example of a "reporter." See, due to the 1st amendment (and the fact that news organizations are rich and influential) the law tends to defer to the media in situations where it shouldn't. For example, a reporter can usually refuse to give sources for information, but ordinary citizens can't refuse to testify against other people in an analogous way. (I'm not saying the reporter should be forced to testify; I'm saying the average citizen should NOT be!) Citing the example of a reporter is therefore misleading, because you could be correct about the current interpretation in that instance but not if you tried to apply this analogy to the operator of an anonymous remailer. >> >I disagree, it states you must "willfully endeavor" to use the >> >encryption as a means of obstructing the investigation. To me, >> >this means that it is the motivation for using the encryption. >> >> Question: What, exactly, is the motivation of a person running an >> anonymous remailer? His motivation is clear: To allow people to >> send anonymously untraceable messages. Assuming he's of ordinary >> levels of intelligence or beyond, he is aware that somebody may some >> day use his system for illegal purposes. You're going to have to >> explain why a court _CAN'T_ interpret this as being in violation of >> the law. >> > >If I rent cars, someone might one day use a car rented from me in a >robbery. Does that make my an accessary? NO. Again, your example is misleading. Manfacturers and suppliers of goods and services that are rich and have been around a long time have hired lobbyists to get politicians to formulate laws that are "friendly" to their particular business. Anonymous remailers, on the other hand, have little budget, none for lobbying, and they have no "history" of court cases that back up their rights in these matters. Cite all the cases you want from "smokestack America" and it'll get you nowhere: Juries may sympathize with car rental places (who at least do a credit check on their customers, BTW) but there's no guaranteee they'll sympathize with a remailer whose "only" function is to disguise the source of a message. >> > If I set >> >up an encrypting remailer for the purpose of allowing free exchange >> > of ideas, I don't believe I would be liable under this law. >> >> Your optimism is touching. It is also vastly misguided. > >If you think I am optimistic, you must think just about everyone is >an easy dupe. Well, so far, a number of organizations seem to have fallen for this bill. Most of them are smart enough to be worried about this section, but the problem is that they are not aware of how bad the problems are. They have no imagination; they don't try to answer the question, "How can this law be abused?" > If I do not quite reach your level of paranoia, I >apologize; I will try to get to where I distrust everyone like you. >Or are you just plotting to make me paranoid? If you've already admitted that the Amateur Action BBS case was a "travesty," then how in the world can you call me "paranoid"? As the saying goes, "You're not paranoid if the ARE out to get you!" >> >The >> >only way I could see a remailer charged under this is if he had >> >solid evidence that a specific user was violating the law, and took >> >no action. >> >> Gee, I wish you were right, but my experience with government thugs >> says that they will do anything they think they can get away with. >> > >Their is certainly A LOT of that with in our government, but to claim >everyone in the government is a jack-booted thug is just too far over >the top for me. (Yes, yes I realize you think this is niave.) It doesn't take "all" of them to be thugs for a bill such as this to be abused. The scum rises to the top, or floats to the bottom. >> >I see some real problems too, but I do not see the problems with >> >this provision to be enough to condemn the entire bill. >> >> I don't "condemn the entire bill." I would, however, reject the >> entire bill if that provision remains. And morever, if we make a >> serious attempt to have it removed, the more they resist removing it >> the more we should insist it go. > >I don't want it removed, I think it is an important bone to through >to those in the middle. In the "middle" of what? The public? Or a few self-interested politicians? If it's the latter, I'd say "fuck 'em!" If the only way they'll pass the rest of the bill is to have that portion of the bill there, then they must think that portion of the bill is REAL IMPORTANT! And if they think that, you need to ask yourself WHY is it so important to them? Sorry, but _I_ know why it's so important to them; the power and even their very lives are on the line. > I would like the phrasing tightened up so >that it could only be used against those that deserve it. Who "deserves it"? And why wouldn't you be satisfied with convicting them of whatever crime they are presumably already guilty of?!? >> There would still be a problem. What's the definition of "actually >> involved in committing the felony"? Are you aware, for example, >> that manufacturers of small plastic screw-top vials have been >> prosecuted and convicted simply because their vials could be used to >> hold small quantities of drugs such as cocaine and crack? This was >> a case from a few years back, BTW. I wish I could remember the >> cite. > >I was not proposing that exact language, I am not a lawyer and don't >imagine I could come up with the bullet-proof wording that is >required. > >> If you're not aware of these things, WAKE UP! Your optimism >> disgusts me, because it is entirely unrealistic and based on a >> rose-colored-glasses view of the government. > >I am not aware of the vial case; I certainly would find such a thing >interesting to read. That's the problem: These kinds of cases are often not well publicized. People like you get a vastly over-optimistic view of "the law" when you don't know the distances the thugs will go to persecute and prosecute people. > If this was what happened, and laws exist that >allow this, then we ought to repeal those laws, but I don't see the >baring that has on this case; I have already said that they should >narrow the language so that it will not be used to the ridiculous >extream. Question: let's suppose the wording of this section of this bill CAN be "used to the ridiculous extreme"? If we presume that the people who wrote this bill were intelligent and knew what they wanted, why would not not conclude that "the ridiculous extreme" is EXACTLY what they wanted? And if that's the case, then we'd damn well better figure out just how "ridiculous" those extremes are! >> >> Any explanations, Dan? >> > >> >You are talking about the fringe, this, I think, was added as an >> >attempt to bring in those that are in the middle. >> >> Why would "those that are in the middle" object to a bill which is >> little more than a re-statement of rights we already believe we >> have?!? > >I am not talking about reality; I am talking about what they can tell >the voters if they are beat up over passing such a bill. You seem to >over rate the average voters grasp of the issues. It doesn't matter >that the bill really creates or diminishes crime, it is how the >voters can be made to perceive it. I've already pointed out that "the average citizen" is unaffected by crime whose investigation can be "thwarted" by the use of encryption. You're going to have to explain why such a section is even there: Who is it going to appease, and why? >> > That is, Those >> >that see the need to prevent the use of encryption as a means of >> >obstructing justice, but feel that we should also have a right to >> >privacy. >> >> There is no viable middle ground here. Any tool can be abused. >> > >If that is true, than you are left with those that are the oppressed >and the jack-booted thugs. I do not believe that the only motivation >of those that are opposed to strong encryption is to oppress me. >Many are trying to do what they think is right, this provision is >their to give those that are tetering between the two options an easy >way to move to our side. You mean POLITICIANS, don't you? Not ordinary citizens! >> > To say that there is no delema here is ridiculous, crime is >> >a serious problem that we are already having a terrible time >> >dealing with. >> >> On the contrary, my opinion is "The _government_ is a serious >> problem that we are already having a terrible time dealing with." >> Fortunately, I've found a solution, and the government is trying as >> hard as it can to prevent it (and "crypto-anarchy" in general) from >> taking root. >> > >Good premise, now if you could sell that premise to everyone in >Congress than your right this provision is useless. Unfortunately, I >don't think you will have much luck with this. The reason I can't "sell this premise to everyone in Congress" is that it is exactly those people who are the problem! And my solution involves either 535 resignation letters or 535 coffins, whichever. And they are reacting predictably. >> > I think Leahy realizes that this provision will be about as >> >useful as the "use a gun, go to jail" laws, but wants to give those >> > in the middle to say that they bill will help prevent crime. >> >> Ha ha! That's rich! There is no reason that a "pro-encryption" >> bill has to contain any general "anti-crime" clauses. The average >> person is afraid of burglars, muggers, murderers, rapists, car >> thieves. When is the last time the average person was the victim of >> a crime whose investigation could be "thwarted" by the use of >> encryption? If you can't think of an example, you've just proved my >> point: This provision is entirely irrelevant to the average citizen >> (at least in a "positive" way) and can't be considered a "win" for >> him. > >You talk about my being naive, this takes the cake. Do you really >believe that any pro-crypto bill could make it through Congress with >out some sort of anti-crime clause? That might be the "realistic" position, but it's a position which assumes that the government employees have their own agenda and interests, and will act on those interests and against those of the average citizen. This is certainly true, obviously, but that is exactly where the problem lies! Jim Bell jimbell at pacifier.com -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUJWh/qHVDBboB2dAQGo9QP/XKQ9EqAZ60muoZNE7QD9m0U5B12c8Fav ECVNObImJ+Y6hTniq43MHx6WoCQ+hOEZqWmLN7WDK9NkylnsOcveuUinrRnfJq97 cRmhqHuxSvBVnfzjfXW2RNUmLG+BcGCh88uSTeznEol9djQiMxPr7tOugB2AW5+u 3okUcP31ZBE= =CR2B -----END PGP SIGNATURE----- From ses at tipper.oit.unc.edu Sat Mar 9 21:31:07 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sun, 10 Mar 1996 13:31:07 +0800 Subject: FCC & Internet phones In-Reply-To: <199603100222.VAA06105@bb.hks.net> Message-ID: The real complaint of the telephone companies seems to be not that the calls are free, but that the 'whatevers' are not subject to the same tariff regulation that they are. I'm sure it's because they want to be able to lower their fees to the same level to compete. Quit sure. Simon --- i gotta say this you're acting blameless you're making bucks like you're fucking shameless i'm coming hard it won't be painless coding styles of the rich and brainless From owner-cypherpunks at toad.com Sat Mar 9 21:41:41 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Sun, 10 Mar 1996 13:41:41 +0800 Subject: No Subject Message-ID: Jonathon Fletcher writes: > Can anyone tell me anything about a product called "Entrust", by Nortel > (Northern Telecom). The notes talk about the software using DES ("which > employs a 56-bit key") so I guess it's single DES, not triple DES. It also > mentions a proprietary algorithm called CAST. > > Is this worthy of further investigation, or is it suspect ? What is > CAST, and would it be classed as snake oil ? "Entrust" was built by Smart People. Of course, any given component of it is only as strong as the underlying algorithms; you yourself are probably aware of the problems associated with DES vs 3DES and such. I would suggest examining the documents. I don't know anything about CAST. Perry From pmonta at qualcomm.com Sat Mar 9 21:53:00 1996 From: pmonta at qualcomm.com (Peter Monta) Date: Sun, 10 Mar 1996 13:53:00 +0800 Subject: FCC & Internet phones Message-ID: <199603100444.UAA02758@mage.qualcomm.com> Allen Smith writes: > I believe the companies are mainly worried about other companies doing > such phone service, not about the individual. However, they may also > go after those selling equipment (inc. programs) for such competition. Perhaps, but free software, for example, does not offer much of a target. Internet<->PSTN gateways sound more like a commercial venture, but even here we may start to see "free" services, such as the fax service that's been around for some time. Cheers, Peter Monta pmonta at qualcomm.com Qualcomm, Inc./Globalstar From lmccarth at cs.umass.edu Sat Mar 9 21:58:38 1996 From: lmccarth at cs.umass.edu (lmccarth at cs.umass.edu) Date: Sun, 10 Mar 1996 13:58:38 +0800 Subject: PGP to PC mail integration In-Reply-To: <199603010652.WAA00782@cryptical.adnetsol.com> Message-ID: <199603011533.KAA11422@opine.cs.umass.edu> Mike Ingle writes: > Exactly. Yes, it will at least have to have a config screen. It will > probably have to prompt for a passphrase on the fly, unless you want to > store it. It can ask to encrypt or not, or it can have a header in the > message. The important thing is I don't care about the user interface > of the mail program. This has been the big barrier so far. In spite of my previous grouchiness on this issue, I like the idea and I think it's worth pursuing. -Lewis From cross at math.psu.edu Sat Mar 9 22:00:54 1996 From: cross at math.psu.edu (Dan Cross) Date: Sun, 10 Mar 1996 14:00:54 +0800 Subject: anonymous web pages (Was: SurfWatch) In-Reply-To: <199603100222.UAA03114@proust.suba.com> Message-ID: <199603100450.XAA16800@hausdorff.math.psu.edu> A non-text attachment was scrubbed... Name: not available Type: application/pgp Size: 14 bytes Desc: not available URL: From tcmay at got.net Sat Mar 9 22:01:16 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 10 Mar 1996 14:01:16 +0800 Subject: Cryptanalysis Message-ID: At 6:32 PM 2/29/96, Alan Olsen wrote: >Here is the problem... I am looking for texts on the breaking >of cyphers. (I want to show him WHY the cypher is insecure and >not just say "It's crap!".) >I have done a couple of searches and have come up fairly dry. There are several places to look: * The Aegean Park Press line of books on military cryptanalysis, mostly the books by Friedman and his associates. Computer Literacy (on the Web) carries most of them. (Also mentioned in various crypto FAQs, as I recall.) However, these books are based on work done in WWII and the following decade(s), so the stuff is pretty dated. Still, nearly any "snake oil crypto" system, such as it sounds like your friend is building, will likely be far weaker than the ciphers the NSA was attacking back in the early days. (I just noticed that Bill Frantz made the same comments about the Friedman books. By the way, our own John Gilmore was instrumental in getting one of the last ones out into print; as I recall, he found one of them in a public library, and thus Aegean Park Press was able to republish it without the NSA stopping them.) * Several textbooks have good chapters on cryptanalysis, often buried in the "problems" section. I think Denning's book has a good chapter on the methods. * The journal "Cryptologia" is largely devoted to amateur cryptanalysis. >The Cyphernomicon has a couple of paragraphs, but nothing on >techniques or pointers to other references. RSA's FAQ has >little to nothing as well. A web search turned up little >useful. Most of the other references I have found have been for >current cyphers, but next to nothing about breaking them. There are very good reasons to say little about "conventional cryptanalysis": it just doesn't matter much with modern ciphers, such as public key systems. Modern ciphers don't fall to conventional attacks based on word frequency, pattern analysis, etc. Your friend is on a hopeless task. If he doesn't understand just how hopeless it is to develop a homegrown, conventional cipher then he's certainly not likely to take the time to become a skilled amateur cryptanalyst. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Sat Mar 9 22:01:39 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 10 Mar 1996 14:01:39 +0800 Subject: Chaff in the Channel (Stealth PGP work) Message-ID: At 9:32 PM 2/29/96, Bruce Zambini wrote: >Well, that's what I want to avoid; I think the issue is that as long as >stego is predictable, there's a problem, ie a message to a certain party >can be shown to exist, even if it's not readable. This might prove more >than ample evidence in certain circumstances. > >You shouldn't be able to recover the stego'd message without special >knowledge. This isn't addressed by current software, to my knowledge. Sorry if I haven't been following the latest "stego" messages too closely. If it is desired that an image, say, carry a steganographic message that is "undetectable" to adversaries, then much more than just stripping off the PGP markers (headers, identifying bits, whatever) must be done: the LSB bit plane, if this is the stego channel, must have statistics which are indistinguishable from "normal" LSB bit planes of images. (Not an easy thing to define or to implement, but there you go.) So, when the Khmer Rouge People's Enforcement Division looks at the image they have confiscated from your computer and examines the LSB bit plane for evidence of human rights files encrypted steganographically, that bit plane had better not have unusual statistics...it had better not look "too" random, as real life LSB randomness may not have nearly the entropy of PGP randomness, say. What can be done? One emergent standard could be to the following: - when images are sent, or stored, replace the true LSB bit plane (I say "true" to distinguish the actual "grey levels" of one or more of the color bit planes from RGB encodings in which the nominal LSB is not at all the minimum brightness changes) with a "PGP chaff image." - this PGP chaff image could be randomly generated, or chosen from a library, or (surprise, surprise) actually be an encoded message. - the point is that some percentage of all images would have this chaff present, so that mere possession of an image with the offending statistics would not ipso facto be proof of possession of an encrypted/stegoized message. (Of course, the Khmer Rouge People's Enforcement Division might simply kill you anyway, but then they might kill you for merely having a computer. One would hope that Reno's Raiders would not do likewise, and that the existence of multiple images with "chaff" image planes would be sufficient to confuse things.) - the adversary may know you have an image with a chaff plane, but he doesn't know that you actually know how to decode that chaff, that that chaff is not chaff to you. [How is this any different from simply sending chaff messages conventionally, without using steganography? Why not use the full bandwidth? Answer: Stego provides some plausible deniability, more important in court cases in the U.S. than to the Khmer Rouge, of course. Having random messages filling up one's hard disk is suspicious, but having images of the Mona Lisa which _may_ contain stego bits and which _may_ be readable by the owner is considerably less suspicion-arousing.] This is my take on fixing the stego situation. Instead of worrying about a "stealth PGP version," which is likely to be only a slight speed bump (because of the statistics), think about flooding the detection channels. Longterm, however, I certainly think that cryptographic messages can be made virtually indistinguishable from low-order bit noise. (I have argued this since the late 1980s, so I'm not changing my views now.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jimbell at pacifier.com Sat Mar 9 22:07:41 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 10 Mar 1996 14:07:41 +0800 Subject: rhetorical trickery Message-ID: At 09:15 PM 3/9/96 +0000, Deranged Mutant wrote: >"Vladimir Z. Nuri" wrote: > >> >> but I have a question: how did they know it was his diary? >> > >> >If I remember some earlier discussion about that case from a few years >> >ago, the file was called "diary.pgp". >> >> how did they know it was *his* diary? > >Well, nobody *knows*. But if you've got a file called diary.pgp on >your hard drive, chances are it's a diary of some sort. It's a >reasonable guess. Or it's the list of local dairies, and the guy can't spel.... Jim Bell jimbell at pacifier.com From EALLENSMITH at ocelot.Rutgers.EDU Sat Mar 9 22:17:01 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 10 Mar 1996 14:17:01 +0800 Subject: Vexatious Litigants (was: SurfWatch) Message-ID: <01I25AISROZKAKTUGH@mbcl.rutgers.edu> From: IN%"janzen at idacom.hp.com" "Martin Janzen" 9-MAR-1996 09:48:42.59 >ObCrypto, sort of: What if the page were retrieved through an HTTP >proxy which, unbeknownst to the author (and the filtering service/SW), >deliberately removes or alters the PICS-Label or other rating >information? The author did, after all, _provide_ the "undesirable" >material.... To what extent does the author's intent matter? Must Web >authors now add a digital signature to each page (including its rating >info), to prevent tampering? Good idea, and one that I should have remembered thinking of before with my comments on a "rating-searching" search engine. If it's providing web proxying on such links, including removal of potentially-exclusive ratings would be a good idea. (Running the system on a secure server would also be a good idea). -Allen From dlv at bwalk.dm.com Sat Mar 9 22:26:52 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sun, 10 Mar 1996 14:26:52 +0800 Subject: rhetorical trickery In-Reply-To: <199603082153.NAA28521@netcom4.netcom.com> Message-ID: <5s9HkD33w165w@bwalk.dm.com> Lance Deitweller posting as Vladimir Z. Nuri writes: > I noticed a rhetorical trick/trap that I've seen a lot lately, in the > recent article posted about Phil Zimmermann. > > there is an infamous case of a child pornographer or pedophile in > California that is sometimes cited by law enforcement representatives > as a good example of the evils of encryption: supposedly he encrypted > his diary and it couldn't be unlocked by them. this was mentioned in > the article. Did this really happen? I've never seen any concrete references to this incident and strongly suspect it's another urban legend. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From ses at tipper.oit.unc.edu Sat Mar 9 22:26:57 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sun, 10 Mar 1996 14:26:57 +0800 Subject: Leslie Fish address? In-Reply-To: <199603040608.WAA13704@netcom20.netcom.com> Message-ID: On Sun, 3 Mar 1996, Marianne Mueller wrote: > That's a wonderful notion - I think a Zappa tune would fit - > > (Pretty Good Music, the CD...) .. "RSA can you see, By the DN's early light" .. "People try to put us down Modular Exponentiation" .. "Well we squared the accum And halved the exponent And people could see I was a proponent of Big Nums Big Bad Nums" ... --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From frantz at netcom.com Sat Mar 9 22:27:53 1996 From: frantz at netcom.com (Bill Frantz) Date: Sun, 10 Mar 1996 14:27:53 +0800 Subject: No Subject Message-ID: <199603042219.OAA16557@netcom7.netcom.com> Date: Fri, 1 Mar 1996 10:26:14 -0800 (PST) Errors-To: gklein at willamette.edu Reply-To: cda96-l at willamette.edu Originator: cda96-l at willamette.edu Sender: cda96-l at willamette.edu Precedence: bulk From: Peter Saint James To: Multiple recipients of list Subject: Fwd: Freedom to Read Week (CA) and "Black Thursday" WWW page X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas This appeared on another list I'm on. Besides giving you a view of a (bad) future, it is an example of an HTTP proxy which could also be used for anonymous browsing. - Bill > ELECTRONIC FRONTIER CANADA (EFC) --- PRESS RELEASE > >(For immediate release --- February 27, 1996) > > > "Freedom to Read" in Cyberspace > > A few members of Electronic Frontier Canada have > developed an amusing and interactive Web page > to celebrate 'Freedom to Read Week'. > >The Internet, some people say, is out of control and in need >of strict government regulation. But just what might a censored >Internet look like? > >One possible answer to that question is given by the "Black Thursday Machine", >an interactive Web page that was the brainchild of three multimedia designers: >Brian Hall, Andrew Chak, and Rob Stanley. Stanley is also a member of the >online civil-liberties organization Electronic Frontier Canada. > >"Black Thursday Machine" Web pages: http://www.vex.net/~brian/Censored > http://www.hyperactive.net/censored > >The "Black Thursday Machine" invites Internet surfers who visit the site >to type in the address of their favourite Web page, to see what it might >look like if a Canadian version of the new and controversial American >"Communications Decency Act" were put into effect. > >The "Black Thursday Machine" will fetch any page you request, but it >presents you with a censored version. The algorithm it uses is simple >and unsophisticated -- but these are the same kinds of rules recently >used by America Online and CompuServe when they blocked access to >discussions including the words "gay", "sex", or "breasts". > >"Any naughty word is replaced by the word 'CENSORED' in bright red," >says Rob Stanley, who was the chief programmer. Which words are on >the forbidden list? "It works just like government censorship," >says Stanley, "you don't get to choose. It's an arbitrary process." > >The Web site has links to a few representative examples, including pages >about "Breast Feeding", "Safe Sex", "Planned Parenthood", and help for >troubled "Gay Youth", that are rendered almost unintelligible by the >crude censorship. > >"Despite well-intentioned desires to protect children," >says Jeffrey Shallit, vice-president of Electronic Frontier Canada, >"adults need to be able to communicate freely about controversial issues. >Otherwise, we'll reduce the level of discussion on the Net to >Winnie-the-Pooh." Paraphrasing a U.S. Supreme Court Justice, >Shallit said that censoring the net to protect children is >like "burning down your house in order to roast a pig". > >"The 'Black Thursday Machine' demonstrates the ravages of censorship >in an amusing and provocative manner", says David Jones, president of EFC. >"I hope people will take a moment during 'Freedom to Read Week' to visit >the web site because it illustrates what the wired world might look like >if artistic expression, vigourous debate, and all the subtley of human >communication and interaction were subjected to the cold, calculating, >and heartless scrutiny of a machine that filters out what the government >might deem as controversial, offensive, or just plain inappropriate for >the eyes of its citizens." > > > * Why "Black Thursday" ? > >New and harsh restrictions on what can be communicated through American >computer networks were signed into law on Thursday, February 8th, 1996 >-- "Black Thursday". "This sent a shock wave through the Internet, >where concerned individuals around the world "Painted the Web Black" >for 48 hours as a sign of protest," says David Jones, EFC president. > > > * About "Freedom to Read Week" in Canada (February 26 to March 3) > >"The purpose of 'Freedom to Read Week'," says Sandra Bernstein, >"is to encourage Canadians to think about and reaffirm their commitment >to intellectual freedom, as guaranteed under the Charter of Rights and >Freedoms." Sandra Bernstein, also a member of Electronic Frontier Canada, >represents the Periodical Writers Association of Canada on the >Book and Periodical Council's Freedom of Expression Committee, >which sponsors 'Freedom to Read Week' each year. > >Bernstein also maintains an online "Chronicle" which documents challenges >to Freedom of Expression in Canada: > > http://www.efc.ca/pages/chronicle > >-30- > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >EFC Contact Information: > > >Electronic Frontier Canada > > Dr. David Jones phone: (905) 525-9140 x24689 fax: (905) 546-9995 > email: djones at efc.ca > > Dr. Jeff Shallit phone: (519) 888-4804 fax: (519) 885-1208 > email: shallit at efc.ca > > Dr. Richard Rosenberg phone: (604) 822-4142 fax: (604) 822-5485 > email: rosen at efc.ca > > >Electronic Frontier Canada, online archives: > > URL: http://www.efc.ca/ > > >- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >Other Contact Information: > >- - - - - > >Multimedia designers who dreamed up the "Black Thursday Machine": > > -- programming, engine development. >Rob Stanley, phone: (416) 928-9503 (home), (416) 960-8400 (work) > email: themaxx at io.org > > -- graphical look, interface, design, and copy >Andrew Chak, phone: (416) 469-4154 (home), (416) 448-2403 (work) > email: chak at magic.ca fax: (416) 469-0914 > > -- concept development, design >Brian Hall, phone: (416) 504-0908 (home), (416) 351-1040 (work) > email: brian at hyperactive.net, pager: (416) 337-3377 > >These fellows also dreamed up the award-winning "Canadianizer" >at the following URL: http://www.io.org/~themaxx/canada/can.html > >- - - - - > >Additional sponsors of the "Black Thursday Machine: > > >HyperActive NetMedia http://www.hyperactive.net >Vex.Net http://www.vex.net >Passport Online http://www.passport.ca > >- - - - - > >Further Contact Information for 'Freedom to Read Week' in general > > >Freedom to Read Week -- Web page URL: http://www.cycor.ca/pwac/freeweek.htm > >Freedom to Read Week -- Publicist, Sarah Thring >phone: (416) 480-2533, fax: (416) 480-2434. > >Sandra Bernstein, phone: (416) 465-0798 >email: sandrab at inforamp.net, URL: http://www.inforamp.net/~sandrab/home.htm > >Book and Periodical Council, 35 Spadina Road Toronto, ON Canada M5R 2S9 >email: bkper at interlog.com >phone: (416) 975 9366, fax: (416) 975 1839 > >Periodical Writers Assoc. of Canada, 54 Wolseley St, 2nd Floor, Toronto M5T 1A5 >email: pwac at cycor.ca URL: http://www.cycor.ca/PWAC/Words.htm >phone: (416) 504-1645, fax: (416) 703-0059 From uunet!in1.uu.net!gwu.edu!dazed at warwick.com Sat Mar 9 22:28:21 1996 From: uunet!in1.uu.net!gwu.edu!dazed at warwick.com (John Nowicki) Date: Sun, 10 Mar 1996 14:28:21 +0800 Subject: If yer a fan of Matt Meow Meow Bruce, Pee Pee Herman, Rush Limbaugh, Grillo, Mark Staloff, Charles Nelson Reilly, Meg Tilly, Naomi Judd, Larry Storch, O. J. Simpson, Liberace, Judy Garland, or George Kirby, you won't want to miss this! In-Reply-To: <4h0f9e$p4f@guitar.sound.net> Message-ID: <4hl127$2b2@cronkite.seas.gwu.edu> : If it is some college prank, I think that the people responsible should : make an apology to Dr. Alan Keyes, who is a candidate for the presidency : of the United states and a rare vioce of sanity in a world of braying : jackasses like Slick Willie Clinton and his boss. I say impeach them both : and kick wiesenheimers like the idiot who started this thread into jail : where they belong and let them work for a living. Uh...this seems to be x-posted to my group as well...but I couldn't let this slip by... Alan Keyes associated with sanity?!?!?? Bwahahahahahahahahahahhahahahahahahahahahaahhahahahahahahahaha Please, a theocratic moron who thinks we should all live in accordance with his little monotone view of the world? You may now return to your normal lives. ------------------------------------------------------------------------- John Nowicki (dazed at gwis2.circ.gwu) : "There's one way to find out if a 1818 Kalorama N.W. #23 : man is honest- ask him. If he says Washington D.C. 20009 : yes, you know he is crooked"- GM ----------------------------------(7x1)---------------------------------- From stewarts at ix.netcom.com Sat Mar 9 22:28:37 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 10 Mar 1996 14:28:37 +0800 Subject: Another Motivation for the CDA (Federal Sentencing Guid Message-ID: <199603090558.VAA18420@ix7.ix.netcom.com> At 07:33 PM 3/8/96 -0800, jamesd wrote: >Also he did not steal the pizza. He destroyed it in the course of >intimidating some kids who were eating pizza. > >In theory one would expect the law to have this unjust effect, >but in practice most of the poster boys that people give as >examples of the injustice of this law are folk that one would >like to see taken behind a barn and shot out of hand. The pizza guy was a thug, but twice as many third-strikers got their third strike for marijuana as for all violent crimes combined. I assume most of these had large quantities, possibly intended for sale, and a number of them had real crimes as their previous felonies rather than Prohibition-related offenses. But you can get legally serious quantities of marijuana by just growing a couple of plants. >Perhaps the prosecutors are exercising prosecutorial discretion? Not much - Government Radio said tonight that they're not allowed to plea-bargain third strike felonies down to misdemeanors. The LA public defender's office is absolutely swamped, partly because third-strike cases are supposed to get diligent support, and partly because they have to go to trial rather than plea-bargaining a guilty, which is less work. The county jails are also having serious crowding problems, because prospective third-strikers are being kept in them pending trial to avoid risk of flight, so non-third-strike jailees are getting out early (especially drug violators.) And the guys who just got busted for having fertilizer, diesel oil, and drugs on their farm had a whole three ounces of marijuana and personal-use quantities of crank. Maybe they were planning to blow up buildings rather than stumps; but the Feds are trying to paint them as max evil just to build up their case. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From WlkngOwl at UNiX.asb.com Sat Mar 9 22:30:25 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Sun, 10 Mar 1996 14:30:25 +0800 Subject: FCC & Internet phones Message-ID: <199603100534.AAA17091@UNiX.asb.com> Simon Spero wrote: > The real complaint of the telephone companies seems to be not that the > calls are free, but that the 'whatevers' are not subject to the same > tariff regulation that they are. I'm sure it's because they want to be > able to lower their fees to the same level to compete. Quit sure. How can one compare the fees, though? You buy the software (or use a free version of similar software) and get an account with an ISP, and maybe an IRC-type network devoted to Internet phone. Telephone/conferencing over the 'net is different technology than standard telephone. How can they be compared? (The exception maybe if one can route an Internet phone call to regular phone switches.) I notice it's the small LD companies too. The biggies like AT&T and MCI are getting into the ISP business, so they probably don't feel threatened by it. ObCrypto: I don't know. I'm wondering how the FCC or DT Bill will affect the use of uch technologies, since it's pretty easy to plug in good crypto. Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From jamesd at echeque.com Sat Mar 9 22:31:52 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Sun, 10 Mar 1996 14:31:52 +0800 Subject: Petty Civil Disobedience Message-ID: <199603100537.VAA24499@mail1.best.com> At 10:31 AM 3/9/96 -0500, Declan B. McCullagh wrote: > Perhaps we should put up our own protest web sites with one or two > explicit sexual images as real civil disobedience? Major problem here is that ten million horny geeks are likely to bring your server to its knees, but if one only has one image, and it is moderately small, say thirty thousand bytes, perhaps the flood would taper off eventually. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From mgursk1 at gl.umbc.edu Sat Mar 9 22:32:31 1996 From: mgursk1 at gl.umbc.edu (Mike Gurski) Date: Sun, 10 Mar 1996 14:32:31 +0800 Subject: Chaff in the Channel (Stealth PGP work) In-Reply-To: <199603010418.VAA02087@nelson.santafe.edu> Message-ID: On Thu, 29 Feb 1996, Nelson Minar wrote: > As noble as "flood the detection channels" sounds, has it really ever > succeeded? Do people who don't care about privacy day to day ever go > through extra trouble to make other people's privacy easier? I can > think of two public efforts to increase noise that have failed: > putting Spook keywords in all Usenet posts, and using PGP email for > normal day to day traffic. The failure of the second channel-flooding > is especially notable: even people doing serious crypto hacking, with > well established public keys, don't seem to PGP encrypt normal day to > day traffic. It's just not convenient enough. At one point I'd thought about setting up a "random" crontab on my local machine to send out encrypted junk to remailers over the net via a SLiRP connection. It made a little more sense when I was connected 24/7. I'm still planning on doing this sometime, probably during Spring Break or this summer. I don't know how useful it would be, though. -- |\/|ike Gurski mgursk1 at gl.umbc.edu http://www.gl.umbc.edu/~mgursk1/ finger or mail subject "send pgpkey" or "send index" Hail Eris! |Member, 1024/39B5BADD PGP Keyprint=3493 A994 B159 48B7 1757 1E4E 6256 4570| Team My opinions are mine alone, even if you should be sharing them. | OS/2 From jimbell at pacifier.com Sat Mar 9 22:37:55 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 10 Mar 1996 14:37:55 +0800 Subject: Leahy's guillotine. Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 11:44 PM 3/9/96 -0500, Chris Townsend wrote: >> 2804. Unlawful use of encryption to obstruct justice >> Whoever willfully endeavors by means of encryption to obstruct, >> impede, or prevent the communication of information in furtherance >> to a felony which may be prosecuted in a court of the United States, >> to an investigative or law enforcement officer shall... >> >> >> I think we may reasonably assume that this section was very carefully >> written, and thus it may contain meanings (or avoid containing meanings) >> that only a careful reading will disclose. >> >> Contrary to some other sloppy interpretations that I've seen here recently >> from organizations that ought to know better, I see nothing in this section >> that limits the prosecution on this law to people who are actually >> participating in a crime. This distinction is vital. While the sentence >> is not diagrammed, it appears to be the INFORMATION which is in "furtherance >> to a felony," not the "obstructing" of that communication. The implication >> is that it is not necessary that a person know the exact information >> involved or be able to decrypt it; he needs only be deliberately using >> encryption to prevent the knowledge of what the information is about, or its >> routing. (As in an encrypted anonymous remailer, for instance.) > > >??? Your third sentence doesn't make any sense. Well, I'll separate it for closer review: >> While the sentence >> is not diagrammed, it appears to be the INFORMATION which is in "furtherance >> to a felony," not the "obstructing" of that communication. The problem is that the original sentence (in the proposed law) is ambiguous. But I think the most likely interpretation is that it is the "information" which is in "furtherance of a felony," and "obstructing the commmication" of that information is the crime they define. > While I agree with your >position, why would it *possibly* be a crime to interefere with felonious >communcations? The law is POORLY worded. Padgett Peterson noticed this yesterday, BTW, and commented on it on Cypherpunks. You've stumbled on the alternate meaning that he complained about. Realistically, however, I think we can probably agree that this meaning was not the one they intended; that's why for purposes of analysis I study the other meaning. > The lanuguage is lamentably unambiguous about the >fact that it is the obstruction and not the information that is >in furtherance of a felony... I think I disagree. What we need, however, is an "emergency-call English major" who could diagram the various possibilities for us and we could study them separately. There's plenty of ambiguity in this sentence; but I think that is absolutely intentional. >> Aside from this, it isn't clear what is meant by the phrase, "obstruct, >> impede, or prevent the communication of information in furtherance to a >> felony." An obvious problem is this: How will they know if the use of >> encryption actually had that effect? If it was UNsuccessful, then obviously >> that encryption did not prevent the government from obtaining information. >> If it was SUCCESSFUL, then how is the government to know that the >> communication in question was "in furtherance to a felony"? Even if they >> can prove the felony by other means, how can they show that the >> communication actually had anything to do with the crime? > >It is quite conceivable that an unsuccessful attempt to obstruct >justice might cause additional trouble, time, and expense to the >guys in the white hats. That depends on who you believe actually wears the white hats... > Note that the language does not distinguish >between successful and unsuccessful attempts...though you're right >that it seems that only unsuccessful attempts could be verified... >the rest is clouded by your assumption that the information, rather >than the obstruction, must be in furtherance of the crime... Well, I invite you to try to construct an interpretation of the sentence in as many ways as you can imagine. I think you'll discover that it is practically intended to mislead. >> Another problem: Encryption, per se, does not "prevent the communication of >> information." What it does, of course, is to prevent the UNDERSTANDING of >> that information. Do the writers of this bill intend to use this law to >> punish the LATTER effect, rather than the former? >> >> Further, how is the person to be charged to know if his use of encryption >> had the effect of "obstruct[ing], imped[ing], or prevent[ing] the >> communication of that information? If he encrypts a file to his hard disk, >> and he doesn't intentionally send the file to the cops, how is he supposed >> to anticipate that the use of encryption had this effect? As far as HE >> knows, it was simply his decision to not send the file to the cops; he can't >> be expected to know that they'll show up the next morning with a search >> warrant and take his computer, can he? Would his refusal to provide the >> decrypt key constitute a violation of this section? > >Probably. That's what the word "willful" is doing in there. Read >carefully: it's willful obstruction, not willful encryption... Justa sec... I think you've forgotten that merely running an anonymous encrypted remailer could be considered "willful obstruction." Now, if the communication wasn't "in furtherance to a felony" then it wouldn't be criminal (it would be a LEGAL "willful obstruction, right?) , but then again the operator wouldn't know that, would he? Which brings us to yet another ambiguity: The operator of an anonymous encrypted remailer wouldn't know that any given packet was "in furtherance of a felony" but he MIGHT be absolutely aware that any one of them COULD be! Does this rise to the level of violating the law? If not, why not? >I am not a lawyer, although I play one on the net. > >I agree with your position, but you're not reading as closely >as the enemy will... Who, in this case, is "the enemy"? As far as I can see, "the enemy" are the people who wrote this section of the bill. While it's been a few decades since I last diagrammed a sentence, I will start by putting parentheses around sections of this sentence to separate it into what I believe is its "intended" meaning. >> 2804. Unlawful use of encryption to obstruct justice >> Whoever willfully endeavors (by means of encryption) to (obstruct, >> impede, or prevent) the communication of (information in furtherance >> to a felony) (which may be prosecuted in a court of the United States), >> to an investigative or law enforcement officer shall... I challenge anyone to re-write this section to: 1. Achieve what he believes to be a "reasonable" result and 2. Avoids the criticisms that I've previously mentioned WRT this portion of the bill. Also, I think anyone who supports this kind of section should be able to give me a few examples of crimes whose investigation has (or could be) thwarted in a way that would violate this section. I've said it before and I'll say it again: The average citizen is essentially never the victim of a crime of this type. For whom, then, is this law written? I think it's written for the benefit of the politicians alone. They want to live. Jim Bell jimbell at pacifier.com -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUJryfqHVDBboB2dAQEZ1wQAhDS3fEz1Q8QaoZCf3c6W6e5fCDbfsz4J 3smXEMg/28xGyiwMiUN1gUjbVOYZKNdczaAMzIKx3I53Reig+9DQnc5CTGHqigaV y1yeiKdV1XKaZk9vV0ZCaTQ31Gv2/GV45eOVKoZRQOtQI+W6AgnrsegLH4TRBxkk NzQv2kNN4Hc= =dBew -----END PGP SIGNATURE----- From jamesd at echeque.com Sat Mar 9 22:39:23 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Sun, 10 Mar 1996 14:39:23 +0800 Subject: Another Motivation for the CDA (Federal Sentencing Guid Message-ID: <199603090339.TAA15249@dns1.noc.best.net> At 03:59 AM 3/8/96 -0800, Timothy C. May wrote: > California's "Three Strikes and > You're Out" sentencing law is having this effect: > [...] > One guy > featured had never committed any violent acts, and his 3rd strike was for > lifing a pizza. This is incorrect: If you read the famous pizza guy's career, you are likely to wind up calling for "Three strikes and hang them from the lampost." Also he did not steal the pizza. He destroyed it in the course of intimidating some kids who were eating pizza. In theory one would expect the law to have this unjust effect, but in practice most of the poster boys that people give as examples of the injustice of this law are folk that one would like to see taken behind a barn and shot out of hand. Perhaps the prosecutors are exercising prosecutorial discretion? --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From anonymous-remailer at shell.portal.com Sat Mar 9 22:39:28 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Sun, 10 Mar 1996 14:39:28 +0800 Subject: Boycott "Applied Cryptography" and AT&T and RSA Message-ID: <199603062140.NAA03115@jobe.shell.portal.com> Bruce Schnier (Author of applied cryptography) and Matt Blaze (Who is a crypto bigwig at at&t) have made it clear that they support key escrow. Both have written letters in favor of the new crypto law, it creates a key escrow system and also other restricts on crypto. The letters are on the CDT homepage and i think were posted here. WHAT THE FUCK?????????????????????????????????????????? EFF, EPIC, VTW and almost everyone else (except for Bizdos at RSA, hmmmm) have all come out against this piece of shit. But with these so called experts baking it it could pass anyway. Maybe the ltrs are a forgery? We should ask them, and if this is true, LETS SEND THEM A MESSAGE!!!!!!!! SWITCH YOUR PHONE SERVICE AND TELL AT&T WHY!!! STOP RECOMMENDING APPLIED CRYPTO (THERE ARE EASIER BOOKS ANYWAY). DEMAND THAT THESE PEOPLE STOP GIVING AWAY YOUR RIGHTS!!!!!!!!!!!!!!!!!!!!!!!!!!! their addresses are schneier at counterpane.com mab at crypto.com jim at rsa.com From bdavis at thepoint.net Sat Mar 9 22:47:10 1996 From: bdavis at thepoint.net (Brian Davis) Date: Sun, 10 Mar 1996 14:47:10 +0800 Subject: SurfWatch In-Reply-To: Message-ID: On Sat, 9 Mar 1996, Timothy C. May wrote: > ... > In the terms of the lawyers--from what I picked up during my time on the > Cyberial list--a requirement that words be rated before they can be > distributed would not pass Constitutional muster. This does not mean that > one's words will not trigger prosecutions, lawsuits, treason trials, etc. > What it means is that "prior restraint" is frowned upon (recall "The > Progressive" H-bomb case of about 15 years ago, where a court subjected > this magazine to prior restraint...a rare occurrence, later overturned. A > more recent case involves "Business Week," and is still unresolved). ... The Sixth Circuit recently held that the prior restraint by the idiot district judge was wrong. EBD From nelson at santafe.edu Sat Mar 9 23:04:31 1996 From: nelson at santafe.edu (Nelson Minar) Date: Sun, 10 Mar 1996 15:04:31 +0800 Subject: anonymous web pages (Was: SurfWatch) In-Reply-To: <199603100222.UAA03114@proust.suba.com> Message-ID: <199603100645.XAA00982@nelson.santafe.edu> cp at proust.suba.com (Alex Strasheim) writes: >Has anyone ever considered setting up anonymous web sites on top of usenet? I proposed this a couple of months ago, there should be a bit of discussion left over in the archives. My idea was to have an account keyed to a password - if you emailed the server with the right password, it would take the text of your email and put it in the specified URL. Then you can use remailers to preserve anonymity with the server. It's sort of like the alias.c2.org accounts. It seems like a workable, not-too-difficult idea. Not much interest in it, though. Sameer pointed out that a full c2.org account, if used properly, allows anonymous web pages. >Right now a news administrator isn't held responsible of there's some >"bad" information in his news spool -- copyright violations, obscenity, >etc. If the link between physically hosting a web page and being >responsible for its contents could somehow be broken, then anonymous web >pages would be possible. In trying to shape the policy at various places where I've installed web servers, I urge them to think of allowing users to post web pages to be the same as allowing them to send email or post to Usenet. They're all (potentially) media with lots of exposure and instiutional identification, so why treat them differently? The argument seems to work, and users are allowed to have their own web pages. The problem, of course, is that people do tend to associate the opinions in web pages to the company that owns the web server more than they do with Usenet posts or email. Furthermore, WWW is a permanent medium, where as email and Usenet are commonly perceived to be transitory (this is changing). I decided that if I were to set up an anonymous web server, I as administrator would have to retain absolute control of what is on the server, just to protect whomever my ISP is. The aim would be to weed out any and all potentially illegal text: draconian, but probably necessary to keep the remailer safe. I'd also filter out all CGI and images over some small (icon) size. These days, I'd prevent Java and JavaScript, too. I'm interested in discussing implementation issues in more detail with someone if they think this would be a fun project. I might yet get to it myself in the next few months. From tbyfield at panix.com Sat Mar 9 23:22:20 1996 From: tbyfield at panix.com (t byfield) Date: Sun, 10 Mar 1996 15:22:20 +0800 Subject: FCC & Internet phones Message-ID: At 12:07 AM 3/10/96, Adam Shostack wrote re the Q: >| > Q: Is it practically possible to find netphone traffic on a >| > generic network at any level above the source and target addresses? >Presumably, the signal has a number of charictaristics. Some of them >have a central switchboard, where preople go to set up calls. Most >presumably use a mix of a UDP data connection and tcp for control >functions. They all consist of high volume, long duration connections >(or data flows in the case of UDP.) Many probably use a standardized >destination port. They might use the urgent pointer to force data up >the stack quickly. > > In short, yes the data streams can be easily found, if one can >tap and grep a T3 in real time. That's a big if, given the priority such a tap would likely merit. Of the Mac apps I've seen (Maven, Cu-SeeMe Talk, and Netphone), the last is by far the best. On startup it verifies registration by querying the company's site, so it'd be easy enough to shut down at, at least for now; but strangling it at that level would likely kill the company, which would effectively orphan the code--a real factor, imo. In any case, there's a crack floating around that circumvents this verification; obviously, then, it'd also circumvent that method of enforcement. As for traffic characteristics, I've never seen one of these apps work in full-duplex mode--just the allegedly fallback "push to talk" mode (i.e., hold down the button while you yak, release it to listen), which really changes the texture of a conversation--so the signal tends to be a kind of high-volume call/response "negotiation" in slow-mo, with ~10-20 secs of transmission punctuated by null periods of about the same duration. Ports are no problem, since the disassembly it'd take to rewrite the call to another port would be minimal (and it'd be easy enough to make hack a configurable port call to be arranged by mutual consent through plain old UN*X Talk). The upshot being that signal analysis would be nontrivial--and, from what I've read, the major telecom players aren't especially worried that they'll lose business to this, so they'd likely resist getting saddled with burdensome sniffing duties. And there's always PGPfone, which obviously flattens out signal characteristics... heh heh. I think ACTA will make a valiant effort to ban this stuff, and the FCC might listen--if only to safeguard its purview--but the only "effective" way to enforce such a ban would be to impose yet another policing duty on ISPs. Bandwidth aside, they've got better things to worry about. And it'd be damned hard to work the public into a frenxy over free long-distance phone calls. Basically, I think we got ourselves a winner. Ted From JonWienke at aol.com Sat Mar 9 23:30:43 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Sun, 10 Mar 1996 15:30:43 +0800 Subject: Another Motivation for the CDA (Federal Sentencing Guid Message-ID: <960310020618_242145364@emout06.mail.aol.com> In a message dated 96-03-09 03:42:04 EST, you write: >And the guys who just got busted for having fertilizer, diesel oil, >and drugs on their farm had a whole three ounces of marijuana and >personal-use quantities of crank. Maybe they were planning to blow up >buildings rather than stumps; but the Feds are trying to paint them >as max evil just to build up their case. Who says they were going to blow anything up? It is perfectly legit for farms to have large quantities of fertilizer around--they use it all the time. Same with diesel fuel--what are they supposed to run the tractors and combines with? Dog piss? DUHHHH! As far as having the instructions for mixing them to go boom, who the hell made that a crime? You could bust most of the farmers in this country if you criminalize simultaneous posession of fertilizer and diesel fuel. Did these people ever actually mix any of the fert. and fuel together? Did they threaten to blow up anything? This whole situation is nothing more than jackbooted thugs getting a rush by stomping on people. FTJBT Jonathan Wienke From JonWienke at aol.com Sat Mar 9 23:34:53 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Sun, 10 Mar 1996 15:34:53 +0800 Subject: Another Motivation for the CDA (Federal Sentencing Guid Message-ID: <960310020800_242145444@emout09.mail.aol.com> In a message dated 96-03-09 04:05:26 EST, you write: >At 9:59 PM 3/8/96 -0800, Bill Stewart wrote: >>The pizza guy was a thug, but twice as many third-strikers got >>their third strike for marijuana as for all violent crimes combined. >>I assume most of these had large quantities, possibly intended for sale, >>and a number of them had real crimes as their previous felonies >>rather than Prohibition-related offenses. But you can get legally >>serious quantities of marijuana by just growing a couple of plants. > >I wonder how many of these drug dealers previous "real crimes" were related >to using violence to protect their drug business, defense which would have >used the courts and police had drug dealing been legal. What difference does that make? If you are deranged enough to murder someone because they are selling crack in your territory, you are deranged enough to shoot your manager after getting fired from McDonalds, or to do any number of heinous things that ahve nothing to do with drug laws. Sick people will still do sick things, even if some of them are legalized. Jonathan Wienke From stewarts at ix.netcom.com Sun Mar 10 00:21:25 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 10 Mar 1996 16:21:25 +0800 Subject: Encrypted Communications Privacy Act of 1996 (fwd) Message-ID: <199603100754.XAA10576@ix12.ix.netcom.com> >> S 1587 IS >> 104th CONGRESS >> 2d Session >> To affirm the rights of Americans to use and sell encryption >> products, to establish privacy standards for voluntary escrowed >> encryption systems, and for other purposes. >> IN THE SENATE OF THE UNITED STATES >> March 5, 1996 >> Mr. LEAHY (for himself, Mr. BURNS, Mr. DOLE, Mr. PRESSLER, and Mrs. MURRAY) ^^^^^^^^ Interesting that Bob Dole is supporting it! It's certainly not a perfect bill, and will presumably be less perfect by the time it's passed. But it's a nice alternative to Clinton, who was happy to buy in to the previous Administration's anti-crypto efforts. (I'll presumably be voting for Harry Browne or some other Libertarian, unless I get fed up and vote for Frank Zappa or Hugh Romney; the Democrats can look me up some year if they decide to run a genuine liberal :-) #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From sakarias at tripnet.se Sun Mar 10 00:22:53 1996 From: sakarias at tripnet.se (Bjorn Asman) Date: Sun, 10 Mar 1996 16:22:53 +0800 Subject: keystroks Message-ID: <199603100754.IAA25888@heron.tripnet.se> Is there anbody out there happens to now a keystroke recorder thats record keystroks from dos to windows. please contact me if you know. "It is the real, and not the map, whose vestiges subsistr here and there, in the deserts which are no lionger those of the Empire, but our own. The desert of the real itself." J. Baudrillard From stewarts at ix.netcom.com Sun Mar 10 00:34:03 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 10 Mar 1996 16:34:03 +0800 Subject: FCC & Internet phones Message-ID: <199603100813.AAA13246@ix9.ix.netcom.com> At 12:12 PM 3/9/96 -0500, Padgett Peterson wrote: > >"Long-Distance Dueling. Free Dialing Via Internet Faces a Challenge From > >Small Phone Firms." > You seem to forget that the Internet is just about the *only* electronic > communications media not controlled/licensed by the FCC in the US. The > FCC also prohibits use of cryptography by those with amateur licenses. Oh, we remember it :-). But actually, large chunks of the Internet's facilities _are_ on controlled or semi-controlled media, such as frame relay (which the Feds just insisted had to be tariffed) or local private-line (which is often regulated by state PUCs.) But in those cases, the regulation is at the price/quantity/schedule layer, rather than the content layer. And according to someone I talked to recently, the Network Access Points, MAE-East/West, (though not CIX), are still NSF-funded, even though they're often built and run by folks like PacBell - I'd thought we'd gotten rid of those guys a couple of years ago except for the NIC and Internic. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From blancw at accessone.com Sun Mar 10 00:50:07 1996 From: blancw at accessone.com (blanc) Date: Sun, 10 Mar 1996 16:50:07 +0800 Subject: Petty Civil Disobedience Message-ID: <01BB0E1B.8337D200@blancw.accessone.com> From: jamesd at echeque.com Major problem here is that ten million horny geeks are likely to bring your server to its knees, but if one only has one image, and it is moderately small, say thirty thousand bytes, perhaps the flood would taper off eventually. ................................................................................... Here James has stated the crux of the problem in its basic, elementary form. Why cannot legislators, the courts, and all those socially responsible individuals promoting the CDA and their other complaints against indecency recognize the obvious: that the problem of the presence of (and the success of) alarmingly objectionable material on the internet is all due to the existence of all those "ten million horny geeks", who en masse can actually "bring servers to their knees". I think this is a Male vs Male problem, and personally I think the mature and wise men of the world should take the case in hand and deal with it on a Man-to-Man basis. Or, they could just adopt Assassination Politics and do away with all those "other people's" (horny) internet-addicted male children. (Ha-ha. Really, Jim - any "democratic society" where one group elects a governor and another group votes to to shoot that person down sounds more like a Bosnian/Serv "society". It wouldn't make sense to become a member of such a disfunctional, self-defeating group of misfits in the first place.) .. Blanc From tcmay at got.net Sun Mar 10 01:02:58 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 10 Mar 1996 17:02:58 +0800 Subject: Cryptanalysis Message-ID: At 2:37 AM 3/10/96, Adam Shostack wrote: >Timothy C. May wrote: > >| cryptanalysis. (Not to sound harsh to Allen, but why would anyone ask here >| on the list for recommendations to such a standard subject when Schneier, >| Garfinkel, Denning, etc. all have books listed?) > > Niether Schneier nor Garfinkel really talk about analysis. >The only book I can think of is Biham's "Cryptanalysis of the DES," >and thats on a single technique. I said "....all have books listed," not that they are textbooks on cryptanalyis. My point was that Schneier, for example, has extensive bibliographic pointers. For example, and relevant to another recent thread, Ref. 355 (1st Ed.) is to Friedman's "The Index of Coincidence and Its Applications in Cryptography," 1920. And more Friedman, and Biham, and even reference to our very own Bob Baldwin's Crypt Breakers Workbench (dare I point out that this is probably a very educational tool for those seeking to play with cryptanalysis?). Likewise, Garfinkel gives a bunch of pointers. (Not that I hold it out as a textbook on crypto, but it's one of several recent semi-popular crypto books.) (And in recent days there have been pointers to the Aegean Park Press series of books, available at "Computer Literacy" (http://www.clbooks.com/), and the database may be browsed, books ordered, etc.) (One more note. The question that came up recently about "does anyone know what the "index of coincidence" is?" is readily answered with Alta Vista. More than two dozen hits, including definitions, papers, homework assignments, etc. The point being that between the Web, search engines, archives, FAQs, searchable library catalogs and retail bookstore databases, and the many hundreds of books and papers listed in Schneier, there is no reason people need to say they "can't find anything.") > I don't know of any books on 'applied cryptanalysis.' The >public knowledge is all in the heads of a few practitioners, and the >papers they've written. > I think there's no single book on cryptanalysis for the various reasons I've mentioned recently. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From WlkngOwl at UNiX.asb.com Sun Mar 10 01:30:41 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Sun, 10 Mar 1996 17:30:41 +0800 Subject: rhetorical trickery Message-ID: <199603100221.VAA13733@UNiX.asb.com> "Vladimir Z. Nuri" wrote: > >> but I have a question: how did they know it was his diary? > > > >If I remember some earlier discussion about that case from a few years > >ago, the file was called "diary.pgp". > > how did they know it was *his* diary? Well, nobody *knows*. But if you've got a file called diary.pgp on your hard drive, chances are it's a diary of some sort. It's a reasonable guess. Whether there's anything incriminating in it for him or anyone else is another matter, of course. Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From cp at proust.suba.com Sun Mar 10 01:32:45 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Sun, 10 Mar 1996 17:32:45 +0800 Subject: anonymous web pages (Was: SurfWatch) In-Reply-To: <01I25AB1E1DIAKTUGH@mbcl.rutgers.edu> Message-ID: <199603100222.UAA03114@proust.suba.com> E. Allen Smith said, > ... until someone comes up with anonymous-location web pages... Has anyone ever considered setting up anonymous web sites on top of usenet? People could post pages anonymously to usenet, and the web sites could grab them and put them up automatically. The pages could expire just like usenet. And just as there are many nntp servers that contain more or less the same informaton, there could be many of these anonweb servers with essentially the same information. Right now a news administrator isn't held responsible of there's some "bad" information in his news spool -- copyright violations, obscenity, etc. If the link between physically hosting a web page and being responsible for its contents could somehow be broken, then anonymous web pages would be possible. If an anonweb server was just a robot that reads usenet, maybe anonweb operators could slide in under the usenet tradition. The distributed nature of the usenet model would also solve another problem with anonymous web pages, namely that it costs money to serve them, and there's no way to tell how popular an anonymous web page will be until you put it out there. Individual ISPs would host anonweb servers for the benefit of their customers (web page readers) rather than the anonymous publishers. If someone puts up an anonweb page that gets 100,000 hits a day, an ISP with 2,000 customers will only have to shoulder a small part of that burden. -- alex From djw at vplus.com Sun Mar 10 01:32:57 1996 From: djw at vplus.com (Dan Weinstein) Date: Sun, 10 Mar 1996 17:32:57 +0800 Subject: Leahy bill nightmare scenario? Message-ID: <199603100201.SAA16619@ns1.vplus.com> On 9 Mar 96 at 9:26, you wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > At 12:19 PM 3/8/96 -0800, Dan Weinstein wrote: > > > >> Second, if what they're charging is the hindrance of an > >> felony investigation, it isn't clear to me why they would be > >> limiting the charging of that "crime" to only those actually who > >> have committed a felony. (logic isn't the normal mode of thought > >> for a government employee, you realize.) > > > >I agree with your concerns here, but I find it hard to believe that > > the courts would allow a broader interpretation. > > Unfortunately, what you find "hard to believe" I find easy to > believe. Remember, if this bill is passes, it doesn't merely affect > YOU, it affects ME. So I suggest the burden of proof is on YOU to > show that these provisions aren't going to be maliciously > interpreted by the courts. Burden of proof? Sorry, I do not have to justify my views to anyone. I am trying to have a reasonable discussion of this issue, thus, the "burden of proof" lies equal on each of us. > >> Third, all they have to do is to "suspect" the person of a > >> felony, and a > >> "felony investigation" starts. That would presumably make him > >> guilty of the Leahy bill's provision, regardless of whether he is > >> actually participating in the crime supposedly being > >> investigated. > > > >Here you are dead wrong, the bill specifically states: "in > >furtherance of a felony." Its like those laws that let them charge > >someone with murder in the first if someone dies while you are > >commiting another felony. They must prove the original felony > >before they can get you on the murder one. The real purpose of > >this provision, as I read it, is to give longer sentences to > >criminals that use crypto. > > I'm not a lawyer, but I assume neither are you. Please explain the > LEGAL DEFINTION of "in furtherance of a felony." If you can't, then > you simply don't know how far they will go. And you're depending on > the reasonableness of the government for the interpretion. True, I am not a lawyer. I would like to hear from one of the lawyers on the list for a more deffinitively. Since you also admit you are not a lawyer, I do not accept your opinion as superior to mine. I was pointing it out as something that I believed you had missed. I find it hard to believe that anyone can further a felony when their is no felony. In addition, this is VTW's interpretation based on the analysis that they have posted to their home page. I would presume that they were using lawyers to analyze the bill. > >> Fourth, I gave what I considered to be a clear example of the > >> hypothetical misuse of an encrypted remailer by the cops, one > >> that would arguably make the remailer operator guilty of some > >> "reasonable" anti-kiddie-porn statute. At that point, _he_is_ > >> the target of the investigation. Unless you can show that this > >> kind of action by the government is impossible, I consider it to > >> be not merely possible but almost certain to occur. > > > >Again, the problem I see with your scenario is that I don't believe > > that the courts will interpret it that way. > > What you think is irrelevant. Most people probably didn't realize > what the government did in the Amateur Action BBS case was "legal," > either. But they did it anyway. Yes, this case was certainly a travesty. The thing about it was that it violated the law. Their actions took place in California, but they were tried in Tennessee. This is a violation of U.S. law. Again, this is my non-professional opinion, but I have heard several professionals proclaim that the governments actions seriously violated its own laws. If your point is that the government does not obey its own laws, then all I can say is that if that is how you feel then why oppose the bill? Won't they end up doing what they want anyway? > > > My interpretation is that > >if they serve a warrent and I don't decrypt for them and they can > >prove a felony, then I will be subject to the listed punishment. > > Are you assuming that you have the key? Remember, if you run an > encrypted anonymous remailer, and assuming you do it honestly, you > won't be keeping records as to the source of the note. > > Thus, if they "serve a warrant" and you CAN'T decrypt the message > (or tell them where it came from) then why aren't you already > guilty? Remember, the wording of the proposed law doesn't require > that you have full knowledge of the crime involved, merely that you > act "in furtherance" of it... If you don't possess the key, but > you explicitly ran your remailer so that you never it, just so you > couldn't relinquish it, you have structured your operation too > thwart any investigations. You are ALREADY guilty. This may not > sound reasonable, but the government no longer (if it ever did) > considers "reasonableness" to be an impediment to their actions. > I don't but this. If I am a reporter if I receive an anonymous tip, a court could order me to tell who my source was, but I couldn't and they couldn't do anything about it unless they could prove that I knew who the source was. If I knowingly aranged for the source not to reveal himself to me, could I them be charged with obstruction of justice or contempt of court? Again it is my non-profesional opinion, but I really doubt this. Comment from a lawyer would be appreciated. > > >> Fifth, it isn't clear what amount of knowledge is necessary to > >> "trigger" this clause, especially in its current flawed state. > >> Since ISP's and encrypted remailers might know, in general, that > >> their systems can and probably are being used for SOME criminal > >> activity, even if they can't identify it or the user, or decrypt > >> it, etc, a broad interpretation of the resulting law could easily > >> de-facto prohibit any business practices (i.e., allowing users to > >> use encryption) that prevents full-scale monitoring and/or > >> tracing. > > > >I disagree, it states you must "willfully endeavor" to use the > >encryption as a means of obstructing the investigation. To me, > >this means that it is the motivation for using the encryption. > > Question: What, exactly, is the motivation of a person running an > anonymous remailer? His motivation is clear: To allow people to > send anonymously untraceable messages. Assuming he's of ordinary > levels of intelligence or beyond, he is aware that somebody may some > day use his system for illegal purposes. You're going to have to > explain why a court _CAN'T_ interpret this as being in violation of > the law. > If I rent cars, someone might one day use a car rented from me in a robbery. Does that make my an accessary? NO. > > > If I set > >up an encrypting remailer for the purpose of allowing free exchange > > of ideas, I don't believe I would be liable under this law. > > Your optimism is touching. It is also vastly misguided. If you think I am optimistic, you must think just about everyone is an easy dupe. If I do not quite reach your level of paranoia, I apologize; I will try to get to where I distrust everyone like you. Or are you just plotting to make me paranoid? > >The > >only way I could see a remailer charged under this is if he had > >solid evidence that a specific user was violating the law, and took > >no action. > > Gee, I wish you were right, but my experience with government thugs > says that they will do anything they think they can get away with. > Their is certainly A LOT of that with in our government, but to claim everyone in the government is a jack-booted thug is just too far over the top for me. (Yes, yes I realize you think this is niave.) > > >> This is only the beginning of the problems with this section. If > >> you can explain why nothing I've described could possibly occur, > >> I welcome a contrary explanation. > > > >I see some real problems too, but I do not see the problems with > >this provision to be enough to condemn the entire bill. > > I don't "condemn the entire bill." I would, however, reject the > entire bill if that provision remains. And morever, if we make a > serious attempt to have it removed, the more they resist removing it > the more we should insist it go. I don't want it removed, I think it is an important bone to through to those in the middle. I would like the phrasing tightened up so that it could only be used against those that deserve it. > >I would like to > >see this portion of the bill ammended to make it clear that only > >those actually involved in commiting the felony would be held > >responsible. > > There would still be a problem. What's the definition of "actually > involved in committing the felony"? Are you aware, for example, > that manufacturers of small plastic screw-top vials have been > prosecuted and convicted simply because their vials could be used to > hold small quantities of drugs such as cocaine and crack? This was > a case from a few years back, BTW. I wish I could remember the > cite. I was not proposing that exact language, I am not a lawyer and don't imagine I could come up with the bullet-proof wording that is required. > If you're not aware of these things, WAKE UP! Your optimism > disgusts me, because it is entirely unrealistic and based on a > rose-colored-glasses view of the government. I am not aware of the vial case; I certainly would find such a thing interesting to read. If this was what happened, and laws exist that allow this, then we ought to repeal those laws, but I don't see the baring that has on this case; I have already said that they should narrow the language so that it will not be used to the ridiculous extream. > >> But I would also ask this: Why, exactly, do we need this > >> section? We've already been told that the opponents of this bill > >> will fight it tooth-and-nail under its current wording; if that's > >> the case then the presence of this section is inadequate to > >> appease their unhappiness. Therefore, we shouldn't include it in > >> the bill at all; it does no good. > >> > >> Any explanations, Dan? > > > >You are talking about the fringe, this, I think, was added as an > >attempt to bring in those that are in the middle. > > Why would "those that are in the middle" object to a bill which is > little more than a re-statement of rights we already believe we > have?!? I am not talking about reality; I am talking about what they can tell the voters if they are beat up over passing such a bill. You seem to over rate the average voters grasp of the issues. It doesn't matter that the bill really creates or diminishes crime, it is how the voters can be made to perceive it. > > That is, Those > >that see the need to prevent the use of encryption as a means of > >obstructing justice, but feel that we should also have a right to > >privacy. > > There is no viable middle ground here. Any tool can be abused. > If that is true, than you are left with those that are the oppressed and the jack-booted thugs. I do not believe that the only motivation of those that are opposed to strong encryption is to oppress me. Many are trying to do what they think is right, this provision is their to give those that are tetering between the two options an easy way to move to our side. > > > To say that there is no delema here is ridiculous, crime is > >a serious problem that we are already having a terrible time > >dealing with. > > On the contrary, my opinion is "The _government_ is a serious > problem that we are already having a terrible time dealing with." > Fortunately, I've found a solution, and the government is trying as > hard as it can to prevent it (and "crypto-anarchy" in general) from > taking root. > Good premise, now if you could sell that premise to everyone in Congress than your right this provision is useless. Unfortunately, I don't think you will have much luck with this. > > > I think Leahy realizes that this provision will be about as > >useful as the "use a gun, go to jail" laws, but wants to give those > > in the middle to say that they bill will help prevent crime. > > Ha ha! That's rich! There is no reason that a "pro-encryption" > bill has to contain any general "anti-crime" clauses. The average > person is afraid of burglars, muggers, murderers, rapists, car > thieves. When is the last time the average person was the victim of > a crime whose investigation could be "thwarted" by the use of > encryption? If you can't think of an example, you've just proved my > point: This provision is entirely irrelevant to the average citizen > (at least in a "positive" way) and can't be considered a "win" for > him. You talk about my being naive, this takes the cake. Do you really believe that any pro-crypto bill could make it through Congress with out some sort of anti-crime clause? > >> Jim Bell > >> jimbell at pacifier.com > >> Dan Weinstein djw at vplus.com http://www.vplus.com/~djw PGP public key is available from my Home Page. All opinions expressed above are mine. "I understand by 'freedom of Spirit' something quite definite - the unconditional will to say No, where it is dangerous to say No. Friedrich Nietzsche From stewarts at ix.netcom.com Sun Mar 10 01:37:02 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 10 Mar 1996 17:37:02 +0800 Subject: Vexatious Litigants (was: SurfWatch) Message-ID: <199603100912.BAA18270@ix4.ix.netcom.com> >From: IN%"janzen at idacom.hp.com" "Martin Janzen" 9-MAR-1996 09:48:42.59 >>ObCrypto, sort of: What if the page were retrieved through an HTTP >>proxy which, unbeknownst to the author (and the filtering service/SW), >>deliberately removes or alters the PICS-Label or other rating >>information? Sure, you could probably write http://www.g-rated.com/. At least with movie ratings, the MPAA has trademarked the G, PG, PG-13, R, NC-17 ratings so that producers can't self-rate their own movies (though they can self-rate them as X.) But you could delete the ratings. Presumably, almost nobody in Europe is going to add these silly Yankee rating labels to their web pages, except a few commercial content providers who want to sell advertising or services into markets that block un-rated web pages. So schoolkids behind rating-mandatory sites will have to ask their teachers why the "World-Wide-Web" is just American --- "It's got All 50 States, Johnny!" ! >> Must Web authors now add a digital signature to each page (including its rating >> info), to prevent tampering? Tamper-proofing is a far more general issue than just ratings. Most of the tampering today is either political protest (the see-your- favorite-web-pages-after-censorship site), quasi-silliness (the Great Web Canadianizer, eh?), or advertising addition from commercial sites or deletion from de-commercialization software. Imagine if your movie rating web page gets linked up by some studio-owned web site (www.disney.not/reviews/siskel+ebert/Rocky23 says "Two Thumbs Up!" "Rave!") Or your stock picking service gets arbitraged a bit on fast.make.money.com. Or the ExonOnLine webserver starts deleting all links to unrated pages from pages it serves. If you don't need it now, you'll need it soon enough. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From stewarts at ix.netcom.com Sun Mar 10 01:37:04 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 10 Mar 1996 17:37:04 +0800 Subject: Leahy's guillotine. Message-ID: <199603100911.BAA18260@ix4.ix.netcom.com> Leahy et al.: > Whoever willfully endeavors by means of encryption to obstruct, > impede, or prevent the communication of information in furtherance > to a felony which may be prosecuted in a court of the United States, > to an investigative or law enforcement officer shall... ! Let's look at the word "willfully". Among other things, it implies knowledge; under US law, to be guilty you have to know you did something that you at least reasonably believe is an activity that you're not supposed to do. Yes, cops can send you email threatening to use your remailer for felonious purposes, but if you don't know they've actually done it, and you haven't agreed with them to provide your encryption services in support of their felonious action, you're not a willing participant. Especially if you've got the welcome banner on your remailer page saying "You may not use this email encryption service for thoughtcrime, violations of the verbal morality act, idea laundering, anti-abortion activism, or other felonious or Un-American activities." You're no more a willful participant than the guy who receives an unordered package of child pornography mailed by a postal inspector. Now, if they make this a felony, surely conspiracy to participate in such activities could eventually be made illegal, and if the DemoPublicrats get re-elected, it probably will be some day. But this law doesn't do that yet. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From stewarts at ix.netcom.com Sun Mar 10 01:38:06 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 10 Mar 1996 17:38:06 +0800 Subject: News on RSA vs. Cylink Injunctions and Patents Message-ID: <199603100911.BAA18256@ix4.ix.netcom.com> At 03:00 PM 3/9/96 -0500, Perry wrote: >> I'm curious, because in the past, as I understand things, RSA has >> said that the DH patent covers El Gamal. If RSA no longer considers >> DH to be a valid patent, that would mean El Gamal is not patent >> encumbered. >It all matters very little to me, as the patents expire next year. Yeah, but that's still a year and a half till they're gone. Having them gone now (for some relatively small value of "now") would be especially pleasant, because we can start totally ignoring them (except for the RSA and Schnorr patents) rather than mostly ignoring them. Unfortunately, the somebody-at-Siemens-in-Paderborn patent on using Diffie-Hellman with hashed shared secrets for authentication is (minimally) good until something like 1994+17, even though it's so obvious to the skilled practitioner that I thought of it independently myself. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From tcmay at got.net Sun Mar 10 01:52:10 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 10 Mar 1996 17:52:10 +0800 Subject: Explosives, Criminality, and Preemptive Action Message-ID: At 7:06 AM 3/10/96, JonWienke at aol.com wrote: >Who says they were going to blow anything up? It is perfectly legit for >farms to have large quantities of fertilizer around--they use it all the >time. Same with diesel fuel--what are they supposed to run the tractors and >combines with? Dog piss? DUHHHH! As far as having the instructions for >mixing them to go boom, who the hell made that a crime? You could bust most >of the farmers in this country if you criminalize simultaneous posession of >fertilizer and diesel fuel. Did these people ever actually mix any of the >fert. and fuel together? Did they threaten to blow up anything? My personal belief, from the news reports I've read (which may be incorrect, of course), is that the ingredients were for use in a bomb, whether or not they'd ever have gone through with it or not. The ancillary items found (dozens of assault rifles, weapons manuals, patriot literature, crank, meth, etc.), and the stockpiling of ANFO precursors, suggests an Oklahoma City-type scenario. This is what I think was objective reality. Now, before certain readers go ballistic, start foaming about how TCMay and his Tentacles of Medusa are pawns of Bill and Hillary, not to mention spawn of Satan, etc., I'm not saying that what they did is criminal. Having the potential to build a bomb or other deadly gadget is not the same as actually building and using one. But should law enforcement have waited until the bomb was actually built? Or actually loaded onto a truck? Or actually placed in a target area? Or actually detonated? Mightn't it be argued that until the bomb actually explodes, no crime has occurred? (A fine line. A topic oft-debated in libertarian discussion talkathons: if you see your neighbor preparing what you think will ultimately endanger you or your neighbors, at what point are you justified in taking premptive action? Certain extremists argue that at no point prior to your own death, for example, has an "assault" occurred. Less extreme folks argue that the assault happens when your neighbor begins to turn his gun in your direction. And extremists at the other end believe that potentially dangerous objects must be taken away from people long before they could ever put them to use. Ergo, gun control, restrictions on bomb-making info/anfo, etc. I take a stance closer to the first example, though I feel no qualms about hitting first if I really think I'm about to be attacked.) The argument that because farmers can use these products that the use must have been an innocent use is a weak one. Anyone with any common sense can see what they were up to. Who's kidding whom? But, like I said, this may not be criminal. And courts routinely have to deal with "conspiracy" cases to decide just how real the conspiracy was. (I don't care for "conspiracy" charges...too much chance for abuse.) Certainly the folks in Oregon will not face much prosecution, as near as I can figure. The weapons charges may affect their parole (some of them are ex-cons). The drug amounts are small. And the ANFO precursors....not clear to me at all that having these is a violation of the laws about explosives, but maybe it is. >This whole situation is nothing more than jackbooted thugs getting a rush by >stomping on people. FTJBT Overly simplistic. Don't misunderstand me: I share your anger at Waco, Ruby Ridge, gun confiscation, tens of thousands of laws, high taxes, etc. But I doubt the Oregon bust was a bunch of Waco Warriors assaulting the compound with tanks and helicopters. --Tim May, probably just added to Jim Bell's list of people he plans to have killed Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From wlkngowl at unix.asb.com Sun Mar 10 02:11:56 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Sun, 10 Mar 1996 18:11:56 +0800 Subject: FCC Sets Comment Date for Internet Phone Call Rulemaking (fwd) Message-ID: <199603090239.VAA01613@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Henry Huang wrote: > ------- Start of forwarded message ------- > From: "Neal J. Friedman" [..] > > The FCC has acted with astonishing speed in setting a date for comments > the ACTA petition to regulate telephone calls via the Internet. It is > uncommon for rule making petitions to sit for weeks, months, even years > without action. ACTA filed its petition on March 6th and two days [..] Odd that I have yet to see this in any business news. Has it made the WSJ, NYT, Bloomberg or TWP? Also odd that the FCC could try to regulate it. Not much they can do if someone outside the US uses IPhone or the like. - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMUDveCoZzwIn1bdtAQHRkQF/U9Ypd5hAkoY86fF8e4pW9HLtVVvrRTVz GqxrRoq12MRtfQZqtD5q0u7VY6gJgR3Y =T64o -----END PGP SIGNATURE----- From AFDA2 at aol.com Sun Mar 10 02:12:02 1996 From: AFDA2 at aol.com (AFDA2 at aol.com) Date: Sun, 10 Mar 1996 18:12:02 +0800 Subject: CRIMINAL LAW SEMINAR Message-ID: <960308200934_441681488@emout05.mail.aol.com> On Friday, April 19, 1996, the Association Of Federal Defense Attorneys (AFDA) will present a one-day seminar, "The Key Fundamentals of Federal Sentencing." The seminar will be held at the Los Angeles Airport Marriott Hotel, from 9:00 am to 4:30 pm. Fee: $125 for AFDA members; $175 for non-members. Handout materials will include case law outlines and the sentencing guidelines. This seminar is specially designed for state court attorneys who handle occasional federal cases, for new federal defense attorneys, and for those who want a primer on the mechanics of the federal guidelines. For the experienced federal practitioner, AFDA will present its Third Annual Seminar, "Federal Sentencing Updates & Strategies," in the fall of 1996. For more information, click the Reply button and send a brief email requesting a fax-flyer. Remember to include your fax number. The Association's email address is: AFDA2 at AOL.com From EALLENSMITH at ocelot.Rutgers.EDU Sun Mar 10 02:12:35 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sun, 10 Mar 1996 18:12:35 +0800 Subject: Paint Your Own Scarlet Letter (Was: Edited Edupage, 29 Feb 1996) Message-ID: <01I23UUCPDM2AKTTTI@mbcl.rutgers.edu> From: lmccarth at cs.umass.edu >I couldn't resist the temptation. I rushed out and rated my home page >as evil incarnate, at least according to the SafeSurf rating system. No >innocent rugrats are gonna be learning anything about my work in crypto and >symbolic computation on the web ! I have noticed that they ask for one's URL on the page in question. This information gathering brings to mind the question of if they plan on also keeping some sort of database. While private rating efforst are not directly wrongful, given the circumstances involved they may be attempting to mandate some such (either directly or through lawsuits) via governmental pathways. >It's, uh, interesting to note that "homosexual themes" gets a whole >separate category from "heterosexual themes". :[ Quite. (Incidentally, that the CyberAngels are associated with SafeSurf, which has this distinction in their material also, gives the lie to many of the CyberAngels' claims). I am currently in the process of writing a response to this proposal, and will post the initial version to cypherpunks. >Here's the reply I received after filling out the SafeSurf web form. It looks >as though anyone can use the code below by sticking it in their HTML as >directed: They supposedly have the code in question copyrighted. I suspect that such an attempt will not be valid without changes to copyright laws, but I am not a lawyer. (It does not appear to me, at least, to have any degree of true and original creativity involved). -Allen From qut at netcom.com Sun Mar 10 02:14:43 1996 From: qut at netcom.com (Dave Harman) Date: Sun, 10 Mar 1996 18:14:43 +0800 Subject: LACC: TER_ror In-Reply-To: Message-ID: <199603090225.SAA19368@netcom15.netcom.com> > > In message <199603080259.VAA05749 at pipe2.nyc.pipeline.com>, John Young > writes > > The Economist, March 2, 1996, pp. 23-25. > > With whose permission are you posting this copyrighted material? Who cares about protecting The fucking Economist? If I find any relevent articles, I'll post 'em here. > > tbt > -- > | Bruce Tober - octobersdad at crecon.demon.co.uk - B'ham, Eng | > | pgp key ID 0x9E014CE9, "Fear of corrupting the mind of the | > | younger generation is the loftiest form of cowardice," | > | The US Congress and President are guilty as hell of such. | > -- Imagine yourself as a picture machine From tcmay at got.net Sun Mar 10 03:08:19 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 10 Mar 1996 19:08:19 +0800 Subject: Vexatious Litigants (was: SurfWatch) Message-ID: At 2:38 AM 3/8/96, Bill Frantz wrote: >At 6:59 PM 3/7/96 -0800, Timothy C. May wrote: >>If SurfWatch can be sued for a "bad review," then Siskel and Ebert had >>better find a new line of work. > >As long as a reviewer corrects errors, as SurfWatch seems to be willing to >do, I think they are relativly suit-proof. If they don't, well - anyone >can be sued for anything. I'll let the lawyers comment on the possibility >of success. OK, OK, I did not stick enough qualifiers in my "If SurfWatch can be sued" point. I should have said, in gory detail, "If SurfWatch can be successfully sued and found liable," etc. It is true that "anyone can be sued for anything" in these BS. I can sue Bill for writing the post he wrote. However, such a suit would definitely never reach trial. My point was that "opinions" (such as movie reviews) are not "tortable" (don't know the legal name), unless specific inaccuracies can be demonstrated, and even then it is hard. Siskel and Ebert have undoubtedly destroyed the box office prospects of many a movie with their "thumbs down" diss of death, but I know of no successful (or even adjudicated) lawsuits on this basis. One of the few cases of a reviewer being successfully sued involved the Bose Corporation, maker of the once-trendy Bose 901 speakers. It seems that around 1970 or so, at the height of popularity of the 901s, one of the stereo mags, or maybe it was "Consumer Reports," ran a review of the 901s and (correctly) criticized them as being not worth the high price (and maybe a comment that Bose's "direct-reflecting" snake oil was just that). Bose sued, and the case dragged on for many years. I think Bose eventually won. Too bad. Opinions are opinions, and a free society has no business suppressing opinions by use of torts. (Another related area is the use of torts to halt public comment on controversial development plans. These are called "SLAPP" suits--"Strategic Lawsuits Against Public Participation." For example, where AT&T sues "the Cypherpunks" to shut them up about their anti-Clipper feelings. Some judges are awarding large damages to the groups hit with the SLAPP suits.) So, while it is technically true that "anyone can sue anyone else," having the case get to trial is a different thing. And the law actually means what it says, in some cases. The First Amendment, for example, will stop Bill from successfully suing me because he dislikes my use of the word "tortable." If he files some number of these frivolous suits, he may find himself on a list of "vexatious litigants" (one of my favorite phrases of all time!). --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From wlkngowl at unix.asb.com Sun Mar 10 03:28:36 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Sun, 10 Mar 1996 19:28:36 +0800 Subject: keystroks In-Reply-To: <199603100754.IAA25888@heron.tripnet.se> Message-ID: <3142B958.483C@unix.asb.com> Bjorn Asman wrote: > Is there anbody out there happens to [k]now a keystroke recorder thats > record keystroks from dos to windows. There are quite a few. Check the usual DOS ftp-sites or lurk around alt.2600. Note that you'll have a much harder time under Windows, since it takes over the keyboard IRQ (though it might be possible to monitor Int 16h). Also note that some programs like SFS and a few network logins take over the keyboard so as to prevent this. (You can check out my kbisr sources for non-enhanced keyboards if you're looking for a way around keyboard sniffers... also floating around on ftp somewhere.) > "It is the real, and not the map, whose vestiges[..] > J. Baudrillard Ack. A Baudrillard quote! --Rob From eagle at armory.com Sun Mar 10 05:45:18 1996 From: eagle at armory.com (Jeff Davis) Date: Sun, 10 Mar 1996 21:45:18 +0800 Subject: Bell, Detweiler, Ravings, and Whatnot In-Reply-To: Message-ID: <9603100533.aa15975@deepthought.armory.com> > And your insulting comments about people whom you disagree with, or people > whom you think are not taking your ideas seriously enough, are reminiscent > of the ravings of the last victim here of late stage Detweiler's Syndrome. > --Tim May Bell's ding-a-ling aside, the active verb would be Detwielling, while the past perfect tense is Detwielled. -- According to John Perry Barlow: *What is EFF?* "Jeff Davis is a truly gifted trouble-maker." *email * *** O U T L A W S On The E L E C T R O N I C F R O N T I E R **** US Out Of Cyberspace!!! Join EFF Today! *email * From JonWienke at aol.com Sun Mar 10 05:54:43 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Sun, 10 Mar 1996 21:54:43 +0800 Subject: What's anyone know about Teledyne Electronic Technologies? Message-ID: <960307014224_343625326@mail04.mail.aol.com> >Teledyne (TET) is out marketing a "new" crypto system as a competitor >against DES and what TET calls "linear" cryptosystems. They are claiming >a non-linear approach in which (as best I can tell) they are permuting >the s-boxes and using 4 bit/16 entry substitution tables. Dont trust it unless you are a good cryptanalyst and have a copy of the source code. Most commercial crypto products are crap. Jonathan Wienke From frantz at netcom.com Sun Mar 10 05:54:53 1996 From: frantz at netcom.com (Bill Frantz) Date: Sun, 10 Mar 1996 21:54:53 +0800 Subject: Switchboard Message-ID: <199603070725.XAA10999@netcom7.netcom.com> At 10:05 PM 3/6/96 -0800, Steven Weller wrote: >Check out www.switchboard.com. From the blurb: > >find people ... I checked them out and the couldn't find my record. Since I have a listed telephone number, I can only assume that their records do not include GTE local service records or some other equally huge gap. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From stevenw at best.com Sun Mar 10 05:54:58 1996 From: stevenw at best.com (Steven Weller) Date: Sun, 10 Mar 1996 21:54:58 +0800 Subject: Switchboard Message-ID: Check out www.switchboard.com. From the blurb: find people Find friends, colleagues, and old roommates for free. Any time, nationwide. Look up over 90 million names and get fast response to addresses, phone numbers, and personalized updates. Even send email to registered users. find businesses Find over 10 million businesses across the U.S.A. for free. Whether or not they're on the web. Day or night with immediate results. Is this the same data that was supposed to go on that Lotus CD-ROM? Is this publicly available info? ------------------------------------------------------------------------- Steven Weller | "The Internet, of course, is more | than just a place to find pictures | of people having sex with dogs." stevenw at best.com | -- Time Magazine, 3 July 1995 From ncognito at gate.net Sun Mar 10 05:55:30 1996 From: ncognito at gate.net (Ben Holiday) Date: Sun, 10 Mar 1996 21:55:30 +0800 Subject: TCP/IP Stego (was CU-SeeMe) Message-ID: It seems to me that it would be possible to squeeze one bit of subliminal data into each tcp packet if you were willing to sacrifice a few cpu cycles in the process: A tcp header contains quite a bit of useful information.. but most of it wouldnt be easily manipulated (by me) to get a bit. You cant very well alternate the port number you are using, or change the packet sequence numbers. However, the tcp protocol forces each tcp header to contain a 'checksum' field.. which is (more or less) the sum of all the octets in the packet. This is used as error correction for the protocol. It shouldn't be too difficult to force TCP to fiddle with the data in the packet a bit to force the checksum to be a particular sort of thing (i.e. even or odd number) .. 0 for even and 1 for odd would get us our one bit of data per packet. I may be wrong, but im pretty certain that you could hack your client (an ftp client would be a good choice since it can easily be made to receive vast numbers of packets without attracting attention) and leave the basic tcp/ip stack untouched. If your client figured out what sort of packet needed to be sent to get the right bit before passing it to the tcp stack then voila you have a subliminal channel. Of course there are alot of other ways to go about it, im sure.. Benji From stewarts at ix.netcom.com Sun Mar 10 05:55:41 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 10 Mar 1996 21:55:41 +0800 Subject: Steganography idea: CU-SeeMe Message-ID: <199603070739.XAA23010@ix2.ix.netcom.com> At 08:28 AM 3/6/96 +0000, Ed Carp wrote: >On Wed, 6 Mar 1996, Nelson Minar wrote: >> So here's one idea I've had as a place to hide a channel: network >> video, in particular CU-SeeMe video streams. CU-SeeMe is a lowtech > >I think it likely that people will be sending GIFs and JPEGs to each >other far more often than video. Video is far more an "uncommon >communications channel" than is a uuencoded picture. The Quickcam videocameras are $100; they're the next toy to buy after you've got the Soundblaster, CDRom, and 100MB Zip drive. The Macintosh folks will buy them first (:-), but pretty soon they'll be very common, especially for business LAN users to have desktop video. The problem is that, unlike GIFs, CU-SeeMe and other low-bit-rate video compression schemes are _very_ lossy. You can't just put the stego bits in the raw image before running the compression, because they'll get lost, and if you try to fit them in to the compressed image, you've got to do it very carefully or they'll really drastically affect the image. I don't know CU-SeeMe's compression algorithm, but imagine putting bits into a run-length-encoded file: if you put them in the run-length, you'll change the lengths of the runs a lot. If you put them in the color, you'll get lots of streaks of random-looking noise. Either way, it's quite noticeable. So you've got to work very carefully with the algorithm. The other problem with CU-SeeMe is dropped frames, which someone mentioned. That's easier; any email system, especially a stego type, has to deal with lost message. So try to fit your messages into single CUSM frames, and build some tracking or ack messages or maybe message numbering, so you can detect lossage and request retransmits. It can be as complex as X.25-over-stego-over-CU-SeeMe, or as simple as "Message 14 of 32, RSVP". (If you _do_ implement X.25-over-stego-over-CU-SeeMe, you've got a fine April 1 RFC :-) #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # From stewarts at ix.netcom.com Sun Mar 10 05:57:00 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 10 Mar 1996 21:57:00 +0800 Subject: Square pegs in round holes, matchmaking, corporate mailservers Message-ID: <199603070738.XAA22980@ix2.ix.netcom.com> At 08:01 PM 3/5/96 -0500, "A. Padgett Peterson P.E. Information Security" wrote: [>>Dimitris Tsapakidis wrote:] > >Bob must find out whether Alice has declared (commited) her interest > >in him, if and only if he has declared (commited) his interest in her. > >Before he does so, he can at most know that a girl is interested in him. > >Another description: Bob and Alice can have a date if they both commit > >to each other. If only one commits, nobody will ever find out about it. > >- T is the trusted third party. > > Well if we *must* use D-H that is a way, but why do that ? Instead of > using a binary assymetric key, why not a triple ? (Just because I do not > know of any does not mean that one does not exist). > > Consider a function such that Alice has a key such that given a message M, > when encrypted by Alice may be manipulated by T such that Bob can decrypt > it. Similarly, Bob has a key that when manipulated by T' can be read by > Alice. Assymetric but not binary. The advantage here is that while "T" > is trusted by both, he/she/it/other is not able to read either message, > rather acts as a catalyst. Oh, that would work fine. Let a, b, and t be Alice, Bob, and Trent's secret DH keys, and g and p be the generator and prime (all math below is mod p.) If Bob wants to talk to Alice, he sends Trent B = g**b, marked "For Alice", optionally anonymously. Trent calculates X = B**t == g**bt, and sends it to Alice. Alice calculates K = X**a == g**bat, calculates H = Hash(K) and posts it anonymously, or sends it to Trent to post or mail to Bob. If Alice wants to talk to Bob, she calculates A = g**a mod p, sends it to Trent, optionally anonymously, marked "For Bob". Trent calculates Y = A**t == g**at , and sends it to Bob. Bob calculates K' = Y**b == g**abt, calculates H' = Hash(K') and notices that it's the same as the H he pulled off the net earlier. Bob says "Oh, wow! Alice wants to talk to me!", encrypts some lame drivel of a message M with key K'==K, and mails it to Alice if he knows her address or posts it with Subject: H', which Alice receives. Comments: 1) If Alice doesn't also want to talk to Bob, or Bob doesn't want to talk to Alice, they don't both come up with H == H', so they only know that _some_ shy person wanted to talk to them but not who it is. 2) Why does Alice reply to the anonymous message? Maybe just because she's free that evening, or maybe because it included a note with it that made her think the sender is a Nice Guy. 3) Under this method, Alice, Carol, Eve, and Greta can get together and notice that they've all gotten mail with keys X; they don't know who X is, but they know he's interested in all of them and he's probably a trolling loser :-) So they all dump him. However, even though they know Bob's public key B, they don't know t, so they can't tell from g**bt mod p that it's Bob, so they can't send him email saying "Get lost, loser" without revealing their identity. So Trent is providing anonymity, and needs to be trusted. Without Trent, you could do a two-way version of the protocol - if Bob wants to talk to Alice, he posts Hash(A**b), and vice versa, but Alice can go evaluate Hash(B**a), Hash(C**a), Hash(D**a), etc., for everyone in the phone book, and find out that it was Bob. 4) If Bob wants to reduce the level of trust he needs to have in Trent, he can create a bunch of keys b1, b2, b3, ...., bk in addition to b, and use a different one for each note. If I remember correctly, he can often calculate the inverse of b, b1,... (??????) So he sends Trent B1=g**b1, Trent sends Alice X1=B1**t == g**b1t, Alice calculates K1=X1**a == g**b1at, H1=Hash(g**b1at), and posts/sends. Since she's also interested in Bob, she does the same with key a, so Trent gives Bob K'g**bat. Bob calculates Z = K'**binv == g**at(b*binv) mod p == g**at, and then calculates Hash(Z**b1), Hash(Z**b2), Hash(Z**b3)..., and notices that H1 = Hash(X**b1) and says "Oh, it's Alice!" On the other hand, this doesn't appear to work if Alice is also using multiple identities. 5) If Trent is a really trustable guy, he can offer meeting services for people who have unusual tastes, such as liking (Exon) and Duct Tape and Political Party Z and (for bipartite variants) suppliers and consumers of various substances. So he could broker a list of (Exon)fans, as long as the activity is not criminal enough to lead to subpoenas or warrants for his transactions (if he keeps them) or his key t (or t1, t2, t3... if he's running multiple lists.) Dimitris's approach of using Hash(message) could be used to exchange preference here as well. If Alice checks the message for Hash("Duct Tape"), she can decide that she and the unknown sender would be a great match, and if she hadn't thought to check Hash((Exon)) she wouldn't know that Bob enjoyed that also. So it's at least some privacy for low-popularity unusual activities :-) 6) Of course, Trent really could be a front for Blacknet :-) Or Trent's key could be stolen and published, embarassing all his customers. > As to why you would want such a curiosity, consider a corporation with 80,000 > mailboxes. It would be desirable for each person to be able to send E-Mail > to any other person but not desirable for each person to have to hold all > 80,000 keys. Given a triple (tertiary ?) function each individual would only > need their receive key and a "post office" transmit key. On sending a message, > it would be encrypted with a session key and the session key encrypted with the > post office key. The post office would have all 80,000 receive functions but > through the assymetic keying would only be able to convert the session key to something > each intended recipient could decode but not be able to decode the message > itself. > This would meet both criteria (not key escrow but that is under "management") > D-H is wonderful but has difficulties with scalability. If such a function > existed (has anyone looked ?) it would solve the problem. Ah. The method I described above doesn't solve your problem; it just solves the original Shy-People's-Dating problem. If your only concern is scalability, and you don't mind doing the multiple-message handshaking Diffie-Hellman requires (<=SPD...), you can use either a signed-keypart Diffie-Hellman or just use PGP with the mailserver signing keys and keyserving. PGP approach: Bob has Public/private keys B/b, Alice A/a, Trent T/t, Sam S/s. Trent is the mail agent at Alice's company, T is well-known. Sam is the mail agent at Bob's company, S is well-known. "Well-known" means that all the mail servers know each other's pubkeys. If Alice and Bob both use the same postoffice, Sam==Trent, so it's simpler. Bob to Sam: Fetch Alice's Key Sam to Trent: Fetch Alice's Key Trent to Sam: A (signed by T) Sam verifies and caches A(signed by T), and already knows T. Sam to Bob: A (signed by T), T (signed by S). Bob verifies T's signature on A, S's on T. Bob to Sam: To: Alice at trent.aliceco.com, PGPEncrypted(Message,A) Bob either caches A, or caches T, or doesn't bother. Sam to Trent: (ditto) Trent to Alice: (ditto) Alice decodes the message. If she needs Bob's keys, she asks Sam to fetch them. So there's basically a key-fetching handshake, with Trent and Sam acting as CAs as well as keyservers, and then regular PGP. Clean, simple, and all your regular tools work, except of course that the keyservers use some database to store keys in instead of a big hulking PGP keyring. A Diffie-Hellman relative is a bit messier, because it's Diffie-Hellman. Assume that the modulus and generator p and g are agreed on (e.g. Photuris's.) Alice and Bob have their PGP public keys A, B. Trent and Sam have their PGP public keys T and S, well-known. Bob generates a random x, calculates X = g**x mod p. Bob to Sam: To: alice at trent.aliceco.com, X signed B. Sam to Trent: To: alice at trent.aliceco.com, X signed B, B signed S. Trent to Alice: To: alice, X signed B, B signed S, S signed T. Alice generates random y, calculates Y = g**y mod p, also K = X**y mod p. Alice to Trent: To: bob at sam.bobco.com, Y signed A Trent to Sam: To: bob at sam.bobco.com, Y signed A, A signed T Sam to Bob: To: bob, Y signed A, A signed T, T signed S Bob verifies Y, A, T, calculates K' = Y**x mod p == K. Bob to Sam: To: alice at trent.aliceco.com, Encrypted(Message,K). Sam to Trent: (ditto) Trent to Alice: (ditto) Alice decodes the message using K. To make things simpler, Bob might include Hash(K) or some other message identifier. In this case, the key-fetching handshake is piggybacked along with the DH key-exchange halves, and then Bob uses the jointly derived session key to send a conventionally-encrypted message (which he _could_ use PGP for...) #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # From adam at lighthouse.homeport.org Sun Mar 10 06:58:27 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sun, 10 Mar 1996 22:58:27 +0800 Subject: Jump Start ecash With IPhone In-Reply-To: Message-ID: <199603070006.TAA18662@homeport.org> Jim McCoy wrote: | Two problems: | | 1- Chaum did not have the clue to pick up on this when two | cypherpunks (who shall remain nameless...) pitched this | and several other ideas to involve ISPs in jump-starting | ecash almost two years ago, so why would he figure it out | now? But now we don't need no stinkin' license. We just use Mark Twain ecash. The big problem with this is that net phones can be subject to delay & drop out, and I don't want to deal with that when I'm talking on the phone. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From uunet!in2.uu.net!newsfeed.internetmci.com!info.ucla.edu!ihnp4.ucsd.edu!pwa.acusd.edu!news at warwick.com Sun Mar 10 06:58:44 1996 From: uunet!in2.uu.net!newsfeed.internetmci.com!info.ucla.edu!ihnp4.ucsd.edu!pwa.acusd.edu!news at warwick.com (uunet!in2.uu.net!newsfeed.internetmci.com!info.ucla.edu!ihnp4.ucsd.edu!pwa.acusd.edu!news at warwick.com) Date: Sun, 10 Mar 1996 22:58:44 +0800 Subject: test Message-ID: A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1570 bytes Desc: not available URL: From uunet!in2.uu.net!munnari.OZ.AU!news.mel.connect.com.au!harbinger.cc.monash.edu.au!usenet at warwick.com Sun Mar 10 06:59:04 1996 From: uunet!in2.uu.net!munnari.OZ.AU!news.mel.connect.com.au!harbinger.cc.monash.edu.au!usenet at warwick.com (uunet!in2.uu.net!munnari.OZ.AU!news.mel.connect.com.au!harbinger.cc.monash.edu.au!usenet at warwick.com) Date: Sun, 10 Mar 1996 22:59:04 +0800 Subject: PLEASE REPLY!! Message-ID: <4hl854$npd@harbinger.cc.monash.edu.au> david at emeraldis.com (David G. Cannon) wrote: >Did this message make it out to the "real" world?? Please reply to this message >if it did. Thankyou. > >*David* > Your message did make it David. Hi from Australia!! Jim / jaar1 at student.monash.edu.au From anonymous-remailer at shell.portal.com Sun Mar 10 07:04:14 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Sun, 10 Mar 1996 23:04:14 +0800 Subject: No Subject Message-ID: <199603101450.GAA16048@jobe.shell.portal.com> Hi! There was a discussion on How to install phone extension sometimes ago. Is there any appropriate URL or Usenet or Newsgroup or Mailing List available? Please email directly to: Durian at alpha.c2.org Thank you. From habs at warwick.com Sun Mar 10 07:11:31 1996 From: habs at warwick.com (Harry S. Hawk) Date: Sun, 10 Mar 1996 23:11:31 +0800 Subject: FCC & Internet phones In-Reply-To: Message-ID: <199603101456.JAA08887@cmyk.warwick.com> > I wonder what exactly the FCC means by the term "Internet Phone." > Does this just mean that software like IPhone will be regulated, or > will this also apply The thing is that at "best" the Iphone people (et al), are sell Equipment!. NO ONE is SELLING phone service.. I mean Selling phone service means some guy in NYC putting a sign on a store front offering 10 cents a minute calls "anyway where in the world." When you or I use Iphone (etc), we are not selling anything.. Tarrifs are for Selling.. Not "personal use." The only one selling anything is IDT with there plans to have Iphone like calls start in the US go to europe via the Internet and then switch them to regular POTS lines for the call completion.. Any Legal options here? Btw. the worst thing is all the phone companies are very very good a lobbying... congress, the FCC, etc. ALso once FCC regulations something commmerical speach becomes "restricted." Eg., tobbaco ads.. /hawk From dlv at bwalk.dm.com Sun Mar 10 08:10:31 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Mon, 11 Mar 1996 00:10:31 +0800 Subject: Petty Civil Disobedience In-Reply-To: <199603100537.VAA24499@mail1.best.com> Message-ID: jamesd at echeque.com writes: > At 10:31 AM 3/9/96 -0500, Declan B. McCullagh wrote: > > Perhaps we should put up our own protest web sites with one or two > > explicit sexual images as real civil disobedience? > > Major problem here is that ten million horny geeks are likely to bring > your server to its knees, but if one only has one image, and it is > moderately small, say thirty thousand bytes, perhaps the flood would > taper off eventually. That's a good idea for a civil disobedience campaign: get a picture you like from alt.binaries.pictures.erotica.*, shrink it to 20K or 30K, and make it available on your homepage as ObCDA. Everybody who's got a home page should display one. :-) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From stewarts at ix.netcom.com Sun Mar 10 08:18:15 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 11 Mar 1996 00:18:15 +0800 Subject: crypto ++ where? Message-ID: <199603080547.VAA27469@ix7.ix.netcom.com> At 01:32 AM 3/7/96 -0500, you wrote: >How can I obtain crypto++, I seem to have deleted the email I had reguarding it. The Cypherpunks mailing list is archived on *.hks.net. You can read it with a news reader on nntp.hks.net, or check www.hks.net (which tends to run a few weeks behind since it's indexed monthly so the current partial-month isn't indexed yet.) #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # From stewarts at ix.netcom.com Sun Mar 10 08:18:20 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 11 Mar 1996 00:18:20 +0800 Subject: FCC and Internet telephones Message-ID: <199603080547.VAA27453@ix7.ix.netcom.com> At 06:16 PM 3/6/96 -0800, you wrote: > >Dost my ears deceive me? Is this true? >-------- INCLUDED MESSAGE > FCC Asked to Stop Net Phones True that some organization is asking the _government_ to stop their competition? I'm shocked! Why, next thing you know people will be asking the government to restrict imports of small cars, restrict who can run radio stations, ban the hemp industry, tax imported sugar, or limit campaign contributions to non-incumbents. ("Not possible", you say - "that would be Un-American!") Of course it's true. Will the FCC do what they want? Who knows; it's stupid enough that they just might, but it may end up like the Craig Shergold O'Hair Memorial Modem Tax with people writing them crank letters for years after they've decided not to. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # From cp at proust.suba.com Sun Mar 10 08:18:27 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Mon, 11 Mar 1996 00:18:27 +0800 Subject: Not a good idea... In-Reply-To: Message-ID: <199603080546.XAA00397@proust.suba.com> > If SurfWatch can be sued for a "bad review," then Siskel and Ebert had > better find a new line of work. I might be stretching things a bit, but couldn't you call a CA a "review service"? Essentially instead of having a banned list, you have an "accepted list". Right now, CAs seem to be all using the same narrow critera for putting someone on the accepted list -- knowledge about the identity of someone running the site. If CAs are liable, then why not SurfWatch? Or better yet, if SurfWatch isn't liable, then why should a CA be? The problem of liability is a real one, at least with a protocol like X.509. Sites need to have certs to interoperate with the rest of the world, and CAs seem to expose themselves to liability by issuing certs. That means that certs are going to cost money, or at least more than they would otherwise. And that could have a chilling effect on the widespread deployment of crypto. As was recently pointed out in another context, security is economics, and anything that adds cost to security means less security for everyone. I think in general we ought to oppose laws which expand liability for things people do online; liability can almost be viewed as another form of regulation. A judgment against a tobacco company would probably have the same effect as an outight ban on cigarettes. What's more, protocols which force authentiion on people who might only want or need encryption aren't good. With liability figured in authentication costs a lot more money than basic encryption. Say what you want about patents, the other main hurdle standing between us and really free crypto, but if we're willing to wait, they'll go away. Our goal ought to be totally free access to crypto tools without legal interferrence, cost (even for commercial applications), incompatibility with dominant standards, or risk of liability. From tj_lists at prado.com Sun Mar 10 08:19:38 1996 From: tj_lists at prado.com (tj_lists at prado.com) Date: Mon, 11 Mar 1996 00:19:38 +0800 Subject: Another Motivation for the CDA (Federal Sentencing Guidelines) Message-ID: <199603080654.WAA21592@zoe.prado.com> ** Reply to note from Deranged Mutant 03/07/96 7:06pm +0000 > Yes and no. Depends on the judge. Some are hard-assed about granting > waivers, others aren't. Part of the problerm is that judges have too ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > much discretion. ^^^^^^^^^^^^^^^^^ Couldn't help noticing this, presume you mean Federal Judges since the waiver would be from aspects of GCA 1968, a Federal law. The fact is, at least in sentencing, Federal Judges now have very little discretion. The Federal Sentencing Guideline structure established in the 1980's provides "guidelines" for a given defendant convicted of a given set of charges. Things like prior offenses add "points", ratting on your friends takes away "points". In this case less is better than more. Anyway, a low level bureaucrat fills out a presentence investigation report on the basis of complicated, arcane rules it is easy to get wrong. This report goes to the judge who can pass sentence only within a narrow range, say 6 months 1 way or the other on a 5 year sentence (very few new Federal "crimes" carry less than this). Any departure from this range, either upward or downward, must be justified in a formal opinion, & can be appealed by either party. Very few judges bother. This system is cookie cutter in-justice at it's finest, & only a lack of bureaucratic imagination has prevented it from being computerized beyond the use of word processors to write the report. Since well over 90% of Federal Criminal cases end in guilty pleas, this method has the effect of transferring discretion that formerly belonged to the judge to the prosecutor, who gets to pick from a variety of charges covering the same offense, and the low level flunkey who gets to fill out the forms. This is exactly the big problem with the new "crime" of using encryption in a felony in the Leahy bill. Assuming for a moment this new law is tailored very narrowly & is only used on people who 1. Commit without governmental entrapment an underlying felony. 2. Exclusively use encrypted traffic in direct furtherance of the underlying felony, (example: murder for hire is negotiated via encrypted messages) there still remains the fact that this is simply another tool of prosecutorial discretion, of which there is way to much already. The problem with prosecutorial discretion is that it is always used to encourage snitching, turning this country into a nation of Pavel Mozorov's (12 year old Hero of the Soviet Union who ratted out his parents to the Cheka for concealing a pig from collectivization. His uncles did as should be done in such cases & cut him up with an axe). However, I do agree that in setting conditions other than fines & prison time, Federal Judges do have too much discretion. Chris Lambert (mthreat, Minor Threat) a 21 year old Austin cracker now doing time in Bastrop FCI, as part of his sentence is forbidden to own or work with any computer w/ modem or network card/connection. This of course is to apply after he gets out. Traditionally, counterfeiters, who come from the ranks of printers, merely have to report to their parole officer & get his ok in order to own or go to work for a print shop. cc: cypherpunks at toad.com mthreat at paranoia.com From jimbell at pacifier.com Sun Mar 10 08:19:44 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 11 Mar 1996 00:19:44 +0800 Subject: Anonymous remailers and Leahy bill Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 08:03 PM 3/7/96 -0500, Jonathan Rochkind wrote: >At 5:22 PM 03/07/96, jim bell wrote: >>Wouldn't help "Bob" in the least. And you didn't read what I wrote very >>carefully, either: Notice that I said, "under a different name." In other >>words, the source of the note does not identify the user name under which >>the illegal activity is promised to occur. Cancelling this particular >>fellow's account does NOTHING to prevent the illegal activity from >>occurring by other, unidentified users, and "Bob" knows it. > >How is this differnet then me calling up AOL and saying "Using a friend's >account whose password I have, I'm going to send child pornography out to >many people sometime tommorow"? It may be similarly illegal, but it's still a bit different. See below. > >I don't know if it is or not, but hopefully it's the same. As long as >anonymous remailers are legally identical to ISPs, I think we don't have to >worry too much becuase ISPs are now serious money-making businesses with >lots to spend on lobbying and legal fees, and will fight any laws that >effect them such. It is occasionally argued that business doesn't like regulation. That observation is misleading: It turns out that _big_ business actually benefits, at least differentially, from regulation: If it costs a fixed amount to keep a corporation on the right side of the regulation, that's the same for a tiny company and a large company, in fixed dollars. However, as a fraction of sales, it can be vastly different. "Big business" is well aware that regulations keep down the competition. "Big business" wants JUST ENOUGH regulation to achieve its ends of reducing competition, but without being too expensive for itself. > Whether this Leahy bill is passed or not, clearly AOL >is not going to quietly shut down their entire company after receiving such >a phone call. And they can't really do anything to stop the theoretical >next-day child porn mailing either. One big advantage that AOL, or for that matter ANY online service has, is that its customers (or the customers of a competing big service) will be on any jury. They are familiar with how such an organization operates, and they can sympathize a bit with the difficulty of monitoring all this material. They may, in fact, want to KEEP AOL from doing this monitoring, and thus they'll cut AOL some slack when it comes to any decision. Prosecutors know this, judges know this, etc. In this case, familiarity breeds tolerance. Encrypted anonymous remailers, however, are more of a shady, fly-by-night sort of operation. The average AOL user may not even have HEARD about them, let alone actually used them or depended on their continued existence. It is far less likely that a juror will understand why they exist, and will be more likely to think the remailer is responsible for any illegalities committed with that service. Besides, any prosecutor is fully aware that AOL has enough money to defend itself fully, and has the ability to generate angry publicity from its customers against its harassers. Essentially by definition, an anonymous remailer can't count on anyone stepping forward and saying, "I use this encrypted anonymous remailer a lot..." >So it would be beneficial to present anonymous remailers as just another >sort of internet service provider. And we only really have to worry when >there are laws that seem to apply to anon remailers but not AOL. On the contrary: It is the application of any such law which is critical, and that can't be accurately gauged until the law is actually passed and it is in the hands of prosecutors. I'm not willing to give them that chance. I'm certain they will abuse the law. But if you doubt their motivations, I recommend that you try to have that section removed. If that section was put there just as a "throwaway," they won't squawk. But I predict they will be extremely reluctant to remove it, because that's exactly the portion of the bill they really want. They don't want you to know this, of course. Please test them. Jim Bell jimbell at pacifier.com Klaatu Burada Nikto -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMT/FyvqHVDBboB2dAQGWbgQAlEpgHvprqslBSJLaGO4A6uk6ixAzVp9L 0FNEFlBqqnTVzLN4phPcjUb1DTPkjQqqoMDFJYD9nBGucyLWfGdvU5xxxLYD9ZAy Qfh57JQoFeR6og9M4khYwAhic+qCXphWKegH7fIGolMi4vW8SXv+OcSbPMQqTAAk rdGarImmTmc= =/9/5 -----END PGP SIGNATURE----- From jya at pipeline.com Sun Mar 10 08:28:24 1996 From: jya at pipeline.com (John Young) Date: Mon, 11 Mar 1996 00:28:24 +0800 Subject: FCC v. Internet Phone? Message-ID: <199603091507.KAA27706@pipe2.nyc.pipeline.com> TWP March 8: "Long-Distance Dueling. Free Dialing Via Internet Faces a Challenge From Small Phone Firms." VIA_net From vznuri at netcom.com Sun Mar 10 08:41:11 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Mon, 11 Mar 1996 00:41:11 +0800 Subject: steganographic trick In-Reply-To: <960308040205_240667097@emout04.mail.aol.com> Message-ID: <199603082130.NAA26560@netcom4.netcom.com> >> given one key, it decrypts into one set of data, and given >>another key, it decrypts into another set of data. > >The only computationally feasible way to accomplish this would be to use a >variation of the one time pad (OTP) cipher, and use two keys: the genuine >key, which is made by the random number generator of your choice, and a >specially cooked key generated by XORing the encrypted message with an >innocuous message. Decrypting with the random key will yield the real >message, and decrypting with the cooked key will yield the innocuous message. > The disadvantage to this system is that each key will be the same length as >the message. I don't agree that this is the only way to accomplish the problem I proposed. I gave a scheme that is not equivalent to the one you state. you seem not to address my actual technical description, although I admit it requires a bit of inference on the part of the reader. in the scheme I proposed, P1 and P2 are the two keys. an XOR or OTP system has nothing to do with what I described. one problem you do remind me of is that P1 and P2 are going to be hard to "remember". of course the way PGP handles this is a pass phrase that unlocks the encrypted key using the IDEA cipher. another interesting approach would be to use a hash of the passphrase as a random seed in the process to get the prime number. in other words, the passphrase is the seed to the algorithm that hunts for the prime number starting at some random location, and if fed the same seed (the hash of the passphase) it will again find the same prime number.... >The method you propose (using multiple RSA keys) is not workable. Finding 2 >RSA keys that will decrypt a given ciphertext block to any 2 meaningful >plaintexts is at least as difficult as breaking RSA, and expanding this >concept to messages longer than 1 block moves it into the realm of >impossibility. I believe you have misunderstood my description. I gave a feasible system. I don't know precisely what you mean by "multiple RSA keys". my system did not have any aspect of public key crypto to it. it is a single key cipher. From gary at kampai.euronet.nl Sun Mar 10 08:42:03 1996 From: gary at kampai.euronet.nl (Gary Howland) Date: Mon, 11 Mar 1996 00:42:03 +0800 Subject: Leahy's guillotine Message-ID: <199603101630.RAA08311@kampai.euronet.nl> Bill Stewart wrote: > Let's look at the word "willfully". Among other things, it implies > knowledge; under US law, to be guilty you have to know you did something > that you at least reasonably believe is an activity that you're not supposed > to do. Agreed, but it's precisely the sort of thing that is misinterpreted by prosecutors and has to be resolved by a judge after a potentially long stay in prison whilst awaiting trial. (All depending on circumstances of course). Too close for comfort I'm afraid. Jim Bell wrote: > 2804. Unlawful use of encryption to obstruct justice > Whoever willfully endeavors (by means of encryption) to (obstruct, > impede, or prevent) the communication of (information in furtherance > to a felony) (which may be prosecuted in a court of the United States), > to an investigative or law enforcement officer shall... I think the following is a tad better: Whoever willfully endeavors (by means of encryption) to (obstruct, impede, or prevent) the communication of information (in furtherance to a felony (which may be prosecuted in a court of the United States)), to an investigative (or law enforcement) officer shall... Gary -- pub 1024/C001D00D 1996/01/22 Gary Howland Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06 From lharrison at mhv.net Sun Mar 10 09:10:38 1996 From: lharrison at mhv.net (Lynne L. Harrison) Date: Mon, 11 Mar 1996 01:10:38 +0800 Subject: FWD: FCC's Implementing the CDA Schedule Message-ID: <9603101655.AA09844@mhv.net> FYI - **************************************************** FCC Schedule for Rulemaking Implementing The Communications Decency Act The FCC has announced a schedule for promulgating regulations implementing the Telecommunications Act of 1996. The Communications Decency Act is number 28 on that schedule. The following is from the FCC announcement: Issues/FCC Bureas 28. Obscene or Harassing Use of Telecom. Facilities CCB [Common Carrier Bureau] [OGC] [Office of General Counsel] Statutory Requirements/Deadlines Pursuant to section 223, FCC may describe measures which are reasonable, effective, and appropriate to restrict access to prohibited communications. (83) FCC shall have no enforcement authority over the failure to utilize such measures. FCC shall not endorse specific products relating to such measures.(83) FCC Proceedings Section 223 Measures Timetable NOI [Notice of Inquiry] Third Quarter 1996 Policy Statement First Quarter 1997 For Further Information Contact: Robert Cannon, Esq. 2358 N. Vernon Street Arlington, VA 22207 202-862-4395 (o) 703-527-6631 (home office) ********************************************************** Lynne L. Harrison, Esq. | "The key to life: Poughkeepsie, New York | - Get up; E-mail: | - Survive; lharrison at mhv.net | - Go to bed." ********************************************************** From jf_avon at citenet.net Sun Mar 10 09:14:12 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Mon, 11 Mar 1996 01:14:12 +0800 Subject: rhetorical trickery Message-ID: <9603101655.AA20716@cti02.citenet.net> >Or it's the list of local dairies, and the guy can't spel.... Diary, dairies... It gives me diarrhoea! Jay Effay From lharrison at mhv.net Sun Mar 10 09:26:14 1996 From: lharrison at mhv.net (Lynne L. Harrison) Date: Mon, 11 Mar 1996 01:26:14 +0800 Subject: FWD: FCC's Implementing the CDA Schedule Message-ID: <9603101704.AA10490@mhv.net> Oops. The URL is: http://www.cais.net/cannon/noi.html/ ********************************************************** Lynne L. Harrison, Esq. | "The key to life: Poughkeepsie, New York | - Get up; E-mail: | - Survive; lharrison at mhv.net | - Go to bed." ********************************************************** From nobody at REPLAY.COM Sun Mar 10 09:27:22 1996 From: nobody at REPLAY.COM (Anonymous) Date: Mon, 11 Mar 1996 01:27:22 +0800 Subject: Explosives, Criminality, and Preemptive Action Message-ID: <199603101703.SAA09526@utopia.hacktic.nl> At Sun, 10 Mar 1996 Timothy C. May wrote: > At 7:06 AM 3/10/96, JonWienke at aol.com wrote: > >Who says they were going to blow anything up? It is perfectly legit for > >farms to have large quantities of fertilizer around--they use it all the > >time. Same with diesel fuel--what are they supposed to run the tractors and > >combines with? Dog piss? DUHHHH! As far as having the instructions for > >mixing them to go boom, who the hell made that a crime? You could bust most > >of the farmers in this country if you criminalize simultaneous posession of > >fertilizer and diesel fuel. Did these people ever actually mix any of the > >fert. and fuel together? Did they threaten to blow up anything? > > > My personal belief, from the news reports I've read (which may be > incorrect, of course), is that the ingredients were for use in a bomb, > whether or not they'd ever have gone through with it or not. The ancillary > items found (dozens of assault rifles, weapons manuals, patriot literature, > crank, meth, etc.), and the stockpiling of ANFO precursors, suggests an > Oklahoma City-type scenario. Hey!, if I lived on a farm I would no doubt possess similar amounts of fertilizer and diesel. I would also possess a few dozen assault rifles if I could afford to (not that I'm a gun nut [I do happen to enjoy shooting, and would doubtless own a few if I lived on a farm] but would have "stocked up" before Klintons assault rifle bill.) I also possess weapons manuals (ranging from bullwhips to blowguns to 66mm anti tank weapons) and what you would call patriot literature (ranging from books on Jefferson, on the civil war ("The South was Right"), to The Turner Diaries.) I am also an ocaissional drug user, so you may find varying amounts of coke/crack, meth, horse, LSD, peyote, and ecstasy in my abode. In addition to this you would find books on lockpicking, hacking, drug manuafacture, holocaust revisionism, credit card fraud, false ID, smuggling, gun-running and tax evasion. You would also find some very violent movies in my collection. But, despite all of these circumstances, I assure you that I have not (and would, ney, could not) commit any non-victimless crime. I am an out and out pacifist Libertarian. > This is what I think was objective reality. I think this is what I call circumstancial evidence. From jamesd at echeque.com Sun Mar 10 09:35:35 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Mon, 11 Mar 1996 01:35:35 +0800 Subject: Petty Civil Disobedience Message-ID: <199603101719.JAA02292@dns1.noc.best.net> At 10:31 AM 3/9/96 -0500, Declan B. McCullagh wrote: > Perhaps we should put up our own protest web sites with one or two > explicit sexual images as real civil disobedience? I have added a pornographic image to my web site as an act of real civil disobedience. I urge others to do the same. In the course of doing this, I discovered that on windows, Netscape makes jpegs of naked pretty girls look like crap. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From erc at dal1820.computek.net Sun Mar 10 09:50:01 1996 From: erc at dal1820.computek.net (Ed Carp) Date: Mon, 11 Mar 1996 01:50:01 +0800 Subject: Explosives, Criminality, and Preemptive Action In-Reply-To: <199603101703.SAA09526@utopia.hacktic.nl> Message-ID: It is quite common to find ammonium nitrate fertilizer and diesel fuel on a farm, as well as blasting caps, dynamite, gasoline, soap, and a host of other things that could be used to make a bomb. When non-country folks bring it up, my most common reaction is, "so?" Lots of stuff that you find on a farm can be made to hurt lots of other people. Guns, rat poison, flammables, explosives ... the list goes on and on. Doesn't mean that they are used for such purposes, nor does it mean that such would ever be anyone's intent. They are tools, nothing more. Next thing you know, they'll be banning selling ammonia and chlorine bleach together. Sheesh. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes The mark of a good conspiracy theory is its untestability. -- Andrew Spring From erc at dal1820.computek.net Sun Mar 10 09:54:15 1996 From: erc at dal1820.computek.net (Ed Carp) Date: Mon, 11 Mar 1996 01:54:15 +0800 Subject: Petty Civil Disobedience In-Reply-To: <199603101719.JAA02292@dns1.noc.best.net> Message-ID: On Sun, 10 Mar 1996 jamesd at echeque.com wrote: > I have added a pornographic image to my web site as an act of > real civil disobedience. I urge others to do the same. > > In the course of doing this, I discovered that on windows, Netscape > makes jpegs of naked pretty girls look like crap. Check your screen resolution, and make sure it is displaying 256 colors or more. If it's set to 16 colors, it *will* look like crap. Also might want to check the Preferences property sheets in Netscape. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes The mark of a good conspiracy theory is its untestability. -- Andrew Spring From jamesd at echeque.com Sun Mar 10 10:29:58 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Mon, 11 Mar 1996 02:29:58 +0800 Subject: Petty Civil Disobedience Message-ID: <199603101821.KAA07814@mail1.best.com> On Sun, 10 Mar 1996 jamesd at echeque.com wrote: > > I have added a pornographic image to my web site as an act of > > real civil disobedience. I urge others to do the same. > > > > In the course of doing this, I discovered that on windows, Netscape > > makes jpegs of naked pretty girls look like crap. At 11:40 AM 3/10/96 +0000, Ed Carp wrote: > Check your screen resolution, and make sure it is displaying 256 colors It is not my screen, nor the image, but rather a very common defect in the way they have implemented Floyd Steinberg dithering. They dither to the color cube, as does the Central Point Software file viewer, whose dithering program I wrote, but the Central point software file viewer does a vastly better job. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jf_avon at citenet.net Sun Mar 10 10:49:23 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Mon, 11 Mar 1996 02:49:23 +0800 Subject: [govt] artist coercion Message-ID: <9603101837.AA24771@cti02.citenet.net> -----BEGIN PGP SIGNED MESSAGE----- Bill Stewart wrote: >I'll agree with that, except in cases where the corporate client is >being coerced by government (or other Mafia) into not buying >some forms of controversial art. We'd see more controversial >movies/plays/performance art on TV, for instance, if the government >weren't helping us. The coercion occurs at the govt/businessman interface and it does not concern the artist/businessman interface. If the artist refused to com promise, the businessman activities would be so lame that nobody would get interested in it. And it is about time that the business world regain power. I do not mean the big govt-sucking business but the millions of small business that get fleeced by the govt/big business affiliation. > > >>JFA >>Accepting a grant is accepting stolen money. >Only a government grant, or a grant from other thieves... > >>Restore an objective monetary standard such as gold! > >I can see why you don't want the government telling us we have >to use government-printed soft money, but why should they tell us >we have to use "objective" money, whether gold, silver, or > hempscript? >Why should they be making those decisions for us at all? >The free market can do a fine job of picking between competing >hard, mushy, soft, and totally vaporous currencies, and >encouraging or discouraging people from issueing them. Of >course, if you believe >in using government-funded courts to enforce your contracts, >you're stuck with whatever subjective standards the government >feels like using. I think that you are taking things out of context a bit. A govt is a tool that *we* create in order to help run certains things. Among others, are the defence dept, the courts applying as objective as possibles laws and the issuing of money. But today's govt is a living blood thirsty entity that went loose on it's own... JFA -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQEVAwUBMULKtciycyXFit0NAQF47gf9GTIlhde47TbZ3YRqKvCuQPiFZJvXsrgZ TZxuLQBP2HxW2vFnBQZiPdW2tWVmUMl2ZX6dblKX2S2yHK54+JhGSLIdSGRdsTyW iLnbu0b5LUT+bAcXOat7cR7JtoqoycbIbATsxLYi0W7U+9HImKWUhJmqsn8mD+Uo 6KmN4Z5TtWGdJ8MMXGncdAX9nhMZosilBfaAOUcm5vzLK2k0ehxNFvRusetuYGGW i+KXkIV9csnWgZ5qfbT1VluPb/v5LIjP6BRxNTTm3PlqIPW7qFyqKHF+eu7PhPK9 vBrMj+hBVpPCE/oJ0xAI79MpJyTvDCfIcwrQrNMEnPoCTpGgGogc/w== =nfLr -----END PGP SIGNATURE----- Public Key at http://w3.citenet.net/users/jf_avon Jean-Francois Avon 2048 bits key ID:C58ADD0D 1996/03/01 fingerprint=52 96 45 E8 20 5A 8A 5E F8 7C C8 6F AE FE F8 91 From nobody at c2.org Sun Mar 10 10:54:31 1996 From: nobody at c2.org (Anonymous User) Date: Mon, 11 Mar 1996 02:54:31 +0800 Subject: Offshore Online Message-ID: <199603101833.KAA15479@infinity.c2.org> Yet another Offshore/Privacy provider is online. Try http://194.157.210.14. If you're running First Class Cleint set the network address to 194.157.210.14 port 3004 and create your own userid when you're online. Cypherpunks/cypherpunks is a valid login, but has a daily time limit of 30 minutes, so you might want to create a new identity. From weld at l0pht.com Sun Mar 10 10:55:49 1996 From: weld at l0pht.com (Weld Pond) Date: Mon, 11 Mar 1996 02:55:49 +0800 Subject: Infosecurity News blurb on Notes Message-ID: >From the March/April 1996 issue. Lotus accepts escrow In a compromise to obtain export permission, Lotus Development Copr. has agreed to escrow 24 bits of the 64-bit encryption keys used in the new release of Lotus Notes. The U.S. government allows export of unescrowed 40-bit key strings. Under the Lotus plan, U.S. agents will be able to access the escrowed portion of the key but would still have to decrypt the rest to obtain a clear-text message. Althought the NSA has not said it can decrypt 40-bit DES encryption, many postuylate that it can. [end excerpt] Postulate??? And I thought Notes used RC4? Pretty bad for a security journal. Weld Pond - weld at l0pht.com - http://www.l0pht.com/~weld L 0 p h t H e a v y I n d u s t r i e s Technical archives for the people - Bio/Electro/Crypto/Radio From anonymous-remailer at shell.portal.com Sun Mar 10 11:00:52 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Mon, 11 Mar 1996 03:00:52 +0800 Subject: ANTI-CRYPTO CYPHERPUNKS Message-ID: <199603080239.SAA00668@jobe.shell.portal.com> B. Schneier: bs208 at newton.cam.ac.uk, schneier at counterpane.com M. Blaze: mab at crypto.com, mab at research.att.com J. Bizdos: jim at rsa.com S. Safaddar: shabbir at vtw.org D. Weinstein: djw at vplus.com P.. Peterson: padgett at hobbes.orl.mmc.com I wish to point out that some of these people are just probably misguided and should be educated not hurt. A full mail spool is educatio[nal but but it would IMHO be wrong to do mailbombing the postmaster or hacking their accts etc. Give them a chance. From anonymous-remailer at shell.portal.com Sun Mar 10 11:01:11 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Mon, 11 Mar 1996 03:01:11 +0800 Subject: ANTI-CRYPTO CYPHERPUNKS Message-ID: <199603080305.TAA03009@jobe.shell.portal.com> This is the first in a regular series of postings of cypherpunks who have joined big brothers fight to deprive you from Unescrowed Crypto. Some of these pigs have come out in favor of the new anticrypto bill which makes it a crime to use crypto if big bro can't read it and also sets up key escrow but others have just said that they don't care if the government can read YOUR mail as long as they get what they want. A few megabytes an hour of email from real cypherpunks/patriots should help these guys see the errors of their way when they give away your rights. B. Schneier: bs208 at newton.cam.ac.uk, schneier at counterpane.com M. Blaze: mab at crypto.com, mab at research.att.com J. Bizdos: jim at rsa.com S. Safaddar: shabbir at vtw.org D. Weinstein: djw at vplus.com P.. Peterson: padgett at hobbes.orl.mmc.com From lmccarth at cs.umass.edu Sun Mar 10 11:01:39 1996 From: lmccarth at cs.umass.edu (lmccarth at cs.umass.edu) Date: Mon, 11 Mar 1996 03:01:39 +0800 Subject: Request Comments: Transpose/XOR Hash In-Reply-To: <199603040416.XAA23922@bb.hks.net> Message-ID: <199603080211.VAA05994@thor.cs.umass.edu> -----BEGIN PGP SIGNED MESSAGE----- Olcay Cirit writes: > I'd like to know if anyone has comments regarding the hash > method I came up with. My primary suggestion is that you do some reading in a good crypto text like Applied Cryptography (2nd ed.). The introduction to PRZ's manual for PGP is also particularly germane, as is the sci.crypt FAQ. > It is a combination of Transposition > and XORing. Basically, it works like this: > > Let's say K is the 8 character key that will be hashed. > There are two binary accumulators M and L, which store the > Most and Least significant bits in each byte of K. After M and > L are both 8 bits long, they are XORed together and the > resulting value replaces byte N in the Key. This is repeated > 8 times, and each time, N is incremented by one. OK, since I'm procrastinating doing some non-crypto work right now, I looked at your algorithm for 10 minutes or so. Your description is rather vague, so I'm not sure I understand exactly what you're proposing. My best guess is: The hash has 8 rounds. The initial 64-bit digest value is H = K. For notational convenience, let H[i] denote the i-th byte of H, and H[i,j] denote the j-th bit of H[i]. Juxtaposition denotes concatenation. I'll assume bit 1 is the MSB. You hash K by doing: H = K for k = 1 to 8 do M = H[1,1] H[2,1] ... H[8,1] L = H[1,8] H[2,8] ... H[8,8] H[k] = M xor L od return H First of all, this isn't even a good checksum, since the output depends on only 16 of the 64 input bits (namely the MSBs and LSBs of each byte of K). Many pairs of output bits are highly correlated (in fact, equal). H[2,1] == H[3,1] == ... == H[8,1] because H[1] doesn't change after the first round. Similarly H[1,8] == H[2,8] == ... == H[8,8] because H[8] doesn't change until the end of the algorithm. For each other choice of bit index j, there's a "before" value H[1,j] == ... == H[j,j] and an "after" value H[j+1,j] == ... == H[8,j]. This tells us that there are at most 2^(1 + 7*2) == 2^15 possible hash output values. But it would be faster to take advantage of the observation that for each j, H[1,j] == K[j,1] xor K[j,8]. We guess the 8 LSBs as g_1, g_2, ..., g_8, and compute the corresponding 8 MSBs as m_j = g_j xor H[1,j], which gives us all the information we need to compute a hash value. So we can compute a preimage of an arbitrary hash value with at most 2^8 = 256 guesses. In any case, this is an extremely weak cryptographic hash. Lewis "...made my own pretty hate machine" (Tori Amos) lmccarth at cs.umass.edu http://www.cs.umass.edu/~lmccarth -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMT+XOWf7YYibNzjpAQHSSAQA3iBNxdO/xtWUVK66tw/JsgMnEG6U/KwD wurB+s8GpMEUHlHAuKpTDeiJJDe1qIPHg7lXoArs7kadgBTcnGVkaoMsLZ5zWStb yLJ5rMn2M4C1SnlxSkE6DfGXxnjbrAZtI60vwuIAkuPwJRknDyrmY/dTizy4R8GU Erf/KmTj0uU= =P1O+ -----END PGP SIGNATURE----- From lmccarth at cs.umass.edu Sun Mar 10 11:04:23 1996 From: lmccarth at cs.umass.edu (lmccarth at cs.umass.edu) Date: Mon, 11 Mar 1996 03:04:23 +0800 Subject: What's anyone know about Teledyne Electronic Technologies? In-Reply-To: Message-ID: <199603080232.VAA27660@thor.cs.umass.edu> Mark Aldrich writes: > Teledyne (TET) is out marketing a "new" crypto system as a competitor > against DES and what TET calls "linear" cryptosystems. They are claiming > a non-linear approach in which (as best I can tell) they are permuting > the s-boxes and using 4 bit/16 entry substitution tables. > > They are also asserting that these "key generated substitution tables and > inter-round permutations" are supported by "nonlinear orthomorphic > mappings generated from arbitrary key" (and that this is patented) and > "row-complete Latin Squares generated from an arbitrary key" (and that > this is also patented). Lothrop Mittenthal, who is Senior Cryptologist at TET, gave a sparsely- attended talk about some or all of this stuff at the RSA conference in January. The title was "Statistically Efficient Inter-round Mixing in Block Substitution Devices". I came in late and was ill-prepared to evaluate much of what he was presenting, so I can't offer any useful technical opinion. Copies of his transparencies are in the RSADSC proceedings, so you might try to borrow someone's copy, or I suppose someone could scan `em and mail you a copy. He didn't give an email address AFAIK, but according to the proceedings his phone is (in the PST zone) (805) 498-3621 ext. 5005 Lots of cypherpunks were wandering around there, so maybe someone else heard the whole seminar and can comment. (CME ?) -Lewis "You've got no secrets to conceal. How does it feel ?" (Dylan) From jya at pipeline.com Sun Mar 10 11:05:10 1996 From: jya at pipeline.com (John Young) Date: Mon, 11 Mar 1996 03:05:10 +0800 Subject: TER_ror Message-ID: <199603080259.VAA05749@pipe2.nyc.pipeline.com> The Economist, March 2, 1996, pp. 23-25. What is terrorism? The use of terror is more widespread and effective than is generally recognised June 1914: a young man in Sarajevo steps up to a carriage and fires his pistol. The Archduke Eerdinand dies. Within weeks, the first world war has begun. The 1940s: the French resistance kill occupying troops when and how they can. June 1944: at Oradour-sur-Glane, in central France, German SS troops take revenge, massacring 642 villagers. August 1945: the United States Air Eorce drops the world's first nuclear weapons. Some 190,000 Japanese die, nearly all of them civilians. Within days the second world war has ended. Which of these four events was an act of terrorism? Which achieved anything? Which, if any, will history judge as justified? And whose history? Terrorism is not the simple, sharp-edged, bad-guy phenomenon we all love to condemn. No clear line marks off politics from the threat of force, threat from use, use from covert or open war. Who is or is not a terrorist? The suicide bomber, the rebel guerrilla, the liberation front, the armed forces of the state? In practice, what act or person earns the label depends on who wants to apply it. To Ulster loyalists all IRA violence is terrorism; to Sinn Fein it is part of a legitimate war.To many Israelis, everyone from the suicidebombers in Jerusalem or Ashkelon to the Hizbollah grenade-thrower in South Lebanon is a terrorist; to many Arabs during the 1982 Lebanon war, the worst terrorists in the Middle East were the -- entirely legitimate, uniformed -- Israel Defence Force. If the concept is not to vanish into all-embracing fudge, two distinctions can be drawn, though habitually they are not. Terrorism is indeed about terror; not just violence, but its use to spread terror. And the violence is aimed specifically at civilians. Classical terrorism, ideological rather than territorial, reveals the niceties. Recent decades saw West Germany's Baader-Meinhof gang and Red Army Faction murder prominent businessmen such as Alfred Herrhausen and Jurgen Ponto (bosses of Germany's two largest banks, Deutsche and Dresdner respectively. Italy's Red Brigades murdered Aldo Moro, a former prime minister. Its far right in 1980 blew up a train in Bologna station, killing 84 people. Which of these was truly terrorism? Arguably, only the last. It was an act of indiscriminate violence to terrorise citizens at large; the others were discriminate assassinations to win publicity and display power. Likewise, lobbing mortar-bombs into a British army base in South Armagh may have deadly results, but it is guerrilla warfare. Planting a bomb that kills a dozen diners in a restaurant is terrorism. The suicide bomber in Jerusalem was a terrorist; the Hizbollah fighter in South Lebanon attacking Israeli army patrols is not. Even in the distinction between guerrilla warfare and terrorism, there are grey areas. The soldier in a tank is a military target. What about one in a jeep escorting civilian vehicles? Or returning on a bus from leave? A bus that may -- and was, when a suicide bomber attacked it in Gaza last April -- be carrying civilians too? There are, in contrast, distinctions often made that ought not to be. What is or is not "terrorism" does not depend on the badness or goodness of the cause, nor on whether those espousing it have the chance to express their demands democratically. When President James Garfield was assassinated in America in the same year, 1881, that a Russian terrorist group blew up Tsar Alexander II, the Russians wrote an open letter condemning Garfield's killers and arguing that: In a land where the citizens are free to express their ideas, and where the will of the people does not merely make the law but appoints the person who is to carry the law into effect, political assassination is the manifestation of despotism ... Despotism is always blameworthy and force can only be justified when employed to resist force. Yet despotism does not justify throwing bombs into crowds (as the group sometimes did). The fact is that a good cause may use terrorism just as a bad one may. South Africa has provided a clear example. The ending of white dominance was a plainly good cause. For the most part, the African National Congress used mass demonstrations and industrial sabotage to advance its cause. But the men who shot up a white church congregation or planted a bomb outside a cinema were terrorists in the purest sense of the word. Nor does the terrorists' ultimate success or failure alter the truth. Menachem Begin got to lead a country; Yasser Arafat may do; Velupillai Prabhakaran, who leads the Tamil Tigers, probably will not. None of that changes the fact that Deir Yassin (a massacre of Palestinian villagers by Israelis fighting to establish their state), the killing of 11 Israeli athletes at the Munich Olympics in 1972 and this year's Tamil Tiger bomb in Colombo were all acts of terror. The terror of the state So much for the underdogs. Can there be terrorist governments too? The Americans certainly think so when they accuse Libya or Iran of supporting international terrorism. In the cold war, international terrorists were used to wage war by proxy: the East German regime provided safe houses for Baaders and Meinhofs; the modern era's most notorious terrorist, the gun-for-hire Carlos the Jackal, made his career in this world of state-sponsored terrorism. All that was diplomacy by terror. Can a recognised government also be guilty of terrorism against its own people? Yes. Stalin used terror systematically to consolidate his power -- random murders of Communist-Party members and army officers in the 1930s, massacres and exiles of smaller ethnic groups throughout his rule. Much of Latin America practised state terrorism in recent decades. The brasshat regimes of the day faced left-wing, sometimes terrorist movements. Many fought back with terror. And not just through paramilitaries or unacknowledged death squads. The infamous massacre at El Mozote in El Salvador in 1981 was the work of that country's regular army. The unit that did it had a cheerful song of its own, "Somos Guerreros": We are warriors, Warriors all! We are setting out to kill A mountain of terrorists. What in fact they killed was over 500 peasants; probably the worst "official" massacre in Latin America's recent history. Can regular armies, in regular war, be guilty of terrorism? The answer, surely, is yes. Look at the Japanese rape of Nanking in 1937, when not hundreds or thousands but ten of thousands of civilians were murdered, to terrorise the rest of China. Then go a step further. Can the armies of proud democracies be guilty too? A century ago, the rich world, with the rules of war that it claimed to use, would have called attacking civilians impermissable. The modern world has other ideas. The Allied bombing of Germany was aimed at civilians in the hope of shattering morale: in short, terror. The fire bombing of Tokyo and the atomic weapons that vaporised Hiroshima and Nagasaki were arguably aimed at government morale, not that of Japan's population. Their victims did not notice the difference. Who kills and how? What use, one can ask, is a definition so wide that it can go from Stalin to the American air force? There are two answers. First, it is a reminder that terrorism, historically, has been the tool of the strong, not the weak. Medieval armies, having taken a besieged town, would slaughter some or all of the citizens to encourage other towns to surrender faster. During India's struggle for independence, by far the worst terror was the Amritsar massacre in 1919, when British-officered troops shot up a political gathering, and carried on shooting until the bullets ran out; 379 civilians died (and it worked: the rebellious province of Punjab returned to order). In contrast, discriminate assassination was the typical weapon of the 19th-century anarchist and nihilist. By and large, true random terrorism has come in the past 30 years, as in the Bologna train bomb, the recent nerve- gassing of the Tokyo metro by a religious cult, or the Oklahoma City bomb; all three crimes were aimed at no matter whom for a purpose so vague or Utopian as to seem irrelevant, except to the deranged. Even in this period most -- not all -- IRA killing was aimed at defined targets: soldiers, policemen, individual Protestant farmers in border areas. The Basque violence of ETA has often followed this pattern. Peru's Shining Path guerrillas are truer terrorists, but even they (mostly) prefer the tactics, honed by the Vietcong, of killing officials, not just (as in some infamous massacres) everyone in sight. Algeria's and Sri Lanka's terrorists today probably have the strongest claim to be called spreaders of true random terror. The second thing one can learn from the wide definition of terrorism is that the phenomenon is neither uniquely wicked, nor -- still less -- uniquely deadly. People fight with the weapons they have: knives, Semtex, rifles, fighter-bombers. All their users are alike convinced of their own righteousness, all kill and all their victims are equally dead. What they are not is equal in number. The Munich terrorists killed 11 Israelis; Israel's retaliation against the Lebanese town of Nabatiyeh, however justified, killed about 100 Arabs. The State Department has totted up the deaths due to international terrorism from 1968 through 1995. Its total, and it defines terrorism broadly, is 8,700. Twenty-four hours of air raids killed six times as many civilians at Dresden in 1945. One is a crime, says international law, the other a legitimate act of war. The response Is all this mere word-play? It is not. It crucially affects responses to terrorism. One true difference between a terrorist group and a government is that the group is almost impossible to smash. You can destroy or seize a government's ability to make conventional war; you will never get every terrorist's last stick of dynamite or timing mechanism, and it requires wonderfully few terrorists to keep a civilised society on edge. But many other imagined differences are less great than they might appear. It is a common error to suppose that because terrorism is not war, and because its weapons are not the full panoply of war, then the psychology of terrorists must be different too. Of course, there are plenty of curious specimens among terrorism's ranks: Carlos the Jackal, now in French hands, was not just any old gunman; or consider Abimael Guzman, an academic who until his capture in 1992 led Peru's Shining Path movement. Every terrorist must have personal devotion to the cause -- he is, after all, risking his liberty, and often his life; not many reluctant army conscripts, drafted by a legitimate government, are likely feel the same way. And plainly, say those who know them, the IRA and other groups include people who enjoy violence for its own sake. But so do most armies. And most governments, once at war, can produce remarkable devotion to the national cause. In its own terms, a warring terrorist group, like a warring government, is "pursuing diplomacy by other means", even if its means of war are different. It too is subject to highs and lows, to war fatigue and collapses of morale, to premature celebration of a battle won as if it had been the war. It too can be threatened with a heavy hand; some of its members may be wooed with a lighter one. Terrorists, like governments, may be rational: they are pursuing a policy they hope will succeed. And the more it works, the more vigorously they will pursue it. It is always hard, when terrorism is just one element in a complex pattern of events, to identify its impact. But the world is manifestly a different place because of acts of terror. In 1948, the Israelis blew up the King David hotel, the administrative centre of the British rulers of Palestine. The atrocity helped persuade the British to leave. Often, terrorists help advance a general cause, but not their own particular aims. That may be the case with the IRA. Irish Republican terrorism helped dramatise the nationalist cause throughout periods of discriminatory Protestant rule. And Britain has made concessions to the nationalists. In the Anglo-Irish agreement of 1985, the British accepted the right of the Irish Republic to a say in a province of the United Kingdom; in the two governments' Downing Street declaration of 1993 Britain said it had "no selfish strategic or economic interest in Northern Ireland". It is hard to imagine any other government saying such things of its own accord. Yet whether it was the IRA that brought this about, or persistent pressure from the Irish government and peaceful nationalists in the north, is debatable. The leader of the biggest nationalist party in Northern Ireland, John Hume, argues that IRA terrorism has been the main obstacle to a peaceful settlement in Ulster. If so, the IRA may also have harmed the nationalist cause. And sometimes, terrorists can advance both a general cause and themselves. The PLO'S campaigns in the 1970s made the organisation the dominant representative of the Palestinians. They also helped solidify the Palestinians' own sense of their distinct identity, which until then had been relatively weak. Just as terrorists make a difference to the world, so changes in the world make a difference to terrorists. It was not just their own weakness that led the British to quit India, or later Cyprus (whose EOKA gunmen, though damned as terrorists, were more like guerrilla fighters), or later still Kenya (where they faced a genuinely terrorist liberation movement). Weakness played its part, but so did a world view that said colonial empires had had their day. Much the same was true in South Africa. F.W. de Klerk, probably the last white president there, may not have been a more virtuous man than the architects of apartheid who preceded him. But he was and is a realist, who lived in different days and under different pressures. In that case, a just cause plainly helped the terrorists. For Muslim countries the Palestinian cause was no less just. Western countries, guiltily aware of the horrors of Jewish history, disagreed, and it took 20 years of Israeli occupation and the intifada, the Palestinian uprising of 1987-90, to persuade them that the PLO too had a case. It is still not one that much impresses Americans; and though other westerners may have sympathy with Palestinian dreams of statehood, any movement that still seeks a quite different thing, the destruction of Israel, on top will -- very rightly -- find that its bombers face a western world united behind the Jewish state. Like the rest of us -- mostly In all this, what is different about dealing with terrorism? The answer, perhaps unsurprisingly, is not very much. Any government has its own interests, its own pressures, its concessions it can make and those it cannot. It fights its conventional wars with tanks and aircraft, its small-scale wars -- partly terrorist, mostly not -- with intelligence men and small arms. It cannot, usually, zap the terrorists' territory as it could that of a hostile state. But its psychology will be much the same in the two cases -- and so will that of its enemies. The terrorist or suicide bomber or gunman or fighter or liberation hero is not different from other men (men, sic; rarely have women played any notable part, any more than they have in old-fashioned war). With one notable exception: the nutters, whether with a cause or no evident cause at all. The American way-out redneck who thinks he has to plant a bomb, when he could vote for Pat Buchanan, is beyond any but a psychiatrist's reach. So too elitist solipsists like the Baader-Meinhof mob, convinced that murder was justified because they knew all the answers and it was society that was out of step. Among the almost causeless, Italy's far right may have sought instability, but for what? That was never clear. And no known concession could have led Japan's Aum Shinrikyo cult to put aside its chemistry set. Is it coincidence that three of these four groups seem to specialise in the true terrorism, the random murder of civilians for terror's sake? Perhaps it is not. [End] This special essay is from an issue of The Economist that also writes on "in the mind of the terrorist," "a new plan for Ulster" and "Israel, Palestine and Hamas." From jya at pipeline.com Sun Mar 10 11:36:34 1996 From: jya at pipeline.com (John Young) Date: Mon, 11 Mar 1996 03:36:34 +0800 Subject: SWI_tch Message-ID: <199603091331.IAA24276@pipe2.nyc.pipeline.com> Science, 1 March 1996: "Isotope Switch Toughens Transistors." Semiconductor researchers are reaching for superlatives to describe the discovery that a simple isotope switch deuterium for hydrogen can improve transistor lifetimes by factors of 10 to 50, according to a paper just accepted at APL. The finding "has huge implications worldwide," says Dan DiMaria of IBM. "Mixing Nanotube Structures To Make a Tiny Switch." Two research teams have developed a way to make an all-carbon nanotube that behaves like a semiconductor at one end and a metal at the other. The intersection in the middle forms a gatelike junction that controls the flow of electrons. In the macroworld, such gates, known as heterojunctions, form the basis for transistors and a host of other electronic devices. (PRL, 5 February.) SWI_tch From frogfarm at yakko.cs.wmich.edu Sun Mar 10 11:42:45 1996 From: frogfarm at yakko.cs.wmich.edu (Damaged Justice) Date: Mon, 11 Mar 1996 03:42:45 +0800 Subject: Petty Civil Disobedience Message-ID: <199603091317.IAA12223@yakko.cs.wmich.edu> Jeff Weinstein writes: > > I predict that 6 months after the first internet rating system is widely > deployed, the largest use of search engines such as altavista will be to > look for pages with the most "naughty" ratings. Perhaps such services will > allow text searches for free, but charge for searches based on the rating > tag... Not much crypto relevance, but the CDA has had much more effect than we may realize at first. I regularly read about 25 newsgroups with an extremely wide range of subject matter, and over the last few weeks I have seen literally hundreds of people with things in their .sigs like, "Please excuse this CDA- required obscenity: FUCK." Victimless crime laws (more accurately, "consensual crime laws") have this as their primary effect, I've found, especially when the "crime" in question is especially petty or harmless to others. When the public is treated like a child, it will start acting more like one. The greater the penalty for any transgressions, the more people will start transgressing. Naturally, this doesn't mean a whole hell of a lot in the big picture -- as James Donald has said, if just one out of a hundred tax serfs picked up their gun and said, "I ain't payin'," the IRS would collapse. This hasn't happened because most people aren't into civil disobedience -- or rather, NOT WHEN THEY FEEL THE RISK IS TOO GREAT. But if they perceive little or no risk, they will happily break the law regularly and openly, making no attempt to conceal their activities. Childish, because there are far more meaningful laws they could be ignoring. But the first reaction of a child when it's told it can't do something is to go out and do it. Obviously, very few people feel truly threatened by CDA penalties. -- http://yakko.cs.wmich.edu/~frogfarm ...for the best in unapproved information Tell your friends 'n neighbors you read this on the evil pornographic Internet "Where one burns books, one will also burn people eventually." -Heinrich Heine People and books aren't for burning. No more Alexandrias, Auschwitzs or Wacos. From markm at voicenet.com Sun Mar 10 11:58:25 1996 From: markm at voicenet.com (Mark M.) Date: Mon, 11 Mar 1996 03:58:25 +0800 Subject: rhetorical trickery In-Reply-To: <5s9HkD33w165w@bwalk.dm.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Fri, 8 Mar 1996, Dr. Dimitri Vulis wrote: > Lance Deitweller posting as Vladimir Z. Nuri writes: > > there is an infamous case of a child pornographer or pedophile in > > California that is sometimes cited by law enforcement representatives > > as a good example of the evils of encryption: supposedly he encrypted > > his diary and it couldn't be unlocked by them. this was mentioned in > > the article. > > Did this really happen? I've never seen any concrete references to this > incident and strongly suspect it's another urban legend. There was an article in the July 1995 issue of Technology Review by Dorothy Denning explaining the "evils of encryption" in defense of the Clipper Chip which mentions this case. I suspect that it actually happened. - --Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMUMu5LZc+sv5siulAQHvggP/VpoFFQrtcRsahfI8NFkJUwj8AcQt6L/I sJvfY+94XC2+Dlf2fzkcSFwPYyNejrNGL6veMcC0kjx5fMwZvUXlNPmSK0yf7Y05 kdIbMi7CrcoOuwwgKTPubN3RB/L+xa2AaT4UOMs29bOJ1lC6KRIwBG7kT+2dkzXq GVpz3dzysUQ= =rJcm -----END PGP SIGNATURE----- From rickt at psisa.com Sun Mar 10 12:03:06 1996 From: rickt at psisa.com (Rick Tait) Date: Mon, 11 Mar 1996 04:03:06 +0800 Subject: (Fwd) Gov't run anon servers Message-ID: <2.2.32.19960310194049.006f9ecc@psisa.com> At 11:38 AM 3/5/96 +0100, Gary Howland wrote: >The passphrase could be kept in memory and entered >every time the system is started. > >Gary Right. Couldn't you insert some kind of var into the kernel, rebuild and upon each reboot have the remailer process (which would have to be root owned) check for the value of this? I am of course assuming that the owner of the remailer has admin control over the box, which is kind of unscalable. If someone does gain entry to the machine, he'd need root to skim through the kernel memory, and since he wouldn't have access to the remailer src (you don't have it online, right?) he'd have a hard time looking for what he needed... /rickt _____________________________________________________________________ Rick Tait rickt at psa.pencom.com Unix cowboy, Technofuturist, Extropian, Crypto-anarchist, Brit Hacker From jimbell at pacifier.com Sun Mar 10 12:11:28 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 11 Mar 1996 04:11:28 +0800 Subject: Explosives, Criminality, and Preemptive Action Message-ID: At 03:03 AM 3/10/96 -0800, Timothy C. May wrote: >My personal belief, from the news reports I've read (which may be >incorrect, of course), is that the ingredients were for use in a bomb, >whether or not they'd ever have gone through with it or not. The ancillary >items found (dozens of assault rifles, weapons manuals, patriot literature, >crank, meth, etc.), and the stockpiling of ANFO precursors, suggests an >Oklahoma City-type scenario. Justa sec, Tim, the second amendment says, "keep and bear _arms_", not merely "guns." My dictionary defines arms as "objects used as weapons." Explosives can be used as weapons, both offensively and defensively. Are you assuming that the possession of ANFO must be offensive? >This is what I think was objective reality. >Now, before certain readers go ballistic, start foaming about how TCMay and >his Tentacles of Medusa are pawns of Bill and Hillary, not to mention spawn >of Satan, etc., I'm not saying that what they did is criminal. Having the >potential to build a bomb or other deadly gadget is not the same as >actually building and using one. But again, it appears that you are assuming that "building a bomb" is not covered in the 2nd amendment. I believe, to the contrary, that it very much is covered, even if this interpretation isn't very much respected. >But should law enforcement have waited until the bomb "the bomb"? Again, you're assuming a lot... What would you say to a person who buys 1000 pounds of AN, who claims to do it because he believes that some day, it might be outlawed or restricted severely by an even-more oppressive government? Is there anything illegitimate in anticipating and preparing for the advent of tyranny? >The argument that because farmers can use these products that the use must >have been an innocent use is a weak one. Anyone with any common sense can >see what they were up to. Who's kidding whom? Again, I disagree. I broadly interpret the 2nd amendment to mean that I should be entitled to possess ANY "objects used as weapons," including chemical (both explosives and poisons), biological, and yes, nuclear. Thus, the possession of bomb-making materials cannot be interpreted as a by-definition-offensive position, and it isn't even clear to be that the 2nd amendment isn't supposed to cover weapons whose "only" use is offensive. Remember, the people who wrote the 2nd had just fought and won a revolution, and they were well aware that people needed the tools to do this if they were to stay free. >Certainly the folks in Oregon will not face much prosecution, as near as I >can figure. The weapons charges may affect their parole (some of them are >ex-cons). The drug amounts are small. And the ANFO precursors....not clear >to me at all that having these is a violation of the laws about explosives, >but maybe it is. Not in Oregon! AN can be bought, without ID, in most places that stock fertilizer. >>This whole situation is nothing more than jackbooted thugs getting a rush by >>stomping on people. FTJBT > >Overly simplistic. Don't misunderstand me: I share your anger at Waco, Ruby >Ridge, gun confiscation, tens of thousands of laws, high taxes, etc. But I >doubt the Oregon bust was a bunch of Waco Warriors assaulting the compound >with tanks and helicopters. True, it wasn't, but that was simply because those people in Oregon didn't choose to defend themselves. Tiny amounts of drugs were found, all of which could have been planted by the cops to justify post-facto the raid. (I'm not saying they WERE planted, merely that police are usually fully prepared for such eventualities. Drugs are usually chosen because they are illegal per-se, and it's easier to sneak in an ounce of pot than 200 pounds of AN. If they don't find anything suspicious, they usually come prepared to make their own evidence. I know, because one of my best friends is an ex-cop who tells me all about this kind of stuff.) Jim Bell jimbell at pacifier.com From jimbell at pacifier.com Sun Mar 10 12:18:11 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 11 Mar 1996 04:18:11 +0800 Subject: Lawz to be. Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 09:55 PM 3/6/96 -0500, Matt Blaze wrote: >> No, what the wording seems to outlaw was the use of encryption to obstruct >> the commission of the crime, not the investigation. Read it again please. >I suppose you could parse it that way if you really wanted to, If you acknowledge that, you are agreeing that a prosecutor could take that position to court, and until the Supreme Court decides he's wrong, he gets to harass citizens. > but it seems to me that the obvious meaning of this rather tortured language: > "Whoever willfully endeavors by means of encryption to obstruct, impede, or > prevent the communication of information in furtherance to a felony which > may be prosecuted in a court of the United States, to an investigative or > law enforcement officer shall..." >is "...willfully endeavoring to obstruct by means of encryption the >communication to an investigative or law enforcement officer information that >is in furtherance of a felony..." But what, exactly, is included in that latter meaning? Does a person who runs an anonymous encrypted remailer, who is fully aware that somebody could be using his system at any moment to break a law, classify as in violation? That's the problem, I think: The government wants to shut down the USE of encryption among those it decides to target, while ostensibly keeping encryption legal. >I think no reasonable person (judge, jury or prosecutor) would interpret >it any other way. You're just as optimistic as Weinstein. I'm not. > Fortunately, the law is not a program that gets run on a >computer. People have to interpret it. That's a mixed blessing. Are you aware of the fact that in the 1930's, the Supreme Court ruled that a farmer growing corn and feeding it to his pigs was engaging in "interstate commerce" because (the court "reasoned") if he didn't grow the corn it would have to be brought in to the state from another state (or displace other usages which would, themselves, have to need a similar import) so he was doing "interstate commerce." (and just a few years later, in three separate cases, they upheld the internment of Japanese-Americans on the west coast as a preventative measure...) Ignore this all you want, but the fact is that judges are sleazy people who will do exactly what they want to do regardless of how wrong it is. > In the case of this section, the >awkward wording is an artificat of several iterations of narrowing it from >what was originally a rather broad crime (as it still is in the House bill). Whose fingerprints are on this portion of the bill? >I would rather have the awkward (but still clear) wording than a broader crime. I don't want any "new crimes," except possibly those that punish acts by government employees and officeholders. >As it stands, several lawyers whose judgement I trust have told me that this >provision is worded narrowly enough to apply only to people who can already >be conviceted of the underlying crime and who can be proven to have used >encryption for the SOLE purpose of thwarting law enforcement. That's not how the proposed law reads. I realize that what you were given may be the "Walt Disney" version of the law, but reality will be dramatically different, I can assure you. Maybe you ought to ask one of these lawyers if he is willing to write a legal brief describing the "worst-case scenario": What a malicious prosecutor COULD do with this law if he so chose. And remind him that the operators of encrypted remailers don't have the funds to take any appeals to the Supreme Court: Lawyers are usually trained to knee-jerk assume that they can eventually get the "right" decision from the SC, which assumes _they_are_hired_ by a defendant who can afford this route. > I don't like >this new crime (since it still stigmatizes encryption as being something >criminals use), but I can probably live with it. I cannot. I _will_not_. >Personally, on balance, I think the bill, as written, is a big >enough step forward to be worth supporting. >-matt It sounds like you're assuming that this bill is a "take it or leave it" type of proposition. I'm not. I see no reason to come to some sort of a "Siskel and Ebert"-type of thumbs-up/thumbs-down decision on the whole thing. I'll say it again: If the only way this bill can be passed is the inclusion of this particular section, then that must mean that somebody "out there" must want that part REALLY badly. And if they want it that badly, I want it gone even more! Jim Bell jimbell at pacifier.com -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUMjBvqHVDBboB2dAQGAlgP+IbkQsBm3FPKQNGQe/RvYAYHaoPvWVeZd 86AFx8hqi60nWvWUsAnZ0qGofjaMf1xNW49XKPOhY1lM3uJmeOnp4Wai0UOcwzSM qvUufKkgyeEjC0RJgWqGWg1lKVmHKp4O3mava8jjYv8xQ4yYHP+yvHkAtGN9iLZr 3hjxMBp5S+8= =2Ym6 -----END PGP SIGNATURE----- From jimbell at pacifier.com Sun Mar 10 12:18:25 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 11 Mar 1996 04:18:25 +0800 Subject: Leahy's guillotine. Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 01:11 AM 3/10/96 -0800, Bill Stewart wrote: >Leahy et al.: >> Whoever willfully endeavors by means of encryption to obstruct, >> impede, or prevent the communication of information in furtherance >> to a felony which may be prosecuted in a court of the United States, >> to an investigative or law enforcement officer shall... > >! > >Let's look at the word "willfully". Among other things, it implies >knowledge; under US law, to be guilty you have to know you did something >that you at least reasonably believe is an activity that you're not supposed >to do. And if the government should take the position that the mere existence of an anonymous encrypted remail allows for illegal use, without detection by the operator, then a person could easily argue that the mere willful OPERATION of that remailer violates the section. >Yes, cops can send you email threatening to use your remailer for >felonious purposes, but if you don't know they've actually done it, >and you haven't agreed with them to provide your encryption services >in support of their felonious action, you're not a willing participant. I disagree. At least, I disagree that this interpretation will be automatically adopted by the government thugs. >Especially if you've got the welcome banner on your remailer page >saying "You may not use this email encryption service for thoughtcrime, >violations of the verbal morality act, idea laundering, anti-abortion activism, >or other felonious or Un-American activities." You're no more a willful >participant than the guy who receives an unordered package of child pornography >mailed by a postal inspector. Which brings up a case from the midwest which (fortunately) was overturned by the SC a few years ago. Seems a person was repeatedly sent ads (in reality, the ads came from the government!) offering some kind of pornographic material. A "long time" later, he eventually "bit" and ordered something. Needless to say, this was enough to get a search warrant, and a prosecution. Question: Despite the fact that this conviction was eventually overturned, don't you think the prospect of a multi-year all-out battle with the prosecutors would be enough to deter people from doing things that they believed might really be legal, but would be looked on with disfavor by equally-sleazy prosecutors? Why is it that I get the impression that the people who don't see this provision as being so bad have no sense of reality? Are they not aware of the various ways prosecutors abuse their positions? >Now, if they make this a felony, surely conspiracy to participate in >such activities could eventually be made illegal, and if the DemoPublicrats >get re-elected, it probably will be some day. But this law doesn't do that yet. In other words, they're aiming the gun at you, but they don't quite yet have their finger on the trigger. When, exactly, do you start worrying? Jim Bell jimbell at pacifier.com Klaatu Burada Nikto -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUMma/qHVDBboB2dAQGcTQP9E18kw/tyelFbXNRqqEsjwvK9gsig6npR c+aC/B15zgDShJlcPEZXqJboAtE5w0osoEm8wC3uPVhQZNTam1lk0pgQCzCCTjVs KMBDLOBTtzRovxNnq/YmTf01cCLGfFVSFXWa3MNUf0uJtRxgIiN3T7f5NjjlzCLW 4vWenZVpzi8= =530O -----END PGP SIGNATURE----- From frantz at netcom.com Sun Mar 10 12:36:24 1996 From: frantz at netcom.com (Bill Frantz) Date: Mon, 11 Mar 1996 04:36:24 +0800 Subject: Bell, Detweiler, Ravings, and Whatnot Message-ID: <199603102019.MAA04277@netcom7.netcom.com> I appologize for being trolled into more Assassination Politics discussion. I'll try to sit down, and be quiet and good. Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From frantz at netcom.com Sun Mar 10 12:36:25 1996 From: frantz at netcom.com (Bill Frantz) Date: Mon, 11 Mar 1996 04:36:25 +0800 Subject: Leahy's guillotine. Message-ID: <199603102019.MAA04267@netcom7.netcom.com> At 1:11 AM 3/10/96 -0800, Bill Stewart wrote: >Now, if they make this a felony, surely conspiracy to participate in >such activities could eventually be made illegal, and if the DemoPublicrats >get re-elected, it probably will be some day. But this law doesn't do that >yet. As far as I can tell, whether a pol is Republican or Democrat tells us nothing about how s/he stands on issues such as free speech and free crypto. I am feeling friendly toward Lehey and Weld these days and hostile toward Feinstein and Buchannan. We need to treat them as individuals. We need to learn and publicize their positions on the issues that interest us. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From Piete.Brooks at cl.cam.ac.uk Sun Mar 10 13:03:55 1996 From: Piete.Brooks at cl.cam.ac.uk (Piete Brooks) Date: Mon, 11 Mar 1996 05:03:55 +0800 Subject: PGP 3.0/4.0 In-Reply-To: <199603061501.KAA16783@homeport.org> Message-ID: >| How about code that goes out & fetches keys upon demand, al-la DNS? That's what the next generation of Distributed Key Server stuff will do. > This works with procmail to get keys for all mail I receive. As you say, fetching keys for all keys you ever receive will cause your keyring to become excessive ... I prefer to be able to fetch a key in real time when I want to send to it. As such, I wrote a reasonably defined command such that "if the exit code is 0, then stdout is the armoured key for the KeyID or UserID specified on the command line". In future, it'll use the new Distributed Key Server, but until then, it uses a "fast" server (a perl daemon which loads the whole keyring into a DBM backed ASSOC array) or WWW servers. [ Former takes about 500mS locally, but as Sprint appear only to have been making one attempt per week to get the greatly overdue Fat Pipe upgrade going it'll be somewhat more for anyone outside the UK :-(( ] See http://www.pgp.net/pgpnet/#krem if you're interested ... [ Any offers to provide pgp.net services are likley to be greatfully accepted ] From die at pig.die.com Sun Mar 10 13:21:21 1996 From: die at pig.die.com (Dave Emery) Date: Mon, 11 Mar 1996 05:21:21 +0800 Subject: Another Motivation for the CDA (Federal Sentencing Guid In-Reply-To: <199603090558.VAA18420@ix7.ix.netcom.com> Message-ID: <9603090715.AA16941@pig.die.com> Bill Stewart wrote: > > Not much - Government Radio said tonight that they're not allowed to > plea-bargain third strike felonies down to misdemeanors. The LA public > defender's office is absolutely swamped, partly because third-strike > cases are supposed to get diligent support, and partly because they > have to go to trial rather than plea-bargaining a guilty, which is less work. > The county jails are also having serious crowding problems, because > prospective third-strikers are being kept in them pending trial > to avoid risk of flight, so non-third-strike jailees are getting out > early (especially drug violators.) > The Friday (3/8/95) NYT has an article by Fox Butterfield on this which points out that CA is unique in having a three strikes law that does not require three violent felonies. Apparently most other states do require three serious violent felonies. Wilson (the CA governer and would be presidential candidate) is claiming that the extremely harsh CA law is reducing crime rates for two straight years for the first time - but others point out that they have been falling nationally, including in states without three strike laws. The article also points out that in a state with a 7% black population 43% of the three time losers are black. The article mentions that 192 people were sentenced under the law for marijuana possesion compared to 40 murderers, 25 rapists and 24 kidnappers. Sorry for the digression from crypto ... Dave Emery die at die.com From frantz at netcom.com Sun Mar 10 13:21:23 1996 From: frantz at netcom.com (Bill Frantz) Date: Mon, 11 Mar 1996 05:21:23 +0800 Subject: Assassination Politics(tm) was V-chips, CC, and Motorcycle Helmets Message-ID: <199603090640.WAA20310@netcom7.netcom.com> At 5:26 PM 3/8/96 -0400, E. ALLEN SMITH wrote: >From: IN%"jimbell at pacifier.com" "jim bell" 16-FEB-1996 03:25:12.58 >>At 02:18 PM 2/15/96 -0800, Bill Frantz wrote: Since my name keeps getting dragged into this discussion, I will share with youall the conclusions I reached after my last set of exchanges with Jim Bell. (1) Assassination Politics (AP) will be most useful to a fired-up group of people who want to silence a single person. Madeline Murray O'Hare comes to mind. (She was a Texas atheist who challenged school prayer and won.) (2) Jim Bell and I disagree strongly on the market price for assassinations. (3) Jim Bell and I disagree on the number of deaths needed to deter someone who believes in what they do. In our discussion, this question comes down to: are IRS employees more like corporate consultants or like soldiers. (4) I think that if someone can be traced as profiting from a AP death, e.g. through winning a gamble on the date/time of death, that person's whereabouts at the time of death will be carefully investigated. (5) While killing someone whose name and residence are known is easy, and the killer is likely to get away with it, does that mean that killing someone who has been marked as having a price on her head is as easy? I assume her friends and neighbors will protect her. The TV cameras will be running 24 hours a day. This will, at a minimum raise the price of assassinations. Regards (that means you too, Jim Bell) - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From ncognito at gate.net Sun Mar 10 13:22:51 1996 From: ncognito at gate.net (Ben Holiday) Date: Mon, 11 Mar 1996 05:22:51 +0800 Subject: TCP/IP Stego (was CU-SeeMe) In-Reply-To: <199603082056.MAA20781@netcom7.netcom.com> Message-ID: Okay, i'm going to try to address things systematically, here goes.. (excuse non standard quoteing) _______________________ >From savron at world-net.sct.frSat Mar 9 00:54:38 1996 >Fine idea to create a subliminal channel using packet parity on an >ftp connection but this is not a peer connection , so can't be used >to do subliminal chat (for example) but could be used to do >subliminal mail delivery . ------------------------ Since the data is steg'd into the tcp header and not the data you are sending (openly) it doesnt make much difference what client is generating the packets. Could be a web server. Could be a Y/Ntalk client, a sendmail daemon, or a telnet. The greatest restriction being that you only get about 1k per 500k .. which is a bit cumbersome in most cases. More on that later. ------------------------ >From JonWienke at aol.comSat Mar 9 00:54:43 1996 Subject: Re: TCP/IP Stego (was CU-SeeMe) >This is a bad idea, because in addition to the extra processor overhead, it >is an incredible waste of bandwidth. For a 512 byte packet, you are only >getting .02% efficiency, because you wouldn't be able to use the actual data >in the packet; otherwise someone would probably notice the increased error >rate if you dink around with the checksum. No need to do anything strange to the checksum. In the normal process of framing packets data is buffered, and packets are 'padded' to make a full packet. The hacked tcp protocol would simply be a bit more selective about where and when padding was added. The checksum would still be a valid checksum for that packet - we would simply select a packet that gave a correct checksum value. The overhead for this is more than with standard tcp but could hardly be considered a serious drain of cpu cycles. As for wasted bandwidth: That could be seen as a problem, but there are a few things to offset the overhead, the big one being that it doesnt make any difference what form the carrier data takes.. if you can generate half a meg of ANYTHING that can be plausibly sent to another machine, then you can send your 1k of data. If implemented properly the carrier data wouldnt even need to all come in through the same route. This scenario leaves any one who may be watching with quite a haystack, and a very small needle to find. >This does not provide adequate plausible deniability. Stegoing a 16 bit I disagree. Consider: the packet, taken bit by bit, or as a whole, would be completely valid - with nothing added, or taken away except perhaps the few octets that would need to be dropped to acheive the right parity. This would actually be very few, since you have a 50% chance that the parity will be correct to begin with. --------------------- From: Jim McCoy Subject: Re: TCP/IP Stego (was CU-SeeMe) >I think that the original poster meant twiddling some of the (relatively) >unused fields of the header which most routers and applications do not >care about, the type-of-service field or priority would good place to >start. I'm pretty certain that altering TOS would pretty well scrap the packet, but im not positive. . Sequence numbers are definitly out. However i think that playing with the priority flag could definitly work. Also a parity check of the 'window' field could be done quite easily. Only problem i see is that 'priority' packets basically are only used for special characters and the like, for example to send 'ctrl-c' to a abort a running ftp. Having a large number of priority packets would be reletivly noticable. The window field is a bit more promising - you'd need to prove the arrival sequence and timing of each packet and ack in the stream to prove that it had been tweaked. >This would have no effect on the data in the packet, particularly >if you fiddle at the IP level instead of TCP. [tons of good things I hadnt even thought of snipped] -------------------- From: Bill Frantz Subject: Re: TCP/IP Stego (was CU-SeeMe) >If you can hack your TCP implementation, you should be able (with a high >probability) stego information in a few bits of the TCP checksum by >adjusting the packet boundries of the TCP stream. An error correcting code >protocol would cover the cases where you couldn't get that *%$# bit set >correctly. Please note that this technique would not result in TCP >checksum errors. Thank you! This is what I was attempting (apparantly quite poorly) to say in the original post. :) Benji From PADGETT at hobbes.orl.mmc.com Sun Mar 10 13:26:26 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Mon, 11 Mar 1996 05:26:26 +0800 Subject: Bootable disks Message-ID: <960310161546.2020ae8b@hobbes.orl.mmc.com> >In Mar. 5 (?) Edupage, there's a blurb about a floppy drive that is >compat with 1.44M disks but can also handle special 80M disks, allegedly >available in April. Several years ago Insite had a "floptical" drive that could handle both regular 3 1/2" and special 20Mb flopical drives. Iomega followed suit and there was an industry spec. Compression would yeid 40 Mb capacity to a marketeer. (Can tell a floptical disk easily - the write protect slide is on the other side). Was a great idea then that was marred by U$500 for the drive and U$20 for the cartriges. Never flew. Three years development would give 80 Mb easily (100 Mb Iomega "ZIP" disks could have been put in a normal 3 1/2 case - is a lot of waste space on either side. Think it was kind of dumb that they didn't but suppose there is a marketing reason - probably the same marketeers that insisted that each new Bernoulli be incompatable with earlier ones.) Major difference is that the floptical could be made bootable but then it had a special SCSI card, did not plug into the normal floppy controller & have to tell the BIOS that drive B was not there. The card then added a BIOS extension similar to what I mentioned in an earlier post to access the disk. For that matter, any drive that has a controller on the bus *could* be made bootable with a PROM. It is only those that plug into the parallel port - all of which require special drivers - that would need "help". Warmly, Padgett From wlkngowl at unix.asb.com Sun Mar 10 13:34:17 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Mon, 11 Mar 1996 05:34:17 +0800 Subject: Another Motivation for the CDA Message-ID: <199603061345.IAA12345@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Timothy C. May wrote: > > Given that Sen. Fineswine is one of the strongest supporters of gun > confiscation, and that she had this to say about the Telecom Bill:[..] Felons may not own a gun unless granted a waiver by certain judges. They also lose the right to vote, BTW. I think you're reading too much into motives, Tim. I don't think that most in congress are capable of thinking that elaborately, and besides, if someone is convicted of violating the CDA for saying "fuck" online, that is the type of felony that one can get a judge's waiver for... - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMT2XCCoZzwIn1bdtAQFkNQF9E31snnxksyX8FREMyloHZg1YnSzAqDDb 30qKVbtDhUN2dLd8ic6afX7MsnKkJWEZ =weLu -----END PGP SIGNATURE----- From vznuri at netcom.com Sun Mar 10 13:35:48 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Mon, 11 Mar 1996 05:35:48 +0800 Subject: rhetorical trickery In-Reply-To: <199603100221.VAA13733@UNiX.asb.com> Message-ID: <199603102119.NAA27691@netcom21.netcom.com> >> >> but I have a question: how did they know it was his diary? >> > >> >If I remember some earlier discussion about that case from a few years >> >ago, the file was called "diary.pgp". >> >> how did they know it was *his* diary? > >Well, nobody *knows*. But if you've got a file called diary.pgp on >your hard drive, chances are it's a diary of some sort. It's a >reasonable guess. > >Whether there's anything incriminating in it for him or anyone else >is another matter, of course. all my respondents seem to be missing some basic points I have been trying to make about law enforcement in the US. the law runs on proof, and evidence. a file with the name "diary.pgp" is not incriminating. it is not evidence. no one could be prosecuted as a criminal for having a diary. there is the presumption of innocence unless there is evidence and proof to the contrary. furthermore, suppose the "pedophile" is actually prosecuted successfully. does that mean the diary was incriminating? no, it does not. in the CA case it happened that the pedophile was prosecuted without decrypting the diary. which in fact argues in favor of the side that says, "cryptography is not the end of law enforcement, and this case proves it." as packwood demonstrates, it is easy to have a diary that one would want to encode to hide embarrassing information that is not necessarily incriminating. now, a person might be successfully prosecuted for obstruction of justice, or contempt of court, in refusing to hand over the decrypted diary (but the other post I made about giving the federal agents a key that decrypts the file to a cookie recipe handles this quite nicely). somebody-or-other objected that the police are not likely to "buy it" if such a situation occurs. well, excuse me, but WHAT IS YOUR POINT? are you suggesting that they are now going to have to resort to torture or something to elicit the real key? last I checked, torture was illegal in our country... please, will people stop sending me responses like the above? do you understand how the American legal system works? a person cannot be prosecuted without evidence. evidence cannot be illegally obtained. a person is not required to testify against oneself. these are all basic long-established cornerstones of our legal system. look, if someone WANTS to be put in jail for having encrypted files, I'm sure you can probably figure out some way to pull it off. but if you don't act like an idiot, such a thing is highly unlikely. it clearly has not happened to date. I am really amazed at all the times when I point out basic limitations on e.g. the NSA or the law enforcement agencies, and somebody says, well yes BUT so-and-so hypothetical situation might arise. it is almost as if some people here have a secret "prosecute me" wish. why is there such deep fear around here about life in the US today? I'd say that people here are high up on the list of creating the paranoia. be careful what you fear, you might get it. From erc at dal1820.computek.net Sun Mar 10 13:41:26 1996 From: erc at dal1820.computek.net (Ed Carp) Date: Mon, 11 Mar 1996 05:41:26 +0800 Subject: MS Access encryption? Message-ID: Anyone know how secure the encryption is that Microsoft uses in its Access database product? I was asked that by a client, but didn't know the answer....thanks in advance. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes The mark of a good conspiracy theory is its untestability. -- Andrew Spring From PADGETT at hobbes.orl.mmc.com Sun Mar 10 13:56:34 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Mon, 11 Mar 1996 05:56:34 +0800 Subject: FCC & Internet phones Message-ID: <960310164021.2020ae8b@hobbes.orl.mmc.com> I rote: > You seem to forget that the Internet is just about the *only* electronic > communications media not controlled/licensed by the FCC in the US. The > FCC also prohibits use of cryptography by those with amateur licenses. Bill wresponded: >Oh, we remember it :-). But actually, large chunks of the Internet's >facilities _are_ on controlled or semi-controlled media, such as >frame relay (which the Feds just insisted had to be tariffed) or >local private-line (which is often regulated by state PUCs.) Do not disagree, just is not regulated by the FCC the same way radio stations are. Today we think (if you do) of Zenith as manufacturer of computers (owned by Thompson), cable TV decoders, and televisions (Samsung ?). However seventy years ago, Commander MacDonald "willfully" (having notified Herbert Hoover) started broadcasting station WJAZ in Chicago on a frequency reserved for Canadian stations (have a copy of a photograph *somewhere* showing the 1925 station crew in Pirate costumes) in direct violation of a Department of Commerce order. Shortly thereafter Congress passed a law creating the FCC. History tends to repeat itself. Warmly, Padgett From frantz at netcom.com Sun Mar 10 14:09:43 1996 From: frantz at netcom.com (Bill Frantz) Date: Mon, 11 Mar 1996 06:09:43 +0800 Subject: rhetorical trickery Message-ID: <199603102145.NAA10827@netcom7.netcom.com> At 1:19 PM 3/10/96 -0800, Vladimir Z. Nuri wrote: >please, will people stop sending me responses like the above? do you >understand how the American legal system works? a person cannot >be prosecuted without evidence. evidence cannot be illegally obtained. >a person is not required to testify against oneself. these are all >basic long-established cornerstones of our legal system. I'm sure that my friend who tried to argue about a speeding ticket in New Jersey, had the bones around his eye socket broken and then was arrested for "Resisting Arrest" will be comforted to hear this. (BTW, a mutual friend was a witness and confirmed the story. I can't think of any reason they would have to lie to me about the facts.) Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From frantz at netcom.com Sun Mar 10 14:09:46 1996 From: frantz at netcom.com (Bill Frantz) Date: Mon, 11 Mar 1996 06:09:46 +0800 Subject: Another Motivation for the CDA (Federal Sentencing Guid Message-ID: <199603102145.NAA10842@netcom7.netcom.com> At 2:08 AM 3/10/96 -0500, JonWienke at aol.com wrote: >In a message dated 96-03-09 04:05:26 EST, you write: > >>At 9:59 PM 3/8/96 -0800, Bill Stewart wrote: >>>The pizza guy was a thug, but twice as many third-strikers got >>>their third strike for marijuana as for all violent crimes combined. >>>I assume most of these had large quantities, possibly intended for sale, >>>and a number of them had real crimes as their previous felonies >>>rather than Prohibition-related offenses. But you can get legally >>>serious quantities of marijuana by just growing a couple of plants. >> >>I wonder how many of these drug dealers previous "real crimes" were related >>to using violence to protect their drug business, defense which would have >>used the courts and police had drug dealing been legal. > >What difference does that make? If you are deranged enough to murder someone >because they are selling crack in your territory, you are deranged enough to >shoot your manager after getting fired from McDonalds, or to do any number of >heinous things that ahve nothing to do with drug laws. Sick people will >still do sick things, even if some of them are legalized. Back over 20 years ago, some acquaintances at the time stopped working in the drug trade because it became necessary to carry fire arms to protect against having your drugs or money stolen. Other people of course carried the guns, and I assume used them at times. This violence would not have occurred had the drug trade been legal. Remember that here in California, about 70% of the people think killing someone is a suitable punishment for certain crimes. Many people also think that violence in defense of life or property is a reasonable act. Are all these people "deranged"? Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From uunet!in2.uu.net!news.ios.com!news2.ios.com!usenet at warwick.com Sun Mar 10 14:21:01 1996 From: uunet!in2.uu.net!news.ios.com!news2.ios.com!usenet at warwick.com (Mr. Sam) Date: Mon, 11 Mar 1996 06:21:01 +0800 Subject: Pat Buchanan, anti-semite and ... the next Crossfire host! In-Reply-To: Message-ID: <4hl8g0$mnv@news2.ios.com> In <313cf45d.11750162 at 198.4.75.50>, voltai29 at chelsea.ios.com (Volty) wrote: >That's not what the election results for the Republican primaries and >caucuses tonight (Tuesday, March 5, 1996) are saying. It appears that >the hand picked GOP geezer and sacrificial lamb to Bill Clinton in Dolty is very predictable. While it looked like Mr. Pat was going to pull ahead, his spew was directed at him. Now, that Mr. Bob is forging ahead, expect Dolty to start ranting against Mr. Bob. You wait, in a few months he'll be saying nice things about Mr. Pat. Mark my words. This loser is not really interested in anything factual to discuss. He is so deathly afraid of Mr. Bill being sent back to Arkansas, that he would blaspheme even against God himself, if he was running on the Republican ticket. >November is running away with the Republican nomination. Pat will just >have to goose step back to Crossfire after he finished splitting the >party right down the middle (right?). Wrong. You are rarely right on anything. -- Mr. Sam: member, talk.politics.misc troll patrol channel operator, #Sci-Fi - Undernet IRC sci-fi/fantasy channel http://www.cyberstorm.com/~rockd/sci-fi.html _____________________________________________________________________________ "Government is not a solution to our | "First of all, keep in mind that most problem, government IS the problem." | of our problem is with working -- R. Reagan. | Americans." -- B. Clinton. _____________________________________|_______________________________________ From alano at teleport.com Sun Mar 10 14:21:17 1996 From: alano at teleport.com (Alan Olsen) Date: Mon, 11 Mar 1996 06:21:17 +0800 Subject: Boycott "Applied Cryptography" and AT&T and RSA Message-ID: <2.2.32.19960307022620.008f307c@mail.teleport.com> At 01:40 PM 3/6/96 -0800, anonymous-remailer at shell.portal.com wrote: >Bruce Schnier (Author of applied cryptography) and Matt Blaze (Who >is a crypto bigwig at at&t) have made it clear that they support >key escrow. Both have written letters in favor of the new crypto >law, it creates a key escrow system and also other restricts on >crypto. The letters are on the CDT homepage and i think were >posted here. They support a bill which is aimed at easing the restrictions for the uses of cryptography. Judging from what I have read from their positions, they view the bills as having more positive effects than negative effects. (Which may or may not be true...) >WHAT THE FUCK?????????????????????????????????????????? Sudden capslock stickage? >EFF, EPIC, VTW and almost everyone else (except for Bizdos at RSA, hmmmm) >have all come out against this piece of shit. But with these so called >experts baking it it could pass anyway. I think that you are infering evil intent where there is no evidence of same. The bill does have some major flaws, but it also has some major advantages. Being the cynic that I am, I think that the "use of crypto in a crime" provisions are a big negative. Others are not nearly as cynical however. >Maybe the ltrs are a forgery? We should ask them, and if this is true, LETS >SEND THEM A MESSAGE!!!!!!!! SWITCH YOUR PHONE SERVICE AND TELL AT&T WHY!!! >STOP RECOMMENDING APPLIED CRYPTO (THERE ARE EASIER BOOKS ANYWAY). DEMAND >THAT THESE PEOPLE STOP GIVING AWAY YOUR RIGHTS!!!!!!!!!!!!!!!!!!!!!!!!!!! Posting in all caps will not help you convince people of the correctness of your position. Claiming conspiracys involving people who have better reputations for supporting crypto than yourself will not help either. If I were to charge people with complicity in conspiracy, yours would be one of the first in line. (Though a pretty lame one at that... Trying to smear people who have actual reputations with juvinile assertions and b1ff style postings is not the way to win the hearts and minds of the Cypherpunks(tm).) BTW, good luck in trying to boycott AT&T. They own alot more than you can imagine. "You Will! And the people to make you do it -- AT&T!" | Remember: Life is not always champagne. Sometimes it is REAL pain. | |"The moral PGP Diffie taught Zimmermann unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From mab at crypto.com Sun Mar 10 14:21:29 1996 From: mab at crypto.com (Matt Blaze) Date: Mon, 11 Mar 1996 06:21:29 +0800 Subject: Lawz to be. In-Reply-To: <960306193119.20205a93@hobbes.orl.mmc.com> Message-ID: <199603070255.VAA11866@crypto.com> > No, what the wording seems to outlaw was the use of encryption to obstruct > the commission of the crime, not the investigation. Read it again please. > I suppose you could parse it that way if you really wanted to, but it seems to me that the obvious meaning of this rather tortured language: "Whoever willfully endeavors by means of encryption to obstruct, impede, or prevent the communication of information in furtherance to a felony which may be prosecuted in a court of the United States, to an investigative or law enforcement officer shall..." is "...willfully endeavoring to obstruct by means of encryption the communication to an investigative or law enforcement officer information that is in furtherance of a felony..." I think no reasonable person (judge, jury or prosecutor) would interpret it any other way. Fortunately, the law is not a program that gets run on a computer. People have to interpret it. In the case of this section, the awkward wording is an artificat of several iterations of narrowing it from what was originally a rather broad crime (as it still is in the House bill). I would rather have the awkward (but still clear) wording than a broader crime. As it stands, several lawyers whose judgement I trust have told me that this provision is worded narrowly enough to apply only to people who can already be conviceted of the underlying crime and who can be proven to have used encryption for the SOLE purpose of thwarting law enforcement. I don't like this new crime (since it still stigmatizes encryption as being something criminals use), but I can probably live with it. > Thought the gotcha was down in the part about the Secretary of Commerce. > My reading is that the secretary will still be required to grant > approval for commercial export. Is past the part about no regulation > inside the US (which is true now - still would be nice to see a "Congress > shall make no law..."). The puzzler is the requirement that a comperable > foreign product must exist before permission to export will be granted. > > Will this be like "comparable product" price matching in discount houses ? > Somehow there never is one... No. Right now crypto exports fall under the State Department (which is in the business of saying "no") unless they decide otherwise, in which case it goes to the Commerce department (which is in the business of saying "yes"). Under the bill, for non-mass-market software and hardware, the Commerce department must issue a license if equal strength crypto is already available outside the country. But the biggest win is that, under the bill, you don't need a license from anyone in the case of mass-market (or public domain) software (or hardware bundled with mass-market crypto software). You can just export it. See the analysis of the bill in http://www.vtw.org. Personally, on balance, I think the bill, as written, is a big enough step forward to be worth supporting. -matt From droelke at rdxsunhost.aud.alcatel.com Sun Mar 10 14:22:40 1996 From: droelke at rdxsunhost.aud.alcatel.com (Daniel R. Oelke) Date: Mon, 11 Mar 1996 06:22:40 +0800 Subject: Boycott "Applied Cryptography" and AT&T and RSA Message-ID: <9603062351.AA12913@spirit.aud.alcatel.com> > > Bruce Schnier (Author of applied cryptography) and Matt Blaze (Who > is a crypto bigwig at at&t) have made it clear that they support > key escrow. Both have written letters in favor of the new crypto > law, it creates a key escrow system and also other restricts on > crypto. The letters are on the CDT homepage and i think were > posted here. > > WHAT THE FUCK?????????????????????????????????????????? > > EFF, EPIC, VTW and almost everyone else (except for Bizdos at RSA, hmmmm) > have all come out against this piece of shit. But with these so called > experts baking it it could pass anyway. > Put your 2 brain cells together and think for a minute. If you read the stuff - you can see that the bill talks about key-escrow, BUT you can escrow the key with yourself if you so desire. It also does not put up any mandates for key-escrow requirements in encryption systems. The bill also will force relaxation of the export restrictions. I hope - you could read and understand that 5 line "executive" summary. Dan ------------------------------------------------------------------ Dan Oelke Alcatel Network Systems droelke at aud.alcatel.com Richardson, TX From rich at c2.org Sun Mar 10 14:26:04 1996 From: rich at c2.org (Just Rich) Date: Mon, 11 Mar 1996 06:26:04 +0800 Subject: MS Access encryption? In-Reply-To: Message-ID: On Sun, 10 Mar 1996, Ed Carp wrote: > Anyone know how secure the encryption is that Microsoft uses in its > Access database product? I was asked that by a client, but didn't know > the answer....thanks in advance. Not. A file called "msdunce" was posted to comp.databases.ms-access a few months ago. Look for it on DejaNews or whatever. -rich From stewarts at ix.netcom.com Sun Mar 10 14:34:18 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 11 Mar 1996 06:34:18 +0800 Subject: FCC & Internet phones Message-ID: <199603102200.OAA29839@ix16.ix.netcom.com> At 09:56 AM 3/10/96 -0500, "Harry S. Hawk" wrote: >> I wonder what exactly the FCC means by the term "Internet Phone." >> Does this just mean that software like IPhone will be regulated, or >> will this also apply >The thing is that at "best" the Iphone people (et al), are sell >Equipment!. NO ONE is SELLING phone service.. I mean Selling phone >service means some guy in NYC putting a sign on a store front offering >10 cents a minute calls "anyway where in the world." Maybe nobody is selling phone service, and the internet provider is selling packet-transfer service, but phone service _is_ being provided. One possible response would be for the FCC to require internet providers to block phone connections (highly unlikely; you could offer the service on any port you wanted, and I think one of the versions runs over IRC); another would be for them to block the sale of the software (tough to block sale of Israeli software, much less free software.) Bogus. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From tomservo at access.digex.net Sun Mar 10 14:48:49 1996 From: tomservo at access.digex.net (Scott Fabbri) Date: Mon, 11 Mar 1996 06:48:49 +0800 Subject: rhetorical trickery Message-ID: -----BEGIN PGP SIGNED MESSAGE----- An entity self-representing as "Vladimir Z. Nuri" writes: >sure, a government agent could insist, "well, don't be a bonehead. >it's obviously his diary, and surely contains all his crimes against >children". A standard attitude among LEOs is: "if you're not guilty of something, what are you hiding?" Skilled ones use this lever to get suspects to allow searches of their property on the flimsiest of pretenses. >ah yes, just as, obviously, even before trial, "the man is a criminal" "Innocent until proven guilty" is at best an abstraction to most police. Given the amount of time they have per case, on average, they're more interested in slorking up whatever evidence they can against a suspect and making a bust. Didn't Ed Meese say something along the lines of, "if they weren't criminals, they wouldn't be involved with the police"? ObCrypto: Having a fair amount of encrypted stuff around makes any given piece stand out less. A couple dozen PGP-encrypted files with names like "1994 1040 Schedule A" and "Business Contact List, 1Q 1995" is a hell of a lot less suspicious than a single encrypted file called "detonate.pgp." :^) Furthermore, if they don't believe me and I choose not to give them the plaintext, isn't that my Fifth Amendment right? Or has that been waived in cyberspace for our convenience? Scott -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMUNUZuvEnOI8TfM9AQEzjwL/RC1kBe/R8aKru9z0PRFI8wwb+/qhMx8d UFrZ/VA36xDDKY48muwVA+rF+e0tIn3n006DvEBcwMNJ4LfQ15KaVssXjOlDoE0R mAp8umb/K6uK0bZ9+M4/qZe8e6by0VkW =CBfe -----END PGP SIGNATURE----- From blancw at accessone.com Sun Mar 10 14:57:56 1996 From: blancw at accessone.com (blanc) Date: Mon, 11 Mar 1996 06:57:56 +0800 Subject: rhetorical trickery Message-ID: <01BB0E8F.24B0CF60@blancw.accessone.com> From: Vladimir Z. Nuri[ please, will people stop sending me responses like the above? do you understand how the American legal system works? a person cannot be prosecuted without evidence. evidence cannot be illegally obtained. a person is not required to testify against oneself. these are all basic long-established cornerstones of our legal system. ................................................................................... Please, please, when Nuri-logical makes a public post, will people stop copying him in their responses? At least, not until you have read about the Clipper chip, the V-chip, key escrow, ITAR, the CDA, who those "four horsemen" are, etc., and understood how the American legal system works? Personally, I am really amazed at all the times when people point out basic liberties to the NSA or the law enforcement agencies, and somebody says, well yes BUT so-and-so hypothetical situation might arise. Why is there such deep fear about citizens? I'd say that some people there are high up on the list of creating a paranoia about life in the U.S. today. I t is almost as if some people have a public "prosecute you" wish. .. Blanc From JonWienke at aol.com Sun Mar 10 15:11:56 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Mon, 11 Mar 1996 07:11:56 +0800 Subject: No Subject Message-ID: <199603102218.RAA17249@emout05.mail.aol.com> d 96-03-10 11:44:01 EST, you write: >Jim Bell wrote: > >> 2804. Unlawful use of encryption to obstruct justice >> Whoever willfully endeavors (by means of encryption) to (obstruct, >> impede, or prevent) the communication of (information in furtherance >> to a felony) (which may be prosecuted in a court of the United States), >> to an investigative or law enforcement officer shall... > >I think the following is a tad better: > >Whoever willfully endeavors (by means of encryption) to (obstruct, >impede, or prevent) the communication of information (in furtherance >to a felony (which may be prosecuted in a court of the United States)), >to an investigative (or law enforcement) officer shall... I prefer this: 2804. [Deleted] Top that! Jonathan Wienke From stewarts at ix.netcom.com Sun Mar 10 15:18:27 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 11 Mar 1996 07:18:27 +0800 Subject: How to get test messages to test your mail filters Message-ID: <199603100739.XAA27461@ix2.ix.netcom.com> Sending test messages to mailing lists of 500-1000 people just to test your mail filters is rude, and it's been happening a lot lately. On the other hand, building interesting mail filters is a reasonable cypherpunk topic - issues like reputation servers, email privacy, etc. are relevant technology, though this isn't mailpunx. So if you want to send us all a test message, it'd be nice if there were some description of the cool stuff you're implementing :-) On the other hand, if you just need someone other than yourself to send you mail, one useful technique is to send email to bogususer at wellknownmachine.com, for some value of wellknownmachine. Since most machines don't have a user named "bogususer", it'll bounce, unless of course it's running OS/2, which assumes that email for any address on the machine is targeted at the real user (or unless it's running an email system that doesn't implement bouncing...) At 01:40 AM 3/9/96 -0800, Bryan Koschmann wrote: >just a test to see if my filter works..sorry3 for any inconvenience > Gate| Tim rote: >(By the way, I also figured out the anonymous markets for assassinations >bit, too, in 1988, and discussed it in detail then with Eric Drexler, Marc >Stiegler, Mark Miller, Robin Hanson, and others. Long enough ago that I have forgotten the citation, I read an even older SF story about explosive necklaces worn by politicians. If their electronic agreement percentage (and think this was in the sixties folks) dropped too low, a vacancy occured. Warmly, Padgett ps if you have strong principles, and stick by them, sooner or later you will manage to offend everyone. From adam at lighthouse.homeport.org Sun Mar 10 16:05:58 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Mon, 11 Mar 1996 08:05:58 +0800 Subject: FCC & Internet phones In-Reply-To: <199603100222.VAA06105@bb.hks.net> Message-ID: <199603100507.AAA02942@homeport.org> Mutant Rob wrote: | > Q: Is it practically possible to find netphone traffic on a | > generic network at any level above the source and target addresses? | | Good question. Presumably, the signal has a number of charictaristics. Some of them have a central switchboard, where preople go to set up calls. Most presumably use a mix of a UDP data connection and tcp for control functions. They all consist of high volume, long duration connections (or data flows in the case of UDP.) Many probably use a standardized destination port. They might use the urgent pointer to force data up the stack quickly. In short, yes the data streams can be easily found, if one can tap and grep a T3 in real time. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From townsend at smokin.fly.net Sun Mar 10 16:16:33 1996 From: townsend at smokin.fly.net (Chris Townsend) Date: Mon, 11 Mar 1996 08:16:33 +0800 Subject: Leahy's guillotine. In-Reply-To: Message-ID: On Sat, 9 Mar 1996, jim bell wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > To: All > > > Recent Senate crypto bill > Mr. LEAHY (for himself, Mr. BURNS, and MRS. MURRAY) introduced the > following bill; which was read twice and referred to the Committee > > [stuff deleted] > > 2804. Unlawful use of encryption to obstruct justice > > Whoever willfully endeavors by means of encryption to obstruct, > impede, or prevent the communication of information in furtherance > to a felony which may be prosecuted in a court of the United States, > to an investigative or law enforcement officer shall... > > > I think we may reasonably assume that this section was very carefully > written, and thus it may contain meanings (or avoid containing meanings) > that only a careful reading will disclose. > > Contrary to some other sloppy interpretations that I've seen here recently > from organizations that ought to know better, I see nothing in this section > that limits the prosecution on this law to people who are actually > participating in a crime. This distinction is vital. While the sentence > is not diagrammed, it appears to be the INFORMATION which is in "furtherance > to a felony," not the "obstructing" of that communication. The implication > is that it is not necessary that a person know the exact information > involved or be able to decrypt it; he needs only be deliberately using > encryption to prevent the knowledge of what the information is about, or its > routing. (As in an encrypted anonymous remailer, for instance.) ??? Your third sentence doesn't make any sense. While I agree with your position, why would it *possibly* be a crime to interefere with felonious communcations? The lanuguage is lamentably unambiguous about the fact that it is the obstruction and not the information that is in furtherance of a felony... > Moreover, the errors among the organizations that are now apparently > declaring their general support for this amendment are apparently based on a > false view of the effects of this section. > > Aside from this, it isn't clear what is meant by the phrase, "obstruct, > impede, or prevent the communication of information in furtherance to a > felony." An obvious problem is this: How will they know if the use of > encryption actually had that effect? If it was UNsuccessful, then obviously > that encryption did not prevent the government from obtaining information. > If it was SUCCESSFUL, then how is the government to know that the > communication in question was "in furtherance to a felony"? Even if they > can prove the felony by other means, how can they show that the > communication actually had anything to do with the crime? It is quite conceivable that an unsuccessful attempt to obstruct justice might cause additional trouble, time, and expense to the guys in the white hats. Note that the language does not distinguish between successful and unsuccessful attempts...though you're right that it seems that only unsuccessful attempts could be verified... the rest is clouded by your assumption that the information, rather than the obstruction, must be in furtherance of the crime... > > Another problem: Encryption, per se, does not "prevent the communication of > information." What it does, of course, is to prevent the UNDERSTANDING of > that information. Do the writers of this bill intend to use this law to > punish the LATTER effect, rather than the former? > > Further, how is the person to be charged to know if his use of encryption > had the effect of "obstruct[ing], imped[ing], or prevent[ing] the > communication of that information? If he encrypts a file to his hard disk, > and he doesn't intentionally send the file to the cops, how is he supposed > to anticipate that the use of encryption had this effect? As far as HE > knows, it was simply his decision to not send the file to the cops; he can't > be expected to know that they'll show up the next morning with a search > warrant and take his computer, can he? Would his refusal to provide the > decrypt key constitute a violation of this section? Probably. That's what the word "willful" is doing in there. Read carefully: it's willful obstruction, not willful encryption... I am not a lawyer, although I play one on the net. I agree with your position, but you're not reading as closely as the enemy will... -cpt townsend at fly.net From samman-ben at CS.YALE.EDU Sun Mar 10 16:38:58 1996 From: samman-ben at CS.YALE.EDU (Rev. Ben) Date: Mon, 11 Mar 1996 08:38:58 +0800 Subject: Index of Coincidence In-Reply-To: Message-ID: > I'm looking for detailed information on a statistical tool to aid in > cryptanalysis called an "index of coincidence". I would appreciate it if > someone could please explain what this is, how one builds such an index > against a given ciphertext, and how it is valuable in the cryptanalysis of > said ciphertext. Given a ciphertext X with discrete components x[1], x[2], ... x[n], I[c] is the probability that two random elements of x are identical. Ben. Ben Samman..............................................samman at cs.yale.edu "If what Proust says is true, that happiness is the absence of fever, then I will never know happiness. For I am possessed by a fever for knowledge, experience, and creation." -Anais Nin Want to give a soon-to-be college grad a job? Mail me for a resume From mab at crypto.com Sun Mar 10 16:40:22 1996 From: mab at crypto.com (Matt Blaze) Date: Mon, 11 Mar 1996 08:40:22 +0800 Subject: Lawz to be. In-Reply-To: Message-ID: <199603110020.TAA22441@crypto.com> While I don't agree with some of the conclusions you reached in your note, I certainly agree that the Leahy bill would be better for cryptography without this crime. I hope that section gets further narrowed (or removed altogether), but based on discussions I've had with various Senate staffers, I'm not optimistic that it will be. If you feel strongly about this, I urge you to lobby your Senators (and representatives, since there's also a House version of the bill) and tell them exactly what you like and don't like about this legislation, as I am doing with mine. -matt From rich at c2.org Sun Mar 10 16:54:01 1996 From: rich at c2.org (Just Rich) Date: Mon, 11 Mar 1996 08:54:01 +0800 Subject: ADL_mil (militias and the USAF) In-Reply-To: <199603102215.RAA05819@pipe2.nyc.pipeline.com> Message-ID: On Sun, 10 Mar 1996, John Young wrote: > "ADL Special Report: The Militia Movement in America." > > A 1995 national survey by the ADL offers disturbing > evidence that the militia movement has continued to > grow. The ADL survey also found that many hard-core > militiamen believe that the United States Government > itself conducted the Oklahoma City bombing to create an > excuse for further depriving citizens of their > constitutional rights. A continuing flow of information [...] > [Thanks to AF] That info used to be available at http://www.pafb.af.mil/deomi/DEOMI.HTM (the Defense Equal Opportunity Management Institute), under the "Special Interest Groups" heading, but access was restricted to MilNet on Friday when I pointed out, somewhat sarcastically, that they were violating the ADL's copyrights. Geez, they *REALLY* don't want people accessing that server; not only is it firewalled now, but they removed www.pafb.af.mil from the public DNS (its IP address is 131.25.131.53). I guess the Air Force can't take a joke (gee, I wonder why). Anyway, if you're interested in a bunch of very interesting reports on right-wing terrorist groups in the US, most of them dated August 1993, I just might be able to put you in touch with someone who might have those files in his or her N*tscape cache directory. My friend Cecelia points out that the ADL made a few silly mistakes, though, like getting Neo-Nazi leader William Pierce's birthdate wrong (Pierce is the wacko who wrote The Turner Diaries, which inspired a tring of murders/bank robberies by The Order and, more recently, Timothy McVeigh). The general thrust of DEOMI seems to be that people in non-combat posts in the military have every right to be involved with these jokers in their off hours. There are several .mil addresses on the openly Neo-Nazi Stormfront list -- and they're not all plants. In general, they'll only investigate you if your paranoid fantasies about the Zionist Occupational Government prompt you to get up in a tower and start shooting people. Which has, of course, happened, so I have no problem whatsoever with the USAF (or anyone else) talking to the ADL, as long as rights are respected. -rich From markm at voicenet.com Sun Mar 10 17:03:25 1996 From: markm at voicenet.com (Mark M.) Date: Mon, 11 Mar 1996 09:03:25 +0800 Subject: anonymous web pages (Was: SurfWatch) In-Reply-To: <199603100450.XAA16800@hausdorff.math.psu.edu> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sat, 9 Mar 1996, Dan Cross wrote: > This is an interesting idea, though I think a really really insecure one. > What's keeping someone from posting ``trojan web pages'' and then waiting > for the pages to be soaked up by servers? Something that says ``click > to see the /etc/passwd file for this site!'' which runs some funky > CGI thing to cat /etc/passwd or, ``Enter your credit card number to buy > super wiz-bang gadget!'' or the like is a really scary, but very real, > possibility if great care is not taken in setting this kind of thing up. > News servers, on the other hand, don't suffer from this problem because > the data which they contain is much more passive in nature (at least, while > in the spool..) than HTML. The obvious fix would just be to disallow the use of CGI scripts in anonymous web pages. In order for a file to be designated a CGI script, the must be explicitly specified as such in the httpd configuration. The web is every bit as passive as Usenet. The only difference is you can't make a program that will execute on the NNTP server everytime it is retrieved (which would be the Usenet equivalent of CGI). - --Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMUN0ybZc+sv5siulAQGlSAP+N+4Cm0PVcU3zU0WQC6O7m/JXQQJA5RuP dF4/b1OhB8iGeT41PFZhJ/XL94KjKRwmA8TptPThaUKjbJ9feYj6ixm6LvT0xyRY kGDKQkCF4wi3hHlVAw8ADembUw5+gQlNe3xrqnNsXPoZ5FDBpqHqQjFlPOiQhDbV +lR85iyPbRI= =/G3y -----END PGP SIGNATURE----- From WlkngOwl at UNiX.asb.com Sun Mar 10 17:08:02 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Mon, 11 Mar 1996 09:08:02 +0800 Subject: rhetorical trickery Message-ID: <199603110043.TAA19252@UNiX.asb.com> > all my respondents seem to be missing some basic points I have been > trying to make about law enforcement in the US. > > the law runs on proof, and evidence. a file with the name "diary.pgp" > is not incriminating. it is not evidence. no one could be prosecuted > as a criminal for having a diary. there is the presumption of innocence > unless there is evidence and proof to the contrary. A diary isn't illegal... but if you are suspected or even convicted of a crime, and there's reason to believe that a book or computer file is a diary and that you wrote about more crimes in the diary, then it's worth investigating. Just as if one is suspected of money laundering and it is known that that person has Swiss or Cayman Island bank accounts... having them doesn't mean one is guilty, but if there is other evidence that the crime took place then they are well within the realm of investigating. > furthermore, suppose > the "pedophile" is actually prosecuted successfully. does that mean > the diary was incriminating? no, it does not. in the CA case it happened [..] No. It's just another area of potential evidence. > that the pedophile was prosecuted without decrypting the diary. which > in fact argues in favor of the side that says, "cryptography is not > the end of law enforcement, and this case proves it." One can argue that, yes. In fact I remember some LE type who was pro-crypto who insisted the DT Bill was for lazy cops who didn't want to do the footwork necessary for an investigation. Another is when they cited the World Trade Ctr bombing... seems they already had a handle that it was in the works and did nothing anyway. DT or a crypto-ban or GAK would not have prevented that. [..] > now, a person might be successfully prosecuted for obstruction of > justice, or contempt of court, in refusing to hand over the > decrypted diary (but the other post I made about giving the federal > agents a key that decrypts the file to a cookie recipe handles this > quite nicely). And in some ways one has less rights when in contempt of court then when convicted of a felony.... [..] > please, will people stop sending me responses like the above? do you > understand how the American legal system works? a person cannot > be prosecuted without evidence. evidence cannot be illegally obtained. [..] Ideally, that is how the system works. But if they have a good reason to suspect something is evidence (and in the above pedaphile ase a file named "diary.pgp" would probably qualify) a warrant can be obtained. Note that just having PGP-encrypted files would not necessarily be evidence either. They pointed out a specific file with specific reasons why it should be examined. > a person is not required to testify against oneself. these are all > basic long-established cornerstones of our legal system. It's not clear in terms of court rulings whether handing over decryption keys is self-incrimination or not. From what I have heard, the courts do not view safe combinations as self-incriminating... > look, if someone WANTS to be put in jail for having encrypted files, > I'm sure you can probably figure out some way to pull it off. but > if you don't act like an idiot, such a thing is highly unlikely. it > clearly has not happened to date. Doesn't mean it won't... [..] > such deep fear around here about life in the US today? I'd say > that people here are high up on the list of creating the paranoia. > be careful what you fear, you might get it. Good point indeed. "We have nothing to fear but fear itself." (Flames for an FDR quote from raving anti-socialists will be bounced to /dev/null.) Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From tcmay at got.net Sun Mar 10 17:39:27 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 11 Mar 1996 09:39:27 +0800 Subject: Bell, Detweiler, Ravings, and Whatnot Message-ID: At 4:12 AM 3/10/96, jim bell wrote: >In short, the government is trying to head off "crypto-anarchy," which I >guess is Tim May's trademark. I suggest that we don't allow them to; it >will merely make the government's eventual end even bloodier. Not my "trademark," though it was my coinage (in 1987). I'm happy it's gaining usage, by people as diverse as David Friedman, Dorothy Denning, and various journalists. (By the way, I also figured out the anonymous markets for assassinations bit, too, in 1988, and discussed it in detail then with Eric Drexler, Marc Stiegler, Mark Miller, Robin Hanson, and others. Several of us on the Extropians list discussed the implications, countersteps that might be taken, etc., several years ago. I recall incisive comments by Robin Hanson, David Friedman, Hal Finney, Nick Szabo, and others. And on this list, the topic was discussed a bit later. The archives may be helpful...though I'm not sure I want to help Jim Bell figure out the holes in his logic!) Note to Jim: Your posts are getting longer and longer, often including huge chunks of previous posts. I doubt many of us are reading these "novellas"...I am responding to this part of your latest massive post because I detected my name being used. I urge you to try to limit your quoting to about a screenfull or so...this is what a lot of experience has said is the maximum amount of quoting people are willing to deal with in most cases. And your insulting comments about people whom you disagree with, or people whom you think are not taking your ideas seriously enough, are reminiscent of the ravings of the last victim here of late stage Detweiler's Syndrome. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From cp at proust.suba.com Sun Mar 10 17:55:17 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Mon, 11 Mar 1996 09:55:17 +0800 Subject: Lawz to be. In-Reply-To: <199603110020.TAA22441@crypto.com> Message-ID: <199603110105.TAA05652@proust.suba.com> Matt Blaze said, > ...but based on discussions I've had with various Senate staffers, > I'm not optimistic that it will be. > If you feel strongly about this, I urge you to lobby your Senators > (and representatives, since there's also a House version of the bill) and > tell them exactly what you like and don't like about this legislation, as > I am doing with mine. It sounds like you're making much better contact with your representatives than I've ever been able to make with mine. Whenever I call or write I have the impression that I'm just talking with a receptionist who either does nothing with my comment or just puts it on a tally sheet of some kind. Do you know something about lobbying that I don't? Or do your Senators' staffers know about your reputation as an expert who ought to be listened to? When you call up a Senator's office, who do you ask to speak to? How do you find out which staffer would carry the ball on a particular issue? I'm sure we'd all make the effort to lobby if we felt it was making a difference. From jya at pipeline.com Sun Mar 10 18:09:45 1996 From: jya at pipeline.com (John Young) Date: Mon, 11 Mar 1996 10:09:45 +0800 Subject: To: s1018954 Message-ID: <199603110114.UAA19006@pipe2.nyc.pipeline.com> Mail to your "from" address bounces with message "insufficient permission." Care to check that? From wlkngowl at unix.asb.com Sun Mar 10 18:11:10 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Mon, 11 Mar 1996 10:11:10 +0800 Subject: FCC & Internet phones In-Reply-To: <199603101456.JAA08887@cmyk.warwick.com> Message-ID: <31437E51.D38@unix.asb.com> Harry S. Hawk wrote: [..] > > Btw. the worst thing is all the phone companies are very very good > a lobbying... congress, the FCC, etc. > > ALso once FCC regulations something commmerical speach becomes "restricted." > Eg., tobbaco ads.. Hmmm... So any word from the EFF? Perhaps it is time for ISPs to start their own lobbying organization.... --Rob From wlkngowl at unix.asb.com Sun Mar 10 18:16:23 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Mon, 11 Mar 1996 10:16:23 +0800 Subject: How would Leahy bill affect crypto over HAM radio? Message-ID: <31437F04.EF1@unix.asb.com> Subject asks it. I'm not a HAM, but still curious. Wonder if anyone has brought this to Leahy's attention... Comments from the packet folx on the list? --Rob From frantz at netcom.com Sun Mar 10 18:23:20 1996 From: frantz at netcom.com (Bill Frantz) Date: Mon, 11 Mar 1996 10:23:20 +0800 Subject: TCP/IP Stego (was CU-SeeMe) Message-ID: <199603082056.MAA20781@netcom7.netcom.com> At 12:19 PM 3/8/96 -0800, Jim McCoy wrote: >... The original >technique of doing stego on packets is still valid, and by adding it in >to a WinSock lib or linux tcp/ip implementation the user can send hidden >messages just by connecting to a friendly stego-enhanced web server out >on the net and doing some casual browsing. If you can hack your TCP implementation, you should be able (with a high probability) stego information in a few bits of the TCP checksum by adjusting the packet boundries of the TCP stream. An error correcting code protocol would cover the cases where you couldn't get that *%$# bit set correctly. Please note that this technique would not result in TCP checksum errors. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From dinesh at alphaque.com Sun Mar 10 18:54:45 1996 From: dinesh at alphaque.com (Dinesh Nair) Date: Mon, 11 Mar 1996 10:54:45 +0800 Subject: Someone in a goverment with something close to the right idea... In-Reply-To: <01I2565G8OEEAKTUFI@mbcl.rutgers.edu> Message-ID: On Sat, 9 Mar 1996, E. ALLEN SMITH wrote: > Well, he at least has part of the right idea. > -Allen > > Reuters New Media > KUALA LUMPUR, Malaysia - Censoring Internet access will not solve > concerns over privacy and individual freedom in cyberspace, Malaysia's > Deputy Prime Minister Anwar Ibrahim said. He's got good ppl advicing him. Basically, these guys even surprised me, being in malaysia and all that. but his stand on the matter as well as the PM's is pretty good on this. now, the information minister is a different kettle of fish altogether, but he'll seccede to the PM's wishes anyway. Regards, /\_/\ "All dogs go to heaven." dinesh at alphaque.com (0 0) +==========================----oOO--(_)--OOo----============================+ | for a in past present future; do | | for b in clients employers associates relatives neighbours pets; do | | echo "The opinions here in no way reflect the opinions of my $a $b." | | done; done | +===========================================================================+ http://pgp.ai.mit.edu/htbin/pks-extract-key.pl?op=get&search=0x230096E9 From tbyfield at panix.com Sun Mar 10 19:19:49 1996 From: tbyfield at panix.com (t byfield) Date: Mon, 11 Mar 1996 11:19:49 +0800 Subject: Cut the mystical artist crap. (No crypto relevance here) Message-ID: At 2:10 AM 3/11/96, Anonymous wrote: >Was it Thoreau who said "Consistency is the hobgoblin of >simpletons"? No, it was Emerson. And that's not what he said. >What the compromises have to do with are that one lives in >a society with rules, mores, laws. One of those touch-shit >facts of life. You can do what you want, but when it involves You seem to be rather fond of consistency. ;) Ted From EALLENSMITH at ocelot.Rutgers.EDU Sun Mar 10 19:31:48 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 11 Mar 1996 11:31:48 +0800 Subject: Lawz to be. Message-ID: <01I26SR4VEMOAKTUL8@mbcl.rutgers.edu> From: IN%"PADGETT at hobbes.orl.mmc.com" "A. Padgett Peterson P.E. Information Security" 10-MAR-1996 01:15:57.84 >Thought the gotcha was down in the part about the Secretary of Commerce. >My reading is that the secretary will still be required to grant >approval for commercial export. Is past the part about no regulation >inside the US (which is true now - still would be nice to see a "Congress >shall make no law..."). The puzzler is the requirement that a comperable >foreign product must exist before permission to export will be granted. >Will this be like "comparable product" price matching in discount houses ? >Somehow there never is one... Quite. A better format would be "as hard or harder for the NSA to decrypt," given the publically stated purpose for ITAR. -Allen From bdavis at thepoint.net Sun Mar 10 19:42:14 1996 From: bdavis at thepoint.net (Brian Davis) Date: Mon, 11 Mar 1996 11:42:14 +0800 Subject: Cut the mystical artist crap. (No crypto relevance here) In-Reply-To: <199603110110.CAA05830@utopia.hacktic.nl> Message-ID: On Mon, 11 Mar 1996, Anonymous wrote: >... > Was it Thoreau who said "Consistency is the hobgoblin of > simpletons"? Thoeau said that "a foolish consistentcy is the hobgoblin of little minds ..." ^^^^^^^ EBD From EALLENSMITH at ocelot.Rutgers.EDU Sun Mar 10 20:01:43 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 11 Mar 1996 12:01:43 +0800 Subject: No Subject Message-ID: <01I26TJVXRGMAKTUL8@mbcl.rutgers.edu> From: IN%"tallpaul at pipeline.com" 10-MAR-1996 15:48:49.98 >In other words, this or that person acts as a (perhaps temporary) remailer >from their regular account, gets the material encrypted, and massages it in >various ways before sending it out. The point is to increase entropy by >creating the technological base for an enormous proliferation of >remailer/anon tech at the lowest possible price. >Internationally know "elite" (in the good sense of the word) remailers are >by definition known, and thus easy to monitor. Mixmaster etc sites popping >up from the home computers in the rec rooms of suburbia are not. I have been considering the problem of making sure that these non-elite remailers are actually used by enough people to defeat traffic analysis, be useful, et al. Just posting the location & key in a public place is good, but leads to the possibility of somebody cracking down (especially if it's in someplace like Singapore). The alternatives are: A. Send out the address in some form of reply block, along with the key. If someone wants to use the remailer, they include the reply block at the appropriate stage. Thus, the remailer decoding the reply block (probably an "elite" remailer) will know the address, but none others will. B. Send it to one remailer with a setup such that it will encrypt some percentage of messages coming through it with the key of the "stealthed" remailer and mail them to that remailer. Again, whoever operates that remailer will (if they look) know the location. This can also add length to chains even when others don't know the stealth remailer exists. C. Send it to one of the web-page or other automatic chaining facilities with their automatically using it in some percentage of the cases. Again, this trusts the maintainers of the chaining facility. In all of these cases, one would not want the stealth remailer to be the last one in the chain. But such remailers can still help make things more difficult for an attacker. -Allen From wb8foz at nrk.com Sun Mar 10 20:07:40 1996 From: wb8foz at nrk.com (David Lesher) Date: Mon, 11 Mar 1996 12:07:40 +0800 Subject: How would Leahy bill affect crypto over HAM radio? In-Reply-To: <31437F04.EF1@unix.asb.com> Message-ID: <199603110226.VAA00697@nrk.com> > > Subject asks it. I'm not a HAM, but still curious. Wonder if anyone > has brought this to Leahy's attention... > > Comments from the packet folx on the list? Non-cleartext has been forbidden for last 60 years anyhow. -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From EALLENSMITH at ocelot.Rutgers.EDU Sun Mar 10 20:11:44 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 11 Mar 1996 12:11:44 +0800 Subject: Not a good idea... Message-ID: <01I26T3JWQ7AAKTUL8@mbcl.rutgers.edu> From: tcmay at got.net (Timothy C. May) >We need to be very careful here. A service like "SurfWatch," voluntarily >used by others, has entered into no contracts with sites to meet defined >standards of what should and shouldn't be blocked. It is essentially a >"review" service, like a reviewer of books, movies, restaurants, etc. Sure, >some books, movies, and restaurants are "hurt" by negative reviews, but >this is life in a free society. It has not yet reached the point in these >Beknighted States that a bad review can be the basis of a tort (though I >could be wrong...nothing would surprise me these days). One wonders if an ISP (say, Prodigy or AOL) that used SurfWatch to automatically filter everything could be liable if they filtered something that wasn't against their policies (due to overly accepting SurfWatch's or TimWatch's ratings) - non-provision of service? I'd guess they have some clause or another in their normal contract w/users to try to prevent such, but framing it so as to cover such without also basically making it a non-contract (no agreement to provide anything) could be difficult. -Allen From jehill at gauss.elee.calpoly.edu Sun Mar 10 20:56:28 1996 From: jehill at gauss.elee.calpoly.edu (Joshua E. Hill) Date: Mon, 11 Mar 1996 12:56:28 +0800 Subject: Symantec Q&A passwords Message-ID: <199603102313.PAA28956@hyperion.boxes.org> Well... this is only vaguely on topic, but: Does anyone know how to circumvent a password on a Q&A (3.0) database? Symantec said that they would do it for $75... I would imagine that means they use a trivial encryption system... Does anyone know if this is the case? (and if so, what system do they use?). Thank You, Joshua Hill -----------------------------Joshua E. Hill----------------------------- | Murphy's Military Laws: | | 3. Friendly fire ain't. | -------jehill@.calpoly.edu-------- From rah at shipwright.com Sun Mar 10 20:59:29 1996 From: rah at shipwright.com (Robert Hettinga) Date: Mon, 11 Mar 1996 12:59:29 +0800 Subject: PA Message-ID: At 6:42 PM 3/10/96, "A. Padgett Peterson P.E. Information Security" > Long enough ago that I have forgotten the citation, I read an even older > SF story about explosive necklaces worn by politicians. If their >electronic > agreement percentage (and think this was in the sixties folks) dropped > too low, a vacancy occured. We talked here a while back about the Gilbert & Sullivan operetta where there was a "court exploder" or something, whose job it was to blow up the king should the monarch become too egregious in conduct. The limiting factor was that the "exploder", or whatever, was the person who would inherit the king's job. ;-). Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From jamesd at echeque.com Sun Mar 10 21:03:00 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Mon, 11 Mar 1996 13:03:00 +0800 Subject: rhetorical trickery Message-ID: <199603110412.UAA13426@dns1.noc.best.net> At 02:36 PM 3/10/96 -0500, Mark M. wrote: > There was an article in the July 1995 issue of Technology Review by > Dorothy Denning explaining the "evils of encryption" in defense of the > Clipper Chip which mentions this case. I suspect that it actually > happened. Why should the fact that Dorothy Denning says something lead you to suspect that it actually happened? --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From tcmay at got.net Sun Mar 10 21:59:43 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 11 Mar 1996 13:59:43 +0800 Subject: Leahy Bill a Move to Slow Crypto Exports as Much as Possible Message-ID: At 1:42 AM 3/11/96, E. ALLEN SMITH wrote: >From: IN%"PADGETT at hobbes.orl.mmc.com" "A. Padgett Peterson P.E. >Information Security" 10-MAR-1996 01:15:57.84 > >>Thought the gotcha was down in the part about the Secretary of Commerce. >>My reading is that the secretary will still be required to grant >>approval for commercial export. Is past the part about no regulation >>inside the US (which is true now - still would be nice to see a "Congress >>shall make no law..."). The puzzler is the requirement that a comperable >>foreign product must exist before permission to export will be granted. > >>Will this be like "comparable product" price matching in discount houses ? >>Somehow there never is one... > > Quite. A better format would be "as hard or harder for the NSA to >decrypt," given the publically stated purpose for ITAR. I think this is showing that one of the intended purposes of the Leahy bill is to slow down exports of crypto for as long as possible, and then only to grant export licenses when competition from abroad threatens to undo the effects of the stalling process anyway. The clause reads to me as: "We'll delay approval for export of your software for as long as possible, and only grant approval when you face serious competition from abroad, by which time we'll have accomplished our goals anyway." It seems that the SPA estimates of $60B are being responded to, that the Leahy bill addresses the potential competitive losses to other products only. (And of course the $60B, though probably inflated, includes more than just lost sales because a vendor can't ship with strong encryption.) The effect of the clause is to make truly novel new applications--including many of the things that interest us--stallable for an indefinite period. Then, when the Italian or Taiwanese version appears, if ever, the export license will have to be granted. If this is a correct reading of the indended use, then this is another reason not to cheer about the Leahy bill. It would _not_ make crypto freely exportable. But by claiming it has loosened up crypto exports (which it will for certain corporate products), it will have taken the wind out of the sails of those who wanted relaxed exports. Those who can buy lobbyists and who are competing in fairly "standardized" niches, where competitors exist, will probably be able to get export licenses. Those in quasi-underground niches, trying to sell things that have not been built before, will likely face a stone wall. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jya at pipeline.com Sun Mar 10 22:27:10 1996 From: jya at pipeline.com (John Young) Date: Mon, 11 Mar 1996 14:27:10 +0800 Subject: ADL_mil Message-ID: <199603102215.RAA05819@pipe2.nyc.pipeline.com> "ADL Special Report: The Militia Movement in America." A 1995 national survey by the ADL offers disturbing evidence that the militia movement has continued to grow. The ADL survey also found that many hard-core militiamen believe that the United States Government itself conducted the Oklahoma City bombing to create an excuse for further depriving citizens of their constitutional rights. A continuing flow of information from ADL Regional offices around the country indicates militias are operating in at least 40 states, with membership reaching some 15,000, and that these numbers could rise still higher. The following is a 40-state summary of known militia activity. ADL_mil (36 kb) [Thanks to AF] From eagle at armory.com Sun Mar 10 22:31:31 1996 From: eagle at armory.com (Jeff Davis) Date: Mon, 11 Mar 1996 14:31:31 +0800 Subject: rhetorical trickery In-Reply-To: <199603102145.NAA10827@netcom7.netcom.com> Message-ID: <9603101417.aa28560@deepthought.armory.com> > At 1:19 PM 3/10/96 -0800, Vladimir Z. Nuri wrote: > >please, will people stop sending me responses like the above? do you > >understand how the American legal system works? a person cannot > >be prosecuted without evidence. evidence cannot be illegally obtained. > >a person is not required to testify against oneself. these are all > >basic long-established cornerstones of our legal system. > > I'm sure that my friend who tried to argue about a speeding ticket in New > Jersey, had the bones around his eye socket broken and then was arrested > for "Resisting Arrest" will be comforted to hear this. (BTW, a mutual > friend was a witness and confirmed the story. I can't think of any reason > they would have to lie to me about the facts.) > --Bill Frantz There is *some* justice in America. The University of Wyoming had a Campus Cop named Waters, who also worked for Information Technology and fancied himself becoming the next Internet Sherlock Holms. Unfortunately, IT canned his ass for alleged violations of privacy before he could make a career out of electronic snooping. The closest he came to me in all the years I was using unauthorized access there, was giving me a ticket for driving on an expired license. Now days I'm getting too legit to quit. Prof Van Baalen bought my idea of Free Public Internet Access for Wyoming residents on a self educational UNIX box, a spare Sparc 10 wired at T1 speed. We go online by the Equinox >;) -- According to John Perry Barlow: *What is EFF?* "Jeff Davis is a truly gifted trouble-maker." *email * *** O U T L A W S On The E L E C T R O N I C F R O N T I E R **** US Out Of Cyberspace!!! Join EFF Today! *email * From jimbell at pacifier.com Sun Mar 10 22:40:32 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 11 Mar 1996 14:40:32 +0800 Subject: Lawz to be. Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 07:20 PM 3/10/96 -0500, Matt Blaze wrote: >While I don't agree with some of the conclusions you reached in your note, By now you should have seen my most recent item, an editorial by George Will. The case he describes should make it clear to you that the abuse of property owned by an "innocent victim" does not protect that person from confiscation of his property. Or did you think it would? >I certainly agree that the Leahy bill would be better for cryptography >without this crime. I hope that section gets further narrowed (or removed >altogether), but based on discussions I've had with various Senate staffers, >I'm not optimistic that it will be. Okay, here are some questions you should be asking them: 1. Why was this one highly negative section added to what is otherwise apparently a good bill? Whose fingerprints are on it? 2. "All" bills can be amended. "Why not this section?!?" 3. "Why is this section so ambiguous?" 4. What crimes, EXACTLY, do you intend to prosecute using this section? 5. Can you list any examples of REAL incidents that have already occurred that would be in violation of this section if it were already in law? (Surely they know of some, right?!?) If they can think of no such examples, ask them why they are putting a "useless provision" into a law and why is it so important that it be there that we can't have it removed. 6. And finally, "what are you guys afraid of?" >If you feel strongly about this, You don't know how strongly I feel about this. > I urge you to lobby your Senators >(and representatives, since there's also a House version of the bill) and >tell them exactly what you like and don't like about this legislation, as >I am doing with mine. >-matt If that is all that I was planning to do to stop this bill, I would consider myself to be a slacker. Jim Bell jimbell at pacifier.com Klaatu Burada Nikto... Which should stop this damn bill if you guys don't. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUOtKfqHVDBboB2dAQGDKwQAm5rQbtAdaIByJGRKYW3KlxsNGGTKzuB6 U75G5KF8TgIuJKICrkGRjwG0/vnZo8kGuA9N1oCzwqQpTN4swMoOi26e8t/7DPim ZU3V4xGj9sUlopBBcN0pC8ksUC5ADB1K54nDfmbfEee0tL6GxstTgLKepIH2yC1j D7/2UGFbHnc= =vU5b -----END PGP SIGNATURE----- From stewarts at ix.netcom.com Sun Mar 10 23:02:23 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 11 Mar 1996 15:02:23 +0800 Subject: How would Leahy bill affect crypto over HAM radio? Message-ID: <199603110505.VAA03962@ix2.ix.netcom.com> At 09:26 PM 3/10/96 -0500, you wrote: >> >> Subject asks it. I'm not a HAM, but still curious. Wonder if anyone >> has brought this to Leahy's attention... >> >> Comments from the packet folx on the list? > >Non-cleartext has been forbidden for last 60 years anyhow. Yes, but the law _might_ have the side-effect of changing that. It'd be real pleasant if it does... I suspect the best way to make that happen would be to say "shhhh" any time anyone proposes mentioning the topic to a politician.... #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From erc at dal1820.computek.net Sun Mar 10 23:32:29 1996 From: erc at dal1820.computek.net (Ed Carp) Date: Mon, 11 Mar 1996 15:32:29 +0800 Subject: How would Leahy bill affect crypto over HAM radio? In-Reply-To: <199603110226.VAA00697@nrk.com> Message-ID: On Sun, 10 Mar 1996, David Lesher wrote: > > > > Subject asks it. I'm not a HAM, but still curious. Wonder if anyone > > has brought this to Leahy's attention... > > > > Comments from the packet folx on the list? > > Non-cleartext has been forbidden for last 60 years anyhow. Not quite. Anything intended to hide the meaning of the message is banned. Compression isn't banned, because the intention is to make more efficient use of the frequency, not to hide the meaning. -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes The mark of a good conspiracy theory is its untestability. -- Andrew Spring From uunet!in2.uu.net!psinntp!psinntp!psinntp!interramp.com!usenet at warwick.com Mon Mar 11 00:24:17 1996 From: uunet!in2.uu.net!psinntp!psinntp!psinntp!interramp.com!usenet at warwick.com (Alan Beale) Date: Mon, 11 Mar 1996 16:24:17 +0800 Subject: Very boring test Message-ID: <4hjus6$cs4@usenet7.interramp.com> Is there anybody *out* there? -- .signature under construction From savron at world-net.sct.fr Mon Mar 11 01:14:12 1996 From: savron at world-net.sct.fr (savron at world-net.sct.fr) Date: Mon, 11 Mar 1996 17:14:12 +0800 Subject: PGP reveals the key ID of the recipient of encrypted msg Message-ID: <199603110740.IAA06254@storm.certix.fr> I began testing PGP a few days ago ( I'm a PGP newbie ) and I found that it gives out the key ID of an encrypted message . From this you can get the identification of the recipient of the message , if it's someone who has publicaly distributed his key (keyserver , homepage ...) . So even if you are unable to decode the message you can find who is the recipient of a given message . I think this is a big privacy problem . The problem is carried along when you encrypt a message for multiple recipients , you get the key IDs of all the recipients and same problem as above . I think something like 'blind email copy' should be used , because the recipients don't have to know the identity of each other . Comments from long time PGPer will be welcome From EALLENSMITH at ocelot.Rutgers.EDU Mon Mar 11 01:48:12 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 11 Mar 1996 17:48:12 +0800 Subject: SurfWatch Message-ID: <01I26PWDSTX4AKTUBC@mbcl.rutgers.edu> From: IN%"tcmay at got.net" 9-MAR-1996 21:00:29.15 >I plan to taper off on all responses to this thread about SurfWatch and >ratings services. Various sides have expressed their opinions about what >courts and governments will demand, and others respond by saying, "I >disagree. They can pass a law..." or "I disagree. The government is >powerless," etc. I can see your reasons for doing so. The discussion of how to use ratings systems in ways not intended, so long as the government isn't able to get in the way of doing so, is probably more interesting. >In the terms of the lawyers--from what I picked up during my time on the >Cyberial list--a requirement that words be rated before they can be >distributed would not pass Constitutional muster. This does not mean that >one's words will not trigger prosecutions, lawsuits, treason trials, etc. >What it means is that "prior restraint" is frowned upon (recall "The >Progressive" H-bomb case of about 15 years ago, where a court subjected >this magazine to prior restraint...a rare occurrence, later overturned. A >more recent case involves "Business Week," and is still unresolved). I may check with a lawyer myself on this issue. I had known that prior restraint, as in restraining something from being published at all, was considered unconstitutional by all but the nut-case authoritarians. But I had thought that the question of rating was still up in the air - the TV industry seems to have decided not to fight the V-chip in court, for instance. Since the government seems to have decided that it can remove "indecent" material, as judged by them, from the purview of minors, it could argue that a mandated rating system is the "least restrictive" way to do so - ignoring that others can use it for further restrictions. >By the way, who does the rating in this scenario? As others have also >noted, if I am rating my own pages, and rate them as "suitable for all >ages," but Jesse Helms disagrees, what charges can be filed? That I was not >a good enough judge of the material? That my opinions differed from Senator >Helms'? Well, I and Senator Helms have differing views on what is "obscene" and what isn't - and a court is more likely to go with his (prevailing community norms and all that nonsense) in deciding whether to prosecute me. >"Voluntary self-rating" runs into problems, such as this example. One is >left with ratings by _others_, e.g.. ratings boards, and even then there >are variations of this same problem. The "Lesbian Alliance" is going to >have different ideas of what children should be exposed to than the >"Christian Crusade" will ideas about. Who is right? ("What is truth?") There's also the lawsuit issue. If somebody decides that I haven't rated my words high enough to keep "indecent" material from their children, they may sue - and "community norms" will be used to decide. >> D. The government in a country such as China uses rating systems to >>help them filter. >Doesn't have much to do with _my_ words or pages. It ain't the business of >the U.S. court system--which is what we're talking about here--to worry >about what some Maoists think is proper for young cadres to read. I was discussing what was ethical for the proponents of rating systems to do, not what they should be _allowed_ to do. In other words, I am in favor of allowing anyone who wishes to create a rating system, just as I am in favor of allowing anyone who wishes to talk a bunch of utter trash about Holocaust Revisionism. But I wish to discourage people from doing either (or at least in the first case from creating systems that can be misused in such an obvious fashion). >I disagree with the overall conclusions of this line of reasoning. (Though >the "children are not the property of their parents" point is heavy >phrasing, and hard to take issue with directly, due to the language.) I use it as the anarcho-capitalists do who claim that taxation is theft. It gets the attention. I am angered by modern trends in favor of _either_ parental (parents deciding their kids shouldn't learn about evolution, or about sex) or societal (curfews et al). I am also angered by cases like the Joey Buttafuocco (sp?) one, in which he was convicted for having sex with a (definitely willing) minor who was decided to be sufficiently competent to be tried as an adult for committing murder. I had a set of decidedly overprotective parents myself, and I can trace lots of psychological damage from that. They did it out of love, but sometimes that just doesn't work. >In any case, while children are not for their parents to do with as they >please, a reasonable Schelling point has been that I will not force other >parents to expose their children to the teachings of Cthulhu if they will >not demand that my children sit through propaganda tapes about the joys of >homosexual sex. The status of children in a free society is a thorny issue, >but I reject the increasingly-prevalent notion that society knows what's >best and the government will decide what influences can be used with >children. A society which takes away this parental choice is a terrible >society. I tend to conclude that neither parents nor "society" should have any more reign over their children than absolutely necessary. Parents have certain rights over their children which derive from their responsibilities over those children - i.e., to keep those children safe, get them educated so they can have freedoms like speech and press, et al. If the parent can't clearly show that the intervention into the child's life isn't necessary for that responsibility to be fulfilled, then the parent shouldn't be able to do that intervention any more than I should be able to claim that the CO2 being put out by a factory is harming me, and should be stopped, without a lot of evidence otherwise. >I see much of the debate about violence and sex in society and in the media >as being this kind of "battle for the hearts and minds" of children. I >don't want some sociologist telling me that "Terminator II" is "bad" for my >child but that "The Story of O" should be mandatory for my 11-year-old to >watch. I agree about the "mandatory" part; I simply want to make it an option for that child - not an option for the parent. -Allen From EALLENSMITH at ocelot.Rutgers.EDU Mon Mar 11 01:50:31 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 11 Mar 1996 17:50:31 +0800 Subject: Leahy's guillotine. Message-ID: <01I26QG1VLNCAKTUBC@mbcl.rutgers.edu> From: IN%"jimbell at pacifier.com" "jim bell" 9-MAR-1996 21:27:52.24 >Further, any organization with even a shred of credibility that does not >condition its support for this bill on the complete removal of this section >is doing the rest of us an extreme disservice: It is trading on and risking >its reputation, because many of them are issuing opinions of this section of >the bill with assurances that it will only be used against "guilty" people, >when there is simply no way to know if this is going to be true. Either complete removal _or_ replacement with something clearly stating the preferable interpretation (only for cryptography knowingly used by a person committing a felony to conceal the commission of that felony). The latter, while not as good as the former (why should there be additional charges for using cryptography for concealment of a felony?), is acceptable with the other portions of the bill counterweighing it. -Allen From wb8foz at nrk.com Mon Mar 11 01:52:17 1996 From: wb8foz at nrk.com (David Lesher) Date: Mon, 11 Mar 1996 17:52:17 +0800 Subject: Explosives, Criminality, and Preemptive Action In-Reply-To: Message-ID: <199603110136.UAA00547@nrk.com> > > It is quite common to find ammonium nitrate fertilizer and diesel fuel on > a farm, as well as blasting caps, dynamite, gasoline, soap, and a host of > other things that could be used to make a bomb. When non-country folks > bring it up, my most common reaction is, "so?" More importantly, USDA gives out book on how to blow up stumps with the stuff.... -- A host is a host from coast to coast.................wb8foz at nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433 From EALLENSMITH at ocelot.Rutgers.EDU Mon Mar 11 02:03:44 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Mon, 11 Mar 1996 18:03:44 +0800 Subject: Cryptanalysis Message-ID: <01I26QA8KE9UAKTUBC@mbcl.rutgers.edu> From: tcmay at got.net (Timothy C. May) >The usual: Kahn, Denning, and some of the old Dover Press books on crypto. >Also, Herbert Zim wrote a nice little book about 40-50 years ago on codes. >Some of the standard crypto textbooks will of course have more pointers to >cryptanalysis. (Not to sound harsh to Allen, but why would anyone ask here >on the list for recommendations to such a standard subject when Schneier, >Garfinkel, Denning, etc. all have books listed?) Thanks, I'll check. I don't happen to _have_ a copy of Applied Cryptography, etcetera, immediately available, and I had gotten the impression that those concentrated on cyphers as opposed to codes. >And there are so many interesting areas to pursue with using and furthering >modern crypto, that I just can't understand how people can think that >classical cryptanalysis is useful. It might be fun, as a hobby, but it has >no bearing on modern systems. (Well, I'm exaggerating a bit. I suspect that >classical cryptanalysts at the NSA or GCHQ might have some insights into >some problems with modern systems, such as traffic analysis. So I shouldn't >say there is "no use" for it. But I hope you all understand my point in >general. It is unlikely in the extreme that anyone who fools around a >little with classical cryptanalysis will have anything important to >contribute as a result of this.) I never said I was interested in putting stuff about codes into practical usage. Actually, I'm a roleplaying gamer, and I wanted the info for historical settings. True codes appear to be the historical equivalent of OTPs. -Allen From jimbell at pacifier.com Mon Mar 11 02:07:34 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 11 Mar 1996 18:07:34 +0800 Subject: [NOISE] Re: Do you feel lucky, punk? Message-ID: At 09:05 PM 3/10/96 -0800, Bill Stewart wrote: >>In fact, I would argue that a remailer operator will actually be considered >>MORE responsible, legally, than Mrs. Bennis: > >On the contrary, the government would have far _less_ ability to forfeit >the property of a remailer-operator for the activities of a non-owning abuser >than they do to seize Mrs. Bennis's car, because the misuser, Mr. Bennis, >was also its owner. Your logic is faulty. The issue is not whether Mr. Bennis' interest in the car could be taken; the issue is whether _Mrs._ Bennis' interest can. The "reasoning" given by Rehnquist (which I quoted; you ignored the quote) clearly indicates that he thinks Mrs. Bennis should lose her interest as well. Go back and re-visit the issue. As for the comparison of the levels of "guilt" of Mrs. Bennis and the hypothetical encrypted anonymous remailer, generally the law tends to claim to punish people for things they can do something about; it is somewhat pointless to punish a person for something he (or she) has no control over. Mrs. Bennis can not be reasonably expected to be able to stop her husband from using the car; thus she can't be expected to stop him from ABUSING it, either. Despite this, Rehnquist tries to punish her. Clearly, he feels that anyone who is at the level of control of Mrs Bennis (or, presumably, greater) is responsible for such abuse. (Four justices disagreed, however.) An anonymous remailer, on the other hand, does not have to exist: The operator could simply shut it down. The remailer operator, therefore, is ABSOLUTELY in control of the behavior of his system: He chooses to run it; he chooses the software; he chooses to keep records or to not keep records. All these things are within his control. If that system forwards a piece of email, it does so only because the operator allowed it to. Thus, from "the Rehnquist perspective," the anonymous remailer operator is ABSOLUTELY responsible for the abuse of his system. You may disagree, of course, but you aren't the sleaze on the Supreme Court who is going to make the decision. There is, therefore, no reason to believe that the Supreme Court will treat the anonymous encrypted remailer operator any BETTER than Mrs. Bennis, and in fact they will likely try to treat him worse. How could you ever have believed otherwise? >On the other hand, I'd say that a remailer used for assassination politics >is _far_ more likely to be seized, warranted, subpoenaed, and otherwise harassed >that one merely used for unencrypted dirty pictures or encrypted dirty money.... Which, of course, is one of the prime reasons this section is in the bill. You know it and I know it. The Feds are running scared. Jim Bell jimbell at pacifier.com Klaatu Burada Nikto From adam at lighthouse.homeport.org Mon Mar 11 02:27:41 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Mon, 11 Mar 1996 18:27:41 +0800 Subject: Cryptanalysis In-Reply-To: Message-ID: <199603100237.VAA02706@homeport.org> Timothy C. May wrote: | cryptanalysis. (Not to sound harsh to Allen, but why would anyone ask here | on the list for recommendations to such a standard subject when Schneier, | Garfinkel, Denning, etc. all have books listed?) Niether Schneier nor Garfinkel really talk about analysis. The only book I can think of is Biham's "Cryptanalysis of the DES," and thats on a single technique. I don't know of any books on 'applied cryptanalysis.' The public knowledge is all in the heads of a few practitioners, and the papers they've written. | And there are so many interesting areas to pursue with using and furthering | modern crypto, that I just can't understand how people can think that | classical cryptanalysis is useful. It might be fun, as a hobby, but it has | no bearing on modern systems. (Well, I'm exaggerating a bit. I suspect that | classical cryptanalysts at the NSA or GCHQ might have some insights into | some problems with modern systems, such as traffic analysis. So I shouldn't While classical cryptanalysis is not likely to be useful, traditional cryptanalysis hasn't changed much. Stealing keys, bribing people, getting physical access to systems is still far more useful than trying to brute force a key. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From declan+ at CMU.EDU Mon Mar 11 02:33:45 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Mon, 11 Mar 1996 18:33:45 +0800 Subject: FCC & Internet phones In-Reply-To: Message-ID: Excerpts from internet.cypherpunks: 10-Mar-96 Re: FCC & Internet phones by t byfield at panix.com > I think ACTA will make a valiant effort to ban this stuff, and the > FCC might listen--if only to safeguard its purview--but the only > "effective" way to enforce such a ban would be to impose yet another > policing duty on ISPs. Bandwidth aside, they've got better things to worry > about. Unfortunately, that's not true. From: http://fight-censorship.dementia.org/top/ -Declan ---------- Forwarded message begins here ---------- Date: Fri, 8 Mar 1996 15:37:07 -0600 From: "Neal J. Friedman" Subject: FCC Sets Comment Date for Internet Phone Call Rulemaking The FCC has acted with astonishing speed in setting a date for comments on the ACTA petition to regulate telephone calls via the Internet. It is not uncommon for rule making petitions to sit for weeks, months, even years without action. ACTA filed its petition on March 6th and two days later the FCC issued a Public Notice seeking comment. The deadline for comments is April 8, 1996 with reply comments due 15 days later. After reviewing the comments, the FCC will either terminate the proceeding without further action or issue a Notice of Proposed Rule Making seeking further comments on a proposed rule. Time is of the essence for those who may be interested in opposing the Notice. Our law firm would be available to represent parties who may wish to file joint comments in opposition. Please contact me privately if you have any interest. _____________________________________________________________ |Neal J. Friedman | Pepper & Corazzini, LLP |Voice: | | njf at commlaw.com | 1776 K Street, N.W. | 202-296-0600| |Telecommunications| Suite 200 |Fax: | |& Information Law | Washington, D.C. 20006 | 202-296-5572| | | | Web Server: http://www.commlaw.com/ | |____________________________________________________________| From jamesd at echeque.com Mon Mar 11 03:18:32 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Mon, 11 Mar 1996 19:18:32 +0800 Subject: Petty Civil Disobedience Message-ID: <199603110412.UAA13449@dns1.noc.best.net> jamesd at echeque.com wrote: >> In the course of doing this, I discovered that on windows, Netscape >> makes jpegs of naked pretty girls look like crap. At 08:36 PM 3/10/96 -0500, Mutant Rob wrote: > It would take much longer to process the image without dithering of > some sort. Displaying jpegs in high quality is CPU intensive. You have this ass backwards. Dithering slows it down, but is needed for quality, since they presumably do not wish to optimize the palette. The point is that they do a lousy job on dithering. So does Microsoft explorer. They probably purchased the identical code from some clot. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From rich at c2.org Mon Mar 11 03:19:01 1996 From: rich at c2.org (Just Rich) Date: Mon, 11 Mar 1996 19:19:01 +0800 Subject: ADL_mil (militias and the USAF) In-Reply-To: Message-ID: On Sun, 10 Mar 1996 22:54:58 -0500 (EST) alanh at larry.infi.net (Alan Horowitz) wrote: >Well, yes. > >However... > >The strongman of ADL, Abe Foxman has a salary in six figures. People in >the organization are doing good business on the "militia" scare. This is true. Someone posted a general indictment of the pressure-group mentality a few days ago. I agree with most of what the ADL does, but I don't like it when *anyone* "exaggerates" like that. I've criticized the ADL, and I've criticized the Nazis and black-helicopter wackos who also lie and "exaggerate" to get financial and moral support. As Declan found out, I tend to be harshest on friends, because I consider them most worth saving. I've never aspired to be anything but an independent loudmouth, and a FUCKING STATIST, of course. -rich Institute for Ernst Zundel Revisionism http://www.c2.org/~rich/Press/Swedish/ From gary at kampai.euronet.nl Mon Mar 11 03:19:06 1996 From: gary at kampai.euronet.nl (Gary Howland) Date: Mon, 11 Mar 1996 19:19:06 +0800 Subject: steganographic trick Message-ID: <199603111054.FAA14158@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- > Imagine you're an FBI agent or something like that. You've been assigned > to investigate some guy, to include sniffing out any data he may have > stored in encrypted format to keep private. > > You de-crypt the data from some elaborate stego scheme, and find - a > recipe for chocolate cookies. It's funny you should joke about this. A good friend of mine was under serious investigation for a crime which he was not involved with, simply because he fitted a profile. His house was raided and he was under surveillance on and off for 9 months. During the house raid the cops took away a "suspicious" disk (containing an encrypted (although not PGP) file). During the 9 months he was sometimes "tailed" by up to 6 cars, and they had fitted a radio locator to his car. They spent nearly $500,000 investigating him, and also blew their local computer budget trying to crack the encrypted disk. He knows all of this information since he became friends with the investigating officer after it became clear that my friend was innocent. After my friend was told about their efforts to crack the disk, he showed the investiagting officer what the encrypted file was - a .gif of Mickey Mouse! (Note to skeptics - this is no UL - this was a good friend of mine) Gary - -- pub 1024/C001D00D 1996/01/22 Gary Howland Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06 - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMUQGRioZzwIn1bdtAQGfLgGAjZCjMWMVyBKQSYkZJzlI/7LQrInx+JYE 2bU0KKLRkBumXhhPjoLeiR5TcXNgva9N =7uPA -----END PGP SIGNATURE----- From stewarts at ix.netcom.com Mon Mar 11 03:21:36 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 11 Mar 1996 19:21:36 +0800 Subject: Cryptanalysis Message-ID: <199603110518.VAA13194@ix5.ix.netcom.com> At 10:45 PM 3/10/96 -0500, you wrote: >IS there anyone outside of governments, doing code-breaking _for a living_? Don't know if it's a full-time income or not, but there are certainly several people offering commercial products for cracking Microsoft and other popular word processor encryption for people who've lost their passwords. And people who are designing good cryptosystems to protect information have to understand how to crack them, so they can tell whether their new system is stronger or weaker. But there's usually not much other legitimate need for cracking real messages; the authorized people usually have the keys. Whether there are also Bad Guys doing the job for profit, I don't know. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From erc at dal1820.computek.net Mon Mar 11 03:24:59 1996 From: erc at dal1820.computek.net (Ed Carp) Date: Mon, 11 Mar 1996 19:24:59 +0800 Subject: Petty Civil Disobedience In-Reply-To: <199603110412.UAA13449@dns1.noc.best.net> Message-ID: On Sun, 10 Mar 1996 jamesd at echeque.com wrote: > The point is that they do a lousy job on dithering. So does Microsoft > explorer. They probably purchased the identical code from some clot. Some *rich* clod, you mean... :( -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes The mark of a good conspiracy theory is its untestability. -- Andrew Spring From wlkngowl at unix.asb.com Mon Mar 11 03:32:55 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Mon, 11 Mar 1996 19:32:55 +0800 Subject: What about PGP? (was Re: Leahy Bill a Move to Slow Crypto Exports as Much as Possible) In-Reply-To: Message-ID: <31440843.1348@unix.asb.com> Timothy C. May wrote: > I think this is showing that one of the intended purposes of the Leahy bill > is to slow down exports of crypto for as long as possible, and then only to > grant export licenses when competition from abroad threatens to undo the > effects of the stalling process anyway. Hmmm. But what about the case of PGP? It's a relatively strong product, and an international version exists. I'd guess that PGP 3.0 may implement other algorithms (PK and symmetric), and likely an international PGP3 would follow... so how could the Commerce Dept rationalize not giving an export license to ViaCrypt? And would a similar, but non-compatible, utility that used RSA and/or IDEA, 3DES, etc. also be exportable? ... [Problem is that like most legislation the legalise gets confusing to non-lawyers, and maybe even lawyers not expert in that field...] --Rob From gary at kampai.euronet.nl Mon Mar 11 03:42:28 1996 From: gary at kampai.euronet.nl (Gary Howland) Date: Mon, 11 Mar 1996 19:42:28 +0800 Subject: anonymous web pages (Was: SurfWatch) Message-ID: <199603111106.GAA14193@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Nelson Minar wrote: > cp at proust.suba.com (Alex Strasheim) writes: > >Has anyone ever considered setting up anonymous web sites on top of usenet? > > I proposed this a couple of months ago, there should be a bit of > discussion left over in the archives. My idea was to have an account > keyed to a password - if you emailed the server with the right > password, it would take the text of your email and put it in the > specified URL. Then you can use remailers to preserve anonymity with > the server. It's sort of like the alias.c2.org accounts. Cant it be done with a web page consisting of usenet references? eg: Test

Test of news post
Gary - -- pub 1024/C001D00D 1996/01/22 Gary Howland Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06 - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMUQJISoZzwIn1bdtAQHsGQGA1a69oJvSO7KXYGVlRzy8H14IxwzIyybK nsWo5tA9fLsGI8qt1o9hBkNdKEfvMt0H =qiC8 -----END PGP SIGNATURE----- From gary at kampai.euronet.nl Mon Mar 11 03:47:10 1996 From: gary at kampai.euronet.nl (Gary Howland) Date: Mon, 11 Mar 1996 19:47:10 +0800 Subject: Leahy bill nightmare scenario? Message-ID: <199603111112.GAA14213@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Dan Weinstein writes: Dan says "you" wrote: > > Question: What, exactly, is the motivation of a person running an > > anonymous remailer? His motivation is clear: To allow people to > > send anonymously untraceable messages. Assuming he's of ordinary > > levels of intelligence or beyond, he is aware that somebody may some > > day use his system for illegal purposes. You're going to have to > > explain why a court _CAN'T_ interpret this as being in violation of > > the law. > > If I rent cars, someone might one day use a car rented from me in a > robbery. Does that make my an accessary? NO. This is an unfair analogy. Now if you had said that you rented cars without asking for proof of identification, thus making your car hire centre very useful to robbers, that may more closely resemble the anon-remailer situation. Gary - -- pub 1024/C001D00D 1996/01/22 Gary Howland Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06 - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMUQKsCoZzwIn1bdtAQFvMgF+M2YV6V31uBGswLkZtltCnwZ+Gwn3gavf 2KeYva5tb1+myr3plgxgXEvHe8wt3lXZ =vQMv -----END PGP SIGNATURE----- From shabbir at vtw.org Mon Mar 11 05:23:48 1996 From: shabbir at vtw.org (Shabbir J. Safdar) Date: Mon, 11 Mar 1996 21:23:48 +0800 Subject: What about PGP? (was Re: Leahy Bill a Move to Slow Crypto Exports as Much as Possible) Message-ID: <199603111304.IAA04507@panix4.panix.com> Mutant Rob writes: >Timothy C. May wrote: >> I think this is showing that one of the intended purposes of the Leahy bill >> is to slow down exports of crypto for as long as possible, and then only to >> grant export licenses when competition from abroad threatens to undo the >> effects of the stalling process anyway. I think this is somewhat skewed. Let's look at our situation now: We don't get to export much crypto software. The Leahy bill takes us to: We get to export lots of software that is "generally available", "in the public domain or publicly available", or if similar products exist already in other countries. (That's a lot of stuff, but it's not the whole enchilada.) We want to be at: We get to export all crypto software. (I mean legally; I think we all know that export controls don't work against someone with enough brains to post news, send mail, or use ftp) This is a pretty good improvement in the situation, and will hopefully pave the way for the "whole enchilada". It's not good strategy though to criticize this because it's not the ultimate crypto bill. Let's be honest with ourselves here, this is Congress we're talking about and this is a pretty bold step. We need to educate them to see the facts we understand so thoroughly: that crypto export controls do not work, endanger our own requirements for confidentiality, and aren't helping contain this technology in the rest of the world. Forcing Congress to have this debate will lay bare these facts and hopefully embarass the Administration for their absurd policy approach on encryption. They say that liberty is seldom lost all at once, but a little at a time. Regaining it is probably done this way as well. In this case, the Leahy bill gives us back a mouthful. -S > >Hmmm. > >But what about the case of PGP? It's a relatively strong product, and >an international version exists. I'd guess that PGP 3.0 may implement >other algorithms (PK and symmetric), and likely an international PGP3 >would follow... so how could the Commerce Dept rationalize not giving >an export license to ViaCrypt? > >And would a similar, but non-compatible, utility that used RSA and/or >IDEA, 3DES, etc. also be exportable? ... > -Shabbir J. Safdar * Online Representative * Voters Telecomm. Watch (VTW) http://www.vtw.org/ * Defending Your Rights In Cyberspace From eagle at armory.com Mon Mar 11 06:36:56 1996 From: eagle at armory.com (Jeff Davis) Date: Mon, 11 Mar 1996 22:36:56 +0800 Subject: Bell, Detweiler, Ravings, and Whatnot In-Reply-To: Message-ID: <9603110624.aa25893@deepthought.armory.com> > Well, it's a very apt invention. > Well, until about 3/4 of a year ago, I spent no time on Internet except > Well, maybe at times I do get a bit testy, but most recently on this Leahy > jimbell at pacifier.com Well...sound's like Ronald Regan on Acid. -- According to John Perry Barlow: *What is EFF?* "Jeff Davis is a truly gifted trouble-maker." *email * *** O U T L A W S On The E L E C T R O N I C F R O N T I E R **** US Out Of Cyberspace!!! Join EFF Today! *email * From raph at CS.Berkeley.EDU Mon Mar 11 07:11:56 1996 From: raph at CS.Berkeley.EDU (Raph Levien) Date: Mon, 11 Mar 1996 23:11:56 +0800 Subject: List of reliable remailers Message-ID: <199603111450.GAA01786@kiwi.cs.berkeley.edu> I operate a remailer pinging service which collects detailed information about remailer features and reliability. To use it, just finger remailer-list at kiwi.cs.berkeley.edu There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at: http://www.cs.berkeley.edu/~raph/remailer-list.html This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail. For more information, see: http://www.c2.org/~raph/premail.html For the PGP public keys of the remailers, finger pgpkeys at kiwi.cs.berkeley.edu This is the current info: REMAILER LIST This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu. $remailer{"extropia"} = " cpunk pgp special"; $remailer{"portal"} = " cpunk pgp hash"; $remailer{"alumni"} = " cpunk pgp hash"; $remailer{"bsu-cs"} = " cpunk hash ksub"; $remailer{"c2"} = " eric pgp hash reord"; $remailer{"penet"} = " penet post"; $remailer{"hacktic"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"flame"} = " cpunk mix pgp. hash latent cut post reord"; $remailer{"rahul"} = " cpunk pgp hash filter"; $remailer{"mix"} = " cpunk mix pgp hash latent cut ek ksub reord ?"; $remailer{"ford"} = " cpunk pgp hash ksub ek"; $remailer{"vishnu"} = " cpunk mix pgp hash latent cut ek ksub reord"; $remailer{"robo"} = " cpunk hash mix"; $remailer{"replay"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"spook"} = " cpunk mix pgp hash latent cut ek reord"; $remailer{"rmadillo"} = " mix cpunk pgp hash latent cut ek"; $remailer{"ecafe"} = " cpunk mix"; $remailer{"wmono"} = " cpunk mix pgp. hash latent cut"; $remailer{"shinobi"} = " cpunk mix hash latent cut ek reord"; $remailer{"amnesia"} = " cpunk mix pgp hash latent cut ksub"; $remailer{"gondolin"} = " cpunk mix pgp hash latent cut ek reord"; $remailer{"tjava"} = " cpunk mix pgp hash latent cut"; $remailer{"pamphlet"} = " cpunk pgp hash latent cut ?"; $remailer{'alpha'} = ' alpha pgp'; $remailer{'gondonym'} = ' alpha pgp'; $remailer{'nymrod'} = ' alpha pgp'; $remailer{"lead"} = " cpunk pgp hash latent cut ek"; $remailer{"treehole"} = " cpunk pgp hash latent cut ek"; $remailer{"nemesis"} = " cpunk pgp hash latent cut"; $remailer{"exon"} = " cpunk pgp hash latent cut ek"; $remailer{"vegas"} = " cpunk pgp hash latent cut"; $remailer{"haystack"} = " cpunk pgp hash latent cut ek"; catalyst at netcom.com is _not_ a remailer. lmccarth at ducie.cs.umass.edu is _not_ a remailer. usura at replay.com is _not_ a remailer. Groups of remailers sharing a machine or operator: (c2 robo alpha) (gondolin gondonym) (flame hacktic replay) (alumni portal) (vishnu spook wmono nymrod) Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too. Note: The remailer list now includes information for the alpha nymserver. Last update: Mon 11 Mar 96 6:48:05 PST remailer email address history latency uptime ----------------------------------------------------------------------- spook remailer at spook.alias.net **-+ 25:32 100.00% ecafe cpunk at remail.ecafe.org ####**###-++ 15:00 99.99% nymrod nymrod at nym.alias.net **+******-++ 14:36 99.98% replay remailer at replay.com +****+***-+* 29:01 99.98% portal hfinney at shell.portal.com --##+#-##-** 37:14 99.97% hacktic remailer at utopia.hacktic.nl **+******-++ 34:21 99.96% alpha alias at alpha.c2.org +.-+__+++++ 1:09:47 99.95% exon remailer at remailer.nl.com ----+***-*++ 15:48 99.94% c2 remail at c2.org ++ -*__-+*+* 43:39 99.92% flame remailer at flame.alias.net ----------- 3:06:48 99.86% nemesis remailer at meaning.com ** -**--+-++ 1:12:35 99.81% gondonym alias at nym.gondolin.org ------..__.* 15:01:03 99.81% tjava remailer at tjava.com ###*##*###++ 3:26 99.81% vishnu mixmaster at vishnu.alias.net * -** ***--+ 55:32 99.80% gondolin mix at remail.gondolin.org ------..__.* 14:43:10 99.76% vegas remailer at vegas.gateway.com #+##*#+** ++ 8:47 99.72% extropia remail at extropia.wimsey.com .+-____.-.-+ 35:57:21 99.60% pamphlet pamphlet at idiom.com +---+- 17:43:46 99.58% mix mixmaster at remail.obscura.com _______. - * 51:16:44 99.52% treehole remailer at mockingbird.alias.net -+--+-- ---+ 3:32:18 99.51% haystack haystack at holy.cow.net #+#-+ 44:54 98.92% penet anon at anon.penet.fi ......._- 30:55:28 98.39% shinobi remailer at shinobi.alias.net * ##*#**#++ 8:06 97.92% lead mix at zifi.genetics.utah.edu +-+++++ + 43:52 97.56% alumni hal at alumni.caltech.edu - ## *-** ++ 17:50 90.94% amnesia amnesia at chardos.connix.com 2:59:45 -61.78% History key * # response in less than 5 minutes. * * response in less than 1 hour. * + response in less than 4 hours. * - response in less than 24 hours. * . response in more than 1 day. * _ response came back too late (more than 2 days). cpunk A major class of remailers. Supports Request-Remailing-To: field. eric A variant of the cpunk style. Uses Anon-Send-To: instead. penet The third class of remailers (at least for right now). Uses X-Anon-To: in the header. pgp Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID. hash Supports ## pasting, so anything can be put into the headers of outgoing messages. ksub Remailer always kills subject header, even in non-pgp mode. nsub Remailer always preserves subject header, even in pgp mode. latent Supports Matt Ghio's Latent-Time: option. cut Supports Matt Ghio's Cutmarks: option. post Post to Usenet using Post-To: or Anon-Post-To: header. ek Encrypt responses in reply blocks using Encrypt-Key: header. special Accepts only pgp encrypted messages. mix Can accept messages in Mixmaster format. reord Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself. mon Remailer has been known to monitor contents of private email. filter Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering. Raph Levien From adam at lighthouse.homeport.org Mon Mar 11 07:25:54 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Mon, 11 Mar 1996 23:25:54 +0800 Subject: PGP reveals the key ID of the recipient of encrypted msg In-Reply-To: <199603110740.IAA06254@storm.certix.fr> Message-ID: <199603111505.KAA02090@homeport.org> savron at world-net.sct.fr wrote: | The problem is carried along when you encrypt a message for multiple | recipients , you get the key IDs of all the recipients and same | problem as above . I think something like 'blind email copy' should | be used , because the recipients don't have to know the identity of | each other . | | Comments from long time PGPer will be welcome If someone is concerned about this, they can create a new anonymous key, and use that for their correspondance. They can sign & encrypt it to the correspondants they want to use that key. Keys are cheap. Everyone should have a bunch. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From PADGETT at hobbes.orl.mmc.com Mon Mar 11 07:48:04 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Mon, 11 Mar 1996 23:48:04 +0800 Subject: Video resolution Message-ID: <960311101404.2020a2ad@hobbes.orl.mmc.com> Note: this refers to the IBM PC & clones only > The point is that they do a lousy job on dithering. So does Microsoft > explorer. They probably purchased the identical code from some clot. Have been watching this go back and forth & get further from the original question as usual. I suspect that if the original poster looks in her/his/ its/other SYSTEM.INI file, the line "display.drv=vga.drv" will be found in the [boot] section. This is the default 16 color driver installed by Windows to be compatible with every 256k 640x480 VGA card. This makes a decent GIF or JPEG - even "64 gray scale" such as the QuickCam produces - look like olifactory solid waste products. To do better, you need three things: 1) A video card with higher resolution (usually at least 1 Mb of video memory is necessary). 2) A video monitor capable of supporting the card's output. 3) An increased resolution (at least 256 colors as the first responder mentioned) video driver to replace vga.drv (YMMV). If any of these are missing, see the second paragraph above. Warmly, Padgett ps the CDA does nothing to block really creative insults 8*). From tighe at spectrum.titan.com Mon Mar 11 07:49:54 1996 From: tighe at spectrum.titan.com (Mike Tighe) Date: Mon, 11 Mar 1996 23:49:54 +0800 Subject: Cryptanalysis In-Reply-To: <01I25ASYNMT6AKTUGH@mbcl.rutgers.edu> Message-ID: <199603111510.JAA18870@softserv.tcst.com> >There are very good reasons to say little about "conventional >cryptanalysis": it just doesn't matter much with modern ciphers, such as >public key systems. Modern ciphers don't fall to conventional attacks based >on word frequency, pattern analysis, etc. I disagree with this, and think that in the next 10-25 years we will find that most of the systems we are using today were as easily broken as the systems of yester-year (Enigma, Japanese Codes ,etc). From jya at pipeline.com Mon Mar 11 08:10:51 1996 From: jya at pipeline.com (John Young) Date: Tue, 12 Mar 1996 00:10:51 +0800 Subject: TWP on Crypto Keys Message-ID: <199603111541.KAA12090@pipe1.nyc.pipeline.com> The Washington Post, March 11, 1996, p. A18. Security and Software [Editorial] The number of computer users continues to grow, but use of the Internet for business and financial transactions isn't keeping pace. At least, that's the complaint of many who expected a flood of Americans to go on-line for banking, publishing and mail-ordering -- with tremendous profits to the on-line industries that handle these services. One big reason for the lag is customer concern about the safety of information, from credit-card numbers to bank balances and business secrets, in the hacker-rich environment of the Internet -- an eminently reasonable concern that many in the industry believe can be addressed only by the wider use and availability of sophisticated "encryption software," which scrambles information en route, making it indecipherable to anyone who doesn't hold the key to the code. The sense that encryption technology holds the key to future economic growth on the Internet is pushing an arcane but intense argument between the Clinton administration and the computer industry over whether to lift existing restrictions on the export of the most powerful encryption software. The administration, especially its law enforcement agencies, bars on national security grounds the export of encryption software above a certain difficulty level, saying that it needs to be able, if neqessary, to seek and obtain the equivalent of a permit to wiretap. The makers of the software argue that these restrictions are ruinous for U.S. competitiveness in the international market because foreign customers want the most secure encryption available. Some civil liberties organizations argue that the restrictions are an invasion of customers' privacy rights. Legislation introduced this month in both the House and the Senate would ease the export restrictions while attempting to meet some of the government's security concerns. Code makers would deposit a "spare key" to any exported encryption software with a trusted third-party agency -- a compromise the Justice Department and national security agencies also have been pursuing in talks with the industry, but at which the industry hesitates because it fears that the existence of "spare keys lying around" would cause potential customers to balk. (The Justice Department also would like a spare-key agreement for encryption software sold domestically, but has less leverage because such sales require no license.) The legislation would heavily penalize any "key holder" agency that provides an unauthorized copy to anyone besides the government. But it also would make it legal to export any encryption technology that is already "generally available" -- for instance, in stores or on domestic computer bulletin boards. Such a sweeping change, law enforcement authorities fear, could render the other barriers and safeguards in the bill close to academic in the borderless, lightning-quick world of Internet transmission. Once it's widely available overseas, "uncrackable" software or hardware can't be recalled. The U.S. intelligence agencies with their superior computing power can still crack most coded software, if not immediately, then much faster than 99.9 percent of ordinary commercial hackers. But that doesn't mean their concerns should be shrugged off. Like arms sales, encryption technology sales have implications for traditional national security interests as well as the economic kind. The urgent interest both sides share is to get this resolved soon. [End] From hallam at w3.org Mon Mar 11 08:16:50 1996 From: hallam at w3.org (Phillip M. Hallam-Baker) Date: Tue, 12 Mar 1996 00:16:50 +0800 Subject: Vexatious Litigants (was: SurfWatch) Message-ID: <199603111547.KAA14991@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- E. ALLEN SMITH wrote: > > From: IN%"stewarts at ix.netcom.com" "Bill Stewart" 10-MAR-1996 04:29:37.67 > > >Presumably, almost nobody in Europe is going to add these silly Yankee > >rating labels to their web pages, except a few commercial content providers > >who want to sell advertising or services into markets that block > >un-rated web pages. So schoolkids behind rating-mandatory sites > >will have to ask their teachers why the "World-Wide-Web" is just American --- > >"It's got All 50 States, Johnny!" ! > > The WWW consortium is approaching European governments about their > rating system - the one found at SafeSurf. > -Allen Disclaimer: I don't work on PICS and I don't speak for the consortium. Actually the European govts are far more likely to see labels being used. In the US a piece of crackpot legislaion has been passed which has some clearly unconstitutional parts. The ban on abortion related speach for example which the justice dept isn't going to defend in any way. I expect that the Exon amendment will eventually be ruled unconstitutional through being overbroad. The problem is that it is difficult to get people to do something voluntarily after ordering them to do so and being overuled by the courts. This is the kind of small minded, foot stomping politics that the US congress is famous for worldwide. In Europe the governments tend to be more aware of their impotence. There is also much less hysteria about kids seing pornography, the main concern is violence and in particular amoral US TV shows for kids, the sort where people beat each other up but nobody ever gets hurt. In France one can buy hard core porn in the supermarket. The govt. is far more concerned about foreign language material. The whole point about PICs is that it is not bound to a single rating scheme. I had a go at producing a spec for a rating scheme back in '94 but gave up since life is too short to waste. The Web is decentralised and anyone can set up shop in it. Now we have a scheme in which anyone can set up a rating scheme. So we will have the kook brigade filtering out material on evolution and the concerned parents preventing their five year olds from viewing the alt.tv.very.scary gifs. Actually this is the main point of the exercise. I can't think of any system which is going to defeat determined 14+ kids from finding porn but its a bit easier to stop the 7 and unders from accidentially seeing stuff that will give them nightmares. Phill - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMURLKSoZzwIn1bdtAQGeWgGA0n4wmvgI8F4UspSxmWJ3Q9C2+LaxVPl7 xy+H0/0QN66VneWZg+h+pNZd3kmLdgOj =+z3H -----END PGP SIGNATURE----- From PADGETT at hobbes.orl.mmc.com Mon Mar 11 08:38:32 1996 From: PADGETT at hobbes.orl.mmc.com (A. Padgett Peterson P.E. Information Security) Date: Tue, 12 Mar 1996 00:38:32 +0800 Subject: Leahy and Mrs. Bemmis (now that's a subject line) Message-ID: <960311112406.2020a2ad@hobbes.orl.mmc.com> First, would like to comment that some people do not like some of my beliefs. Tough. Do try to be honest and consistant about them. One of them is that while the US is imperfect, it is better than anything else I have seen (and have seen more than a few) and has the potential to remain great. Do believe in the "sovereign right of nations" to be a fact. Also believe in human rights personally but do not expect governments to agree merely because I say so. Some favor direct action. I prefer the "theater of the absurd" & have found that most people are able to recognize absurdity when they see it, particularly if carried to extreems. Most of life is absurd to those who are able to really enjoy it. The Leahy bill is flawed in two areas. Sent a message with proposed wording to Sen. Leahy via his web page but have not gotten a response. Have a bad habit of reading laws without thought since this is how LEA and prosecutors are told to enforce them - as written, not as believed. If an area is vague, a court is required to decide how to interpret it, not LEA. If badly written *everyone* loses. At the same time am pragmatic enough to accept the idea that it will have no effect unless it passes and to be passed today it must have something like the criminalization statement. The goal here should not be to throw it out since that would simply cause the whole bill to fail, but to word it carefully enough that it satisfies those who reguire laws while being narrow enough to avoid exploitation. IMNSHO the best way to do that is to require that: 1) A felony occured (curiously misdemeanors were ommitted) and 2) That the individual to be charged was an active participant (before, during, or after the fact) and 3) That encryption was used in furtherance. Note: that in the US (1) and (2) seem sufficient for a criminal charge to be brought, so does (3) really add anything except words or possibly severity ? Seizure seems to be a great concern of the group with the point of the Bemmis Pontiac being brought up. For someone providing a free remailer, that is a valid concern since the first question a court might ask is "what was the motivation". I suspect that someone providing a remailer and charging a reasonable fee to all who might want to use the service might be in a much better position (not a lawyer so not allowed to know). One indicator might be easy to check: Has there ever been a seizure involving a rental car (Hertz, Avis, etc.) and if so, what was the disposition ? Warmly, Padgett From perry at piermont.com Mon Mar 11 09:21:50 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 12 Mar 1996 01:21:50 +0800 Subject: noise levels Message-ID: <199603111655.LAA00604@jekyll.piermont.com> Noise levels have been rising fast again. I encourage people to think about whether things are on topic before they post. Perry From SilcocSM at tbacrm001.prose.dpi.qld.gov.au Mon Mar 11 09:41:26 1996 From: SilcocSM at tbacrm001.prose.dpi.qld.gov.au (Silcock, Stephen) Date: Tue, 12 Mar 1996 01:41:26 +0800 Subject: Fertilizer & fuel oil as cause for suspicion - similar to cryptography? Message-ID: <3144AEFF@inferno.ind.dpi.qld.gov.au> On Friday 8th March Allen wrote: In the below article, the cops seem to be claiming that fuel oil, fertilizer, and bomb-making knowledge = illegal explosives possession. This idea doesn't make sense. Crypto relevance? An example of how governmental idiots are likely to take cryptography. -Allen ----------------- Copyright © 1996 Nando.net Copyright © 1996 The Associated Press CORVALLIS, Ore. (Mar 8, 1996 11:09 a.m. EST) -- Ingredients for a fertilizer bomb like the one that killed 169 people in Oklahoma City were found on a farm along with bomb-making instructions, guns and drugs, police said. Four people were arrested on weapons and drug charges. Charges involving illegal explosives were expected to be filed later, police Sgt. Dennis Carson said Thursday. Officers seized a large quantity of fuel oil and the fertilizer ammonium nitrate, two key ingredients in the April 19 Oklahoma City bombing. "My understanding is it could have made a large bomb and a rather large explosion had it been detonated," Carson said. "All they had to do was mix the parts. It would take just a few minutes." He wouldn't say how much fertilizer was found in the raid Wednesday night near this city about 80 miles south of Portland. The fertilizer, found in an 8,000-square-foot barn, was removed in a state police bomb-squad truck. Carson said investigators were trying to determine whether those arrested had plans to bomb a building or had ties to any anti-government groups. The federal Bureau of Alcohol Tobacco and Firearms is investigating. Along with the material for the fertilizer bomb, officers found 29 guns, including eight assault rifles, and material to make pipe bombs. Three ounces of marijuana and some methamphetamine were also found. [...] All were charged with drug possession and Luehring and the younger Bradley were also charged with being ex-convicts in possession of weapons. Carson didn't have details on their criminal past. [...] I would be the first to admit that fertilizer and petrol are freely available and quite possibly innocent enough, but when the people involved are ex-convicts also in possession (apparently illegally; I don't know US law that well) of TWENTY-NINE firearms including EIGHT ASSAULT RIFLES, then I think police concern is quite reasonably warranted. From jimbell at pacifier.com Mon Mar 11 10:53:56 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 12 Mar 1996 02:53:56 +0800 Subject: Leahy bill nightmare scenario? Message-ID: At 06:12 AM 3/11/96 -0500, Gary Howland wrote: >Dan Weinstein writes: >Dan says "you" wrote: >> > Question: What, exactly, is the motivation of a person running an >> > anonymous remailer? His motivation is clear: To allow people to >> > send anonymously untraceable messages. Assuming he's of ordinary >> > levels of intelligence or beyond, he is aware that somebody may some >> > day use his system for illegal purposes. You're going to have to >> > explain why a court _CAN'T_ interpret this as being in violation of >> > the law. >> >> If I rent cars, someone might one day use a car rented from me in a >> robbery. Does that make my an accessary? NO. > >This is an unfair analogy. Now if you had said that you rented cars >without asking for proof of identification, thus making your car hire >centre very useful to robbers, that may more closely resemble the >anon-remailer situation. >Gary Exactly! I'm glad you noticed, and commented. As you've noticed, I keep getting faulty reasoning from people who SHOULD know better. Analogies are extremely useful, but if they are poorly crafted, they do little more than show the limitations of their author. From EALLENSMITH at ocelot.Rutgers.EDU Mon Mar 11 12:00:19 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Tue, 12 Mar 1996 04:00:19 +0800 Subject: Cryptanalysis Message-ID: <01I26QNY0Q3MAKTUBC@mbcl.rutgers.edu> From: Adam Shostack >From: TCMay: >| cryptanalysis. (Not to sound harsh to Allen, but why would anyone ask here >| on the list for recommendations to such a standard subject when Schneier, >| Garfinkel, Denning, etc. all have books listed?) > Niether Schneier nor Garfinkel really talk about analysis. >The only book I can think of is Biham's "Cryptanalysis of the DES," >and thats on a single technique. I wasn't asking about cryptanalysis; I was asking about codes (as opposed to cyphers). -Allen From cp at proust.suba.com Mon Mar 11 12:04:21 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Tue, 12 Mar 1996 04:04:21 +0800 Subject: Bell, Detweiler, Ravings, and Whatnot In-Reply-To: Message-ID: <199603111039.EAA07811@proust.suba.com> > As for reading the archives, I'm never tried to do that, and I don't even > know how (where) to get them. If I felt I could learn something from it, I > would, but you've already listed commentary by Detweiler which sounds > sufficiently > wacky that it has to be far beyond anything I've said. How relevant are HIS > comments compared to anyone else you've ever disagreed with? Just in case someone else is interested, the archives are at http://www.hks.net/cpunks/index.html. The entire history of the list is there, and you can browse by date, subject, or author. You can also read this list and many others via the hks.net nntp server. There's a lot of good stuff there, even if you're not interested in Detweiller. From declan+ at CMU.EDU Mon Mar 11 12:17:45 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Tue, 12 Mar 1996 04:17:45 +0800 Subject: Petty Civil Disobedience In-Reply-To: <199603100537.VAA24499@mail1.best.com> Message-ID: Excerpts from internet.cypherpunks: 9-Mar-96 Re: Petty Civil Disobedience by jamesd at echeque.com > At 10:31 AM 3/9/96 -0500, Declan B. McCullagh wrote: > > Perhaps we should put up our own protest web sites with one or two > > explicit sexual images as real civil disobedience? > > Major problem here is that ten million horny geeks are likely to bring > your server to its knees, but if one only has one image, and it is > moderately small, say thirty thousand bytes, perhaps the flood would > taper off eventually. jef at well.com ran into this with his nude-of-the-month page; the WELL fixed it by throttling. (JEF is the guy who wrote thttpd) -Declan PS: His page is at http://www.well.com/~jef/ From gary at kampai.euronet.nl Mon Mar 11 12:19:21 1996 From: gary at kampai.euronet.nl (Gary Howland) Date: Tue, 12 Mar 1996 04:19:21 +0800 Subject: (Fwd) Gov't run anon servers Message-ID: <199603111015.LAA10327@kampai.euronet.nl> > Right. Couldn't you insert some kind of var into the kernel, rebuild and > upon each reboot have the remailer process (which would have to be root > owned) check for the value of this? I am of course assuming that the owner > of the remailer has admin control over the box, which is kind of unscalable. > If someone does gain entry to the machine, he'd need root to skim through > the kernel memory, and since he wouldn't have access to the remailer src > (you don't have it online, right?) he'd have a hard time looking for what he > needed... I was thinking of something much simpler, eg.: % remailer Enter passphrase: xxx Remailer started ... % This of course assumes that the remailer runs as a process - if it doesn't then there is no reason a 'remailer helper' cannot. The only disadvantage of this is that the remailer cannot be rebooted without a passphrase being entered, but then there are ways around this (entering the passphrase remotely over a secure link etc., or more sophisticated 'remote authorisation' systems). The advantage of this is that the password is never on the disk, only in memory (which will take serious (read "expensive") to extract). I am amazed at all of the talk of smart cards etc., when all that is really needed is a password entered at boot time. Gary -- pub 1024/C001D00D 1996/01/22 Gary Howland Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06 From perry at piermont.com Mon Mar 11 12:19:57 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 12 Mar 1996 04:19:57 +0800 Subject: rhetorical trickery In-Reply-To: <199603110412.UAA13426@dns1.noc.best.net> Message-ID: <199603111727.MAA00641@jekyll.piermont.com> jamesd at echeque.com writes: > At 02:36 PM 3/10/96 -0500, Mark M. wrote: > > There was an article in the July 1995 issue of Technology Review by > > Dorothy Denning explaining the "evils of encryption" in defense of the > > Clipper Chip which mentions this case. I suspect that it actually > > happened. > > Why should the fact that Dorothy Denning says something lead you to > suspect that it actually happened? Denning has happily talked about snuff films in the past. James is dead on that Denning is not a credible source. On the other hand, Phil Zimermann has personally told me of a case in which the police had trouble with a child molester using PGP in the stated manner. He is a credible source for this. Let us remember that just as murderers can use perfectly useful household knives to do their evil deeds, and we should not therefore ban cooking utensils, so it is to be expected that privacy tools would be used sometimes for evil as well as for good. A free society does not ban cars because they can be used to run people down, and does not ban PGP just because on rare occassions it is used to conceal the diary of a child molester. Perry From jimbell at pacifier.com Mon Mar 11 12:26:27 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 12 Mar 1996 04:26:27 +0800 Subject: Bell, Detweiler, Ravings, and Whatnot Message-ID: At 11:58 PM 3/10/96 -0800, Timothy C. May wrote: >There are many things I find terrible, disgusting, dangerous, wrong, etc. >But I have never been persuaded by people ranting at me and insulting me, >so I doubt that rants and insults from me will be effective. (I'm not >claiming to always be calm and non-insulting, just claiming that the style >of ranting is rarely effective, and I try to avoid it.) I think your criticism is unrealistic, at least by trying to suggest that I'm "ranting." I'm responding to a number of claims (the most recent one was from Bill Stewart) that the wart in this bill won't be abused, or at least not seriously. The people who make these claims frequently use wildly faulty reasoning; I challenge them and (I believe) support my position with accurate examples and commentary to prove my point. Admittedly, if you were on the receiving end of my persistent efforts, you might feel unhappy, but that doesn't make my comments "rants." >Screaming insults at people, resorting to ad hominem attacks on their >personality (such as Jim did with Padgett Peterson) I know nothing about Peterson's "personality" other than by his writing style and content. I find his commentary to be highly dishonest, because (as he fully admitted) he avoided responding to the points that I had made, which had accurately contradicted his original claims. I'm not complaining that didn't quote me; it's that he ignored the issues I'd raised in challenge to his claims. Further, he tried to disguise his failure by taking it off the list. >, ranting about how people are fools and worse, When these people stop acting like fools... Look, Tim, if I'm right about the ambiguities and threats in the Leahy bill, then it's a serious danger to us all. And that means that if an organization which is supposed to protect our interests soft-pedals the negatives, they are actually adding to the problem. When I saw a number of organizations lap it up like a cat slurps milk, I began to wonder if they were really paying attention to the issues at all. In addition, I've seen two separate comments (not on CP) by people who just about proudly claim that they "never" agree with me, but are actually quite pleased and are in agreement with my comments on this bill. Maybe this should tell you that I have a point, on this issue if nowhere else. In addition, "everybody" seems to agree that the positive parts of the bill are "positive," and most people can correctly identify the negative part. The issue is basically, "how negative" it is. A few days ago, all we saw was a few press releases by these organizations falling all over themselves to praise the bill, and having mild criticism for the bad part. I was the person who raised the issue of the serious danger of this bill to remailers and ISP's, which I still believe to be an accurate and very serious criticism. Contrary to the pessimistic opinions of some others, I believe that one of two situations are true: 1. The bad part is "easy" to delete, and we should and can do so. or 2. Somebody REALLY wants that bad part in there, in which case we should carefully investigate who it is, and why he wants it there. >Read the archives covering the several months when Detweiler (aka V. Z. >Nuri, aka S. Boxx, aka Pablo Escobar, aka about 20 other pseudonyms) was >foaming at the mouth about how people were mutating his brain, how the >crypto anarchists were ignoring him, how the snakes of Medusa were hiding >in his keyboard, and so on. Then note the similarities to Jim Bell. Sounds like a deliberately faulty association, Tim. I'm not responsible for Detweiler, and I think it's an unfair tactic to try to suggest that my comments are "similar." The moment I start talking about "mutating my brain" or things like that, I will have earned that kind of criticism. If you can show that my analysis is faulty with respect to the Leahy bill, you will have gone a long way to supporting your claims. As of now, your disagreement is simply with my debating style, which is admittedly on the "hardball" side. As for reading the archives, I'm never tried to do that, and I don't even know how (where) to get them. If I felt I could learn something from it, I would, but you've already listed commentary by Detweiler which sounds sufficiently wacky that it has to be far beyond anything I've said. How relevant are HIS comments compared to anyone else you've ever disagreed with? Jim Bell jimbell at pacifier.com From anonymous-remailer at shell.portal.com Mon Mar 11 12:47:05 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Tue, 12 Mar 1996 04:47:05 +0800 Subject: Cryptographers against cryptography Message-ID: <199603111735.JAA17685@jobe.shell.portal.com> This is the second in a regular series of postings to expose cryptographers and cypherpunks who are either lying to us or making a very serious mistake in there judgement. Why do I say this?? What do these people have in common? Easy. Even though they act like they are on the side of crypto for the masses, every one of them support the Leahy anticryptography bill. This law will make it illegal to run an encrypting remailer and will require key escrow. If it isn't clear why this is the case READ THE BILL!!!! Several wise people on the CypherPunkS mailing list, cypherpunks at toad.com have exposed the bill for what it is. Even though these people have been presented with evidence that the bill does these things they have not recanted. They stab us in the back and then they lie about it. Some of these people have been bought out by forces unknown. Others are just blind to the facts and need education. Bizdos is in a class by himself. It's time we "help" them think about this. Email each of these people with youre opinion that they should support cryptography or maybe stop lying to us that they do. What you say and do is up to you. I do not support breaking the law (yet). B. Schneier: bs208 at newton.cam.ac.uk, schneier at counterpane.com M. Blaze: mab at crypto.com, mab at research.att.com J. Bizdos: jim at rsa.com S. Safaddar: shabbir at vtw.org D. Weinstein: djw at vplus.com P.. Peterson: padgett at hobbes.orl.mmc.com B. Stewart: stewarts at ix.netcom.com BOYCOTT APPLIED CRYPTOGRAPHY, AT&T, VTW, and RSA!!!! From harmon at tenet.edu Mon Mar 11 13:13:07 1996 From: harmon at tenet.edu (Dan Harmon) Date: Tue, 12 Mar 1996 05:13:07 +0800 Subject: spy sats Message-ID: Tonight on the Discovery Channel at 10 eastern is a program about spy satellites. Dan From junger at pdj2-ra.F-REMOTE.CWRU.Edu Mon Mar 11 13:13:15 1996 From: junger at pdj2-ra.F-REMOTE.CWRU.Edu (Peter D. Junger) Date: Tue, 12 Mar 1996 05:13:15 +0800 Subject: A lengthy preliminary analysis of the Leahy bill. Message-ID: This is a preliminary draft of my preliminary analysis of the Leahy bill. In it I am primarily concerned with the affect---if any---of that bill on the constitutionally protected freedoms of speech and of the press. At times in this submission I may seem overly suspicious of some agencies of the government. That may be a consequence of this being merely a preliminary draft; it is more likely, however, that it is the result of years of studying the ITAR and the antics of the agents in the Office of Defense Trade Controls and the NSA as they relate to the licensing requirements for cryptographic software. Permission is granted to post this submission to other mailing lists and news groups, but only if it is posted in its entirety (except for headers other than the ``To'', ``From'', and ``Subject'' lines). ------------------------------------------------- The Leahy Bill known as the Encrypted Communications Privacy Act is certainly well intentioned and Senator Leahy and the other sponsors (Senators Burns, Dole, Murray, and Pressler) should be congratulated for their efforts. Those whose major goal is to be able to export mass-marketed cryptography have good reason to support this bill, even though it has features---and ambiguities---that they may find undesireable, and even though the bill may not actually make all mass marketed cryptographic hardware and software freely exportable. (There is even the danger that it might even be interpreted (for reasons that I will explain hereafter) as not making any change in the requirements for the export of cryptographic software, whether mass marketed or not). On the other hand, those like Daniel Bernstein and myself, who want to publish information---including algorithms and source code---that is subject to the licensing requirements of the International Traffic in Arms Regulations (``ITAR'') that apply to cryptographic devices and software---at least according to the National Security Agency's representatives and that agency's puppets in the Office of Defense Trade Controls---may find the bill more of a hindrance than a help in their efforts to assert the constitutional right of freedom of speech and of the press. My concern is not that the bill will somehow lead to mandatory key escrow. My concern is that in relaxing the restrictions on the export of software as a commodity it may actually give support to the efforts of the censors to keep Daniel Bernstein from publishing his article about his algorithm for converting a hash function into a cryptographic program---I hope that is a fair enough description of his article, an article that the censors have prevented me from ever seeing---and those censor's efforts to keep me from publishing my materials---which contain some cryptographic software---for my course in computers and the law, and to keep foreign students from taking that course. The major threat is that, for the first time, there would be at least colorable Congressional authority for the requirement that one obtain a license before publishing or otherwise disclosing information. And software is, after all, nothing but information. Let me go through the bill and attempt to explain my concerns. (I hope that the version of the bill that I am using is correct.) A BILL To affirm the rights of Americans to use and sell encryption products, to establish privacy standards for voluntary escrowed encryption systems, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the "Encrypted Communications Privacy Act of 1996". SEC. 2. PURPOSE. It is the purpose of this Act- (1) to ensure that Americans are able to have the maximum possible choice in encryption methods to protect the security, confidentiality, and privacy of their lawful wire or electronic communications; and (2) to establish privacy standards for key holders who are voluntarily entrusted with the means to decrypt such communications, and procedures by which investigative or law enforcement officers may obtain assistance in decrypting such communications. I have no objections to the provisions of this section---except possibly for the reference to procedures by which officers may obtain assistance in decrypting communications. But I am not happy that the purpose does not include protecting the freedoms of speech and of the press, and particularly the freedom to communicate information about cryptography. SEC. 3. FINDINGS. The Congress finds that- (1) the digitization of information and the explosion in the growth of computing and electronic networking offers tremendous potential benefits to the way Americans live, work, and are entertained, but also raises new threats to the privacy of American citizens and the competitiveness of American businesses; Notice that there is nothing here---at least not directly---about the freedom to distribute and to obtain access to information and that, therefore, there is no mention of the constitutional right to speak and publish information about cryptography. (2) a secure, private, and trusted national and global information infrastructure is essential to promote economic growth, protect citizens' privacy, and meet the needs of American citizens and businesses. Once again, there is nothing about the freedom to distribute and obtain access to information. (3) the rights of Americans to the privacy and security of their communications and in conducting their personal and business affairs should be preserved and protected; I like this one. (4) the authority and ability of investigative and law enforcement officers to access and decipher, in a timely manner and as provided by law, wire and electronic communications necessary to provide for public safety and national security should also be preserved; This is presumably included as a political compromise. Those whose concerns are primarily with marketing software can probably live with it. Those who are concerned with privacy and liberty and human decency should, on the other hand, find this finding terrifying. (Of course, one can argue that the findings are just window dressing without any substantive significance; I assure you, however, that they can be used to interpret the substantive provisions of the statute and that ultimately the interpretation is more important than the words of the statute itself.) (5) individuals will not entrust their sensitive personal, medical, financial, and other information to computers and computer networks unless the security and privacy of that information is assured; I have no problem with this as a finding, though I am not sure that I want to encourage people to entrust sensitive information to computers and computer networks, no matter what assurances they may be given. (6) business will not entrust their proprietary and sensitive corporate information, including information about products, processes, customers, finances, and employees, to computers and computer networks unless the security and privacy of that information is assured; No problem. (7) encryption technology can enhance the privacy, security, confidentiality, integrity, and authenticity of wire and electronic communications and stored electronic information; That is correct. (8) encryption techniques, technology, programs, and products are widely available worldwide; Yep. (9) Americans should be free lawfully to use whatever particular encryption techniques, technologies, programs, or products developed in the marketplace they desire in order to interact electronically worldwide in a secure, private, and confidential manner; The clumsiness of the language worries me. That word ``lawfully'' may just mean that Congress finds that people should be free to do whatever the law allows, but that there are no restrictions on what the law may forbid. More troublesome is the reference to programs ``developed in the market place''. That might be read as suggesting that there is no freedom to use products that were not developed in the market place. (The small number of programs that I have written have all been developed in my head, and in my head's extension, my computer; none of them had anything to do with the market place. Are the programs produced by the Free Software Foundation produced in the market place?) (10) American companies should be free to compete and to sell encryption technology, programs, and products; I have no objection to this finding, but notice that it has nothing to do with the free speech issues that are my concerns. I want to be able to give away the programs that I have written, and to give away encryption technology, programs, and products that are subject to copylefts or are otherwise available. And I want to be able to explain to my law students about how encryption programs work and why they may be ethically required to use them for electronic communications with their clients (and where to get them). (11) there is a need to develop a national encryption policy that advances the development of the national and global information infrastructure, and preserves Americans' right to privacy and the Nation's public safety and national security; I don't really object to this, but I suspect that the best policy would be no policy. There are powers within the government who would use the reference to ``the Nation's public safety and national security'' as a basis for continuing to restrict the export or publication or other disclosure of any secure cryptographic software and algorithms. (12) there is a need to clarify the legal rights and responsibilities of key holders who are voluntarily entrusted with the means to decrypt wire or electronic communications; I am not sure that this would not best be left to private agreements between the owners of the keys and their holders. (But this is not in the area of my concern.) (13) the Congress and the American people have recognized the need to balance the right to privacy and the protection of the public safety and national security; This is most unfortunate. In cases of extreem danger the courts may allow the agents of the state to ignore the constitutional right of privacy, but it is not a matter of ``balancing'' equally protected interests. The agents of the state always claim that they are acting in order to protect public safety and national security, especially when they are trying to destroy the safety of the constitution. (14) the Congress has permitted lawful electronic surveillance by investigative or law enforcement officers only upon compliance with stringent statutory standards and procedures; and I guess I don't object to this, except that I am not sure that it is true. (15) there is a need to clarify the standards and procedures by which investigative or law enforcement officers obtain assistance from key holders who are voluntarily entrusted with the means to decrypt wire or electronic communications, including such communications in electronic storage. This seems confused; what about encrypted data that is not a communication? SEC. 4. FREEDOM TO USE ENCRYPTION. (a) LAWFUL USE OF ENCRYPTION.-It shall be lawful for any person within any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, and any territory or possession of the United States, and by United States persons in a foreign country to use any encryption, regardless of encryption algorithm selected, encryption key length chosen, or implementation technique or medium used except as provided in this Act and the amendments made by this Act or in any other law. This only says it is lawful to use encryption unless there is a law forbidding it. I hardly find that helpful. (b) GENERAL CONSTRUCTION.-Nothing in this Act or the amendments made by this Act shall be construed to- (1) require the use by any person of any form of encryption; OK, but shouldn't it also cover requiring any person _not_ to use any form of encryption? (2) limit or affect the ability of any person to use encryption without a key escrow function; or OK, though the language is rather clumsy. (3) limit or affect the ability of any person who chooses to use encryption with a key escrow function not to use a key holder. SEC. 5. ENCRYPTED WIRE AND ELECTRONIC COMMUNICATIONS. (a) IN GENERAL.-Part I of title 18, United States Code, is amended by inserting after chapter 121 the following new chapter: "CHAPTER 122-ENCRYPTED WIRE AND ELECTRONIC COMMUNICATIONS "2801. Definitions. "2802. Prohibited acts by key holders. "2803. Reporting requirements. "2804. Unlawful use of encryption to obstruct justice. "2805. Freedom to sell encryption products. These provisions are not my major concern at this time, but note that ``encryption'' by definition only applies to wire and electronic communications. It thus seems that these provisions have nothing to do with data that is encrypted but that is not a communication. Do you think that this was what was intended? "\S 2801. Definitions "As used in this chapter- "(1) the terms 'person', 'State', 'wire communication', 'electronic communication', 'investigative or law enforcement officer', 'judge of competent jurisdiction', and 'electronic storage' have the same meanings given such terms in section 2510 of this title; "(2) the term 'encryption' means the scrambling of wire or electronic communications using mathematical formulas or algorithms in order to preserve the confidentiality, integrity or authenticity and prevent unauthorized recipients from accessing or altering such communications; "(3) the term 'key holder' means a person located within the United States (which may, but is not required to, be a Federal agency) who is voluntarily entrusted by another independent person with the means to decrypt that person's wire or electronic communications for the purpose of subsequent decryption of such communications; "(4) the term 'decryption key' means the variable information used in a mathematical formula, code, or algorithm, or any component thereof, used to decrypt wire or electronic communications that have been encrypted; and "(5) the term 'decryption assistance' means providing access, to the extent possible, to the plain text of encrypted wire or electronic communications. "\S 2802. Prohibited acts by key holders "(a) UNAUTHORIZED RELEASE OF KEY.-Except as provided in subsection (b), any key holder who releases a decryption key or provides decryption assistance shall be subject to the criminal penalties provided in subsection (e) and to civil liability as provided in subsection (f). "(b) AUTHORIZED RELEASE OF KEY.-A key holder shall only release a decryption key in its possession or control or provide decryption assistance- "(1) with the lawful consent of the person whose key is being held or managed by the key holder; "(2) as may be necessarily incident to the holding or management of the key by the key holder; or "(3) to investigative or law enforcement officers authorized by law to intercept wire or electronic communications under chapter 119, to obtain access to stored wire and electronic communications and transactional records under chapter 121, or to conduct electronic surveillance, as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801), upon compliance with subsection (c) of this section. Except for subdivision (3) this seems totally unnecessary. Let the parties agree to any arrangement they want. (And anyone who is seriously going to use an outside key holder is going to want to have them bonded, and will look to the bonding company for protection. (Bonding companies are mean.)) "(c) REQUIREMENTS FOR RELEASE OF DECRYPTION KEY TO INVESTIGATIVE; OR LAW ENFORCEMENT OFFICER.- "(1) CONTENTS OF WIRE AND ELECTRONIC COMMUNICATIONS.-A key holder is authorized to release a decryption key or provide decryption assistance to an investigative or law enforcement officer authorized by law to conduct electronic surveillance under chapter 119, only if- "(A) the key holder is given- "(i) a court order signed by a judge of competent jurisdiction directing such release or assistance; or "(ii) a certification in writing by a person specified in section 2518(7) or the Attorney General stating that- "(I) no warrant or court order is required by law; "(II) all requirements under section 2518(7) have been met; and "(III) the specified release or assistance is required; "(B) the order or certification under paragraph (A)- "(i) specifies the decryption key or decryption assistance which is being sought; and "(ii) identifies the termination date of the period for which release or assistance has been authorized; and"(C) in compliance with an order or certification under subparagraph (A), the key holder shall provide only such key release or decryption assistance as is necessary for access to communications covered by subparagraph (B). "(2) STORED WIRE AND ELECTRONIC COMMUNICATIONS.-(A) A key holder is authorized to release a decryption key or provide decryption assistance to an investigative or law enforcement officer authorized by law to obtain access to stored wire and electronic communications and transactional records under chapter 121, only if the key holder is directed to give such assistance pursuant to the same lawful process (court warrant, order, subpoena, or certification) used to obtain access to the stored wire and electronic communications and transactional records. "(B) The notification required under section 2703(b) shall, in the event that encrypted wire or electronic communications were obtained from electronic storage, include notice of the fact that a key to such communications was or was not released or decryption assistance was or was not provided by a key holder. "(C) In compliance with the lawful process under subparagraph (A), the key holder shall provide only such key release or decryption assistance as is necessary for access to the communications covered by such lawful process. Note once again that this applies only to _communications_. "(3) USE OF KEY.-(A) An investigative or law enforcement officer to whom a key has been released under this subsection may use the key only in the manner and for the purpose and duration that is expressly provided for in the court order or other provision of law authorizing such release and use, not to exceed the duration of the electronic surveillance for which the key was released. "(B) On or before completion of the authorized release period, the investigative or law enforcement officer to whom a key has been released shall destroy and not retain the released key. "(C) The inventory required to be served pursuant to section 2518(8)(d) on persons named in the order or the application under section 2518(7)(b), and such other parties to intercepted communications as the judge may determine, in the interest of justice, shall, in the event that encrypted wire or electronic communications were intercepted, include notice of the fact that during the period of the order or extensions thereof a key to, or decryption assistance for, any encrypted wire or electronic communications of the person or party intercepted was or was not provided by a key holder. "(4) NONDISCLOSURE OF RELEASE.-No key holder, officer, employee, or agent thereof shall disclose the key release or provision of decryption assistance pursuant to subsection (b), except as may otherwise be required by legal process and then only after prior notification to the Attorney General or to the principal prosecuting attorney of a State or any political subdivision of a State, as may be appropriate. "(d) RECORDS OR OTHER INFORMATION HELD BY KEY HOLDERS.-A key holder, shall not disclose a record or other information (not including the key) pertaining to any person whose key is being held or managed by the key holder, except- "(1) with the lawful consent of the person whose key is being held or managed by the key holder; or "(2) to an investigative or law enforcement officer pursuant to a subpoena authorized under Federal or State law, court order, or lawful process. An investigative or law enforcement officer receiving a record or information under paragraph (2) is not required to provide notice to the person to whom the record or information pertains. Any disclosure in violation of this subsection shall render the person committing the violation liable for the civil damages provided for in subsection (f). "(e) CRIMINAL PENALTIES.-The punishment for an offense under subsection (a) of this section is- "(1) if the offense is committed for a tortious, malicious, or illegal purpose, or for purposes of direct or indirect commercial advantage or private commercial gain- "(A) a fine under this title or imprisonment for not more than 1 year, or both, in the case of a first offense under this subparagraph; or "(B) a fine under this title or imprisonment for not more than 2 years, or both, for any second or subsequent offense; and"(2) in any other case where the offense is committed recklessly or intentionally, a fine of not more than $5,000 or imprisonment for not more than 6 months, or both. "(f) CIVIL DAMAGES.- "(1) IN GENERAL.-Any person aggrieved by any act of a person in violation of subsections (a) or (d) may in a civil action recover from such person appropriate relief. "(2) RELIEF.-In an action under this subsection, appropriate relief includes- "(A) such preliminary and other equitable or declaratory relief as may be appropriate; "(B) damages under paragraph (3) and punitive damages in appropriate cases; and "(C) a reasonable attorney's fee and other litigation costs reasonably incurred."(3) COMPUTATION OF DAMAGES.-The court may assess as damages whichever is the greater of- "(A) the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation; or "(B) statutory damages in the amount of $5,000."(4) LIMITATION.-A civil action under this subsection shall not be commenced later than 2 years after the date upon which the plaintiff first knew or should have known of the violation. "(g) DEFENSE.-It shall be a complete defense against any civil or criminal action brought under this chapter that the defendant acted in good faith reliance upon a court warrant or order, grand jury or trial subpoena, or statutory authorization. "\S 2803. Reporting requirements "(a) IN GENERAL.-In reporting to the Administrative Office of the United States Courts as required under section 2519(2) of this title, the Attorney General, an Assistant Attorney General specially designated by the Attorney General, the principal prosecuting attorney of a State, or the principal prosecuting attorney of any political sub division of a State, shall report on the number of orders and extensions served on key holders to obtain access to decryption keys or decryption assistance. "(b) REQUIREMENTS.-The Director of the Administrative Office of the United States Courts shall include as part of the report transmitted to the Congress under section 2519(3) of this title, the number of orders and extensions served on key holders to obtain access to decryption keys or decryption assistance and the offenses for which the orders were obtained. "\S 2804. Unlawful use of encryption to obstruct justice "Whoever willfully endeavors by means of encryption to obstruct, impede, or prevent the communication of information in furtherance to a felony which may be prosecuted in a court of the United States, to an investigative or law enforcement officer shall- "(1) in the case of a first conviction, be sentenced to imprisonment for not more than 5 years, fined under this title, or both; or "(2) in the case of a second or subsequent conviction, be sentenced to imprisonment for not more than 10 years, fined under this title, or both. This provision is completely incoherent. There is no telling how the government will interpret it, but at a guess they will use it to make people reveal their keys: ``if you don't tell us your key, we are going to charge you with impeding the communication to me of information about the felony I am investigating.'' "� 2805. Freedom to sell encryption products "(a) IN GENERAL.-It shall be lawful for any person within any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, and any territory or possession of the United States, to sell in interstate commerce any encryption, regardless of encryption algorithm selected, encryption key length chosen, or implementation technique or medium used. This sounds nice, but remember that ``encryption'' is defined as: ``the scrambling of wire or electronic communications using mathematical formulas or algorithms in order to preserve the confidentiality, integrity or authenticity and prevent unauthorized recipients from accessing or altering such communications''. So what does it mean to sell ``any encryption''? "(b) CONTROL OF EXPORTS BY SECRETARY OF COMMERCE.- "(1) GENERAL RULE.-Notwithstanding any other law, subject to paragraphs (2), (3), and (4), the Secretary of Commerce shall have exclusive authority to control exports of all computer hardware, software, and technology for information security (including encryption), except computer hardware, software, and technology that is specifically designed or modified for military use, including command, control, and intelligence applications. OK, here is where the problems that concern me arise. This provision sounds quite nice, but it covers up several big problems. In the first place, the delegation to the Secretary of Commerce sounds like a good idea, because, at the present time the people in the Commerce department who enforce export controls are very nice and helpful, and operate reasonably under reasonable regulations, while the puppets who front for the NSA (or are actually agents of the NSA) in the Office of Defense Trade Controls are not very nice, are exceptionally unhelpful, and specialize in unreasonable---and down right irrational---interpretations of unreasonable regulations. But if the jurisdiction is handed over to Commerce, I predict that the the puppet masters will turn their attention to Commerce, and shortly thereafter---if only because of Presidential pressure---Commerce will have its own incoherent regulations and its own unpleasent people and it won't be as easy to export software as one might hope. Note that the transfer is to Commerce but there is nothing that expressly specifies what law is to be applied by Commerce. Thus in theory at least there is nothing to stop Commerce from enforcing the same old provisions of the ITAR >From the point of view of one who is concerned with first amendment rights rather than selling cryptographic software as a commodity, the really unfortunate part is that this provision authorizes export contols on ``software''. Now the Leahy bill does not define software, but there is a definition of lying around in the International Traffic in Arms Regulations (``ITAR'') that I fear Commerce might adopt---it may even be the language that the draftsmen of the Leahy bill had in mind. And this definition of ``software'' includes a great deal of material that cannot constitutionally be controlled. Here is that definition from the ITAR \S 121,8(f): ``Software includes but is not limited to the system functional design, logic flow, algorithms, application programs, operating systems and support software for design, implementation, test, operation, diagnosis and repair.'' Note that what is covered here is nothing but information, and that that information includes algorithms, _i.e._ recipes. If the government can constitutionally ``control'' the ``export'' of cryptographic algorithms by requiring a license before one can publish them or otherwise disclose them to a foreign person, then they can require a license before one publishes Julia Child's recipe for a _bombe surprise_ or a recipe for winning a Presidential election without actually committing any felonies. Even if that definition is adopted, the fact remains that software is still nothing but information, and that it is the communication of information that is protectected by the first amendment to the United States constitution. (If you aren't convinced that software is protected by the first amendment, notice that software is copyrightable as a ``literary work''.) Note that the paradigmatic violation of the first amendment is a scheme under which the government requires publishers to obtain a license before publishing. Part of what I fear is that, were the Leahy bill to be passed in its present form is that the President, in conformance with that bill, would simply transfer the licensing and rule making powers with respect to cryptographic devices and software to the Department of Commerce, but would still leave them controlled by the ITAR and the Arms Export Control Act just as they are now, including all of the cryptic and unconstitional interpretations of ITAR that up to now have been imposed upon the Office of Defense Trade Controls by the National Security Agency. There is nothing in the Leahy bill that forbids that sort of shell game. The trouble is that there is nothing in the bill that specifies the law under which Commerce is to ``control'' cryptographic devices and software. The real problem, however, is simply that the Leahy bill appears to authorize control (including licensing) of cryptographic software and thus to authorize the imposition of licensing requirements for the constitutionally protected communication of information. At the present time, on the other hand, although the Arms Export Control Act does, quite constitutionally, require licensing of physical devices, the provisions in the ITAR requiring licenses for the communication of information are not authorized by any act of congress. (The point is of practical importance because the courts may be willing to strike down the ITAR's licensing requirements on software on the grounds that they are _ultra vires_ simply to avoid having to decide the constitutional issues.) Thus the major problem with the Leahy bill, from the point of view of those concerned with the freedoms of speech and of the press, is that it conflates hardware, which can be regulated constitutionally, with software, which is text that cannot be constitutionally regulated, and certainly cannot be subjected to a licensing scheme. (The agents of the NSA in the Office of Defense Trade Controls try to confuse this distinction, claiming that cryptographic software is hardware, not information that is in the public domain under the provisions of the ITAR.) The only satisfactory bill, from the point of view of those of us who are concerned with freedom of speech and of the press would be a bill that says that export licensing controls do not apply, and recognizes that export controls cannot be applied constitutionally, to the publication or other disclosure or communication of software. Another problem is that the Leahy bill expressly does not apply to ``computer hardware, software, and technology that is _specifically designed or modified for military use_, including command, control, and intelligence applications''. This may sound harmless, but the emphasized language is almost exactly the language that is used in the ITAR to define what can be included on the United States Munition List in the ITAR. The major prerequisite for the designation of an article or service on the United States Munitions List, according to ITAR \S 120.3, is that it is: ``specifically designed, developed, configured, adapted, or modified for a military application''. This strongly suggests that, if the Leahy bill were adopted, the NSA and the Office of Defense Trade Controls would simply take the position that cryptographic devices and software still are specifically designed for military use and thus remain on the Munitions List and under the control of the Office of Defense Trade Controls in the State Department. This would seem to inconsistent with the intent of the Leah bill, but that is hardly going to bother the rather spooky people in the Office of Defense Trade Controls since the law expressly provides that the courts may not review the designation of an item on the United States Munitions List. (Even before that provision forbidding judicial review was adopted, one federal district court held that the defendant in a criminal case---whose alleged crime was exporting cable or satellite TV descrambler boxes---could not challenge the inclusion of descramblers on the Munitions List, because their inclusion was an unreviewable ``political'' determination.) Thus I predict that the passage of the Leahy amendment would have no affect whatsoever on the licensing requirements that are presently applied by the Office of Defense Trade Controls to cryptographic devices and software. The people who enforce those requirements are not now governed by law or logic; the Leahy bill is not likely to change that, not when it contains such a gaping loophole. But let us look at the particular provisions of the Leahy bill that will supposedly ease the burden on both cryptographic hardware and software: "(2) ITEMS NOT REQUIRING LICENSES.-No validated license may be required, except pursuant to the Trading With The Enemy Act or the International Emergency Economic Powers Act (but only to the extent that the authority of such Act is not exercised to extend controls imposed under this Act), for the export or reexport of- ``Validated license'' is a term that is not used in the Arms Export Control Act and the ITAR, so to the extent that that act and those regulations remain applicable to cryptographic devices and software---and, as has been pointed out, nothing in the Leahy bill purports to change that---, this provision will have no affect whatsoever. On the other hand, the term ``validated license'' is used in the regulations of the Bureau of Export Administration of the Department of Commerce. Thus 15 Code of Federal Regulations \S 770.2 defines ``Validated license'' as: ``A document issued by or under the authority of the Bureau of Export Administration, authorizing export.'' So perhaps this provision of the Leahy bill does give some protection, but only if the powers of the Commerce Department to regulate software are deligated to Commerce's Bureau of Export Administration and even then only if this definition is not amended. It would, moreover, have been preferable if the bill had provided that cryptographic hardware and software are entitled to a ``general license'', which is defined in 15 CFR \S 770.2 as follows: ``A license established by the U.S. Department of Commerce for which no application is required and for which no document is granted or issued. It is available for use by all persons, except those listed in and prohibited by the provisions of Supplement No. 1 to part 788, and permits export within the provisions thereof as prescribed in the Export Administration Regulations. These general licenses are not applicable to exports under the licensing jurisdiction of agencies other than the Department of Commerce.'' (But note the last provision.) "(A) any software, including software with encryption capabilities, that is- "(i) generally available, as is, and designed for installation by the purchaser; or "(ii) in the public domain or publicly available because it is generally accessible to the interested public in any form; or "(B) any computing device solely because it incorporates or employs in any form software (including software with encryption capabilities) exempted from any requirement for a validated license under subparagraph (A). This provision at first glance looks pretty good, but it arguably offers no protection to people like Daniel Bernstein and myself who want to publish new (even if, as is ture in my case, also trivial) software with encryption capabilities. The ITAR also has a public domain exemption, but the censors in the Office of Defense Trade Controls take the position that one would violate the ITAR by the act of putting matter in the public domain or making it generally available. (The Office of Defense Trade Controls also takes the position that cryptographic software is not information that can fall within the public domain exception in the ITAR.) Note that though no validated license can be required for such software and related hardware under the Leahy bill, there is nothing that says that such software and hardware is entitled to a general license. One may thus find oneself in the situation---that happened for example to Daniel Bernstein under the ITAR---that one has written software that cannot be exported without a license, but for which no possible license is available. "(3) SOFTWARE WITH ENCRYPTION CAPABILITIES.-The Secretary of Commerce shall authorize the export or reexport of software with encryption capabilities for nonmilitary end-uses in any country to which exports of software of similar capability are permitted for use by financial institutions not controlled in fact by United States persons, unless there is substantial evidence that such software will be- "(A) diverted to a military end-use or an end-use supporting international terrorism; "(B) modified for military or terrorist end-use; or "(C) reexported without requisite United States authorization. Here we see what appears to be authority for the Secretary of Commerce to regulate the export of software, a provision that probably violates the first amendment of the United States constitution, unless the definition of ``export or rexport of software'' is limited in a manner that would make the regulation quite ineffective. The Leahy bill, however, makes no effort to define what is an ``export'' of software. One thus has reason to fear that the Secretary of Commerce will simply adopt the definitions which have been used to restrain the publication or other disclosure of cryptographic software under the ITAR. "(4) HARDWARE WITH ENCRYPTION CAPABILITIES.-The Secretary shall authorize the export or reexport of computer hardware with encryption capabilities if the Secretary determines that a product offering comparable security is commercially available from a foreign supplier without effective restrictions outside the United States. This applies only to hardware, and so is not subject to attack on first amendment grounds. I am willing to bet, however, that if this provision is passed, the National Security Agency would be delegated the job of determing whether products of comparable security are available outside the United States and that very few products would be found by the NSA to be comparable (and that it would take years to get a determination of any sort). "(5) DEFINITIONS.-As used in this subsection- "(A) the term 'generally available' means, in the case of software (including software with encryption capabilities), software that is widely offered for sale, license, or transfer including, but not limited to, over-the-counter retail sales, mail order transactions, phone order transactions, electronic distribution, or sale on approval; Notice that this gives no protection to those who do not widely offer their software for sale, license, or transfer---persons like Daniel Bernstein and almost all academic cryptographers, for example. Those who are interested in mass marketing cryptographic software may be happy with this provision, but it is no consolation to those of us who are not mass marketers. (Note that mass marketed software may be entitled to less constitutional protection, as commercial speech, than is the software that academics like Dan Bernstein or myself may desire to publish as part of our research or educational activities.) "(B) the term 'as is' means, in the case of software (including software with encryption capabilities), a software program that is not designed, developed, or tailored by the software company for specific purchasers, except that such purchasers may supply certain installation parameters needed by the software program to function properly with the purchaser's system and may customize the software program by choosing among options contained in the software program; "(C) the term 'is designed for installation by the purchaser' means, in the case of software (including software with encryption capabilities)- "(i) the software company intends for the purchaser (including any licensee or transferee), who may not be the actual program user, to install the software program on a computing device and has supplied the necessary instructions to do so, except that the company may also provide telephone help-line services for software installation, electronic transmission, or basic operations; and "(ii) that the software program is designed for installation by the purchaser without further substantial support by the supplier; Note that those of us who are not a ``software company'' that sells software to a ``purchaser'' are apparently excluded from the benefits of this definition. "(D) the term 'computing device' means a device which incorporates one or more microprocessor-based central processing units that can accept, store, process, or provide output of data; and "(E) the term 'computer hardware', when used in conjunction with information security, includes, but is not limited to, computer systems, equipment, application-specific assemblies, modules, and integrated circuits.". I do not have any comments on the remaining portions of the bill, and so I have deleted them from this already too lengthy submission. I look forward to your reactions and corrections. -- Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH Internet: junger at pdj2-ra.f-remote.cwru.edu junger at samsara.law.cwru.edu From tcmay at got.net Mon Mar 11 13:13:18 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 12 Mar 1996 05:13:18 +0800 Subject: Leahy Bill a Move to Slow Crypto Exports as Much as Possible Message-ID: At 11:02 AM 3/11/96, Mutant Rob wrote: >Timothy C. May wrote: >> I think this is showing that one of the intended purposes of the Leahy bill >> is to slow down exports of crypto for as long as possible, and then only to >> grant export licenses when competition from abroad threatens to undo the >> effects of the stalling process anyway. > >Hmmm. > >But what about the case of PGP? It's a relatively strong product, and >an international version exists. I'd guess that PGP 3.0 may implement >other algorithms (PK and symmetric), and likely an international PGP3 >would follow... so how could the Commerce Dept rationalize not giving >an export license to ViaCrypt? > >And would a similar, but non-compatible, utility that used RSA and/or >IDEA, 3DES, etc. also be exportable? ... Oh, I think they probably will (assuming the ViaCrypt and/or PGP products are unencumbered with respect to patent issues). I was more thinking about "novel" applications: things related to digital cash, remailers, information markets, etc. These are things which are at a nascent stage, and nearly any of them can stalled for export by citing the absence of comparable competitors in Europe and Asia. Hence my concern that the clause is effectively an excuse for delaying crypto for as long as is practically possible. Not much of an improvement over what we have now--though established companies will no doubt be happy because they can export their fairly boring apps--and the new criminalization of crypto (when connected with any of the other thousands of felony-class crimes, such as swearing) is a step backward. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Mon Mar 11 13:51:03 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 12 Mar 1996 05:51:03 +0800 Subject: noise levels Message-ID: At 4:55 PM 3/11/96, Perry E. Metzger wrote: >Noise levels have been rising fast again. I encourage people to think >about whether things are on topic before they post. > I again encourage Perry to consider learning how to use filters. While I happen to be uninterested in many of the topics being discussed, I realize that one man's noise is another man's signal. Besides, the C coders and crypto mavens created their own protected list, the Coderpunks list, and this is where Perry and others can presumably find the high S/N discussion of Java, Diffie-Hellman, applets, DES, and memory leaks that he so craves. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From nobody at REPLAY.COM Mon Mar 11 13:56:52 1996 From: nobody at REPLAY.COM (Anonymous) Date: Tue, 12 Mar 1996 05:56:52 +0800 Subject: Cut the mystical artist crap. (No crypto relevance here) Message-ID: <199603110110.CAA05830@utopia.hacktic.nl> Don't mystify what an "artist" is, please! What the compromises have to do with are that one lives in a society with rules, mores, laws. One of those touch-shit facts of life. You can do what you want, but when it involves other people, restrictions come in. You deal with them, whether you are an artist, programmer, politician, goverment wonk, or whatever. It has nothing to do with selling out or losing integrity. If you want food and shelter and you're not living in the woods, then you have to play by everyone else's rules if you don't have the power to make your own rules. Was it Thoreau who said "Consistency is the hobgoblin of simpletons"? From wlkngowl at unix.asb.com Mon Mar 11 14:05:28 1996 From: wlkngowl at unix.asb.com (Deranged Mutant) Date: Tue, 12 Mar 1996 06:05:28 +0800 Subject: Another Motivation for the CDA (Federal Sentencing Guid In-Reply-To: <960310020800_242145444@emout09.mail.aol.com> Message-ID: <31437C99.35BD@unix.asb.com> WARNING: The word "crypto" appears only once in this post. JonWienke at aol.com wrote: > What difference does that make? If you are deranged enough to murder someone > because they are selling crack in your territory, you are deranged enough to > shoot your manager after getting fired from McDonalds, or to do any number of > heinous things that ahve nothing to do with drug laws. Sick people will > still do sick things, even if some of them are legalized. Did someone say "deranged"? ;) If you're involved in the crack trade, chances are low level dealers are supporting your habit. Crack tends to make people deranged, and the pressure of the competition and illegality don't do much for one's paranoia. The character who shoots his boss at Micky D's may well be speeded out or coked up too. The drugs tends to make one muy loco. Then again, people don't see much wrong with executing criminals or going into another country and killing off the civillians because their petty dictator president would suck the cocks of US/European corporations so what do you expect? The derangement is pretty widespread in America. You got Waco wackos hiding from black helicopters enforcing the Zionist conspiracy to make Amerikkka part of the one-world government run by a cabal of Jewish lesbians from the Andromeda galaxy. I think the crackheads shooting each other on street corners are quite down to earth in comparison. ObCrypto: None. --Rob From perry at piermont.com Mon Mar 11 14:49:05 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 12 Mar 1996 06:49:05 +0800 Subject: Cryptographers against cryptography In-Reply-To: <199603111735.JAA17685@jobe.shell.portal.com> Message-ID: <199603111828.NAA00776@jekyll.piermont.com> anonymous-remailer at shell.portal.com writes: > This is the second in a regular series of postings to expose > cryptographers and cypherpunks who are either lying to us or > making a very serious mistake in there judgement. No, this is the umpteenth stupid anonymous denunciation of people who deserve no such stupidity. You aren't fit to eat Bruce Schneier or Matt Blaze's toenail clippings. Perry From mark at unicorn.com Mon Mar 11 15:18:17 1996 From: mark at unicorn.com (Rev. Mark Grant, ULC) Date: Tue, 12 Mar 1996 07:18:17 +0800 Subject: anonymous web pages (Was: SurfWatch) Message-ID: On Sat, 9 Mar 1996, Nelson Minar wrote: > I proposed this a couple of months ago, there should be a bit of > discussion left over in the archives. My idea was to have an account > keyed to a password - if you emailed the server with the right > password, it would take the text of your email and put it in the > specified URL. Then you can use remailers to preserve anonymity with > the server. It's sort of like the alias.c2.org accounts. I have something like that (not yet finished or released). I run a mailbot which accepts mail to a unicorn.com address and allows remote updating of my WWW tree (and a lot of other things, e.g. mailing lists, multiple mailbox support, etc). It just checks the PGP signature matches the www key in my PGP keyring, and performs the update if it does. Most of the interest I've had in the release version was from people who wanted remote updates of their non-anonymous sites by email, but it could easily be used for anonymous accounts. Much more secure than just using a plaintext password (of course neither are secure if someone can log into your account, but if they can do that, they can modify your Web pages directly). Mark From merriman at arn.net Mon Mar 11 15:22:32 1996 From: merriman at arn.net (David K. Merriman) Date: Tue, 12 Mar 1996 07:22:32 +0800 Subject: shellback.com online Message-ID: <2.2.32.19960311064735.00682e48@arn.net> -----BEGIN PGP SIGNED MESSAGE----- Just a short note to let everyone know that shellback.com is, in fact, online: http://www.shellback.com Note that our domain name arrived in time; none of that IP address stuff needed. It ain't much, but it's mine (and my partners). I'd appreciate any feedback folks might have about our links to privacy/crypto sites. Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUOwRMVrTvyYOzAZAQEZrgP/arTmLrZwjHg9u/KLvyie86vwIleiCz6g xTl54ygZBn4DrmqtvvdKZ8K/ysT9jY9iCFymAell5PS/sMnL1UNFtNw4Sl2t4kOo E6us2f1hpThIMCG6w+6zBJhqWEhI7YqQAKLlIXP8+8BUsyM8hEy7NykCMlrZT/+B kvNXHnH8tW0= =cRL7 -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> For privacy tools: http://www.geocities.com/capitolhill/1148 From nobody at c2.org Mon Mar 11 15:45:49 1996 From: nobody at c2.org (Anonymous User) Date: Tue, 12 Mar 1996 07:45:49 +0800 Subject: noise levels Message-ID: <199603111905.LAA08099@infinity.c2.org> "Perry E. Metzger" wrote: > Noise levels have been rising fast again. I encourage people to think > about whether things are on topic before they post. > > Perry > > This message is generated as part of an ongoing effort to keep noise off of the Cypherpunks mailing list (cypherpunks at toad.com) Your message contains no cryptography content. Please do not post messages of this sort to the Cypherpunks mailiing list in the future. Thank you for your cooperation; it will ensure that further action will not be necessary. -- USENET POLICE DEPARTMENT "To serve and obey, and guard men from harm" From jcr at idiom.com Mon Mar 11 15:57:47 1996 From: jcr at idiom.com (John C. Randolph) Date: Tue, 12 Mar 1996 07:57:47 +0800 Subject: rhetorical trickery In-Reply-To: Message-ID: <199603111126.DAA25557@idiom.com> tomservo at access.digex.net (Scott Fabbri) Says: >An entity self-representing as "Vladimir Z. Nuri" writes: >>sure, a government agent could insist, "well, don't be a bonehead. >>it's obviously his diary, and surely contains all his crimes against >>children". >A standard attitude among LEOs is: "if you're not guilty of something, what >are you hiding?" Skilled ones use this lever to get suspects to allow >searches of their property on the flimsiest of pretenses. This is why we need to adopt the standard attitude of "Well, Officer, If you're not a jackbooted thug, why are you asking me to consent to an unreasonable search?" -jcr From alanh at larry.infi.net Mon Mar 11 17:21:44 1996 From: alanh at larry.infi.net (Alan Horowitz) Date: Tue, 12 Mar 1996 09:21:44 +0800 Subject: ADL_mil (militias and the USAF) In-Reply-To: Message-ID: Well, yes. However... The strongman of ADL, Abe Foxman has a salary in six figures. People in the organization are doing good business on the "militia" scare. From bplib at wat.hookup.net Mon Mar 11 17:25:41 1996 From: bplib at wat.hookup.net (Tim Philp) Date: Tue, 12 Mar 1996 09:25:41 +0800 Subject: Cut the mystical artist crap. (No crypto relevance here) In-Reply-To: <199603110110.CAA05830@utopia.hacktic.nl> Message-ID: On Mon, 11 Mar 1996, Anonymous wrote: > Was it Thoreau who said "Consistency is the hobgoblin of > simpletons"? Wasn't it Emmerson who said "A foolish consistancy is the hobgoblin of small minds"? Pedantically yours Tim Philp =================================== For PGP Public Key, Send E-mail to: pgp-public-keys at swissnet.ai.mit.edu In Subject line type: GET PHILP =================================== From EALLENSMITH at ocelot.Rutgers.EDU Mon Mar 11 17:27:17 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Tue, 12 Mar 1996 09:27:17 +0800 Subject: Vexatious Litigants (was: SurfWatch) Message-ID: <01I26T701LU4AKTUL8@mbcl.rutgers.edu> From: IN%"stewarts at ix.netcom.com" "Bill Stewart" 10-MAR-1996 04:29:37.67 >Presumably, almost nobody in Europe is going to add these silly Yankee >rating labels to their web pages, except a few commercial content providers >who want to sell advertising or services into markets that block >un-rated web pages. So schoolkids behind rating-mandatory sites >will have to ask their teachers why the "World-Wide-Web" is just American --- >"It's got All 50 States, Johnny!" ! The WWW consortium is approaching European governments about their rating system - the one found at SafeSurf. -Allen From stewarts at ix.netcom.com Mon Mar 11 17:32:13 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Tue, 12 Mar 1996 09:32:13 +0800 Subject: [NOISE] Re: Do you feel lucky, punk? Message-ID: <199603110505.VAA03975@ix2.ix.netcom.com> >In fact, I would argue that a remailer operator will actually be considered >MORE responsible, legally, than Mrs. Bennis: On the contrary, the government would have far _less_ ability to forfeit the property of a remailer-operator for the activities of a non-owning abuser than they do to seize Mrs. Bennis's car, because the misuser, Mr. Bennis, was also its owner. On the other hand, I'd say that a remailer used for assassination politics is _far_ more likely to be seized, warranted, subpoenaed, and otherwise harassed that one merely used for unencrypted dirty pictures or encrypted dirty money.... #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From jimbell at pacifier.com Mon Mar 11 17:33:29 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 12 Mar 1996 09:33:29 +0800 Subject: Bell, Detweiler, Ravings, and Whatnot Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 03:38 AM 3/10/96 -0800, Timothy C. May wrote: >Not my "trademark," though it was my coinage (in 1987). I'm happy it's >gaining usage, by people as diverse as David Friedman, Dorothy Denning, and >various journalists. Well, it's a very apt invention. >(By the way, I also figured out the anonymous markets for assassinations >bit, too, in 1988, and discussed it in detail then with Eric Drexler, Marc >Stiegler, Mark Miller, Robin Hanson, and others. Several of us on the >Extropians list discussed the implications, countersteps that might be >taken, etc., several years ago. Well, until about 3/4 of a year ago, I spent no time on Internet except through a FIDO gateway on Libernet and Libernet-d, so I missed all that. I'm a bit ashamed to admit that I haven't read the vast majority of Cybernomicon, although somebody was nice enough to email me a section on the subject of anonymous assassination markets. I wondered why you hadn't extended the idea to a more general system, but then again that was a bit early if you talked about it in 1988. Without the invention of digital cash, it's a bit hard to reward the assassin. >I recall incisive comments by Robin Hanson, >David Friedman, Hal Finney, Nick Szabo, and others. And on this list, the >topic was discussed a bit later. The archives may be helpful...though I'm >not sure I want to help Jim Bell figure out the holes in his logic!) You might be surprised: There is far more to this than I've described so far. I go into as much detail as a person asks, but it turns out that there are many more apparent "problems" that I've already solved long ago which have never been anticipated by anyone else, "problems" that I've never publicized because by the time the idea was ready for publicity, they were not "problems" anymore. This disappoints me, a little, because I'd hope that somebody (for example, a critic) would be a more effective discoverer of such problems/holes. >And your insulting comments about people whom you disagree with, or people >whom you think are not taking your ideas seriously enough, are reminiscent >of the ravings of the last victim here of late stage Detweiler's Syndrome. >--Tim May Well, maybe at times I do get a bit testy, but most recently on this Leahy bill I'm disgusted to see organizations that SHOULD be sounding the alarm actually express only mildly guarded support for that bill, "wart and all." I'd love to see _most_ of the bill pass, but the one bad section is a real killer. Jim Bell jimbell at pacifier.com -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUOetPqHVDBboB2dAQEEtwP+L/TjsCr17KwjFMByi+322CCv7E/HJRp/ C0R/LC26rESzHZUawhtZGJzQ5ormn/HpEbNysygYVMs/WbE/1M+gFJK3CJcGwj1F o/d5URKDT1M7IQNF/V5XTsYcZzz1/Cxq0zc3GQ1mtERHyicb/AwhcIXrXVkk9VVt zvvTFMtG/so= =kBX/ -----END PGP SIGNATURE----- From tcmay at got.net Mon Mar 11 17:34:52 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 12 Mar 1996 09:34:52 +0800 Subject: Bell, Detweiler, Ravings, and Whatnot Message-ID: At 3:37 AM 3/11/96, jim bell wrote: >Well, until about 3/4 of a year ago, I spent no time on Internet except >through a FIDO gateway on Libernet and Libernet-d, so I missed all that. >I'm a >bit ashamed to admit that I haven't read the vast majority of Cybernomicon, >although somebody was nice enough to email me a section on the subject of >anonymous assassination markets. I wondered why you hadn't extended the >idea to a more general system, but then again that was a bit early if you >talked about it in 1988. Without the invention of digital cash, it's a bit >hard to reward the assassin. Oh, but you are missing the main point completely. It was reading Chaum's 1985 paper on digital cash that got me thinking about this. By 1988-90, digital cash was essentially in the same state it is in now. Central to my points was an anonymous two-way market, such as the BlackNet market I developed in '93. >>And your insulting comments about people whom you disagree with, or people >>whom you think are not taking your ideas seriously enough, are reminiscent >>of the ravings of the last victim here of late stage Detweiler's Syndrome. >>--Tim May > >Well, maybe at times I do get a bit testy, but most recently on this Leahy >bill I'm disgusted to see organizations that SHOULD be sounding the alarm >actually express only mildly guarded support for that bill, "wart and all." >I'd love to see _most_ of the bill pass, but the one bad section is a real >killer. There are many things I find terrible, disgusting, dangerous, wrong, etc. But I have never been persuaded by people ranting at me and insulting me, so I doubt that rants and insults from me will be effective. (I'm not claiming to always be calm and non-insulting, just claiming that the style of ranting is rarely effective, and I try to avoid it.) Screaming insults at people, resorting to ad hominem attacks on their personality (such as Jim did with Padgett Peterson), ranting about how people are fools and worse, and generally foaming at the mouth...these are behaviors which cause people to be dismissed as jerks, paranoids, and killfile occuppants. Read the archives covering the several months when Detweiler (aka V. Z. Nuri, aka S. Boxx, aka Pablo Escobar, aka about 20 other pseudonyms) was foaming at the mouth about how people were mutating his brain, how the crypto anarchists were ignoring him, how the snakes of Medusa were hiding in his keyboard, and so on. Then note the similarities to Jim Bell. I have nothing against you, Jim Bell, but you are coming across as a loon, as someone who clearly needs some kind of anti-psychotic medication. You rant, you quote excessively, you dissect short comments with pages-long diatribes, you ascribe motivations to your opponents that you cannot possibly be privy to, and you generally act like a fool. I urge you to moderate your debating style before you're just dismissed completely as a detweiling basket case. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From cmca at alpha.c2.org Mon Mar 11 20:02:47 1996 From: cmca at alpha.c2.org (Chris McAuliffe) Date: Tue, 12 Mar 1996 12:02:47 +0800 Subject: PGP : what to do when a user ID has multiple RSA keys In-Reply-To: <199603110740.IAA06248@storm.certix.fr> Message-ID: <199603120045.QAA09097@eternity.c2.org> -----BEGIN PGP SIGNED MESSAGE----- [To: savron at world-net.sct.fr] [cc: cypherpunks at toad.com] [Subject: Re: PGP : what to do when a user ID has multiple RSA keys ] [In-reply-to: Your message of Mon, 11 Mar 96 07:25:59 GMT.] <199603110740.IAA06248 at storm.certix.fr> >My DOS version of PGP 2.6.2 came with a built in PUBRING.PGP >containing two keys ( 1024 and 512 size ) with the same user ID . >For testing purposes I wanted to encrypt a message with the 512 >length key , but only the 1024 size key could be used . >How can I select the right key , apart from making a clone >PUBRING.PGP with only the key I want to use ? You can specify by the keyid. Do a pgp -kvv: $ pgp -kvv cmca at alpha.c2.org Type bits/keyID Date User ID pub 1024/6C87FFA5 1996/02/06 Chris McAuliffe 1 matching key found. Now do the encryption $ pgp -e 0x6C87FFA5 file Note the '0x' prefix on the keyid Chris McAuliffe (No, not that one.) -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMUS+3IHskC9sh/+lAQF8jgP+LdUjgTnfv5k4KsOwEuvPmVsw/V/G3jdD pyNwOQNtytjSDcGBobspmU4rcx1DObToitJqjzr74G1ytGkrr4wHRS4FWIy3Ea3U YgrmEhkviJT7B4Ix/vQcrKZJsn2+ZGML6VyVmWr3ehkEMo20UfjIheeTNUSq2OPL rO9LmZiFyhs= =MSju -----END PGP SIGNATURE----- From frantz at netcom.com Mon Mar 11 20:07:39 1996 From: frantz at netcom.com (Bill Frantz) Date: Tue, 12 Mar 1996 12:07:39 +0800 Subject: Cryptographers against cryptography Message-ID: <199603111915.LAA05627@netcom7.netcom.com> At 9:35 AM 3/11/96 -0800, anonymous-remailer at shell.portal.com wrote: >BOYCOTT APPLIED CRYPTOGRAPHY, AT&T, VTW, and RSA!!!! And become a Know Nothing. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From tcmay at got.net Mon Mar 11 20:17:10 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 12 Mar 1996 12:17:10 +0800 Subject: Leahy bill nightmare scenario? Message-ID: At 11:12 AM 3/11/96, Gary Howland wrote: >Dan Weinstein writes: >> If I rent cars, someone might one day use a car rented from me in a >> robbery. Does that make my an accessary? NO. > >This is an unfair analogy. Now if you had said that you rented cars >without asking for proof of identification, thus making your car hire >centre very useful to robbers, that may more closely resemble the >anon-remailer situation. If a hotel rents a room to someone who commits a crime in that room, e.g., prostitution, drug use, plotting to blow up a building, can the hotel be seized under the asset forfeiture laws? Not that I have heard. Does it matter if the hotel fails to extensively check identification? (Hint: Rarely have I had my ID checked. Sometimes they ask for a driver's license and write down the number...and we all know how easy it is to get fake DLs. Mostly they don't.) If I lend my chain saw to my next-door neighbor without confirming his identity, and he carves up his wife, am I liable? Not in these parts. (If I lend my chain saw to a ranting, foaming maniac, am I liable? Perhaps.) If I let someone use my telephone without confirming his identity, am I liable for crimes committed with this phone? This last example is, I submit, a nearly perfect parallel to anonymous remailers. And not because the telephone system is a "common carrier," but because of scienter: I have no knowledge, and cannot be expected to have knowledge, of crimes committed with my phone. If I have visitors at my house, perhaps at a party, and I let a stranger go ahead and make a call from the phone in a bedroom, for example, and he plans a drug deal, can my house be automatically seized? Not that I have ever heard about. Maybe so, but if this ever happens, expect an outcry against the asset forfeiture laws that will make Linda Thompson's protest seem tame. Now if I operate a pay phone and encourage dealers and pimps to use it, then maybe the public nuisance, RICO, or "crack house" laws can be used to shut it down. (The public nuisance laws are what I would look to to see remailers shut down, which will just move them offshore, of course. Absent laws about sending encrypted packets outside the country, nothing can be done.) And, finally, packages and letters may be mailed anonymously. This is what pre-paid stamps are all about. And I've used non-U.S. Postal Service package delivery sytems without providing identification. Can Federal Express have their assets seized because of "anonymous remailing"? (Quibblers will no doubt cite laws requiring FedEx to "cooperate," demand ID, etc.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From markm at voicenet.com Mon Mar 11 20:24:07 1996 From: markm at voicenet.com (Mark M.) Date: Tue, 12 Mar 1996 12:24:07 +0800 Subject: Remailer passphrases In-Reply-To: <199603111015.LAA10327@kampai.euronet.nl> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Mon, 11 Mar 1996, Gary Howland wrote: > This of course assumes that the remailer runs as a process - if it doesn't > then there is no reason a 'remailer helper' cannot. > > The only disadvantage of this is that the remailer cannot be rebooted > without a passphrase being entered, but then there are ways around this > (entering the passphrase remotely over a secure link etc., or more > sophisticated 'remote authorisation' systems). > > The advantage of this is that the password is never on the disk, > only in memory (which will take serious (read "expensive") to extract). I don't know that it would be that expensive. If someone was able to gain root access to the system, something like "strings /dev/kmem" could narrow the search for the passphrase down significantly. Of course one could obfuscate the passphrase by XOR'ing it with 0x80, but that's only security through obscrurity. - --Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMUTQWrZc+sv5siulAQFH4wP/YOY0gxwW/F4+D/kt8cXw47XhldBfd8bK 9jM50XoZLOv9QHs6udtmIro1+2Dkb8eZz8HBn4gn+CVAIqso10LvevGXe8TpZ96p iO/XRm3LDpkdrt6mHoCC/J679hQ5nJgB0PThsBNl8MpW5mZMF5kZp9RWTosVsY3N FKGVQQSQ0VA= =UiDo -----END PGP SIGNATURE----- From nobody at c2.org Mon Mar 11 20:54:21 1996 From: nobody at c2.org (Anonymous User) Date: Tue, 12 Mar 1996 12:54:21 +0800 Subject: noise levels Message-ID: <199603111905.LAA08069@infinity.c2.org> "Perry E. Metzger" wrote: > Noise levels have been rising fast again. I encourage people to think > about whether things are on topic before they post. > > Perry > > This message is generated as part of an ongoing effort to keep noise off of the Cypherpunks mailing list (cypherpunks at toad.com) Your message contains no cryptography content. Please do not post messages of this sort to the Cypherpunks mailiing list in the future. Thank you for your cooperation; it will ensure that further action will not be necessary. -- USENET POLICE DEPARTMENT "To serve and obey, and guard men from harm" From jolson3 at netcom.com Mon Mar 11 21:16:54 1996 From: jolson3 at netcom.com (Joseph Olson) Date: Tue, 12 Mar 1996 13:16:54 +0800 Subject: Please ignore testing Private Idaho Message-ID: <199603111924.LAA13814@ix2.ix.netcom.com> Did I get through anonymously? From jimbell at pacifier.com Mon Mar 11 21:18:33 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 12 Mar 1996 13:18:33 +0800 Subject: How would Leahy bill affect crypto over HAM radio? Message-ID: At 08:36 PM 3/10/96 +0000, Ed Carp wrote: >On Sun, 10 Mar 1996, David Lesher wrote: > >> > >> > Subject asks it. I'm not a HAM, but still curious. Wonder if anyone >> > has brought this to Leahy's attention... >> > >> > Comments from the packet folx on the list? >> >> Non-cleartext has been forbidden for last 60 years anyhow. > >Not quite. Anything intended to hide the meaning of the message is >banned. Compression isn't banned, because the intention is to make more >efficient use of the frequency, not to hide the meaning. >-- >Ed Carp, N7EKG Even so, it isn't clear that this new law WON'T change the rules under which hams operate. An affirmative statement of the right to use encryption would seem to pre-empt prior bans, except if there was some sort of explicit exception for over-the-air transmissions. After all, the law was written broadly, and presumably is to be interpreted broadly. It if doesn't list or single out any particular medium (text on paper; Internet; modem/telephone; etc) then it may reasonably be assumed to apply to all media. Not that such an interpretation will necessarily be welcomed by some hams: Part of the reason for maintaining the ban on encryption would be the fear by hams that ham bandwidth will be surreptiously used by commercial services masquerading as ham users. Encryption would make such usage difficult to detect. However, I happen to believe that hams should be entitled to use good encryption, for voice and data communication. Jim Bell, N7IJS jimbell at pacifier.com From cmca at alpha.c2.org Mon Mar 11 21:26:54 1996 From: cmca at alpha.c2.org (Chris McAuliffe) Date: Tue, 12 Mar 1996 13:26:54 +0800 Subject: PGP : what to do when a user ID has multiple RSA keys In-Reply-To: <199603110740.IAA06248@storm.certix.fr> Message-ID: <199603120044.QAA09080@eternity.c2.org> -----BEGIN PGP SIGNED MESSAGE----- [To: savron at world-net.sct.fr] [cc: cypherpunks at toad.com] [Subject: Re: PGP : what to do when a user ID has multiple RSA keys ] [In-reply-to: Your message of Mon, 11 Mar 96 07:25:59 GMT.] <199603110740.IAA06248 at storm.certix.fr> >My DOS version of PGP 2.6.2 came with a built in PUBRING.PGP >containing two keys ( 1024 and 512 size ) with the same user ID . >For testing purposes I wanted to encrypt a message with the 512 >length key , but only the 1024 size key could be used . >How can I select the right key , apart from making a clone >PUBRING.PGP with only the key I want to use ? You can specify by the keyid. Do a pgp -kvv: $ pgp -kvv cmca at alpha.c2.org Type bits/keyID Date User ID pub 1024/6C87FFA5 1996/02/06 Chris McAuliffe 1 matching key found. Now do the encryption $ pgp -e 0x6C87FFA5 file Note the '0x' prefix on the keyid Chris McAuliffe (No, not that one.) -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMUS+3IHskC9sh/+lAQF8jgP+LdUjgTnfv5k4KsOwEuvPmVsw/V/G3jdD pyNwOQNtytjSDcGBobspmU4rcx1DObToitJqjzr74G1ytGkrr4wHRS4FWIy3Ea3U YgrmEhkviJT7B4Ix/vQcrKZJsn2+ZGML6VyVmWr3ehkEMo20UfjIheeTNUSq2OPL rO9LmZiFyhs= =MSju -----END PGP SIGNATURE----- From perry at piermont.com Mon Mar 11 21:29:00 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 12 Mar 1996 13:29:00 +0800 Subject: noise levels In-Reply-To: <199603111905.LAA08069@infinity.c2.org> Message-ID: <199603111949.OAA03952@jekyll.piermont.com> Anonymous User writes: > "Perry E. Metzger" wrote: > > > Noise levels have been rising fast again. I encourage people to think > > about whether things are on topic before they post. > > This message is generated as part of an ongoing effort to keep noise off > of the Cypherpunks mailing list (cypherpunks at toad.com) > > Your message contains no cryptography content. Please do not post messages > of this sort to the Cypherpunks mailiing list in the future. God, you are a jerk, aren't you. Perry From hal9001 at panix.com Mon Mar 11 21:31:50 1996 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Tue, 12 Mar 1996 13:31:50 +0800 Subject: PGP reveals the key ID of the recipient of encrypted msg Message-ID: At 2:25 3/11/96, savron at world-net.sct.fr wrote: >I began testing PGP a few days ago ( I'm a PGP newbie ) and I found >that it gives out the key ID of an encrypted message . From this you >can get the identification of the recipient of the message , if it's >someone who has publicaly distributed his key (keyserver , homepage >...) . So even if you are unable to decode the message you can find >who is the recipient of a given message . I think this is a big >privacy problem . There is little that can be done about this. There must be something in the message to identify who it is intended to be read by. As someone else has stated, you can always set up private keys to be used to send to you that are different from your Public KeyID for cases where you want to hide your identity or that of the party you are communicating with. >The problem is carried along when you encrypt a message for multiple >recipients , you get the key IDs of all the recipients and same >problem as above . I think something like 'blind email copy' should >be used , because the recipients don't have to know the identity of >each other . If you want to hide the recipient list, then send separate messages to each recipient - each of which is only encrypted to that one respective recipient. From jimbell at pacifier.com Mon Mar 11 21:44:10 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 12 Mar 1996 13:44:10 +0800 Subject: Leahy bill nightmare scenario? Message-ID: At 12:01 PM 3/11/96 -0800, Timothy C. May wrote: >At 11:12 AM 3/11/96, Gary Howland wrote: > >>Dan Weinstein writes: > >>> If I rent cars, someone might one day use a car rented from me in a >>> robbery. Does that make my an accessary? NO. >> >>This is an unfair analogy. Now if you had said that you rented cars >>without asking for proof of identification, thus making your car hire >>centre very useful to robbers, that may more closely resemble the >>anon-remailer situation. > >If a hotel rents a room to someone who commits a crime in that room, e.g., >prostitution, drug use, plotting to blow up a building, can the hotel be >seized under the asset forfeiture laws? >Not that I have heard. Your example is so misleading that it's wrong. Cities generally attack motels by threatening to pull their licenses, which is usually called an "administrative process" and thus few of the usual protections apply. >Does it matter if the hotel fails to extensively check identification? >(Hint: Rarely have I had my ID checked. Sometimes they ask for a driver's >license and write down the number...and we all know how easy it is to get >fake DLs. Mostly they don't.) They do if they've been harassed by the city, for example Portland Oregon to name the closest example I know. > >If I lend my chain saw to my next-door neighbor without confirming his >identity, and he carves up his wife, am I liable? Not in these parts. "Criminally", probably not. Civilly, probably if the victim's family has a good enough lawyer. >(If I lend my chain saw to a ranting, foaming maniac, am I liable? Perhaps.) Actually, then you're CRIMINALLY liable, as well. >If I let someone use my telephone without confirming his identity, am I >liable for crimes committed with this phone? >This last example is, I submit, a nearly perfect parallel to anonymous >remailers. And not because the telephone system is a "common carrier," but >because of scienter: I have no knowledge, and cannot be expected to have >knowledge, of crimes committed with my phone. Actually, that's wrong. The question will be asked, "Do you regularly lend your phone to strangers who you can't even see, no questions asked, without listening in to see that nothing untoward is being plotted?" _THAT's_ a more apt analogy. >If I have visitors at my house, perhaps at a party, and I let a stranger go >ahead and make a call from the phone in a bedroom, for example, and he >plans a drug deal, can my house be automatically seized? Not that I have >ever heard about. If your phone was already tapped, and the delivery occurred in your house, you'd better look for new accomodations. >Maybe so, but if this ever happens, expect an outcry >against the asset forfeiture laws that will make Linda Thompson's protest >seem tame. I prefer not to wait until the Pollyannas of this world have been proven wrong. >Now if I operate a pay phone and encourage dealers and pimps to use it, >then maybe the public nuisance, RICO, or "crack house" laws can be used to >shut it down. (The public nuisance laws are what I would look to to see >remailers shut down, which will just move them offshore, of course. Absent >laws about sending encrypted packets outside the country, nothing can be >done.) Justa sec: The Leahy bill makes "encryption furtherance of a felony" illegal. Sending encrypted packets out of the country, containing material you don't know (because they're encrypted) sounds like a classic opportunity to declare you in violation of some "conspiracy to violate the law" of some OTHER country, which is probably considered a Federal felony. Welcome to prison, Tim. Your optimism will serve you well, there. BTW, it is clear that you haven't yet read Mr. Junger's analysis of the bill. Nobody except a government stooge could read that and not wonder why anybody would support that bill. A complete re-write is called for. Jim Bell jimbell at pacifier.com From frogfarm at yakko.cs.wmich.edu Mon Mar 11 21:50:07 1996 From: frogfarm at yakko.cs.wmich.edu (Damaged Justice) Date: Tue, 12 Mar 1996 13:50:07 +0800 Subject: Noise levels Message-ID: <199603120033.TAA30130@yakko.cs.wmich.edu> Once again I'd like to remind everyone that I run a customized filtering service that drops off a single message in your inbox every day or two, consisting of what I deem to be the most entertaining and informative posts. I also remove any non-topical rants that don't include useful information. This way, your overworked mail filters will never again have to deal with the Perry and Tim show. To subscribe, send a polite message to the human behind this address. -- http://yakko.cs.wmich.edu/~frogfarm ...for the best in unapproved information Tell your friends 'n neighbors you read this on the evil pornographic Internet "Where one burns books, one will also burn people eventually." -Heinrich Heine People and books aren't for burning. No more Alexandrias, Auschwitzs or Wacos. From andrew_loewenstern at il.us.swissbank.com Mon Mar 11 22:18:38 1996 From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern) Date: Tue, 12 Mar 1996 14:18:38 +0800 Subject: Mile High Snakeoil Message-ID: <9603111947.AA00418@ch1d157nwk> I was flipping through a copy of Spirit, the official magazine of Southwest Airlines, while on a flight to Vegas and found a thoroughly enjoyable advertisement for a crypto product. Underlines and emphasis are theirs. ---- Begin Snake-Oil Advertisement ---- __UNBREAKABLE__ COMPUTER SECURITY AND PRIVACY AT A __BREAKTHROUGH__ LOW PRICE! Stonewall-Drawbridge - Encryption Sytem In the face of the increasingly dangerous invasion of professional, business and personal privacy, unbreakable computer security at an affordable cost is a must. Lawyers, Accountants, Doctors, other professionals whose stock in trade is confidential information are especially vulnerable to malpractice as a result of unprotected information. It is important to deal with this very real potetial problem before it becomes a problem. Every business, every individual must also be concerned about computer security. Encryption can now be used to secure everything from credit card numbers to legal documents. Encryption through totally unbreakable Stonewall-Drawbridge is your ultimate security blanket. *Available Only to United States Citizens* STONEWALL an unbreakable, streaming type algorithm, 100 to 10,000 times faster than other encryptions. Stonewall compresses prior to encryption, eliminating the possible invasion of your computer files. Its key cannot be broken except by random chance, once in a million years. Good for DOS; Windows 3-1; Windows 95 operating systems..... ......$195 DRAWBRIDGE applies mathematical algorithms to encrypt messages and uses a quasi-infinite, one-way transfer to ensure veracity. Drawbridge uses an Infinite Venegere Key (IVK), combined with a one-way private key transfer which is impossible to break, except by chance, once in a million years. It also incorporates a forge-proof digital signature for verification and authentication insuring absolute transmittal protection. STONEWALL-DRAWBRIDGE ENCRYPTION SYSTEM provides unbreakable security protection for your "need to protect" files, archives and computer to computer transmission. The Stonewall-Drawbridge System is the ultimate encryption system, unmatched by anything else available...at a price that is significantly lower than any competitive product. This means it is affordable for every professional, business or individual who needs and seeks total and unfailing computer security....especially on the Internet.......$295 (includes a second system for your choice of contact) (800) 610-0859 Mr. Thomas (30 Day Money Back Guarantee) Make Checks Payable to: HWI 747 E. Green Street, Suite 300, Pasadena , CA 91101-2119 ---- End Snake-Oil Advertisement ---- andrew From gary at kampai.euronet.nl Mon Mar 11 22:21:37 1996 From: gary at kampai.euronet.nl (Gary Howland) Date: Tue, 12 Mar 1996 14:21:37 +0800 Subject: Leahy bill nightmare scenario? Message-ID: <199603112056.VAA12425@kampai.euronet.nl> Timothy C. May writes: >At 11:12 AM 3/11/96, Gary Howland wrote: >>Dan Weinstein writes: > >>> If I rent cars, someone might one day use a car rented from me in a >>> robbery. Does that make my an accessary? NO. >> >>This is an unfair analogy. Now if you had said that you rented cars >>without asking for proof of identification, thus making your car hire >>centre very useful to robbers, that may more closely resemble the >>anon-remailer situation. > >If a hotel rents a room to someone who commits a crime in that room, e.g., >prostitution, drug use, plotting to blow up a building, can the hotel be >seized under the asset forfeiture laws? I didn't initially use the the car-hire analogy, I was just trying to bring it more into line with the anon-remailer situation. Perhaps a better example would be an agency set up for the sole purpose of hiring cars on behalf of anonymous customers - as long as the customers didn't abuse the anonymous facility too much, then I guess they would be allowed to carry on operating, much like the remailers operate at present. However, I guess they're in for trouble when their service starts being abused at the expense of big brother, and I guess their policy of shredding all evidence at weekends won't help matters either. >If I let someone use my telephone without confirming his identity, am I >liable for crimes committed with this phone? > >This last example is, I submit, a nearly perfect parallel to anonymous >remailers. And not because the telephone system is a "common carrier," but >because of scienter: I have no knowledge, and cannot be expected to have >knowledge, of crimes committed with my phone. But this doesn't match the remailer scenario - this example is better likened to me letting you use my email account whilst at my house. >And, finally, packages and letters may be mailed anonymously. This is what >pre-paid stamps are all about. And I've used non-U.S. Postal Service >package delivery sytems without providing identification. Can Federal >Express have their assets seized because of "anonymous remailing"? >(Quibblers will no doubt cite laws requiring FedEx to "cooperate," demand >ID, etc.) Yes, but when was the last time someone physically mailed copyright source code (eg RC2) to half the world? When was the last time a pair of lawyers made worldwide news due to making a phone call? Again, the anon-postal-mail/anon-telephone-call analogy doesn't work. Gary -- pub 1024/C001D00D 1996/01/22 Gary Howland Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06 From declan+ at CMU.EDU Mon Mar 11 22:29:59 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Tue, 12 Mar 1996 14:29:59 +0800 Subject: Cut the mystical artist crap. (No crypto relevance here) In-Reply-To: Message-ID: Excerpts from internet.cypherpunks: 10-Mar-96 Re: Cut the mystical artist.. by Brian Davis at thepoint.net > Thoeau said that "a foolish consistentcy is the hobgoblin of little minds > ..." ^^^^^^^ *sigh* It was neither: Ralph Waldo Emerson: "A foolish consistency is the hobgoblin of little minds, adored by little statesmen and philosophers and divines. With consistency a great soul has simply nothing to do." -Declan From jpp at software.net Mon Mar 11 22:34:22 1996 From: jpp at software.net (John Pettitt) Date: Tue, 12 Mar 1996 14:34:22 +0800 Subject: PGP reveals the key ID of the recipient of encrypted msg Message-ID: <2.2.32.19960312003621.00b780f4@mail.software.net> >At 2:25 3/11/96, savron at world-net.sct.fr wrote: > >>I began testing PGP a few days ago ( I'm a PGP newbie ) and I found >>that it gives out the key ID of an encrypted message . From this you >>can get the identification of the recipient of the message , if it's >>someone who has publicaly distributed his key (keyserver , homepage >>...) . So even if you are unable to decode the message you can find >>who is the recipient of a given message . I think this is a big >>privacy problem . > and "Robert A. Rosenberg" replied: >There is little that can be done about this. There must be something in the >message to identify who it is intended to be read by. As someone else has >stated, you can always set up private keys to be used to send to you that >are different from your Public KeyID for cases where you want to hide your >identity or that of the party you are communicating with. > I can see a case where one would want to broadcast a message (say on usenet) with *no* indication of the intended recipient (not even a non registered key-id). It would seem to be easy enough to hack up something that does not have key-IDs - to know if it's for you try decryption and if it works then it was for you. This does not scale well as the recipient must trial decrypt all messages which could use *a lot* (tm) of CPU time. John John Pettitt, jpp at software.net VP Engineering, CyberSource Corporation, 415 473 3065 "Technology is a way of organizing the universe so that man doesn't have to experience it." - Max Frisch PGP Key available at: http://www-swiss.ai.mit.edu/htbin/pks-extract-key.pl?op=get&search=0xB7AA3705 From jimbell at pacifier.com Mon Mar 11 22:40:42 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 12 Mar 1996 14:40:42 +0800 Subject: A lengthy preliminary analysis of the Leahy bill. Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 12:26 PM 3/11/96 -0500, Peter D. Junger wrote: > >This is a preliminary draft of my preliminary analysis of the Leahy >bill. In it I am primarily concerned with the affect---if any---of >that bill on the constitutionally protected freedoms of speech and of >the press. [much scary but, sadly, probably accurate concerns deleted for space.] > "\S 2804. Unlawful use of encryption to obstruct justice > > "Whoever willfully endeavors by means of encryption to obstruct, > impede, or prevent the communication of information in furtherance to > a felony which may be prosecuted in a court of the United States, to > an investigative or law enforcement officer shall- > > "(1) in the case of a first conviction, be sentenced to imprisonment > for not more than 5 years, fined under this title, or both; or > "(2) in the case of a second or subsequent conviction, be sentenced > to imprisonment for not more than 10 years, fined under this title, > or both. > >This provision is completely incoherent. There is no telling how the >government will interpret it, but at a guess they will use it to make >people reveal their keys: ``if you don't tell us your key, we are >going to charge you with impeding the communication to me of >information about the felony I am investigating.'' Thank you, Mr. Junger, for your entire analysis, but particularly this comment on that atrocious section. I'm repeating it, because I think it bears vast significance to the problems with this bill. The bill needs a complete rewrite. The one thing that makes me hopeful is the fact that the people around here who seem to think that this bill must be accepted as written, with this section included, all claim that there is great opposition to it. If that is true, then all I need to do is to convince people who nominally should be on "our" side that the bill is bad, as written. Mr. Junger's careful, albeit prelimary analysis does that in spades. Jim Bell jimbell at pacifier.com Klaatu Burada Nikto -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUSagPqHVDBboB2dAQEXpwQAiLfZk/xPqhTI0UNbgAY/oQh7wR5ElRYH Cb3QZDHGrPmPBF7MZEFW9bL9U+U/33l0kK/q/20vGvLZMFALImcOPgdFjcidjVRA zqHAHPTnJWsyROJsv1fgO2l6u0QRkONFxT5MF2tyqGp9ArYAOSwZy4NMXgwX4CrM QnqwvuKnZfU= =Qm0E -----END PGP SIGNATURE----- From unicorn at schloss.li Mon Mar 11 22:52:45 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 12 Mar 1996 14:52:45 +0800 Subject: Do you feel lucky, punk? In-Reply-To: Message-ID: [rant including some very dubious abstracts of legal opinions deleted] Not only is your law poor and badly reasoned, your mastery of the jurisprudence of forfeiture law flawed, and your rhetoric twisted, but you don't seem to know the difference between dicta and holdings. --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From perry at piermont.com Mon Mar 11 22:56:39 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 12 Mar 1996 14:56:39 +0800 Subject: noise levels In-Reply-To: Message-ID: <199603112321.SAA29939@jekyll.piermont.com> Timothy C. May writes: > At 4:55 PM 3/11/96, Perry E. Metzger wrote: > >Noise levels have been rising fast again. I encourage people to think > >about whether things are on topic before they post. > > > > I again encourage Perry to consider learning how to use filters. I again point out that without artificial intelligence, filtering is very difficult. I already filter, but at best this eliminates about one third to one half of the noise. The rest would require that the filters actually understand the messages, which they cannot. > While I happen to be uninterested in many of the topics being discussed, I > realize that one man's noise is another man's signal. Why have thousands of mailing lists and newsgroups on the internet if everything belongs everywhere? Why not just have one big one and "filter"? The answer is obvious. It wouldn't work. > Besides, the C coders and crypto mavens created their own protected list, > the Coderpunks list, and this is where Perry and others can presumably find > the high S/N discussion of Java, Diffie-Hellman, applets, DES, and memory > leaks that he so craves. I see we are becoming contemptuous of those who actually write pay attention to the nuts and bolts of cryptography, eh? Tim, why don't you go off with Jim Bell and the rest and start a mailing list devoted to nothing but random chit-chat? Perry From alano at teleport.com Mon Mar 11 23:12:50 1996 From: alano at teleport.com (Alan Olsen) Date: Tue, 12 Mar 1996 15:12:50 +0800 Subject: PGP : what to do when a user ID has multiple RSA keys Message-ID: <2.2.32.19960311235939.008915b4@mail.teleport.com> At 07:25 AM 3/11/96 +0000, you wrote: >My DOS version of PGP 2.6.2 came with a built in PUBRING.PGP >containing two keys ( 1024 and 512 size ) with the same user ID . >For testing purposes I wanted to encrypt a message with the 512 >length key , but only the 1024 size key could be used . > >How can I select the right key , apart from making a clone >PUBRING.PGP with only the key I want to use ? You need to use the hex id of the key. (I have this problem as well.) To get the hex id of the key, try "pgp -kv ". That will give you the hex id (right after the key size). For example, if -kv returned: 2048/F7D02799 you would use "0xF7D02799" instead of your name. (No quotes and case does not matter.) This does have some Cypherpunks relevence... Many of the PGP front-ends I have seen do not use the key ID, and thus, do not pick the correct keys in this curcumstance. (And some use it for some, but not all, operations.) But then, I would like to see key management handled alot differently than it is now. (For example, I would like to see PGP use multiple keyrings with an order of precidence. Search the most used keyring first and then check the mega-keyring if nothing is found in the first one. I expect that kind of feature is a ways off...) --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From drose at AZStarNet.com Mon Mar 11 23:40:23 1996 From: drose at AZStarNet.com (drose at AZStarNet.com) Date: Tue, 12 Mar 1996 15:40:23 +0800 Subject: Cut the mystical artist crap. (No crypto relevance here) Message-ID: <199603110209.TAA08023@web.azstarnet.com> >Was it Thoreau who said "Consistency is the hobgoblin of >simpletons"? Wrong, my somewhat hysterical anonymous young woman. It was Emerson who wrote, "A foolish consistency is the hobgoblin of small minds." Please, try Bartlett's prior to again making an ass of yourself. From savron at world-net.sct.fr Mon Mar 11 23:42:40 1996 From: savron at world-net.sct.fr (savron at world-net.sct.fr) Date: Tue, 12 Mar 1996 15:42:40 +0800 Subject: TCP/IP Stego Message-ID: <199603110740.IAA06251@storm.certix.fr> It seems that bit fiddling involve a direct connection of two partners having each one a TCP/IP Stego adapted kernel to work . This is a direction to study , but we can't forget those who can't directly connect with their 'stego' partner . We can't forget also those who can't hack their kernel . Any comment welcome From savron at world-net.sct.fr Mon Mar 11 23:44:28 1996 From: savron at world-net.sct.fr (savron at world-net.sct.fr) Date: Tue, 12 Mar 1996 15:44:28 +0800 Subject: PGP : what to do when a user ID has multiple RSA keys Message-ID: <199603110740.IAA06248@storm.certix.fr> My DOS version of PGP 2.6.2 came with a built in PUBRING.PGP containing two keys ( 1024 and 512 size ) with the same user ID . For testing purposes I wanted to encrypt a message with the 512 length key , but only the 1024 size key could be used . How can I select the right key , apart from making a clone PUBRING.PGP with only the key I want to use ? Any comment welcome From bdavis at thepoint.net Mon Mar 11 23:45:25 1996 From: bdavis at thepoint.net (Brian Davis) Date: Tue, 12 Mar 1996 15:45:25 +0800 Subject: Cut the mystical artist crap. (No crypto relevance here) In-Reply-To: Message-ID: On Sun, 10 Mar 1996, t byfield wrote: > At 2:10 AM 3/11/96, Anonymous wrote: > > >Was it Thoreau who said "Consistency is the hobgoblin of > >simpletons"? > > No, it was Emerson. And that's not what he said. > > >What the compromises have to do with are that one lives in > >a society with rules, mores, laws. One of those touch-shit > >facts of life. You can do what you want, but when it involves > > You seem to be rather fond of consistency. ;) > > Ted > You are, of course, correct that it was Emerson, my half correct respone to Anonymous. The quotation continues ... "With consistency a great soul has simply nothing to do." EBD From wlkngowl at unix.asb.com Mon Mar 11 23:47:22 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Tue, 12 Mar 1996 15:47:22 +0800 Subject: Petty Civil Disobedience In-Reply-To: <199603101719.JAA02292@dns1.noc.best.net> Message-ID: <31438397.4FFD@unix.asb.com> WARNING: the word "crypto" does not appear in this post (aside from the this warning message). jamesd at echeque.com wrote: > I have added a pornographic image to my web site as an act of > real civil disobedience. I urge others to do the same. Yawn. I'd would not call it pornographic. Indecent (legalise), yeah. Porn? No. Don't make the same erroneous distinctions that the pro-CDA folx make... > In the course of doing this, I discovered that on windows, Netscape > makes jpegs of naked pretty girls look like crap. It would take much longer to process the image without dithering of some sort. Displaying jpegs in high quality is CPU intensive. From WlkngOwl at UNiX.asb.com Mon Mar 11 23:49:22 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Tue, 12 Mar 1996 15:49:22 +0800 Subject: How would Leahy bill affect crypto over HAM radio? Message-ID: <199603110352.WAA24293@UNiX.asb.com> > It is illegal for amateur radio operators to use codes and ciphers per part > 97.117 of the FCC rules. Therefore, the Leahy bill would have no impact on > "ham" radio. But doesn't the bill grant the right to use encryption? That's my point... the Internet and even international phone calls render that rule meaningless, since there are other (easier?) ways to communicate internationally using ciphers. Leahy's bill doesn't restrict what media encryption may be used on. I am aware that (as of now) crypto is banned on HAM, but my question is whether one can consider the Leahy bill to lift that ban. (It might also be useful for HAMs to get an amendment of some sort to the bill...) Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From markm at voicenet.com Mon Mar 11 23:50:08 1996 From: markm at voicenet.com (Mark M.) Date: Tue, 12 Mar 1996 15:50:08 +0800 Subject: PGP reveals the key ID of the recipient of encrypted msg In-Reply-To: <199603110740.IAA06254@storm.certix.fr> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Mon, 11 Mar 1996 savron at world-net.sct.fr wrote: > I began testing PGP a few days ago ( I'm a PGP newbie ) and I found > that it gives out the key ID of an encrypted message . From this you > can get the identification of the recipient of the message , if it's > someone who has publicaly distributed his key (keyserver , homepage > ...) . So even if you are unable to decode the message you can find > who is the recipient of a given message . I think this is a big > privacy problem . The recipient of the message is right in the "To:" header of the message. If you anonymously remail a message, however, only the last remailer in the chain will know to whom the message is encrypted, but the last remailer can also just read the "To:" header. I don't find this to be a problem at all. > > The problem is carried along when you encrypt a message for multiple > recipients , you get the key IDs of all the recipients and same > problem as above . I think something like 'blind email copy' should > be used , because the recipients don't have to know the identity of > each other . You could just encrypt a message to different key ID's seperately, rather than in one pass of PGP. The would have the effect of Bcc. - --Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMUSTJrZc+sv5siulAQHN/QP/ck5/e0+o6HFte49ht2ivN4R/xdL0r5WS aqWSHq2CO3zxnY1ko76TQ34mA+v6oPGJ8TsfgACsRWzEOOs/8lSwZM93YOIsmrLU obLgqu9Vgt0jS8l5AEgr82ma7yHzu03LV77jXIuOn+1Amh2uXJtVs66AO5LHbJxn aBtSPgfCCDY= =vp/g -----END PGP SIGNATURE----- From cp at proust.suba.com Mon Mar 11 23:50:36 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Tue, 12 Mar 1996 15:50:36 +0800 Subject: Cut the mystical artist crap. (No crypto relevance here) In-Reply-To: <199603110110.CAA05830@utopia.hacktic.nl> Message-ID: <199603110159.TAA05952@proust.suba.com> [...] > What the compromises have to do with are that one lives in > a society with rules, mores, laws. One of those touch-shit ~~~~~ Interesting parapraxis. > facts of life. You can do what you want, but when it involves > other people, restrictions come in. You deal with them, > whether you are an artist, programmer, politician, goverment > wonk, or whatever. > > It has nothing to do with selling out or losing integrity. > If you want food and shelter and you're not living in the > woods, then you have to play by everyone else's rules if you > don't have the power to make your own rules. > > Was it Thoreau who said "Consistency is the hobgoblin of > simpletons"? Thoreau was the guy who went to jail rather than pay his taxes when he felt the government was using the money for immoral purposes. From EALLENSMITH at mbcl.rutgers.edu Mon Mar 11 23:51:47 1996 From: EALLENSMITH at mbcl.rutgers.edu (E. ALLEN SMITH) Date: Tue, 12 Mar 1996 15:51:47 +0800 Subject: Stego - images and sounds Message-ID: <01I26QS0WD1KAKTUBC@mbcl.rutgers.edu> From: IN%"sasha1 at netcom.com" "Alexander 'Sasha' Chislenko" 9-MAR-1996 22:59:54.01 >At 12:19 PM 3/8/96 -0800, Jim McCoy wrote: >> >>Provided the bits are random in the way that they should be... The low-order >>bits in such files were chosen by implementors of stego programs because >>modification would not be noticed by the person viewing or listening to >>the file, not necessarily because there was actually randomness at this >>level which could be replaced. Does anyone know of a survey of images or >>sound files which tested the statistical randomness of these bits? They >>may not be as random as people think they are. >> > This should depend on how the image/sound was obtained, though I am pretty >sure in most cases there would be easily detectable patterns. They would >be the strongest in software-generated files, smaller in good reproductions >of precise recordings, and very small in noisy recordings. In all cases, >the number of lower bits used for stego-messages may be chosen lower than >the existing noise of the signal. Changing all lower bits in a good >rendered image may still be unnoticeable for the human viewer, but really >easy to detect to a program. Unless the picture, sound, whatever has a periodic function, the LSB ought to have an approximately random distribution (barring all 0's and all 1's, for full color saturation). The periodic function part could be a problem. -Allen From alanh at larry.infi.net Mon Mar 11 23:56:06 1996 From: alanh at larry.infi.net (Alan Horowitz) Date: Tue, 12 Mar 1996 15:56:06 +0800 Subject: Cryptanalysis In-Reply-To: Message-ID: IS there anyone outside of governments, doing code-breaking _for a living_? From jya at pipeline.com Tue Mar 12 00:48:39 1996 From: jya at pipeline.com (John Young) Date: Tue, 12 Mar 1996 16:48:39 +0800 Subject: The Future of Electronic Commerce Message-ID: <199603120357.WAA25093@pipe2.nyc.pipeline.com> "The Future of Electronic Commerce," released March 11 by The Aspen Institute's Communications and Society Program, describes the new economics of transacting business in cyberspace, from consumer privacy to potential advantages for entrepreneurs. The 270 kb report in .PDF format is available at: http://www.aspeninst.org. From jamesd at echeque.com Tue Mar 12 01:37:08 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Tue, 12 Mar 1996 17:37:08 +0800 Subject: Video resolution Message-ID: <199603120520.VAA08288@dns2.noc.best.net> At 10:14 AM 3/11/96 -0500, A. Padgett Peterson P.E. Information Security wrote: >Note: this refers to the IBM PC & clones only > >> The point is that they do a lousy job on dithering. So does Microsoft >> explorer. They probably purchased the identical code from some clot. >Have been watching this go back and forth & get further from the original >question as usual. I suspect that if the original poster looks in her/his/ >its/other SYSTEM.INI file, the line "display.drv=vga.drv" will be found in >the [boot] section. This is the default 16 color driver installed by >Windows to be compatible with every 256k 640x480 VGA card. And I also remembered to turn the computer on. I can assure you that I know how many colors my screen supports, and I have numerous dithering programs on my computer, two of them written by me. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From unicorn at schloss.li Tue Mar 12 01:47:02 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 12 Mar 1996 17:47:02 +0800 Subject: Leahy and Mrs. Bemmis (now that's a subject line) In-Reply-To: Message-ID: On Mon, 11 Mar 1996, jim bell wrote: > At 11:24 AM 3/11/96 -0500, A. Padgett Peterson P.E. Information Security wrote: > > >The Leahy bill is flawed in two areas. Sent a message with proposed wording > >to Sen. Leahy via his web page but have not gotten a response. Have a bad > >habit of reading laws without thought since this is how LEA and prosecutors > >are told to enforce them - as written, not as believed. If an area is > >vague, a court is required to decide how to interpret it, not LEA. If badly > >written *everyone* loses. > > Unfortunately, this is not the way CREATIVE prosecutors enforce laws. > _THEY_ try to be imaginative, "pushing the envelope" as it were, and expect > the courts to stop them. Sadly, those same courts often have ex-prosecutors > as judges, people who aren't particularly inclined to dissuade the abuse of > laws. (exceptions exist, obviously.) Mr. Bell seems to me, based on what I have observed of his legal "analysis" in past, entirely unqualified to be speaking to these issues. I hope readers will take his comments with a grain of salt, and keep this in mind. > Jim Bell > jimbell at pacifier.com --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From thad at hammerhead.com Tue Mar 12 01:54:34 1996 From: thad at hammerhead.com (Thaddeus J. Beier) Date: Tue, 12 Mar 1996 17:54:34 +0800 Subject: TWP on Crypto Keys Message-ID: <199603120544.VAA02212@hammerhead.com> Somebody posted this editorial this morning, that includes the following passage: > The Washington Post, March 11, 1996, p. A18. > > Security and Software [Editorial] ... > > Legislation introduced this month in both the House and the > Senate would ease the export restrictions while attempting > to meet some of the government's security concerns. Code > makers would deposit a "spare key" to any exported > encryption software with a trusted third-party agency... Now, I thought that the bills did no such thing. How could The Washington Post get this so wrong? As I understand it, the bills do not in any way tie export to key escrow. They mention key escrow only to the extent that they specify that it is illegal to disclose the keys. Why would the paper get this cockeyed? Is it just a screwup, or are they pushing for a change? thad -- Thaddeus Beier thad at hammerhead.com Technology Development 408) 286-3376 Hammerhead Productions http://www.got.net/~thad From jamesd at echeque.com Tue Mar 12 02:05:36 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Tue, 12 Mar 1996 18:05:36 +0800 Subject: Leahy and Mrs. Bemmis (now that's a subject line) Message-ID: <199603120603.WAA12207@dns2.noc.best.net> At 11:24 AM 3/11/96 -0500, A. Padgett Peterson P.E. Information Security wrote: > At the same time am pragmatic enough to accept the idea that it will have > no effect unless it passes and to be passed today it must have something > like the criminalization statement. I am glad to hear that the bill can be easily stopped. I think we should do something to kill it right away. The only good thing the bill does is give big companies the same power that most of us now possess -- the power to export crypto and get away with it. A good thing, a very good thing, but small change compared to the important individual liberties that the bill lightly discards. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From rittle at comm.mot.com Tue Mar 12 02:59:58 1996 From: rittle at comm.mot.com (Loren James Rittle) Date: Tue, 12 Mar 1996 18:59:58 +0800 Subject: FCC & Internet phones In-Reply-To: <199603100507.AAA02942@homeport.org> Message-ID: <9603120137.AA17060@supra.comm.mot.com> -----BEGIN PGP SIGNED MESSAGE----- >From: Adam Shostack >Date: Sun, 10 Mar 1996 00:07:20 -0500 (EST) >Presumably, the signal has a number of charictaristics. Some of them >have a central switchboard, where preople go to set up calls. Hum, I would set-up the system to `dial direct'. Maybe I could give you this one, for systems that allow random-chat modes. >Most >presumably use a mix of a UDP data connection and tcp for control >functions. OK, everything after the IP header is encrypted. I don't even know which protocol is in use. >They all consist of high volume, long duration connections >(or data flows in the case of UDP.) Many probably use a standardized >destination port. OK, everything after the IP header is encrypted. I don't know which port is in use. >They might use the urgent pointer to force data up >the stack quickly. OK, everything after the IP header is encrypted. I don't know which protocol options are in use. > In short, yes the data streams can be easily found, if one can >tap and grep a T3 in real time. In short, assuming IPSEC, the data stream cannot be easily found. Slightly different assumptions led to a radically different outcome. Regards, Loren - -- Loren J. Rittle (rittle at comm.mot.com) PGP KeyIDs: 1024/B98B3249 2048/ADCE34A5 Systems Technology Research (IL02/2240) FP1024:6810D8AB3029874DD7065BC52067EAFD Motorola, Inc. FP2048:FDC0292446937F2A240BC07D42763672 (708) 576-7794 Call for verification of fingerprints. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUTVK/8de8m5izJJAQGOQQP/R0iXXj4hSytLhifxkxWjkCHItIpQAZvZ J73NdpVIK3EOO8dEXl4jWimh//mTmW5Zt0kIyZtRW4Sn5UlE6FHkG7fnNfgSZbzR 8fu0XOM3ScRKioNhdp0e5ECnB6WrqaSRgTH0K9e+oheAN2zVob/bTb0Gh+gSe930 Znf9388LkZ4= =JMrb -----END PGP SIGNATURE----- From stewarts at ix.netcom.com Tue Mar 12 03:02:09 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Tue, 12 Mar 1996 19:02:09 +0800 Subject: Remailer passphrases Message-ID: <199603120748.XAA09989@ix14.ix.netcom.com> At 08:16 PM 3/11/96 -0500, "Mark M." wrote: >On Mon, 11 Mar 1996, Gary Howland wrote: >> The only disadvantage of this is that the remailer cannot be rebooted >> without a passphrase being entered, but then there are ways around this >> (entering the passphrase remotely over a secure link etc., or more >> sophisticated 'remote authorisation' systems). >> >> The advantage of this is that the password is never on the disk, >> only in memory (which will take serious (read "expensive") to extract). > >I don't know that it would be that expensive. If someone was able to gain >root access to the system, something like "strings /dev/kmem" could narrow >the search for the passphrase down significantly. Except for special multi-level secure operating systems, and maybe some fancy capability-based systems, any operating system is going to let some administrator poke around in memory and on the disk, and if there's information anywhere on the machine, it can be gotten by the presevering privileged person. However, keeping the data off the disk is a very good start, and RAM-grubbers are far tougher to run on good OSs than disk-grubbers. Since the remailer has to decrypt data sent to it, it needs the password. The alternative to keeping the data in RAM or on disk is to keep it on some board or box hanging of a comm port or bus, such as a spare PC on RS232 running just a remailer application, or a decently self-protecting smart card in a PCM-CIA slot. To be really effective, it needs to be running the remailer application as well as just crypto; otherwise it might be possible to trick the card into decrypting arbitrary data for you or letting you snoop the remailer. On the other hand, if you're not that paranoid, and just want to do crypto on a card anyway, Matt Blaze did some interesting protocols for fast decryption with a CPU assisting a slow smartcard; they're on ftp://research.att.com/dist/mab/card_cipher.ps M. Blaze, "High-Bandwidth Encryption with Low-Bandwidth Smartcards." January 18, 1995. PostScript pre-print, to appear. >Of course one could obfuscate the passphrase by XOR'ing it with 0x80, > but that's only security through obscurity. You could be a bit more obscure than that if you wanted :-) #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From medea at alpha.c2.org Tue Mar 12 04:06:52 1996 From: medea at alpha.c2.org (Medea) Date: Tue, 12 Mar 1996 20:06:52 +0800 Subject: Do you feel lucky, punk? Message-ID: <199603120446.UAA13698@eternity.c2.org> At 04:02 PM 3/11/96 jim bell scribbled: > >Again, you give no specific examples. And what is "twisted >rhetoric", at least as you've used it here? > >>but you don't seem to know the difference between dicta and holdings. > >I didn't use either term. Neither did George Will. You don't know what you're talking about - it's as simple as that. When someone points out to you the error of your ways using terms you're not familiar with, then display that at least one brain cell is working and look up the terms. Your response that you don't use them is childish. Was it meant to imply that you and George Will have formed a *Proud to be Stupid* club? Medea ============================================================ +++++++++++++++++++++++++++++++++++++++++++++++++++ + |---------------------------------------------| + + | The mind is its own place, and of itself | + + | Can make a heaven of hell, a hell of heaven | + + |---------------------------------------------| + +++++++++++++++++++++++++++++++++++++++++++++++++++ From stewarts at ix.netcom.com Tue Mar 12 04:08:08 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Tue, 12 Mar 1996 20:08:08 +0800 Subject: Cryptographers against cryptography Message-ID: <199603120523.VAA00317@ix14.ix.netcom.com> At 09:35 AM 3/11/96 -0800, you wrote: >This is the second in a regular series of postings to expose >cryptographers and cypherpunks who are either lying to us or >making a very serious mistake in there judgement. ..... >B. Schneier: bs208 at newton.cam.ac.uk, schneier at counterpane.com >M. Blaze: mab at crypto.com, mab at research.att.com >J. Bizdos: jim at rsa.com >S. Safaddar: shabbir at vtw.org >D. Weinstein: djw at vplus.com >P.. Peterson: padgett at hobbes.orl.mmc.com >B. Stewart: stewarts at ix.netcom.com Oh, boy, now I'm a Tentacle Again! But at least I can spell.... #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From jamesd at echeque.com Tue Mar 12 04:15:00 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Tue, 12 Mar 1996 20:15:00 +0800 Subject: A lengthy preliminary analysis of the Leahy bill. Message-ID: <199603120546.VAA10498@dns2.noc.best.net> At 12:26 PM 3/11/96 -0500, Peter D. Junger wrote: > (4) the authority and ability of investigative and law enforcement > officers to access and decipher, in a timely manner and as provided > by law, wire and electronic communications necessary to provide for > public safety and national security should also be preserved; This provision of the bill makes the entire bill a worthless pile of repressive shit, despite all the pious good intentions in the rest of the bill. A little constitutional history: The supreme court used to rule that congress could not delegate its own power to bureaucrats, as this violated the principle of rule of law. Thus congress could pass a law than in a certain situation you had to do such and such, or refrain from doing so and so, but it could not pass a law that in a certain situation you had to do whatever some bureaucrat told you to do, because that would violate separation of powers and the principle of the rule of law, not men. Roosevelt threatened to stack the court, the court submitted, and the rule of law in the US was radically diminished. The proposed bill would seem to give bureaucrats the power to set aside the first, fourth, and fifth amendments, at whim. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jlasser at rwd.goucher.edu Tue Mar 12 04:15:45 1996 From: jlasser at rwd.goucher.edu (Bruce Zambini) Date: Tue, 12 Mar 1996 20:15:45 +0800 Subject: anonymous web pages (Was: SurfWatch) In-Reply-To: Message-ID: On Sun, 10 Mar 1996, Mark M. wrote: > On Sat, 9 Mar 1996, Dan Cross wrote: > > > This is an interesting idea, though I think a really really insecure one. > > What's keeping someone from posting ``trojan web pages'' and then waiting > > for the pages to be soaked up by servers? Something that says ``click > > to see the /etc/passwd file for this site!'' which runs some funky > > CGI thing to cat /etc/passwd or, ``Enter your credit card number to buy > > super wiz-bang gadget!'' or the like is a really scary, but very real, > > possibility if great care is not taken in setting this kind of thing up. > > News servers, on the other hand, don't suffer from this problem because > > the data which they contain is much more passive in nature (at least, while > > in the spool..) than HTML. > > The obvious fix would just be to disallow the use of CGI scripts in anonymous > web pages. In order for a file to be designated a CGI script, the must > be explicitly specified as such in the httpd configuration. The web is > every bit as passive as Usenet. The only difference is you can't make a > program that will execute on the NNTP server everytime it is retrieved (which > would be the Usenet equivalent of CGI). Doesn't solve the problem completely, or even the individual example given above. >From your public html directory, try 'ln -s /etc/passwd passwords.txt'. Then add a link to your homepage.... Jon ---------- Jon Lasser (410)494-3072 - Obscenity is a crutch for jlasser at rwd.goucher.edu inarticulate motherfuckers. http://www.goucher.edu/~jlasser/ Finger for PGP key (1024/EC001E4D) - Fuck the CDA. From merriman at arn.net Tue Mar 12 04:15:48 1996 From: merriman at arn.net (David K. Merriman) Date: Tue, 12 Mar 1996 20:15:48 +0800 Subject: Cryptographers against cryptography Message-ID: <2.2.32.19960311190440.00695bfc@arn.net> -----BEGIN PGP SIGNED MESSAGE----- At 09:23 PM 03/11/96 -0800, Bill Stewart wrote: >At 09:35 AM 3/11/96 -0800, you wrote: >>This is the second in a regular series of postings to expose >>cryptographers and cypherpunks who are either lying to us or >>making a very serious mistake in there judgement. >..... >>B. Schneier: bs208 at newton.cam.ac.uk, schneier at counterpane.com >>M. Blaze: mab at crypto.com, mab at research.att.com >>J. Bizdos: jim at rsa.com >>S. Safaddar: shabbir at vtw.org >>D. Weinstein: djw at vplus.com >>P.. Peterson: padgett at hobbes.orl.mmc.com >>B. Stewart: stewarts at ix.netcom.com > >Oh, boy, now I'm a Tentacle Again! >But at least I can spell.... Gee, lucky you (not to be confused with Lucky Green :-). Maybe if I study real hard, and practise, and pay attention in school, *I* can make the 7 Worst Enemies List, too! Oh, BOY! As for spelling, I have it on good Authority that your secret is knowing how to operate your spell-checker. Dave "Not even a flagellum, nevermind a tentacle" Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMURc1MVrTvyYOzAZAQEm9AP/XHB/pc3wfkkd9ZoGxduVxxzB4WliFubU PoDWkF0Gt+O1BSFGvqSJWKGaxYeYqvtBHzRLBE0BYh7ot7curdHWL8/7mrnaNCJV /QsHIsYl3JvAp/nZckucWUEzSf1BDnzokeH9v2xpwaxT5cWYvCRQLu0Q25EjfZl3 4PyMemghhbA= =+yQN -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> For privacy tools: http://www.geocities.com/capitolhill/1148 From merriman at arn.net Tue Mar 12 04:18:37 1996 From: merriman at arn.net (David K. Merriman) Date: Tue, 12 Mar 1996 20:18:37 +0800 Subject: bell ringing Message-ID: <2.2.32.19960311185557.00689588@arn.net> -----BEGIN PGP SIGNED MESSAGE----- I've *finally* had a chance to try and catch up on my CyP (vice CoP) reading, including the running tit-for-tat between Jim Bell and (most of) the rest of the list. While Mr. Bell's Assassination Politics idea has a lot of interesting ramifications, I've found that his apparent in-your-face-and-wha'cha-gonna-do-about-it-PUNK attitude makes reading his postings very tedious. Perhaps if 'we' were to simply read his postings, and respond *only* to those that maintain a civil tone, it would finally sink in with him that his Terrible Two's antics aren't appreciated. The only other options I see are: Someone gets his snailmail address and sends him a Dale Carnegie book, or there's a mass kill-filing, with him as the guest of (dis)honor. As noted, his AP idea seems worth discussing, I'd be reluctant to lose it. I'd hate to see him turned into LD-2 (Son of LD? :-) because he doesn't seem to have learned Tact and Manners yet. Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMURa6sVrTvyYOzAZAQFdyAQAosYKaeQBAUFL/uz1dv+NTCEULmlyRc97 H1Q7jBzJK4mqpEvaYzRBTYl8XMAKkhxl2HaCsVLx6z4zJKnMAteRF7iEN/LO68bs ncAUBoi1TfhRSkSHL9NgBSIaDBtZ5ZT+HWf3dryBYSBkLmfGnDi6o4DMSDis7hC1 pmsSbPDfjk8= =lP2I -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> For privacy tools: http://www.geocities.com/capitolhill/1148 From jimbell at pacifier.com Tue Mar 12 04:18:52 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 12 Mar 1996 20:18:52 +0800 Subject: Do you feel lucky, punk? Message-ID: At 09:59 PM 3/11/96 -0500, Black Unicorn wrote: >On Mon, 11 Mar 1996, jim bell wrote: > >> At 05:54 PM 3/11/96 -0500, Black Unicorn wrote: >> >Not only is your law poor and badly reasoned, >> >> Just what George Will said about this recent Bennis SC decision. > >My issue was with your application of the cite and decisions to the >pending bill. You keep saying this kind of thing, repeatedly, but you don't back it up with a contrary argument. >> > your mastery of the jurisprudence of forfeiture law flawed, >> >> Ditto, and I notice you give no specific examples. Why is that? > >My issue was, again, with regard to your choice of cites, Ah! You simply didn't like me using that particular atrocious SC decision to suggest that we can't trust judges and courts in general! >the way you >chose to apply them to represent a general (and flawed) attitude toward >statuatory construction, "Flawed"? In what way? You keep making claims that you don't back up with facts. > and the manner in which you try to mold all of >the above in a way suggesting it has the least bit to do with the bill in >question. You keep making assertions that I'm wrong, but you don't demonstrate the "correct" interpretation according to your opinion. Why is this? >But, for the sake of equality, let's examine some of your legal assertions. >Or, more accurately, legal conclusions. (BTW, where is your J.D. from?) > >1> In fact, I would argue that a remailer operator will actually be >considered MORE responsible, legally, than Mrs. Bennis: > >2> I argue that a person who runs an anonymous encrypted remailer could be >clearly claimed to be "entrusting" that "property" to someone else, under >the meaning of the above paragraph. > >The "above paragaph," incidently, doesn't even rise to the level of court >dicta, but is a abstract of dicta by a court commentator. Using such >authority to back a legal conclusion (especially when applied to an >entirely seperate legal area) is twisted at best, and dangerous at worst. Let's suppose we agree that "George Will" is a "court commentator." Suppose further that he, more or less, says "this decision sucks." Because it DOES suck. To any normal person, the knowledge that a educated, erudite, intelligent person who has published a newspaper and magazine column for years says "this decision sucks" (although he did it a lot less coarsely than I relate) should be of interest. And most people of ordinary levels of intelligence can recognize that yes, the decision DOES suck. And George Will, who has certainly NOT become successful as a commentator by boring the reader, understands that this decision is of interest to enough people to have it occupy one of his columns for a day. Remember, one of the basic assumptions that any supporter of the Leahy bill could be making is that it will be interpreted INTELLIGENTLY by courts. If it is obvious to most of the rest of us that those lunatics can't even make the correct decision about a woman's half-interest in a common automobile, then their ability to decide whether an anonymous encrypted remailer is somehow breaking the law merely by forwarding unidentified traffic is certainly in question. The fact that you may not _like_ me bringing up a contemporaneous example where the SC stuck their collective heads firmly and completely up their respective asses is irrelevant. If anything, it shows that you feel the law is and should be above the heads of the average individual, or even the UN-average, intelligent individual who regularly reads editorials in their local newspaper. Such elitism is disgusting. >3> At least, that is the position the prosecutors could surely take, >especially given this Supreme Court decision. > >Uh huh. They might also take the position that the defendent is ugly, >and should be convicted. That doesn't make it a legally viable argument. Unfortunately, the only thing that determines whether, in fact, something is a "legally viable argument" is the dishonesty and stupidity and connivance of the person or people making the resulting decision, in this case the Supreme Court. (Or didn't you know that?) It is, given the current make-up on the Supreme Court today. Sad but true. Naturally, this reality embarrasses you. Your Emperor isn't wearing any clothes. >> > and your rhetoric twisted, >> >> Again, you give no specific examples. And what is "twisted rhetoric", at >> least as you've used it here? > >I'm not going to delve into semantics or be distracted by a war of the >dictionaries. But you already did. You called my rhetoric "twisted." "Twisted" implies that there is an "untwisted" version. I await hearing it. I'll probably be waiting a long time at the current rate you're getting to the point. > You proport to be knowledgeable in these areas, and yet >say nothing of value. I say nothing you want to hear. That's precisely why you consider it of no value. > Your appeal (what of it there is) is based >entirely on skewing meanings, using critiques of dicta, and generally >applying inflamatory language taken out of context in a manner which suits >you. I don't think I'm off base calling it "twisted." "Inflammatory language"? The real "inflammatory language" occurs every time a court makes yet another outrageous decision such as the ones you are weakly attempting (and miserably failing) to defend. I notice you don't provide an alternative competing interpretation, either of my conclusions or those of George Will. So how are we to know what "twisted" is if you can't clearly show something which is "untwisted"? >> Maybe you read that item too rapidly to notice that most of it was George >> Will's column, not my wording. > >Again, its application to the bill is what I question. All of which >throws your understanding of law, dicta, holdings, jurisprudence, and >rhetoric into question. What you should have cited was some statuatory >construction and legislative history cases, not forfeiture law. But how >could you be expected to know this? I chose my example to display the foolishness of the Supreme Court, as well as each and every one of the courts below it that did not properly dispose of that Bennis case. You find this disturbing. But it's applicable to ANY law that may someday rely upon a SC decision to overturn or uphold. Anyone considering supporting the Leahy bill had better understand this. Naturally, you want to cover it up. >> What, then, was the point of sending me the note, as well as wasting >> bandwidth on CP to share your unhappiness? > >Distribution of reputation capital (or in this case, negative reputation >capital). I believe I also wanted to make a point (in 1,200 bytes) about >the utility (or lack thereof) of your article (10,500 bytes) on this list. I'd glad to see you distributing YOUR "negative reputation capital." Why not do a better job for yourself and make it look like you are actually more familiar with the legal system than the rest of us are (which shouldn't be hard, if you have the credentials), and challenge us with an alternative explanation of the facts I (and George Will) describe? In other words, stop just saying I'm wrong and start DEMONSTRATING it, if you can. Convince us that you're not just an elitist snob and that we should actually have confidence that the scum on the Supreme Court will be gone soon and replaced with people who know how to make a correct decision reliably. At that point, the Leahy bill (with substantial modifications) will start looking a lot better to all of us. Jim Bell jimbell at pacifier.com Klaatu Burada Nikto From gary at kampai.euronet.nl Tue Mar 12 04:55:31 1996 From: gary at kampai.euronet.nl (Gary Howland) Date: Tue, 12 Mar 1996 20:55:31 +0800 Subject: Remailer passphrases Message-ID: <199603121043.FAA20786@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- markm at voicenet.com writes: On Mon, 11 Mar 1996, Gary Howland wrote: > > This of course assumes that the remailer runs as a process - if it doesn't > > then there is no reason a 'remailer helper' cannot. > > > > The only disadvantage of this is that the remailer cannot be rebooted > > without a passphrase being entered, but then there are ways around this > > (entering the passphrase remotely over a secure link etc., or more > > sophisticated 'remote authorisation' systems). > > > > The advantage of this is that the password is never on the disk, > > only in memory (which will take serious (read "expensive") to extract). > > I don't know that it would be that expensive. If someone was able to gain ^^ > root access to the system, something like "strings /dev/kmem" could narrow > the search for the passphrase down significantly. Of course one could > obfuscate the passphrase by XOR'ing it with 0x80, but that's only security > through obscrurity. Sure, _if_ they were able to gain root access without rebooting the machine, but the usual scenario is that the filth turn up with black bin liners, not men from the NSA. Gary - -- pub 1024/C001D00D 1996/01/22 Gary Howland Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06 - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMUVVMioZzwIn1bdtAQFFPAGAkqQFY1FRwSunSdqkvZBQx8S6BnD7UXRV ztKYpHcCkyex8pT4jL/WqeEIGPUXfi4l =voJ5 -----END PGP SIGNATURE----- From eagle at armory.com Tue Mar 12 05:39:39 1996 From: eagle at armory.com (Jeff Davis) Date: Tue, 12 Mar 1996 21:39:39 +0800 Subject: Electronic Frontiers Wyoming (fwd) Message-ID: <9603120216.aa04516@deepthought.armory.com> Forwarded message: > From: eagle at nyx.net (eagle) > Message-Id: <9603121000.AA25993 at nyx.net> > Subject: Electronic Frontiers Wyoming > To: kellee at uwyo.edu > Date: Tue, 12 Mar 1996 03:00:23 -0700 (MST) > Cc: barlow at eff.org (John Perry Barlow), mnemonic at eff.org, > brown at eff.org (Dan Brown), mech at eff.org (Stanton McCandlish), > ssteele at eff.org, aburt at nyx.net (Andrew Burt), > mbarry at stout.entertain.com (Bruce Dane), rcarter at nyx.net (Ron Carter), > eagle at armory.com > > -----BEGIN PGP SIGNED MESSAGE----- > > It was nice talking to you at the Information Center in the Union earlier. > You might like to know that Information Technology in conjunction with > Administration and Records has seen fit in a convulsion of gross idiocy to > publish your entire UW transcript on the World Wide Web. Anyone with your > social security number and your registration PIN can dowload your entire > transcript and post it to Usenet News if they so desire, where your grades > would be replicated in computers, and circling the planet in a few minutes. > By gross malfecence, the University of Wyoming has seen fit to *PUBLISH* *ALL* > the Non Degree seeking Graduate Students PIN in the Summer Bulletin; 4723. > > Patrick, who is a non degree seeking grad student, went ballistic when I gave > him *his* PIN to access his transcript. The web browser also writes your > social security number to the screen, so anyone watching over your shoulder > has all the information they need to violate your right to privacy. It's > really stupid to create an HTTP link directly into the cgi-bin as well. > > You can check this out for yourself at Whistle: > > http://siswww.uwyo.edu/cgi-win/homepage.exe > > Or wait until the Program Analyst I in charge of computer security at the > Water Resources Center, (they paid him more money that Math CoSci), writes > a *scathing* letter to the Branding Iron. It will be signed Patrick Malone. > > This bit of better living via Electronic Revolution has been brought to you > by your friendly neighborhood Cypherpunk. > > Jeff > > -----BEGIN PGP SIGNATURE----- > Version: 2.6.1 > > iQCVAwUBMUVKIF4aVg6iEWoBAQETKgQAoL4xnCzIPvccRuJZTxslDXb36qC0Zhhj > DAK100FlTyAmgc8oxIJjcQ3C1f4qzKVSOj63hBXBrhdpIoIkvE0x8notQuRsl/ua > sKf6XwVWfl0vAZ2lMUn0/f/GtUU4579NMhsChXnwGADzrHnmzfB3belxVMZzxsyJ > Xc6wHukVRNU= > =wVEh > -----END PGP SIGNATURE----- -- According to John Perry Barlow: *What is EFF?* "Jeff Davis is a truly gifted trouble-maker." *email * *** O U T L A W S On The E L E C T R O N I C F R O N T I E R **** US Out Of Cyberspace!!! Join EFF Today! *email * From gary at kampai.euronet.nl Tue Mar 12 05:39:54 1996 From: gary at kampai.euronet.nl (Gary Howland) Date: Tue, 12 Mar 1996 21:39:54 +0800 Subject: FCC & Internet phones Message-ID: <199603121049.FAA20806@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Adam Shostack wrote: > Loren James Rittle wrote: > | >Most > | >presumably use a mix of a UDP data connection and tcp for control > | >functions. > | > | OK, everything after the IP header is encrypted. I don't even know > | which protocol is in use. > > Are you willing to play Mallet? Drop IP packets, and look for > duplicates. Those are TCP. (IPSEC might handle this, but I bet there > will be broken implementations that save time by resending.) Are you saying UDP protocols don't retransmit un-acked packets? If not, then you can't be sure the duplicates are TCP. Gary - -- pub 1024/C001D00D 1996/01/22 Gary Howland Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06 - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMUVWwioZzwIn1bdtAQHQaAGA1EjYZpEKrie9t/eIohlrHCC4rUY8Dzu1 HgB+1ZbAS8X7hIRb3eSHLlBB13LZtkDH =4Tgg -----END PGP SIGNATURE----- From wlkngowl at unix.asb.com Tue Mar 12 06:29:36 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Tue, 12 Mar 1996 22:29:36 +0800 Subject: Mile High Snakeoil In-Reply-To: <9603111947.AA00418@ch1d157nwk> Message-ID: <3145574F.38A9@unix.asb.com> I've been thinking about this a while. Perhaps it's high time some of us try to contact Consumer Reports or some of the local TV/Newspaper consumer reporters and encourage then to do features on encryption software... might even get them to talk about ITAR, GAK, and the Leahy Bill... Andrew Loewenstern wrote: > I was flipping through a copy of Spirit, the official magazine of Southwest > Airlines, while on a flight to Vegas and found a thoroughly enjoyable > advertisement for a crypto product. Underlines and emphasis are theirs.[..] > Encryption through totally unbreakable Stonewall-Drawbridge is your > ultimate security blanket.[..] > DRAWBRIDGE applies mathematical algorithms to encrypt messages and uses a > quasi-infinite, one-way transfer to ensure veracity. Drawbridge uses an > Infinite Venegere Key (IVK), combined with a one-way private key transfer ^^^^^^^^^^^^^^^^^^^^^^ > which is impossible to break, except by chance, once in a million years. Hahahaha. *cough* From jya at pipeline.com Tue Mar 12 08:25:22 1996 From: jya at pipeline.com (John Young) Date: Wed, 13 Mar 1996 00:25:22 +0800 Subject: DOT_con Message-ID: <199603121503.KAA28612@pipe1.nyc.pipeline.com> 3-12-96. TWP: "Making Connections With Dots To Decipher U.S. Spy Spending. Panel's Report Indirectly Discloses Details It Urged Keeping Secret." Buried in the commission's report is a chart that provides a striking account of previously secret spy spending and personnel levels for the CIA, NSA, DIA and NRO. The chart also confirms that the NSA, together with its various military service components employs the most people, a total of nearly 40,000 eavesdroppers and codebreakers. It appears to have an annual budget of around $3.7 billion. DOT_con From gary at kampai.euronet.nl Tue Mar 12 08:46:28 1996 From: gary at kampai.euronet.nl (Gary Howland) Date: Wed, 13 Mar 1996 00:46:28 +0800 Subject: FCC & Internet phones Message-ID: <199603121510.QAA14739@kampai.euronet.nl> Adam Shostack wrote: > Gary Howland wrote: > | Are you saying UDP protocols don't retransmit un-acked packets? ^^^^^^^^^^^^^ > | If not, then you can't be sure the duplicates are TCP. > > Err, yes. Thats the point of UDP; its unreliable and has no > acknowweldgement. Sorry, I meant protocols using UDP, not UDP itself. Gary From pkedrosk at sms.business.uwo.ca Tue Mar 12 09:06:19 1996 From: pkedrosk at sms.business.uwo.ca (Paul Kedrosky) Date: Wed, 13 Mar 1996 01:06:19 +0800 Subject: Your "switchboard" listing Message-ID: <3144A42E.7506@sms.business.uwo.ca> Ha! Very funny that you have yourself listed as Mssr Thomas Pynchon in Switchboard's listings. I especially like the mailing address. P. From ncognito at gate.net Tue Mar 12 09:06:43 1996 From: ncognito at gate.net (Ben Holiday) Date: Wed, 13 Mar 1996 01:06:43 +0800 Subject: Remail Software Where? In-Reply-To: <199603111450.GAA01786@kiwi.cs.berkeley.edu> Message-ID: Seems that berkeley's ftp ain't talking anymore. Where are the remailer packages living these days? Benji From drose at AZStarNet.com Tue Mar 12 09:08:17 1996 From: drose at AZStarNet.com (drose at AZStarNet.com) Date: Wed, 13 Mar 1996 01:08:17 +0800 Subject: Cryptographers against cryptography Message-ID: <199603112146.OAA25645@web.azstarnet.com> >anonymous-remailer at shell.portal.com writes: >> This is the second in a regular series of postings to expose >> cryptographers and cypherpunks who are either lying to us or >> making a very serious mistake in there judgement. > >No, this is the umpteenth stupid anonymous denunciation of people who >deserve no such stupidity. > >You aren't fit to eat Bruce Schneier or Matt Blaze's toenail >clippings. > >Perry I frequently have a problem with Perry's proprietary and bumptious mother-hen approach to the c-punks list; in this specific instance, I applaud his sentiments. To Mr/Ms/Space Alien (anonymous): It would be nice if you had the decency to identify yourself, but in any case, please bugger off (and don't keep pulling out that Thorazine drip connected to your arm). --Dave Rose From jimbell at pacifier.com Tue Mar 12 09:15:33 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 13 Mar 1996 01:15:33 +0800 Subject: Leahy Bill a Move to Slow Crypto Exports as Much as Possible Message-ID: -----BEGIN PGP SIGNED MESSAGE----- At 11:34 AM 3/11/96 -0800, Timothy C. May wrote: >I was more thinking about "novel" applications: things related to digital >cash, remailers, information markets, etc. These are things which are at a >nascent stage, and nearly any of them can stalled for export by citing the >absence of comparable competitors in Europe and Asia. > >Hence my concern that the clause is effectively an excuse for delaying >crypto for as long as is practically possible. Not much of an improvement >over what we have now--though established companies will no doubt be happy >because they can export their fairly boring apps--and the new >criminalization of crypto (when connected with any of the other thousands >of felony-class crimes, such as swearing) is a step backward. > >--Tim May You're exactly correct, here, Tim. (I realize that you may not necessarily welcome an affirmation from me, but you are indeed right about your concerns.) I've chosen to not focus on the export aspects; I'm glad to see you are ably raising them as problems. Jim Bell jimbell at pacifier.com -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUSWlfqHVDBboB2dAQE7SgQAo5lk3XrbgH9vUQjukZfKhzKTsE9c0pKb IRj9kzCirfJImb8MhxszevAm/ibGbgZssL2wX4u0osLZiClkwnh12gk39wNMeKuN K3GTHrzuuk6xKH5cseaHXJcCi1CuiL5bj0KQDDsJnMIgvrlQeE2RnmxLKlJH1ngO EO6ASNVSXto= =GepQ -----END PGP SIGNATURE----- From vznuri at netcom.com Tue Mar 12 09:23:20 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Wed, 13 Mar 1996 01:23:20 +0800 Subject: rhetorical trickery In-Reply-To: Message-ID: <199603112135.NAA20486@netcom5.netcom.com> >A standard attitude among LEOs is: "if you're not guilty of something, what >are you hiding?" Skilled ones use this lever to get suspects to allow >searches of their property on the flimsiest of pretenses. sigh. it seems I am still being misunderstood. SO WHAT??? so a nasty policeman thinks I stole something from my grandma. SO WHAT??? look, in life, if you are someone who can be walked on, it doesn't take a POLICEMAN to take advantage of your lack of backbone/spine. you are going to be exploited by a lot of people other than a policeman. if you don't know your rights, OF COURSE you can be taken advantage of. I can't comprehend all this silliness in response to my messages. "sure, you can do [x], but the police may still SUSPECT YOU". well, @#%$%^&* so what?!?!? doesn't anyone understand that if we are in a civilized society, that's completely irrelevant to the law??? >"Innocent until proven guilty" is at best an abstraction to most police. >Given the amount of time they have per case, on average, they're more >interested in slorking up whatever evidence they can against a suspect and >making a bust. Didn't Ed Meese say something along the lines of, "if they >weren't criminals, they wouldn't be involved with the police"? but don't you understand? their ATTITUDE is completely irrelevant. in regard to the law, we are considering only what they have authority to do. a policeman cannot get a conviction if he breaks the law in obtaining evidence. this is my basic point. this is a very powerful factor in favor of anyone who wishes to use cryptography without harassment. now, there are all kinds of cypherpunks who are going to write me back, because the mere fact that I used the word "police" in this message, which attracts flames here with approximately the same magnetism dead carcasses do flies. my posts are not about Nasty Police Urban Legends about how the Pigs are oppressors and have done [x] to my friend [y] who did ABSOLUTELY NOTHING to provoke it. in fact I am attempting to pierce some of these Urban Legends of Police Fear, but instead they continue to pop up around my posts, somewhat spurred by them. >ObCrypto: Having a fair amount of encrypted stuff around makes any given >piece stand out less. A couple dozen PGP-encrypted files with names like >"1994 1040 Schedule A" and "Business Contact List, 1Q 1995" is a hell of a >lot less suspicious than a single encrypted file called "detonate.pgp." :^) > >Furthermore, if they don't believe me and I choose not to give them the >plaintext, isn't that my Fifth Amendment right? Or has that been waived in >cyberspace for our convenience? these are pretty much the point I'm making that is obviously not making it through to everyone who responds to me. From jimbell at pacifier.com Tue Mar 12 09:25:01 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 13 Mar 1996 01:25:01 +0800 Subject: Cryptographers practicing law? Message-ID: At 01:28 PM 3/11/96 -0500, Perry E. Metzger wrote: > >anonymous-remailer at shell.portal.com writes: >> This is the second in a regular series of postings to expose >> cryptographers and cypherpunks who are either lying to us or >> making a very serious mistake in there judgement. > >No, this is the umpteenth stupid anonymous denunciation of people who >deserve no such stupidity. > >You aren't fit to eat Bruce Schneier or Matt Blaze's toenail >clippings. >Perry While I don't really appreciate this guy's style and anonymity any more than you do, it's a misleading argument to try to challenge his position based on (presumably) his crypto expertise or lack of it. I don't doubt Schneier's or Blaze's commanding position in that limited area, but when it comes to the analysis of a bill affecting crypto, knowledge of the technical details of crypto is far less important than knowing how a prosecutor or court will interpret any given law. I'm an "expert" in neither field, but I knew enough to worry. Further, after having read Junger's preliminary analysis, it is blatantly obvious that this bill doesn't constitute much of a step forward, and in fact is likely a retrenchment if the government has its way. The "guarantees" the bill provides aren't really guarantees at all, they are "feel-good" conditional promises, and the whole thing is so shot full of holes that it's hard to imagine that it will provide any protection beyond what we have today. As I noted in my original comment to VTW (Mr. Safdar, who hasn't taken the trouble to contradict, let alone respond to my comments) my biggest fear is that the organizations and people who originally came out in mistaken favor of this bill either won't see their mistake, or won't admit seeing it if they do. (People are funny that way; they hesitate to admit it when they are clearly wrong; organizations are even worse on this score; tiny organizations are worse still, because they must "appear" to be externally consistent yet there are few "heads" to depend on to fix mistakes.) If anything, _MY_ mistake was in believing that the rest of the bill was acceptable if a single bad section was removed; I now believe (after seeing Junger's analysis, and a much more careful reading of the bill) that a serious re-write is mandatory. (In my own defense, I had only skimmed the rest of the bill once, I focussed my criticism on the one "killer" section that I could easily tell would be the most questionable item.) This fiasco does, indeed, raise serious questions about the motivations and credibility of those who have effectively endorsed this bill so soon: It is doubtful whether we will get any accurate picture about the bill from anybody who is afraid of changing his original assessment. I'd be just as willing to listen to "experts" quoted by the people who have (so far) expressed support for this bill. Maybe, as he himself suggests, Junger is a bit too pessimistic. On the other hand, Junger has clearly raised many questions whose answers depend almost completely on the INTENT of people within the government, not the wording of the bill itself. Since I believe their intent to be uniformly bad, it is hard to imagine how anyone could resurrect confidence in this bill to anyone who was similarly pessimistic. And the people who originally claimed that the Administration would oppose this bill as "going too far" cannot now turn around and claim that the government's intent was anything other than bad, BTW. We now see how little good this bill might do, and how much trouble it might allow the Feds to cause, so it's hard to imagine why anyone would have believed the bill (if passed) would not have been signed. I predict that the organizations that have, so far, "endorsed" this bill will quietly stop doing so, but without any kind of specific retraction or apology or explanation. I also believe that they will refuse to reveal whatever legal advice they originally received that induced them to endorse it, because they probably had none. At least Leahy's bill is DOA. However, I think it would be interesting and useful to do a re-write of this bill, addressing all of Junger's concerns, mine as well, and Tim May's to boot. I recommend that we totally ignore comments such as those by Padgett Peterson which claimed that certain provision "must" be included for the bill to pass. Jim Bell jimbell at pacifier.com From unicorn at schloss.li Tue Mar 12 09:25:46 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 13 Mar 1996 01:25:46 +0800 Subject: [noise] Re: Do you feel lucky, punk? In-Reply-To: Message-ID: On Mon, 11 Mar 1996, jim bell wrote: > At 05:54 PM 3/11/96 -0500, Black Unicorn wrote: > > > > > >[rant including some very dubious abstracts of legal opinions deleted] > > > >Not only is your law poor and badly reasoned, > > Just what George Will said about this recent Bennis SC decision. My issue was with your application of the cite and decisions to the pending bill. (Perhaps if you are not qualified to make your own comments about court cases, and limited to citing the critiques of others, you should refrain from making inferences as to their likely or unlikely application to other legal issues). > > your mastery of the jurisprudence of forfeiture law flawed, > > Ditto, and I notice you give no specific examples. Why is that? My issue was, again, with regard to your choice of cites, the way you chose to apply them to represent a general (and flawed) attitude toward statuatory construction, and the manner in which you try to mold all of the above in a way suggesting it has the least bit to do with the bill in question. But, for the sake of equality, let's examine some of your legal assertions. Or, more accurately, legal conclusions. (BTW, where is your J.D. from?) 1> In fact, I would argue that a remailer operator will actually be considered MORE responsible, legally, than Mrs. Bennis: 2> I argue that a person who runs an anonymous encrypted remailer could be clearly claimed to be "entrusting" that "property" to someone else, under the meaning of the above paragraph. The "above paragaph," incidently, doesn't even rise to the level of court dicta, but is a abstract of dicta by a court commentator. Using such authority to back a legal conclusion (especially when applied to an entirely seperate legal area) is twisted at best, and dangerous at worst. 3> At least, that is the position the prosecutors could surely take, especially given this Supreme Court decision. Uh huh. They might also take the position that the defendent is ugly, and should be convicted. That doesn't make it a legally viable argument. > > > and your rhetoric twisted, > > Again, you give no specific examples. And what is "twisted rhetoric", at > least as you've used it here? I'm not going to delve into semantics or be distracted by a war of the dictionaries. You proport to be knowledgeable in these areas, and yet say nothing of value. Your appeal (what of it there is) is based entirely on skewing meanings, using critiques of dicta, and generally applying inflamatory language taken out of context in a manner which suits you. I don't think I'm off base calling it "twisted." > > >but you don't seem to know the difference between dicta and holdings. > > I didn't use either term. Neither did George Will. Perhaps you should have. It would have set of the alarm bells of others who might have been looking at your work with anything like a critical eye and saved them the time of reading the trash. > Maybe you read that item too rapidly to notice that most of it was George > Will's column, not my wording. Again, its application to the bill is what I question. All of which throws your understanding of law, dicta, holdings, jurisprudence, and rhetoric into question. What you should have cited was some statuatory construction and legislative history cases, not forfeiture law. But how could you be expected to know this? > BTW, I get particularly suspicious when people "respond" > to my posts and quote NOTHING that I have said. I delete fluff from my postings as a matter of courtsey to the readers. This is a habit you do not seem to share with me. This seems to be a pattern: I guess I'm not the only one who thinks your prose has the bouquet of rotting herring. > The person clearly disagrees with my position in general, but can't cite > specifics and in fact studiously avoids them. Padgett Peterson is an expert > at this, it appears you're trying to emulate him. I do not know Mr. Peterson, nor am I familiar with his works. I deleted a bunch of useless gibberish, commenting in the process on its general unsuitability in the context of the post. > What, then, was the point of sending me the note, as well as wasting > bandwidth on CP to share your unhappiness? Distribution of reputation capital (or in this case, negative reputation capital). I believe I also wanted to make a point (in 1,200 bytes) about the utility (or lack thereof) of your article (10,500 bytes) on this list. Perhaps in the process I might save a newcomer from the unfortuante and embarassing fate of actually lending some authority to anything you have to say. > Jim Bell > jimbell at pacifier.com --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From jimbell at pacifier.com Tue Mar 12 09:25:58 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 13 Mar 1996 01:25:58 +0800 Subject: Leahy and Mrs. Bemmis (now that's a subject line) Message-ID: At 11:24 AM 3/11/96 -0500, A. Padgett Peterson P.E. Information Security wrote: >The Leahy bill is flawed in two areas. Sent a message with proposed wording >to Sen. Leahy via his web page but have not gotten a response. Have a bad >habit of reading laws without thought since this is how LEA and prosecutors >are told to enforce them - as written, not as believed. If an area is >vague, a court is required to decide how to interpret it, not LEA. If badly >written *everyone* loses. Unfortunately, this is not the way CREATIVE prosecutors enforce laws. _THEY_ try to be imaginative, "pushing the envelope" as it were, and expect the courts to stop them. Sadly, those same courts often have ex-prosecutors as judges, people who aren't particularly inclined to dissuade the abuse of laws. (exceptions exist, obviously.) >At the same time am pragmatic enough to accept the idea that it will have >no effect unless it passes and to be passed today it must have something >like the criminalization statement. I've occasionally seen statements like this, but the people who make these claims never seem to back them up with reasoned commentary, let alone facts, which would help to establish that this particular section is a "must" to any particular supporter, certainly not a substantial number of supporters of this bill. Even a quote or two from some political-type saying, "We need that section to pass this bill" would be better than nothing. I'm not suggesting this is totally implausible; merely that it would be lunacy to _assume_ that the bill "needs" this clause to pass, without more evidence or even opinion expressed by key people. It's almost as if you people have surrendered before the "fight" even has begun. _NOW_ do you understand why I'm so astonished at your reaction to this bill? Tim May would object to my use of the word, "Sheeple" here, but I think it fits absolutely. Anybody who would allow himself to be spoon-fed this _entire_, unrepaired bill _IS_ a "sheeple." Anyone who invents some requirement that this bad section be in place is WORSE. Furthermore, if any people (for example, Senators and Representatives) actually are willing to publicly stand up and insist on that section, then I'd say that's a cue for us to ask them some very hard questions. You seem to be unwilling to put them to their proof. I recommend that you stop living DOWN to your reputation, Padgett. > The goal here should not be to throw >it out since that would simply cause the whole bill to fail, Again, you do NOTHING to support this claim. How do you KNOW this to be true? And even with that knowledge, presuming you have it, why are you apparently not planning to use it to our best advantage? Why not try to "smoke out" some of the people who have conspired to include this section into the law? I'll bet they're hoping nobody questions them on their motivations! Moreover, does this comment indicate that you've had conversations or seen information that indicates that the presence of this part of the bill is necessary to its passage? And you're not TELLING US the details of that conversation or information? Suggesting that you're happy to sell the rest of us out? Hmmmmmm? Or are you just jumping to a conclusion? Padgett, the more you say the more you destroy your credibility. > but to word >it carefully enough that it satisfies those who reguire laws Huh?!? Who "require[s] laws"????????? _I_ certainly don't "require" this section to be there, and so far I haven't seen anyone on CP who _personally_ would insist on the presence of this section to condition his support the entire bill. Quite the opposite; most people express varying degrees of reservations about it. > while being narrow enough to avoid exploitation. IMNSHO the best way to do that is to >require that: >1) A felony occured (curiously misdemeanors were ommitted) > and >2) That the individual to be charged was an active participant (before, > during, or after the fact) The problem is, what is your definition of the words, "active participant"? And will YOUR definition actually be the one included in the law? I, on the other hand, see no reason to add crimes, since the implication above is that the person involved is ALREADY prosecutable in court. Why all this "piling on"? On the contrary, I believe it is absolutely certain that this clause will be used to prosecute people who are not otherwise prosecutable or convictable of any other crime. It's curious that you don't see that. > and >3) That encryption was used in furtherance. > >Note: that in the US (1) and (2) seem sufficient for a criminal charge to be >brought, so does (3) really add anything except words or possibly severity ? I sure wish you were better at answering your own questions... >Seizure seems to be a great concern of the group with the point of the >Bemmis Pontiac being brought up. For someone providing a free remailer, >that is a valid concern since the first question a court might ask is >"what was the motivation". I suspect that someone providing a remailer >and charging a reasonable fee to all who might want to use the service >might be in a much better position (not a lawyer so not allowed to know). Playing into their hands yet again, I see! Raising the price is merely a diluted form of banning, BTW. So far, people implement remailers because running them is a comparatively minor cost, and they feel that there is a need for those services. If there was some sort of de-facto rule that the operator had to charge for those services, this would complicate the use of anonymous remailers even more, deter their use even further, and achieve the government's ends just about as surely as a downright ban would do. In fact, accepting a fee might actually INCREASE the liability of the operator, not reduce it, because the remailer operator would have a financial stake in the use of his remailer. He could no longer argue that he did not "benefit" from the abuse (use) of that remailer. >One indicator might be easy to check: Has there ever been a seizure >involving a rental car (Hertz, Avis, etc.) and if so, what was the >disposition ? Well, given the fact that these auto-rental companies do billions of dollars of business each year and are known and "loved" by one and all, you could not use the (supposed) fact that no such incident occurred as some sort of positive sign. Any prosecutor is well aware that he may need a rental car some day, and angering a multi-billion dollar company is not something you do lightly. OTOH, if you discover that EVEN THESE organizations are liable for the transgressions of their renters, either civilly or criminally, that should give you fair warning that anyone smaller (especially an individual running a remailer) and less able to defend himself is certainly going to be a target eventually. Even a failed attempt to get a car rental company to be liable for something done by a renter is a sign that prosecutor was inclined to go after a big target, suggesting he wouldn't think twice before he tried to haul an individual into court. Do you think a person would operate a remailer if he thought it was likely he'd get prosecuted and have to pay thousands of dollars in legal bills, even if he were eventually acquitted? Remember, his legal bills won't be reimbursed by the government, though I believe they should be. Too bad you can't see this, huh? Jim Bell jimbell at pacifier.com From jya at pipeline.com Tue Mar 12 09:33:18 1996 From: jya at pipeline.com (John Young) Date: Wed, 13 Mar 1996 01:33:18 +0800 Subject: Panorama of the Spy Industry Message-ID: <199603121537.KAA02468@pipe1.nyc.pipeline.com> http://www.fas.org/pub/gen/fas/irp/overhead/index.html _________________________________________________________ FAS Project on Intelligence Reform _________________________________________________________ OVERHEAD THE INTELLIGENCE COMMUNITY As part of our Intelligence Agency model homepage profiles of the components of the intelligence community, we are constructing a picture gallery of agency and contractor sites and buildings. These are derived from US Geological Survey and other aerial photographs. We obtained some of these initial test images from Los Alamos National Lab. From kadie at eff.org Tue Mar 12 10:42:29 1996 From: kadie at eff.org (Carl M. Kadie) Date: Wed, 13 Mar 1996 02:42:29 +0800 Subject: Electronic Frontiers Wyoming (fwd) In-Reply-To: <9603120216.aa04516@deepthought.armory.com> Message-ID: <199603121633.IAA25987@eff.org> There are strong laws on the boks protecting student privacy. [From _College and University Student Records: A Legal Compendium_, Edited by Joan E. Van Tol, 1989] ================== p. 119 =============== The [Family Educational Rights and Privacy Act] regulations ... were significantly modified in 1988. ... The new regulations amend the definition of directory information and establish a standard for the designation of directory information. The new definition is: ' ... information contained in an education record of a student which would not be considered harmful or an invasion of privacy if disclosed. It includes, but is not limited to, the student's name, address, telephone list, date and place of birth, major field of study, participation in officially-recognized activities and sports, weight and height of members of athletic teams, date of attendance, degrees and awards received, and the most recent previous educational agency or institution attended.' The new standard -- that which would not be considered harmful or an invasion of privacy if disclosed -- permits the educational institution to exercise its discretion in the designation and and release of directory information provided that the eligible student does not object to the disclosure. ======================== p. 106 ============ [From the regulations: 34 C.F.R., 99.37 (1988)] 99.37 What conditions apply to disclosing directory information? (a) An educational agency or institution may disclose directory information if it has given public notice to parents of students in attendance and eligible student is attendance at the agency or institutional of -- (1) The types of personally identifiable information that the agency or institution has designed as directory information; (2) A parent's or eligible student's right to refuse to let the agency or institution any or all of those types of information about the student as directory information; and (3) The period of time within which a parent or eligible student has to notify the agency or institution in writing that he or she does not want any or all of those types of information about the student designed as directory information. ================== p. 155 ================ [from a reprint of an article printed in 1982 in _Computer/Law Journal_ by a Ms. Hyman.] ... A waiver of FERPA rights made pursuant to section 99.7 must be exercised by the student {109} and can apply to all FERPA rights {110}. Wavers must be signed {111}, and are most commonly given regarding letters of recommendation for admission {112}. Institutions may request students to waive their right of access to these letters, but they may not require a waiver as a condition for admission or services.{113}. [References] {110} 34 C.F.R. 99.7(a) (1980) {113} 34 C.F.R, 99.7(b) (1980) [Which I think cooresponds to this section of the 1988 regulations - cmk] ====================== p. 104 ================= [34 C.F.R. 99.12 (1988)] 99.12 What limitations exist on the right to inspect and review records? ... (b) A postsecondary institution does not have to permit a student to inspect and review educational records that are -- ... (3) Confidential letters and confidential statement of recommendation places in the student's records ..., if (i) The student has waived his or her right to inspect and review those letters and statements; ... (c) A waiver under paragraph (b)(3)(i) of this section is valid only if -- (i) The educational agency or institution does not require the waiver as a condition for admission to or receipt of a service or benefit form the agency or institution; ... ============================================ From ac at hawk.twinds.com Tue Mar 12 11:00:02 1996 From: ac at hawk.twinds.com (Arley Carter) Date: Wed, 13 Mar 1996 03:00:02 +0800 Subject: Mile High Snakeoil In-Reply-To: <9603111947.AA00418@ch1d157nwk> Message-ID: Oh No........... Not again Mr. Bill. Still recovering from the IPG exploit. Troll shield now in place Captain. ;-) Regards: -arc Arley Carter Tradewinds Technologies, Inc. email: ac at hawk.twinds.com www: http://www.twinds.com "Trust me. This is a secure product. I'm from ." On Mon, 11 Mar 1996, Andrew Loewenstern wrote: > I was flipping through a copy of Spirit, the official magazine of Southwest > Airlines, while on a flight to Vegas and found a thoroughly enjoyable > advertisement for a crypto product. Underlines and emphasis are theirs. > > ---- Begin Snake-Oil Advertisement ---- > > __UNBREAKABLE__ COMPUTER SECURITY AND PRIVACY AT A __BREAKTHROUGH__ LOW PRICE! > > Stonewall-Drawbridge - Encryption Sytem > > In the face of the increasingly dangerous invasion of professional, business > and personal privacy, unbreakable computer security at an affordable cost is > a must. Lawyers, Accountants, Doctors, other professionals whose stock in > trade is confidential information are especially vulnerable to malpractice as > a result of unprotected information. It is important to deal with this very > real potetial problem before it becomes a problem. Every business, every > individual must also be concerned about computer security. Encryption can > now be used to secure everything from credit card numbers to legal documents. > Encryption through totally unbreakable Stonewall-Drawbridge is your > ultimate security blanket. > > *Available Only to United States Citizens* > > STONEWALL an unbreakable, streaming type algorithm, 100 to 10,000 times > faster than other encryptions. Stonewall compresses prior to encryption, > eliminating the possible invasion of your computer files. Its key cannot be > broken except by random chance, once in a million years. Good for DOS; > Windows 3-1; Windows 95 operating systems..... ......$195 > > DRAWBRIDGE applies mathematical algorithms to encrypt messages and uses a > quasi-infinite, one-way transfer to ensure veracity. Drawbridge uses an > Infinite Venegere Key (IVK), combined with a one-way private key transfer > which is impossible to break, except by chance, once in a million years. It > also incorporates a forge-proof digital signature for verification and > authentication insuring absolute transmittal protection. > > STONEWALL-DRAWBRIDGE ENCRYPTION SYSTEM provides unbreakable security > protection for your "need to protect" files, archives and computer to > computer transmission. The Stonewall-Drawbridge System is the ultimate > encryption system, unmatched by anything else available...at a price that is > significantly lower than any competitive product. This means it is > affordable for every professional, business or individual who needs and seeks > total and unfailing computer security....especially on the > Internet.......$295 > (includes a second system for your choice of contact) > > (800) 610-0859 Mr. Thomas > > (30 Day Money Back Guarantee) > > Make Checks Payable to: HWI > 747 E. Green Street, Suite 300, Pasadena , CA 91101-2119 > > ---- End Snake-Oil Advertisement ---- > > > andrew > From um at c2.org Tue Mar 12 11:28:24 1996 From: um at c2.org (Ulf Moeller) Date: Wed, 13 Mar 1996 03:28:24 +0800 Subject: German minister predicts collapse of governments Message-ID: <199603112206.XAA00179@idril.shnet.org> German Minister of Justice: Governments' attempts to regulate the internet on their own are nonsensical, technically and economically. National states are obsolete. A crypto ban cannot be enforced. The German news magazine DER SPIEGEL features a story about the internet, with 33 pages of the usual hype. However, there is a remarkable interview with the German Minister of Justice, Edzard Schmidt-Jortzig: The minister says that he is not glad about always having to talk about control when concerned with the internet. According to him, the internet has been getting on without any special laws. The discussion about pornography and blocking programs reminds him of the discussion about the "dangerous device TV" in his youth. The state has legitimate interests in regulations, he says, but it is "nonsensical, when those attempts are restricted to one country. The internet has no borders. What is illegal in one state will simply be served to the net elsewhere." He admits that in a way he is happy about that: "This whole discussion still is at its very beginning." Conceivably, providers could be obliged to block pages with illegal contents to their customers, Schmidt-Jortzig says. However, such a step, performed by the government on its own, would hardly make sense technically and economically: Instead of going through the exteme effort of controlling the contents, providers would simply move to countries such as Andorra, Liechtenstein or Luxemburg. That would only increase telephone bills for the customers, but Germany would lose many innovative businesses and jobs. Propaganda from overseas could only be avoided by a world-wide convention or UN treaty, but he does not expect any such things for the next 10 years. Facing the development of technology, "our thinking in national categories is no longer adequate. That way, we will not be able to control the net. I rather think that we will have to say good-bye to the idea of enforcing German law on the internet." Of course, Nazi propaganda or child pornography would remain illegal in Germany, but the question were if it can be enforced. "I can already imagine those users sending their paroles and pamphletes to the net from Luxemburg, deriding the helpless German authorities. I don't really think that is great, but I don't see any solution." "I think the internet with its unlimited possibilites of communication and its anarchistic structure is one of the most amazing challenges the state currently has to face. Faster than we would have thought, the traditional national state will prove obsolete. A legislation ending at the borders of a certain territory will be increasingly hard to defend." He knows that many will find it difficult to bear, says Schmidt-Jortzig, "but we cannot outlaw the internet only because it does not fit with the conception of life of some [people living in yesterday's world]. Not even the Chinese can." The idea of the global citizen in the internet, who no loger has to cope with national ideas, is a nice vision, he says, but still very unrealistic. For some time, national states would remain authoritative and defend their function. "But I am afraid that this stuggle will eventually fail." Schmidt-Jortzig says that the Bavarian prosecutors' proceed against CompuServe has been absolutely legitimate, but if they will be sentenced were a totally different question, because the accused had no way of verifying every internet resource. In a global community, there could be something like a net police. German controls however, would be totally senseless today: "If I really were to regulate the internet with laws and prohibition in spite of all argumentation, then I would certainly need such control, a new federal Data Police. But I think nobody would have such absurd an idea, as everyone knows that would also mean the death of this innovative business field in Germany." The state could not care for fully effective privacy on the net, but may have to inform about the threads towards privacy. Schmidt-Jortzig does not see any reason for banning encryption software the police cannot break: "Why should I outlaw that on this still rather insecure media, people encrypt their private mail, and be it only the results of the federal league." - "Even if I wanted to, I could hardly enforce that ban. You can download encryption programs for free on the internet. Meanwhile, there even is software that allows you to undetectibly hide a message in normal e-mail. The state is participating in a persuit race that it cannot win at all. Of course that does not exempt us from having to try to persue in the beginning." Asked about criminals using encryption, he says that he knows there will be large scepticism if the state gives up that quickly. "Only, I am afraid that those who work against this development will eventually have to lay down arms. Any attempt to find a national solution will fail." From WlkngOwl at UNiX.asb.com Tue Mar 12 11:41:05 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Wed, 13 Mar 1996 03:41:05 +0800 Subject: How would Leahy bill affect crypto over HAM radio? Message-ID: <199603121028.FAA08674@UNiX.asb.com> jim bell wrote: > Even so, it isn't clear that this new law WON'T change the rules under which > hams operate. An affirmative statement of the right to use encryption would > seem to pre-empt prior bans, except if there was some sort of explicit > exception for over-the-air transmissions. After all, the law was written I re-read the bill... it notes "wire" communications, as opposed to all forms. It also allows for previous restrictions to keep in effect, I think. Still, the distinction between wire and wireless is not clear anymore with new technologies. Certainly if enough HAMs pester Sen. Leahy about this 'oversight' positive changes could be made. [..] > Not that such an interpretation will necessarily be welcomed by some hams: > Part of the reason for maintaining the ban on encryption would be the fear by > hams that ham bandwidth will be surreptiously used by commercial services > masquerading as ham users. Encryption would make such usage difficult to > detect. Interesting point... Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From shabbir at vtw.org Tue Mar 12 11:41:47 1996 From: shabbir at vtw.org (Shabbir J. Safdar) Date: Wed, 13 Mar 1996 03:41:47 +0800 Subject: TWP on Crypto Keys Message-ID: <199603121158.GAA19202@panix4.panix.com> I think the upshot of it is that they just read the bill (and the surrounding issues) incorrectly. I read the editorial and said to myself, "they aren't reading the same bill the rest of us are reading". -Shabbir J. Safdar * Online Representative * Voters Telecomm. Watch (VTW) http://www.vtw.org/ * Defending Your Rights In Cyberspace Thaddeus J. Beier writes: >Somebody posted this editorial this morning, that includes the >following passage: > >> The Washington Post, March 11, 1996, p. A18. >> >> Security and Software [Editorial] >... >> >> Legislation introduced this month in both the House and the >> Senate would ease the export restrictions while attempting >> to meet some of the government's security concerns. Code >> makers would deposit a "spare key" to any exported >> encryption software with a trusted third-party agency... > >Now, I thought that the bills did no such thing. How could The >Washington Post get this so wrong? > >As I understand it, the bills do not in any way tie export to >key escrow. They mention key escrow only to the extent that >they specify that it is illegal to disclose the keys. > >Why would the paper get this cockeyed? Is it just a screwup, >or are they pushing for a change? > >thad >-- Thaddeus Beier thad at hammerhead.com > Technology Development 408) 286-3376 > Hammerhead Productions http://www.got.net/~thad From gary at kampai.euronet.nl Tue Mar 12 11:42:59 1996 From: gary at kampai.euronet.nl (Gary Howland) Date: Wed, 13 Mar 1996 03:42:59 +0800 Subject: PGP reveals the key ID of the recipient of encrypted msg Message-ID: <199603121020.FAA20726@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- markm at voicenet.com wrote: On Mon, 11 Mar 1996 savron at world-net.sct.fr wrote: > > I began testing PGP a few days ago ( I'm a PGP newbie ) and I found > > that it gives out the key ID of an encrypted message . From this you > > can get the identification of the recipient of the message , if it's > > someone who has publicaly distributed his key (keyserver , homepage > > ...) . So even if you are unable to decode the message you can find > > who is the recipient of a given message . I think this is a big > > privacy problem . > > The recipient of the message is right in the "To:" header of the message. > If you anonymously remail a message, however, only the last remailer in the > chain will know to whom the message is encrypted, but the last remailer can > also just read the "To:" header. I don't find this to be a problem at all. Not everything goes via email, eg. mail exchanges via alt.anonymous. Gary - -- pub 1024/C001D00D 1996/01/22 Gary Howland Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06 - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMUVP2CoZzwIn1bdtAQGlBwF8DxnCbaU1P0pz0TQ7OkuE9kkuSgnf6Ump 3p6Ut328gqJGj7oEza5S78rjBMpHgUej =2Ymx -----END PGP SIGNATURE----- From perry at piermont.com Tue Mar 12 12:04:55 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 13 Mar 1996 04:04:55 +0800 Subject: FCC & Internet phones In-Reply-To: <199603121049.FAA20806@bb.hks.net> Message-ID: <199603121658.LAA01954@jekyll.piermont.com> Gary Howland writes: > Adam Shostack wrote: > > > > Are you willing to play Mallet? Drop IP packets, and look for > > duplicates. Those are TCP. (IPSEC might handle this, but I bet there > > will be broken implementations that save time by resending.) Since the TCP and IP layers are not the same, this won't happen. The retransmit occurs at the TCP layer and the IP layer will re-encrypt with a new initialization vector. > Are you saying UDP protocols don't retransmit un-acked packets? > If not, then you can't be sure the duplicates are TCP. Also true. Plus there are IPSEC transforms being talked about that will put in replay elimination, so I doubt this is going to be a problem. On the other hand, you can detect TCP packets pretty easily by timing them. They will usually follow a nice Van J. algorithm profile. Perry From adam at lighthouse.homeport.org Tue Mar 12 12:13:53 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Wed, 13 Mar 1996 04:13:53 +0800 Subject: FCC & Internet phones In-Reply-To: <199603121049.FAA20806@bb.hks.net> Message-ID: <199603121432.JAA06480@homeport.org> Gary Howland wrote: | Adam Shostack wrote: | > Loren James Rittle wrote: | > | >Most | > | >presumably use a mix of a UDP data connection and tcp for control | > | >functions. | > | | > | OK, everything after the IP header is encrypted. I don't even know | > | which protocol is in use. | > | > Are you willing to play Mallet? Drop IP packets, and look for | > duplicates. Those are TCP. (IPSEC might handle this, but I bet there | > will be broken implementations that save time by resending.) | | Are you saying UDP protocols don't retransmit un-acked packets? | If not, then you can't be sure the duplicates are TCP. Err, yes. Thats the point of UDP; its unreliable and has no acknowweldgement. "The User Datagram Protocol uses the underlying Internet Protocol to transport a message from one machine to another, and provides the same unreliable, connectionless datagram delivery semantics as IP." (Comer, 11.3) Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From frantz at netcom.com Tue Mar 12 12:58:48 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 13 Mar 1996 04:58:48 +0800 Subject: Remailer passphrases Message-ID: <199603121853.KAA28808@netcom8.netcom.com> At 5:43 AM 3/12/96 -0500, Gary Howland wrote: >On Mon, 11 Mar 1996, Gary Howland wrote: >> root access to the system, something like "strings /dev/kmem" could narrow >> the search for the passphrase down significantly. Of course one could >> obfuscate the passphrase by XOR'ing it with 0x80, but that's only security >> through obscrurity. > >Sure, _if_ they were able to gain root access without rebooting the machine, >but the usual scenario is that the filth turn up with black bin liners, not >men from the NSA. The bottom line of all cryptography is that there is something that must be kept secret. Since it must be kept secret, there is always a significant level of paranoia about the means to keep the secret. For example, one could imagine an attacker attaching a logic analyzer to the CPU chip, unloading the on-chip caches and then rummaging thru the system memory for the secret. One of the reasons classical (government) crypto users change keys frequently is to minimize the amount of data compromised by a broken key. We keep hearing about NSA decrypting 20 year old cyphertext and showing more of the workings of the atomic spy rings operating in the 40s and 50s. If an opponent can rubber hose the key, her job is easy. If she has to perform cryptoanalysis, it is much harder. Remailers should regularly change their keys to avoid compromising previously recorded traffic. (They can have a long lived key for signing their traffic keys.) Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From jimbell at pacifier.com Tue Mar 12 14:14:16 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 13 Mar 1996 06:14:16 +0800 Subject: What about PGP? (was Re: Leahy Bill a Move to Slow Crypto Exports as Much as Possible) Message-ID: At 08:04 AM 3/11/96 -0500, Shabbir J. Safdar wrote: >I think this is somewhat skewed. Let's look at our situation now: > > We don't get to export much crypto software. > >The Leahy bill takes us to: > > We get to export lots of software that is "generally available", > "in the public domain or publicly available", or if similar > products exist already in other countries. (That's a lot of > stuff, but it's not the whole enchilada.) This is very debateable. Generally, I've found that the government will always disappoint you, in the implementation of any legislation, "good" or "bad." The "good" gets less good, the "bad" gets more bad. >We want to be at: > > We get to export all crypto software. (I mean legally; I think > we all know that export controls don't work against someone with > enough brains to post news, send mail, or use ftp) > >This is a pretty good improvement in the situation, and will hopefully >pave the way for the "whole enchilada". It's not good strategy though >to criticize this because it's not the ultimate crypto bill. I don't know about others, but _I_ haven't done that. I've made some distinct criticisms that say NOTHING about the extent to which export controls are loosened. (I leave that part of the issue alone because it is being addressed properly, unlike the matters I'm focussing on.) BTW, it has been two days since my first comment to you, however, and you have presumably seen a few more criticisms that I've heaped on a portion of the bill. Your response (or lack of it) is particularly unexpected, because you ought to be interested in defending a positive review of the bill. Sticking your head in the sand isn't a good tactic at this point. > Let's be >honest with ourselves here, this is Congress we're talking about and >this is a pretty bold step. We need to educate them to see the facts >we understand so thoroughly: "What's wrong with this picture"? If this is "a pretty bold step," then my question is, who "on our side" did they consult before they wrote this law? If, as you state, "we need to educate them..." then the implication is that this bill simply popped out without any apparent "ordinary-crypto-user/small-crypto writer-seller" input, right? In that case, we should ask "how [arguably] did they get what we wanted as well as they did?" On the other hand, if they DID get consultation from a number of "our" organizations, why didn't they fix the remaining problems? Here's a totally unsupported hypothesis for your consideration: I speculate that they DID get some input from "our" side, via some confidential arrangement, by some of those same organizations that were falling all over themselves to praise most of the bill. In other words, those organizations were subtly co-opted, although not nearly completely of course. However, those organizations then felt like they had a "hand into" the structuring of this bill, and you know how blind to faults a proud parent can be! Am I getting close to the truth here, Mr. Safdar? Tell me, Mr. Safdar, did you consult a lawyer before you endorsed this bill? Please share with us whatever legal opinions you received which induced you to speak positively about this bill. > that crypto export controls do not work, >endanger our own requirements for confidentiality, and aren't helping >contain this technology in the rest of the world. Then let's take the position that this law CAN be changed! In fact, let's insist on it. >Forcing Congress to have this debate will lay bare these facts and >hopefully embarass the Administration for their absurd policy >approach on encryption. With that limited statement I totally agree. >They say that liberty is seldom lost all at once, but a little at a time. >Regaining it is probably done this way as well. In this case, the >Leahy bill gives us back a mouthful. And the "mouthful" contains enough poison to kill our freedoms. Fortunately, the poison is easily identifiable, and is all in one spot, and should be removeable if we see it in time. So why are these people trying to shove it down our throats? Jim Bell jimbell at pacifier.com From underdog at netcom.com Tue Mar 12 14:16:46 1996 From: underdog at netcom.com (The Underdog) Date: Wed, 13 Mar 1996 06:16:46 +0800 Subject: spy sats In-Reply-To: Message-ID: <199603112208.OAA26091@netcom2.netcom.com> > > Tonight on the Discovery Channel at 10 eastern is a program about > spy satellites. Speaking of which, a huge car-sized Chinese spy sat is supposed to crash down sometime tomorrow with a 1 in 300 chance of hitting land. Joachim From jimbell at pacifier.com Tue Mar 12 14:20:29 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 13 Mar 1996 06:20:29 +0800 Subject: Leahy bill nightmare scenario? Message-ID: At 09:09 PM 3/11/96 -0800, Timothy C. May wrote: >At 11:29 PM 3/11/96, jim bell wrote: > >>Welcome to prison, Tim. Your optimism will serve you well, there. >> >>BTW, it is clear that you haven't yet read Mr. Junger's analysis of the >>bill. Nobody except a government stooge could read that and not wonder why >>anybody would support that bill. A complete re-write is called for. > >A question, Jim: do you _ever_ just respond calmly to a post you disagree >with, or is everyone you disaagree a stooge, a cretin, an agent for the >Feds, or someone who should be disposed of with your "assassination >politics"? What's your definition of "calmly." I'm as "calm" as you can imagine. I simply have not a shred of mercy in me for people who can't accept reality. >Yes, I read Junger's analysis. A nice analysis. What does this have to do >with the points I was making? I'm a government stooge, to use your terms, >because of my points about hotel rooms? Fortunately for me, Tim, and unfortunately for you, a friend of mine visited me last night, an ex-cop who is now a cabbie (he left the force due to an accident, slipping on glare ice chasing a "perp", which caused an inoperable back injury). Being a cabbie (in the same town he was a cop), and very familiar with the "drug" and "prostitute" sections of town, I asked him whether or not he was aware of a hotel or motel ever being siezed by the govt. for "tolerating" drugs and/or prostitution. His reply was that as we speak, he knows exactly where a motel has been closed, locked up, and BARRICADED with _city_ signs and POLICE TAPE (you know the kind, "Police line: Do not cross."). We're not talking of a bankrupty, or a voluntary shutdown, either. His understanding was that this was on the news a while back. Would you like the name and address? I didn't ask him for it, but I'm sure he'll be driving by it again within the next week or so. I accept your anticipated apology, Tim. Jim Bell jimbell at pacifier.com From perry at piermont.com Tue Mar 12 15:14:50 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 13 Mar 1996 07:14:50 +0800 Subject: Remailer passphrases In-Reply-To: <199603121853.KAA28808@netcom8.netcom.com> Message-ID: <199603121951.OAA02237@jekyll.piermont.com> Bill Frantz writes: > One of the reasons classical (government) crypto users change keys > frequently is to minimize the amount of data compromised by a broken key. > We keep hearing about NSA decrypting 20 year old cyphertext and showing > more of the workings of the atomic spy rings operating in the 40s and 50s. > If an opponent can rubber hose the key, her job is easy. If she has to > perform cryptoanalysis, it is much harder. Remailers should regularly > change their keys to avoid compromising previously recorded traffic. (They > can have a long lived key for signing their traffic keys.) Signed Diffie-Hellman key exchanges have the property known as "Perfect Forward Secrecy". Even if the opponent gets your public keys it still will not decrypt any traffic for him at all -- it just lets him pretend to be you. Thats one reason why protocols like Photuris and Oakley use the technique. Perry From rich at c2.org Tue Mar 12 15:26:21 1996 From: rich at c2.org (Just Rich) Date: Wed, 13 Mar 1996 07:26:21 +0800 Subject: anonymous web pages (Was: SurfWatch) In-Reply-To: Message-ID: On Tue, 12 Mar 1996 00:35:38 -0500 (EST) jlasser at rwd.goucher.edu (Bruce Zambini) wrote: >On Sun, 10 Mar 1996, Mark M. wrote: >>From your public html directory, try 'ln -s /etc/passwd passwords.txt'. > >Then add a link to your homepage.... Er, I believe CERN, NCSA, and N*tscape all disallow following symbolic links by default for precisely this reason. There is a follow-symlinks-for-owner-only option that we recently turned on. -rich Institute for Ernst Zundel Revisionism http://www.c2.org/~rich/Press/Swedish/ From stewarts at ix.netcom.com Tue Mar 12 15:27:06 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 13 Mar 1996 07:27:06 +0800 Subject: Your "switchboard" listing Message-ID: <199603120748.XAA09980@ix14.ix.netcom.com> At 05:07 PM 3/11/96 -0500, you wrote: >Ha! Very funny that you have yourself listed as Mssr Thomas Pynchon in >Switchboard's listings. I especially like the mailing address. The punctuation was also interesting.... #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From bdavis at thepoint.net Tue Mar 12 15:28:24 1996 From: bdavis at thepoint.net (Brian Davis) Date: Wed, 13 Mar 1996 07:28:24 +0800 Subject: [noise] Re: Do you feel lucky, punk? In-Reply-To: Message-ID: On Mon, 11 Mar 1996, Black Unicorn wrote: > On Mon, 11 Mar 1996, jim bell wrote: > > > At 05:54 PM 3/11/96 -0500, Black Unicorn wrote: > > 3> At least, that is the position the prosecutors could surely take, > especially given this Supreme Court decision. > > Uh huh. They might also take the position that the defendent is ugly, > and should be convicted. That doesn't make it a legally viable argument. No, we usually go for the more general "I don't like the defendant." EBD Assassination Politics target #xxxx. BTW if I ever start lecturing cryptgraphers incessantly over days with rantings about the technical aspects of cryptography, I hope one of you tells me to shut the fuck up. From unicorn at schloss.li Tue Mar 12 15:29:32 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 13 Mar 1996 07:29:32 +0800 Subject: [noise] Re: Do you feel lucky, punk? In-Reply-To: Message-ID: This will be my last comment on this thread. On Mon, 11 Mar 1996, jim bell wrote: > At 09:59 PM 3/11/96 -0500, Black Unicorn wrote: > >On Mon, 11 Mar 1996, jim bell wrote: > > > >> At 05:54 PM 3/11/96 -0500, Black Unicorn wrote: > >My issue was with your application of the cite and decisions to the > >pending bill. > > You keep saying this kind of thing, repeatedly, but you don't back it up > with a contrary argument. Why not tell me why you didn't cite rules of statuatory construction, or the merit of looking at legislative history? I'm hardly going to spend 4 hours of legal research to rebuke what is a patently flawed "legal" opinion. Long time members of the list will know already that I am quite generous with my legal research when a legitimate legal problem arises. My patience does not extend to upstarts who's knowledge of law is limited to complaining about how legal scholars and Supreme Court Justices have their head up their asses. > >My issue was, again, with regard to your choice of cites, > > Ah! You simply didn't like me using that particular atrocious SC decision > to suggest that we can't trust judges and courts in general! You dismiss 7 learned people quite quickly. I know it's tempting to be superior to them, but as far as I can tell, you haven't even taken a judicial process class in undergrad. > >The "above paragaph," incidently, doesn't even rise to the level of court > >dicta, but is a abstract of dicta by a court commentator. Using such > >authority to back a legal conclusion (especially when applied to an > >entirely seperate legal area) is twisted at best, and dangerous at worst. > > Let's suppose we agree that "George Will" is a "court commentator." Suppose > further that he, more or less, says "this decision sucks." Because it DOES > suck. This illustrates my problem with you, and your writings to the list. This isn't the opinion of a noted legal scholar. It's not the opinion of a renound attorney, or court observer. It's not even the opinion of a law student. The bottom line is that you just don't know what you're talking about. You are wasting the list's time, my time, and, incidently, your time. > than I relate) should be of interest. And most people of ordinary levels of > intelligence can recognize that yes, the decision DOES suck. Excepting 5 surpreme court justices, the prosecution, and hundreds of years of American Jurisprudence. Sure, you're a more legitimate judge of decisions. Really it's just that you don't like the decision, and have latched on to anything to justify your dislike with the illusion of intelligence and knowledge, including a newspaper article in a local paper. And George > Will, who has certainly NOT become successful as a commentator by boring the > reader, understands that this decision is of interest to enough people to > have it occupy one of his columns for a day. What the hell does this have to do with your long stretch in applying it to the Leahy bill? > Remember, one of the basic assumptions that any supporter of the Leahy bill > could be making is that it will be interpreted INTELLIGENTLY by courts. Wrong. The assumption is that the rules of statuatory construction and a long history of weighing legislative history will be used in intrepreting the statute. I could go on for paragraphs about how this basic error on your part demonstrates your misunderstanding of the divisons of labor between the Legislative and Judiciary, and that your really calling for an active Judiciary that disregards law and imposes its own view in the face of obvious legislative intent, and go on longer about the importance of using cannons of construction to insure consistancy, but none of that would change the basic fact that you just don't know what you are talking about, and that arguing with you is like talking to a soap box preacher. You don't really care for logic. If > it is obvious to most of the rest of us that those lunatics can't even make > the correct decision about a woman's half-interest in a common automobile, Your "logic" has become a campaign speech. > The fact that you may not _like_ me bringing up a contemporaneous example > where the SC stuck their collective heads firmly and completely up their > respective asses is irrelevant. If anything, it shows that you feel the law > is and should be above the heads of the average individual, or even the > UN-average, intelligent individual who regularly reads editorials in their > local newspaper. No, I just feel it's probably beyond someone who couldn't name 2 cannons of statuatory intrepretation to rant on for paragraphs about the impact of a supreme court decision on a pending statute. > > Such elitism is disgusting. > I'm not the one calling the Supreme Court a pile of idiots. > > Your appeal (what of it there is) is based > >entirely on skewing meanings, using critiques of dicta, and generally > >applying inflamatory language taken out of context in a manner which suits > >you. I don't think I'm off base calling it "twisted." > > "Inflammatory language"? The real "inflammatory language" occurs every time > a court makes yet another outrageous decision such as the ones you are > weakly attempting (and miserably failing) to defend. I'm not defending the decision at all. Simply pointing out that it's connection to the Leahy bill is non-existant, and that you are a non-entity when it comes to legal analysis. > I notice you don't provide an alternative competing interpretation, either > of my conclusions or those of George Will. So how are we to know what > "twisted" is if you can't clearly show something which is "untwisted"? I'm not interested in the opinion, or Will's explanation of what it meant. I am interested in bringing some sanity to the list by filtering out the fluff and bullshit that results when people who know nothing about legislation or lawmaking proport to be experts. I'm sure you, however, would be quite willing to allow a pre-med student preform your bypass operation. > >Again, its application to the bill is what I question. All of which > >throws your understanding of law, dicta, holdings, jurisprudence, and > >rhetoric into question. What you should have cited was some statuatory > >construction and legislative history cases, not forfeiture law. But how > >could you be expected to know this? > > I chose my example to display the foolishness of the Supreme Court, Considering you have never read the opinion, or the briefs of the respective parties, and are relying on only the (perhaps legal, perhaps not) opinion of a newspaper writer, I think you're on fairly thin ice even without my help. as well > as each and every one of the courts below it that did not properly dispose > of that Bennis case. You find this disturbing. But it's applicable to ANY > law that may someday rely upon a SC decision to overturn or uphold. > Anyone considering supporting the Leahy bill had better understand this. > Naturally, you want to cover it up. You assume I support the Leahy Bill. Quote me. Where do you find my support? Because I think you should be taken with the grain of salt your legal ignorance obviously deserves? I could care less which side you are on, but I'm hardly going to let your ignorance be taken for anything but what it is. > >> What, then, was the point of sending me the note, as well as wasting > >> bandwidth on CP to share your unhappiness? > > > >Distribution of reputation capital (or in this case, negative reputation > >capital). I believe I also wanted to make a point (in 1,200 bytes) about > >the utility (or lack thereof) of your article (10,500 bytes) on this list. > > I'd glad to see you distributing YOUR "negative reputation capital." Why > not do a better job for yourself and make it look like you are actually more > familiar with the legal system than the rest of us are (which shouldn't be > hard, if you have the credentials), and challenge us with an alternative > explanation of the facts I (and George Will) describe? 1> I have often lent my legal expertise to the list. 2> I don't care what you or George Will think the seizure decision means, only that it has nothing to do with the Leahy bill. 3> Challenging you is like falling off a log. > In other words, stop just saying I'm wrong and start DEMONSTRATING it. Why not demonstrate you're right first Mr. Bell? Tell us all how the latest decision will impact Leahy bill in terms a bit more specific than "The supreme court is stupid, so you're going to get screwed." Cite provisions. Show us why the dicta you use is important rather than fluff. What was the holding in the seizure case? Do you even know? It's easy for me to say "The latest Supreme Court Decision is going to make currency ILLEGAL! LOOK OUT! HIDE YOUR DOUGH!" However, this does not mean I can expect every legal expert on the list to spend hours going over the opinion, and refuting endlessly the raving antics of my lunacy. The burden is on the presentor to make the connection. You're logic seems to look mostly like this. There was a court decision. Mr. Will is a popular newspaper writer. therefore Mr. Will is qualified to intrepret the decision. Mr. Will says some disparaging things about the decision. threfore The Decision is BAD. The decision has to do with seizure of jointly owned property. Remailer messages are jointly owned property. therefore the decision must apply to remailers. Since the property in the decision was seized, and since the Leahy bill has something to say about encryption, and since the seizure decision means that the supreme court has their head up their ass, therefore remailer messages and remailers WILL BE SEIZED. If there is a more logical chain here, I'd love to hear it. > you can. Convince us that you're not just an elitist snob I am an elitist snob. Who want's a passive attorney fighting for them? I worked hard for my degrees, my post-graduate work, and the Bar. I think I have earned a bit of ego for my years of hell. If nothing else, I have taken 23 hours more of aba accredited legislation courses from a top 10 U.S. law school than you have. > Jim Bell > > jimbell at pacifier.com --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From unicorn at schloss.li Tue Mar 12 15:29:32 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 13 Mar 1996 07:29:32 +0800 Subject: A lengthy preliminary analysis of the Leahy bill. In-Reply-To: <199603120546.VAA10498@dns2.noc.best.net> Message-ID: On Mon, 11 Mar 1996 jamesd at echeque.com wrote: > At 12:26 PM 3/11/96 -0500, Peter D. Junger wrote: > > (4) the authority and ability of investigative and law enforcement > > officers to access and decipher, in a timely manner and as provided > > by law, wire and electronic communications necessary to provide for > > public safety and national security should also be preserved; > > > This provision of the bill makes the entire bill a worthless > pile of repressive shit, despite all the pious good intentions > in the rest of the bill. Careful here. Note exactly what the bill says: wire and electronic communications necessary to provide for public safety and national security should also be preserved; SHOULD ALSO be preserved. Typically this means that it's not going to be funded by this bill, and that this is just a bit of extra hint as to legislative intent. I will grant you that it's not a nice bit, but it could easily have said "WILL be preserved." Note this clause also does not assign the authority to any agency, or suggest how it might be accomplished. It's a good indicator of where things are going, but in itself, it implements nothing. (Disclaimer: I haven't read the entire bill yet). --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From jimbell at pacifier.com Tue Mar 12 15:52:49 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 13 Mar 1996 07:52:49 +0800 Subject: How would Leahy bill affect crypto over HAM radio? Message-ID: At 05:21 AM 3/12/96 +0000, Deranged Mutant wrote: >jim bell wrote: > >> Even so, it isn't clear that this new law WON'T change the rules under which >> hams operate. An affirmative statement of the right to use encryption would >> seem to pre-empt prior bans, except if there was some sort of explicit >> exception for over-the-air transmissions. After all, the law was written > >I re-read the bill... it notes "wire" communications, as opposed to >all forms. It also allows for previous restrictions to keep in >effect, I think. Perhaps. But I would hope that this bill would also contain protections for good-old-paper storage and communication (as admittedly useless as it may appear) and infrared and radio communication (such as satellite feeds, including uplinks, point-to-point microwave, IR links, PDA (personal digital assistant) links, cell phone connections, cordless phone connections, fiber LANs ("wire" and "fiber" might arguably be legally identical, but I wouldn't count on it) and various forms of electronic and magnetic and optical storage. >Still, the distinction between wire and wireless is not clear anymore >with new technologies. Certainly if enough HAMs pester Sen. Leahy >about this 'oversight' positive changes could be made. I think it's going to take a LOT of pestering. I didn't see a single concern of Mr. Junger that sounded inappropriate, and there are a lot of protections that could be added to this bill if people like him had the opportunity. A substantial load of stuff needs to be REMOVED, as well! All that key-escrow crap, at least with regard to the escrow holder. If key escrow is VOLUNTARY, then the key user and key holder can come to whatever VOLUNTARY agreement they'd care to. The only "key escrow" material that needs to be put into law are unavoidable criminal penalties for GOVERNMENT AGENTS who induce people to violate their contracted obligations, and requirements that any key-user be informed immediately if his key escrow agent is approached on any matter related to his escrow agreement, especially if this approach is done by a government agent. >[..] >> Not that such an interpretation will necessarily be welcomed by some hams: >> Part of the reason for maintaining the ban on encryption would be the fear by >> hams that ham bandwidth will be surreptiously used by commercial services >> masquerading as ham users. Encryption would make such usage difficult to >> detect. > >Interesting point... Hams have been allocated a lot of (now!) very valuable spectrum space. The orginal arguments for that were probably: 1. It's there and we're not using it. (not so true anymore!) 2. Hams drive technology (although admittedly that it's really so true anymore, either.) 3. Hams provide valuable community services, for example in case of emergencies. (still true) But what law giveth, law can also taketh away. A few years ago, a 2-MHz portion of the 220-225 MHz ham ban (220-222 MHz) was taken away and given to UPS, yes, UNITED PARCEL SERVICE. Ostensibly, the reason was that hams weren't using it adequately, a claim which might or might not have been true. Hams "police" themselves and their spectrum space fairly well, because abuse (or merely lack of use!) may lead to the loss of the space. Jim Bell, N7IJS jimbell at pacifier.com From nobody at REPLAY.COM Tue Mar 12 16:43:38 1996 From: nobody at REPLAY.COM (Anonymous) Date: Wed, 13 Mar 1996 08:43:38 +0800 Subject: Bell, Detweiler, Ravings, and Whatnot Message-ID: <199603122041.VAA21453@utopia.hacktic.nl> Timothy C. May writes in answer to jim bell - |Screaming insults at people, resorting to ad hominem attacks on their |personality (such as Jim did with Padgett Peterson), ranting about how |people are fools and worse, and generally foaming at the mouth...these are |behaviors which cause people to be dismissed as jerks, paranoids, and |killfile occuppants. |I have nothing against you, Jim Bell, but you are coming across as a loon, |as someone who clearly needs some kind of anti-psychotic medication. This is not supposed to be an insult?? |You rant, you quote excessively, you dissect short comments with |pages-long diatribes Says the one complaining of jim making ad hominem attacks. From perry at piermont.com Tue Mar 12 17:05:27 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 13 Mar 1996 09:05:27 +0800 Subject: Remailer passphrases In-Reply-To: <199603122027.MAA10600@netcom8.netcom.com> Message-ID: <199603122030.PAA05252@jekyll.piermont.com> Bill Frantz writes: > >Signed Diffie-Hellman key exchanges have the property known as > >"Perfect Forward Secrecy". Even if the opponent gets your public keys > >it still will not decrypt any traffic for him at all -- it just lets > >him pretend to be you. Thats one reason why protocols like Photuris > >and Oakley use the technique. > > Unless I am badly mistaken, these exchanges need interaction, which makes > them unsuitable for simple remailers. Well, actually, you can play similar tricks with El Gamal... Perry From frantz at netcom.com Tue Mar 12 17:56:42 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 13 Mar 1996 09:56:42 +0800 Subject: Remailer passphrases Message-ID: <199603122027.MAA10600@netcom8.netcom.com> At 2:51 PM 3/12/96 -0500, Perry E. Metzger wrote: >Bill Frantz writes: >> One of the reasons classical (government) crypto users change keys >> frequently is to minimize the amount of data compromised by a broken key. >> We keep hearing about NSA decrypting 20 year old cyphertext and showing >> more of the workings of the atomic spy rings operating in the 40s and 50s. >> If an opponent can rubber hose the key, her job is easy. If she has to >> perform cryptoanalysis, it is much harder. Remailers should regularly >> change their keys to avoid compromising previously recorded traffic. (They >> can have a long lived key for signing their traffic keys.) > >Signed Diffie-Hellman key exchanges have the property known as >"Perfect Forward Secrecy". Even if the opponent gets your public keys >it still will not decrypt any traffic for him at all -- it just lets >him pretend to be you. Thats one reason why protocols like Photuris >and Oakley use the technique. Unless I am badly mistaken, these exchanges need interaction, which makes them unsuitable for simple remailers. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From unicorn at schloss.li Tue Mar 12 18:09:08 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 13 Mar 1996 10:09:08 +0800 Subject: Key Escrow: Scholarly Treatment Message-ID: Interested cypherpunks might want to have a look at: "A puzzle even the codebreakers have trouble solving: A clash of interests over the electronic encryption standard," in the most recent issue of Law and Policy in International Business, The International Law Journal of Georgetown University Law Center. Mr. Sean M. Flynn does a fairly good job of outlining the policy issues, even if perhaps he managed to go a bit light on the NSA and miss some of his history re: the marketing of broken systems to the private sector and third world nations, and the mistrust the NSA seems to have earned as a result. I was also disturbed to see him fall into the government's "voluntary standard" trap but still, it's really nice to see a legal note with cites like: See e.g., Bruce Schneider, Applied Cryptography (1994) John Perry Barlow National Security Agency, Recruiting Brochure Unclassified Summary: Involvement of the NSA in the Development of [DES] Marc Rotenberg Whitfield Diffie Jim Bidzos mech at eff.org (I kid you not) Wired and A personal interview with D. Denning Worth the read, nice bit of research, if lacking in the "spirit" of things. --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From jimbell at pacifier.com Tue Mar 12 18:13:36 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 13 Mar 1996 10:13:36 +0800 Subject: How would Leahy bill affect crypto over HAM radio? Message-ID: At 04:21 PM 3/12/96 +0000, Deranged Mutant wrote: >Jim Bell wrote: >But it's more than breaking an agreement. If you voluntarily escrow >your key (as with a corporation) and the holder is bribed to give it >to a competitor, it may be more worth the holder's while to break a >contract for the dollars the competitor may bribe him with. It makes >sense to have some criminal punishments for that. Well, okay, but we've really got to define whose key is being escrowed, anyway. Most corporations will probably handle it themselves, OR they will only give an ENCRYPTED escrowed key to the escrow agent. This would prevent the escrow agent from disclosing the key without authorization. Naturally, this raises the question, "who will escrow the key to the escrow," but then again, I think most individual citizens wouldn't trust anyone else with their key anyway. I think that where it is unnecessary to keep a key, such as a crypto telephone, no such key should be kept, certainly not "permanently." A crypto phone could simply generate a new public key for each phone call, verified with a permanent key to foil MITM attacks (but the permanent key won't be used to transmit actual voice data) and the temporary public key erased and replaced after the call ends. Siezing the telephone would be useless because it would contain no information that would help resurrect the phone call data. >Yes. In all areas of gov't. I'm all for the death penalty for >prosecutors who push for the d.p. on people they know are innocent, >for instance. It'll never happen (at least not in our lifetimes), >but it makes plenty of sense to me. Hey, I'm working on it! I assume you've read my essay... >> 2. Hams drive technology (although admittedly that it's really so true >> anymore, either.) > >Internet to Ham links, though? There's some technical drive there. >It's just plateaued. I look with a little disappointement on packet radio. I tried it once, but at 1200 bps (simplex, and the "real" data transfer rate is far lower than even this number would imply) it simply isn't a practical method of transmitting large quantities of data. Even the more modern 9600 bps packet modems are probably not a lot better. Microwave links can handle far more, but few people are in the right spot for such a link. The main hope, I think, is satellite-based Internet service, perhaps included in something like that DSS service. It could easily handle far more than the current volume for USENET, for example. That's not ham-level territory, however. Few hams do microwave, even fewer do anything other than straight FM or AM. The only microwave thing I've done is build a homebrew 36 GHz Gunn oscillator module, which raises a few eyebrows even among seasoned microwave hams, because not only isn't 36 GHz a ham band (It's Ka band radar, the kind they use for photo radar) few microwave hams dare go above K band (24.125 Ghz) and most stay at X-band. (10-10.5 GHz). >> But what law giveth, law can also taketh away. A few years ago, a 2-MHz >> portion of the 220-225 MHz ham ban (220-222 MHz) was taken away and given to >> UPS, yes, UNITED PARCEL SERVICE. Ostensibly, the reason was that hams >> weren't using it adequately, a claim which might or might not have been true. > >Who did UPS donate campaign funds to? I wish I knew! "Fortunately" (though some hams would disagree) the FCC implemented a Morse-code-less license a few years back, which I hope will bring much larger numbers of hams into the hobby, and I think already has had a serious effect. (I became a ham in 1986, more than a decade after I had all the electronics skills to pass the "technical" section, delayed simply because I didn't appreciate being forced to use an archaic method to transmit data. I finally developed enough ham friends that I felt a bit left out, so I spent a couple of weeks learning Morse. I never use it.) This should have substantially increased the number of hams and their political clout, which should keep the current spectrum allocations secure for a while. Jim Bell jimbell at pacifier.com From WlkngOwl at UNiX.asb.com Tue Mar 12 18:23:10 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Wed, 13 Mar 1996 10:23:10 +0800 Subject: How would Leahy bill affect crypto over HAM radio? Message-ID: <199603122128.QAA19067@UNiX.asb.com> Jim Bell wrote: [..] > I think it's going to take a LOT of pestering. I didn't see a single > concern of Mr. Junger that sounded inappropriate, and there are a lot of > protections that could be added to this bill if people like him had the > opportunity. A substantial load of stuff needs to be REMOVED, as well! All > that key-escrow crap, at least with regard to the escrow holder. If key > escrow is VOLUNTARY, then the key user and key holder can come to whatever > VOLUNTARY agreement they'd care to. The only "key escrow" material that But it's more than breaking an agreement. If you voluntarily escrow your key (as with a corporation) and the holder is bribed to give it to a competitor, it may be more worth the holder's while to break a contract for the dollars the competitor may bribe him with. It makes sense to have some criminal punishments for that. > needs to be put into law are unavoidable criminal penalties for GOVERNMENT > AGENTS who induce people to violate their contracted obligations, and > requirements that any key-user be informed immediately if his key escrow > agent is approached on any matter related to his escrow agreement, > especially if this approach is done by a government agent. Yes. In all areas of gov't. I'm all for the death penalty for prosecutors who push for the d.p. on people they know are innocent, for instance. It'll never happen (at least not in our lifetimes), but it makes plenty of sense to me. [..] > Hams have been allocated a lot of (now!) very valuable spectrum space. The > orginal arguments for that were probably: [..] > 2. Hams drive technology (although admittedly that it's really so true > anymore, either.) Internet to Ham links, though? There's some technical drive there. It's just plateaued. > 3. Hams provide valuable community services, for example in case of > emergencies. (still true) > > But what law giveth, law can also taketh away. A few years ago, a 2-MHz > portion of the 220-225 MHz ham ban (220-222 MHz) was taken away and given to > UPS, yes, UNITED PARCEL SERVICE. Ostensibly, the reason was that hams > weren't using it adequately, a claim which might or might not have been true. Who did UPS donate campaign funds to? > Hams "police" themselves and their spectrum space fairly well, because abuse > (or merely lack of use!) may lead to the loss of the space. An interesting internet analogy can be drawn here... Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From jimbell at pacifier.com Tue Mar 12 19:52:36 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 13 Mar 1996 11:52:36 +0800 Subject: Do you feel lucky, punk? Message-ID: -----BEGIN PGP SIGNED MESSAGE----- [from Cypherpunks] Those of you who are confident that the Leahy bill won't be interpreted to punish innocent people (for example, operators of encrypted anonymous remailers) who are not directly engaged in criminal activity should read the following article, that appeared as the George Will column March 10, in my local paper. Maybe it will give you a healthy dose of REALITY (remember reality, fellows?): "Taking Property from innocents doesn't fit conservative ideals" by George F. Will. In 1827, in a case concerning the forfeiture of a Spanish ship used for piracy, the U.S. Supreme Court held that the owner could lose his ship even if he was not even aware of the use of the ship for piracy: "the thing is here primarily considered as the offender, or rather the offense is attached primarily to the thing." That, and a long line of cases in that vein, is why the court last week said Tina Bennis has no right to compensation for her half-interest in the car she co-owned with her husband John and which was forfeited after he was convicted in Detroit of engaging in sexual activity with a prostitute in the car. The court was divided 5-4 in rejecting Mrs. Bennis' contention that the forfeiture violated her 14th amendment right to due process and her Fifth Amendment right not to have property take without just conpensation. Justice John Paul Stevens, joined in dissent by David H. Souter and Stephen Breyer (anthony M. Kennedy dissented separately), condemned the "blatant unfairness" of punishing an innocent person. And Justice Clarence Thomas, although concurring separately in the opinion written by Chief Justice WIlliam H. Rehnquist and joined by Sandra Day O'Connor, Antonin Scalia, Ruth Bader Ginsburg and Thomas, said that what was done to Mrs. Bennis by Michigan law was "intensely undesireable." Because many governments are increasingly agressive in their use of forfeiture as punishment for prostitution, drug, and other offenses, this decision, although supported by the most conservative justices, should trouble conservatives: it involves conflicts between three things they value- deference to states' legislative judgments, fidelity to precedent and respect for property rights. Bennis made his mistake in 1988 in an 11-year old Pontiac he and his wife had recently purchased for $600. The trial court judge had discretion to order payment of half the sale proceeds to "the innocent co-titleholder," but commented that "there's practically nothing left" after deduction of police, prosecutorial, and court costs." Ginsburg noted that the question at issue was not whether compensating Mrs. Bennis would have been fair but whether compensation was a constitutional right. And Ginsburg's concurring opinion suggests that she would have affirmed such a right had not the car belonged as much to Mr. Bennis as to Mrs. Bennis. Although Mrs. Bennis neither consented to nor knew of the misuse of the car, Rehnquist cited the court's language in a 1926 case, that it is common "for the law to visit upon the owner of property the unpleasant consequences of the unauthorized action of one to whom he has entrusted it." That practice, the court had said five years earlier, is "too firmly fixed in the punitive and remedial jurisprudence of the country to be now displaced." Certainly the court should not casually unsettle what it has firmly fixed. Nor should the court relieve Congress of its role in correcting dubious legal practices. the chairman of the House Judiciary Committee, Rep. Henry Hyde of Illinois, has drafted the Civil Asset Forfeiture Reform Act that would, among other things, strengthen protection of innocent property owners. Still, sometimes the court has had to say, in effect, "Well, come to think about it... ." It took four years of carnage and then the 13th amendment to correct what the court did in 1857 in Dred Scott vs. Sanford. But in other cases the court has tidied up after itself. In 1896 in Plessy vs. Ferguson, the court held that "separate but equal" public facilities segregated by race were compatible with the 14th Amendment's guarantee of equal protection of the laws. Later, the court conducted a protracted retreat from that position. In 1905 in Lockner vs. New York, as in similar cases, the court held that a New York law limiting bakers to a 10-hour workday violatedd teh DUe Process clause. By 1963, Justice Hugo Black could assert that the Lochner doctrint of "substantive due process," that the court can overturn laws it considers unwise, "has long since been discarded." (Actually, it has long since been smuggled into liberal jurisprudence to support a different social policy agenda.) In his obviously uneasy confurring opinion in the court's decision about Mrs. Bennis' car, Thomas says the case "is ultimately a reminder that the Federal Constitution does not prohibit everything that is intensely undesireable." Quite so. So it is time for the political branches of state governments and the federal government to act on the clear signals from Thomas and others concerning the need to protect innocent persons who cannot reasonably be considered culpably negligent concerning the misuse of their property. [end of article] To those suckers who say that they genuinely believe that the operator of an anonymous encrypted remailer will not be subject to criminal or civil penalties for what ends up being the misuse of their system, I would like to re-state a quote from the article above: "Although Mrs. Bennis neither consented to nor knew of the misuse of the car, Rehnquist cited the court's language in a 1926 case, that it is common "for the law to visit upon the owner of property the unpleasant consequences of the unauthorized action of one to whom he has entrusted it." That practice, the court had said five years earlier, is "too firmly fixed in the punitive and remedial jurisprudence of the country to be now displaced." " Does this sound familiar? Doesn't it hit just a bit too close to home? I argue that a person who runs an anonymous encrypted remailer could be clearly claimed to be "entrusting" that "property" to someone else, under the meaning of the above paragraph. At least, that is the position the prosecutors could surely take, especially given this Supreme Court decision. In fact, I would argue that a remailer operator will actually be considered MORE responsible, legally, than Mrs. Bennis: The abuser of _her_ property, Mr. Bennis, was in fact the co-owner of that property, and it is doubtful that Mrs. Bennis COULD have denied to Mr. Bennis, practically or legally, the opportunity to abuse that property. On the other hand, the operator of an anonymous encrypted remailer is, in effect, "giving out the keys" to that remailer (giving authorization to use it) to anyone at any time, with no checking or other specific authorization, to people who have no legal ownership in that remailer. In fact, the system is (at least arguably) helping to cover up after those abuses. If those self-selected people commit crimes using it, who else is responsible? Question: If the Supreme Court is willing to take away Mrs. Bennis' interest in that car under THOSE circumstances, do you really believe that it WOULD REFUSE to allow a prosecutor to decide that the operator of an abused remailer should be prosecuted (or his property taken by government in a forfeiture action)? Frankly, I don't know how rude I must be before reality sinks in to your brains: If you people continue to insist that this Leahy bill won't be abused, you truly do need to wake up before you end up screwing the rest of us "out here." Your foolish endorsements of this Leahy bill play directly into the hands of those who want to ban the EFFECTIVE use of encryption. Go ahead, endorse the bill CONDITIONALLY on the removal of that offending section. But you should make it quite clear that keeping that section should kill the entire bill. You have been warned. Is it any coincidence that we first heard about this Leahy bill much less than a week after the decision that Mr. Will speaks of? Is it possible Leahy was waiting to see if the SC would allow him to misuse the wording of that proposed law? Having gotten the go-ahead, out pops the new bill. As if on cue. "Do you feel lucky? Well, do you, PUNK?" If there are any of you who have doubts as to the need for the "Assassination Politics" idea, I'd say this S.C. decision should clear them up but fast. Anybody out there believe that the decision would have gone this way if we'd all been able to chip in and fix the problem in a few days? Jim Bell jimbell at pacifier.com p.s. especially to Tim May: If the issue wasn't so serious, and their blind support of this bill so obviously misguided, I wouldn't be rhetorically "slapping them in the face" as I'm trying to do here. Klaatu Burada Nikto -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUONFPqHVDBboB2dAQGIMQP/cQ4f7wUm3swBrXFKDgQ+QrzfrKWooDwu 0DVMIS3gRr5AOkXANjXKQmdV0U6Ug2Rf/Wtkh32S8lR+wpizvn9kg7nVhrDLHvKZ pClRAgTFolI5FDctU6J934+XxD5xt83nw15M4yenZAtPDN8OoakMft2cDKUeqEis apuLR5tzyTA= =aPdf -----END PGP SIGNATURE----- From maldrich at grctechs.va.grci.com Tue Mar 12 20:05:49 1996 From: maldrich at grctechs.va.grci.com (Mark Aldrich) Date: Wed, 13 Mar 1996 12:05:49 +0800 Subject: Second mini-AIR report on PGP-Y Message-ID: The following appeared in the latest issue of The mini-Annals of Improbable Research ("mini-AIR"), Issue Number 1996-03, March, 1996, ISSN 1076-500X (a superb sceince journal that comes with my highest recommendation, BTW): ----------------------------------------------------------- 1996-03-05 PGP-Y Ill Advised Reader Andrew Rock has been investigating our foolproof data security protocol, PGP-Y (Pretty Good Parasychology). He intuited this missive to us: "You were ill-advised to release the details of your PGP-Y -- "Pretty Good Parapsychology" protocol on an international mailing list such as mini_AIR. US law prohibits the export of such highly secure transmission technology, defining it as munitions. Your proposal must await government-approved key espcrow [sic] systems rumoured to be under consideration by the NSA. The approved systems will prohibit the possession or transmission of ideas beyond the imagination of government officers. Please do not carelessly put the publication of AIR at risk while I have nearly two years left on my subscription." Investigator Trevor Green and a large team at the University of Saskatchewan have also been laboring in the field. Green reports: "After an initial trial period of PGP-Y within our department, we have had some disappointing initial results. While the transmission rate is nothing short of paraphenomenal, the security mechanism is, alas, not wholly foolproof -- everything worked fine, until my friend Steve started imagining that he was intercepting the telepathically-transmitted data. We are sure that this technical loophole may be overcome but wish to alert your paranormal engineers to the oversight. Meanwhile, I am pleased to report that the credit-card fraud charges against Steve will be settled out of court." ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From jimbell at pacifier.com Tue Mar 12 20:20:16 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 13 Mar 1996 12:20:16 +0800 Subject: How's that again? Message-ID: At 02:38 PM 3/12/96 -0800, Sandy Sandfort wrote: >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > SANDY SANDFORT > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . > >C'punks, > >On Tue, 12 Mar 1996, jim bell wrote: > >> You will notice, I assume, that I have been and can be tactful to most >> people; where exceptions exist, they are typically among anonymous posters >> (such as this "Black Unicorn") ... >> Oh, yes, and I can't forget Padgett Peterson, who has raised spinelessness >> to a new art form. > >Hey, Jim, don't forget me. You are the only person I have ever >specifically UNinvited to one of my parties in over a decade of >hosting same. I guess that makes you special. > > > S a n d y (just another statist apologist) S a n d f o r t You're confused. You're describe YOUR reaction to ME, not MY reaction to YOU. And I am unaware of being invited to a "party," and now that I've discovered what a sleazy person Alan Olsen and his merry band are, it is really doubtful that I would have enjoyed what was advertised as a cypherpunks meeting, but which you now claim was a "party." Your level of "honesty" is showing. From sandfort at crl.com Tue Mar 12 20:21:50 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Wed, 13 Mar 1996 12:21:50 +0800 Subject: How's that again? In-Reply-To: Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Tue, 12 Mar 1996, jim bell wrote: > You will notice, I assume, that I have been and can be tactful to most > people; where exceptions exist, they are typically among anonymous posters > (such as this "Black Unicorn") ... > Oh, yes, and I can't forget Padgett Peterson, who has raised spinelessness > to a new art form. Hey, Jim, don't forget me. You are the only person I have ever specifically UNinvited to one of my parties in over a decade of hosting same. I guess that makes you special. S a n d y (just another statist apologist) S a n d f o r t ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From nobody at REPLAY.COM Tue Mar 12 20:26:14 1996 From: nobody at REPLAY.COM (Anonymous) Date: Wed, 13 Mar 1996 12:26:14 +0800 Subject: ADL_mil (militias and the USAF) Message-ID: <199603122050.VAA21740@utopia.hacktic.nl> ADL Report "The Anti-Defamation League has committed defamation. There is no other conclusion to be reached after reading its new report, The Religious Right: The Assault on Tolerance and Pluralism in America. It is sad that an organization with a proud history of fairness should have descended to this kind of character assassination and name calling."

- Columnist Mona Charen (1)

"In my twelve Senate years I worked with many of the 'Religious Right.' They were active in the cause of Soviet Jewry (many Pentecostals and other Christians couldn't leave the Soviet Union either). They were fervent supporters of the State of Israel and we worked together often. Among the leadership of Conservative Christians I never experienced even a hint of anti-Semitism. Indeed, it was quite the opposite-I am Honorary Vice-Chairman of the ADL. I am proud of that-But in this instance I strongly disagree. From all my experience I know their report to be ill-founded. Regretably it will do more harm than good."

- Former U.S. Senator Rudy Boschwitz, Honorary Vice-Chairman, ADL (2)


Introduction

On June 9, 1994, the Anti-Defamation League of B'nai B'rith, an organization created to fight defamation, released a report that alleges - with shoddy research and threadbare scholarship - that politically active people of faith pose a threat to the survival of American constitutional democracy. The ADL accuses numerous religious conservative organizations and leaders of anti-Semitism and bigotry. In so doing, the ADL itself has committed defamation. The ADL's new definition of "intolerance" apparently is disagreement with its liberal politics.

The ADL report is filled with fabrications, half-truths, innuendo and guilt by association that are reminiscent of the political style practiced by Joseph McCarthy in the 1950s.

Persons of impeccable character and reputation are smeared for dubious reasons or for no reason at all. This style of politics is beneath the dignity of any organization that claims to be dedicated to fighting bigotry.

The response to the ADL report has been dismay from Jews and Christians alike. "Politically active Christians, the ADL concludes, are-well, 'extremist,' 'bogus,' 'conspiratorial,' 'fevered,' 'phony,'...and yes, 'fervent.' Protestant evangelicals are simply de trop, an object of condescension and prejudice," observed William Kristol, former chief of staff to Vice President Dan Quayle. (3)

Columnist Don Feder of the Boston Herald calls the report "an attempted political assassination." Feder adds, "Instead of debating the issues like a gentleman, it stoops to implications of anti-Semitism to discredit a legitimate voice in the values debate." (4)

Beth Gilinsky of the Jewish Action Alliance calls the ADL report "a plainly partisan smear campaign against traditional Christians who energetically - and quite legitimately - advocate what they believe are important moral and social values." She concludes that although "Jewish-Christian friendship will survive the onslaught from the ADL, we are getting rather tired sweeping up after repeated ADL fiascos." (5)

This report specifically addresses those portions of the ADL document concerning the Christian Coalition. First, we will briefly examine the shoddy nature of the ADL's pseudo-research, and the report's heavy reliance on sources of questionable veracity. Second, we will discuss how the Christian Coalition really operates and discuss our true agenda of pluralistic democracy, nonpartisanship and inclusion. We also will discuss in detail the Coalition's nonpartisan voter guides and organizational structure and purposes.


The ADL's Pseudo-Research

The ADL claims its report was the culmination of nine months of research, but it bears none of the signs of a serious research report. It is virtually devoid of specific references to resource materials. (6) The reader is left to simply take it on faith that the ADL's most damning charges are true, which they are not. In fact, much of the ADL's report is simply a retread of materials (some over a decade old) from groups like People for the American Way, Americans United for the Separation of Church and State, the Institute for First Amendment Studies and other groups that long have had political axes to grind against religious conservatives. (7) Most disturbing, the ADL never contacted the Christian Coalition to get its response to their unfounded charges, nor did the ADL try to ascertain the accuracy of many of the quotations used in their report. This is particularly disturbing considering the fact that many of the groups and persons attacked have been! longstanding friends of the Jewish community, the State of Israel and the ADL.

In 1993, in seeking to settle charges that it had violated the privacy of certain individuals, the ADL sought to avoid legal liability by claiming that it enjoyed "journalistic status," making it "similar to any newspaper, magazine, or television station." (8) If so, then the ADL has violated even the most basic principles of ethical journalism.

Had the Christian Coalition or its leadership been contacted for clarification, many of the errors in the report would have been corrected. Instead, the report is filled with gross inaccuracies of fact. Quotations are listed without attribution, while others are listed (incredibly) as coming from the "library of People for the American Way." A quotation from Pat Robertson on church-state separation has no source listed at all. (9) Of 28 quotations attributed to Paul Weyrich, founder of the Washington-based Free Congress Foundation, 22 have no source for the quote. (10)


Numerous Factual Errors

Basic biographical errors abound. For instance, the ADL report says that Christian Coalition executive director Ralph Reed, Jr. once worked as a "campaign staffer for Georgia Rep. Newt Gingrich, former Georgia State Sen. Mack Mattingly and Sen. Jesse Helms of North Carolina." (11) Reed never has been employed on the campaign staffs of any of these individuals. He never was employed by Rep. Newt Gingrich in any capacity. He worked for Students For America, an independent organization, during the 1984 Senate race in North Carolina. He has never been employed by Senator Jesse Helms. He served as an intern for Mack Mattingly in the U.S. Senate in the summer of 1981. Mattingly was a U.S. Senator, not a state Senator, from Georgia.

Reed never made the comment attributed to him by the ADL calling for "a country once again governed by Christians-'."(12) Indeed, when asked on the NBC Meet the Press program in 1992 whether he believed America was a "Christian nation," Reed disagreed. "I think the only difference that I would have with it is - and I should probably preface this by telling you that I began my political career as the executive director of the first Jewish national chairman of the College Republicans in the history of the Republican party - I do think that you have to acknowledge the role that Jews have played and will continue to play, and I think there's a commonality among Jews and Christians on a lot of issues because again, ultimately it's a faith that I think has a lot of common values."(13)

It is not as though adequate documentation of Dr. Reed's views was unavailable to the ADL. As recently as February of this year, the New York Times news service carried an extensive profile that noted, "At the same time, the coalition is making overtures to minorities and Jewish leaders, hoping to bring some diversity to what has so far been a remarkably homogeneous movement." Arthur Kropp of People for the American Way added, "I disagree with [Reed] wholeheartedly, but I don't detect a mean spiritedness in him that you detect in other leaders. There's a political astuteness, perseverance, and intelligence."(14)

The ADL also misspells the name of the Coalition's Director of Legislative Affairs, Marshall Wittmann. This could not have been a typographical error, as Wittmann's name appears incorrectly spelled throughout the report. Cursory fact-checking should have caught this error. (15)

So poorly researched is the report that views attributed to columnist Robert Novak are based on a quotation so badly lifted out of context that its meaning is distorted. In arguing that a "grim" Paul Weyrich, a Washington pro-family strategist, is somehow tied to anti-Semitic individuals, the report quotes Novak as saying, "I am supposed to be the Prince of Darkness, but Paul's the only person who's so tough that he gets hate mail from Mother Theresa."(16) This statement was made by Mr. Novak at a roast in Weyrich's honor held in Washington, DC, on April 1, 1991. Clearly, the remark is offered in jest - but it is lifted out of its proper context by the ADL to distort the true meaning.(17)


Reckless Charges of Anti-Semitism

The ADL report repeatedly suggests that leaders and organizations in the pro-family movement are guilty of anti-Semitism.

Stung by criticism from within the Jewish community, the ADL is backpedaling, and now denies making the accusation. For example, in a response to an earlier Christian Coalition correction of its many factual errors, the ADL weakly claimed, "the ADL does not call the Christian Coalition or any other religious right organization anti-Semitic." (18)

Has the ADL not read its own report? It alleges that "movement leaders have demonstrated a disturbing insensitivity to Jews and Jewish concerns" (p. 2), that its agenda expresses "anti-Jewish and extremist sentiments" (p. 2), that its leaders make "public anti-Jewish pronouncements" (p. 21), that its rhetoric is "reminiscent of traditional anti-Semitic thinking" (p. 22), that its literature is peppered with "anti- Jewish nuggets" (p. 24), that its leaders have "issued a number of pronouncements antagonistic toward Jews" (p. 42), that the movement has been "tolerant of anti-Semitism" (p. 42), that its publications echo "evangelical anti-Judaism" (p. 43), and that its groups conspire with "the nation's leading anti-Semitic propaganda organization" (p. 97). (19)

Had the ADL simply contacted the Christian Coalition and other groups defamed by the report, extensive documentation could have been provided to demonstrate our wholehearted and steadfast opposition to anti-Semitism and bigotry.

In January 1994, Pat Robertson received the highest honor of the Christians' Israel Public Action Campaign at a Jewish-Christian solidarity rally in Washington, DC. At the awards ceremony, Robertson stated, "Those of us who are evangelicals say to those of you who are Jewish, we are your friends. We stand with you and however easy it is, or however difficult it is, you can count on us as your friends, your supporters and your compatriots in a struggle to bring forth the fulfillment of that prophecy, and to make this a better world for all of us to live in." (20)

Robertson also told the Los Angeles Times in 1993, "I am convinced on the political scene that the evangelical churches, the Catholic churches, the Orthodox Jewish people, all of us, will work together." Ralph Reed was quoted in the same story as saying, "We're working very closely with various conservative and orthodox rabbis to try to build a friendship and cooperation across theological lines on family and moral issues." (21)

Robertson has been a major contributor to the United Jewish Appeal, has donated large sums to Jewish charities in Jerusalem, and visited the ADL offices in 1985 to meet with its board of directors. At that meeting, Robertson held hands with then-executive director Nathan Perlmutter and the entire board of directors and the group prayed together for an end to anti-Semitism and intolerance in America. Those present at the meeting report that many were moved to tears.

In January 1994, Ralph Reed visited Israel on a tour sponsored by the Jerusalem Post. He met with former Prime Minister Yitzak Shamir, members of the Knesset, government officials, and the mayor of Jerusalem. Reed's trip was undertaken with the assistance of Jewish leaders in the United States to underscore the Christian Coalition's steadfast support for Israel and Jewish concerns. (22)


Twisting Words Out of Context

One of the most disturbing aspects of the ADL's report is its propensity to lift words out of context so as to distort their original meaning. It does so with reference to the irresponsible charge of anti-Semitism.

Citing an editorial in the Christian American newspaper, the ADL argues that the Christian Coalition believes that "Jews 'both killed the Lord Jesus and their own prophets, and have persecuted us; and they please not God, and are contrary to all men' (1 Thessalonians 2:15)." The ADL dismissively acknowledges that this quotation from the New Testament appeared in an editorial denouncing anti-Semitism, but refers to it as "typical of evangelical anti-Judaism." (23)

In fact, the editorial (titled "Anti-Semitism in the Church") cited the above-mentioned verse from the Bible as an example of Scripture twisted by anti-Semites in the past to justify their bigotry. The editorial went on to say that "the place of the Church is to restore, not to condemn." The column concludes, "Our editorial position has been and remains clear, consistent, and Biblical: we support the State of Israel and we oppose anti-Semitism." (24)

In the same issue of Christian American, another statement condemned bigotry against Jews. "Anti-Semitism is a serious and dangerous thing to take root and grow. Please do not give aid to this monster, and allow it to grow any further." (25)


Reaction from the Jewish Community

Many in the Jewish community have reacted with disbelief to the ADL's assault on Christian leaders who have been among their best friends in the United States. Midge Decter and Elliot Abrams both have begun efforts to refute the biased report by the ADL through newspaper advertisements. Former U.S. Senator Rudy Boschwitz, an honorary vice-chairman of the ADL, has written a letter distancing himself from the report. "In my 12 Senate years, I worked with many of the 'Religious Right.' They were very active in the cause of Soviet Jewry (many Pentecostals and other Christians couldn't leave the Soviet Union either). They were fervent supporters of the State of Israel, and we worked together often. Among the leadership of conservative Christians I never experienced even a hint of anti-Semitism. Indeed, it was quite the opposite-I am honorary vice-chairman of the ADL. I am proud of that-but in this instance I strongly disagree. From all my experience I know their report to be i! ll-founded. Regretably it will do more harm than good." (26)

Marshall Breger of the Heritage Foundation has noted that the report "inferred that the religious right is anti-Semitic, and I don't see how you can make that claim on the record." Marshall Wittmann, director of legislative affairs at the Christian Coalition, says, "This [report] was liberalism and not Judaism speaking." He adds, "It's quite ironic that the ADL, despite all the various anti-Semites out there, would go after people for their political views." (27) Wittmann, who has traveled extensively speaking to Christian Coalition seminars nationwide, recounts that he has "never encountered a whiff of anti-Semitism" among its members. (28)

"The greatest friends the State of Israel has in America are the Christian conservatives," said Herbert Zweibon, chairman of Americans for a Safe Israel. "And [the ADL] is telling this community to get lost?" Zweibon added that the ADL, founded in 1913 to combat anti-Semitism, had "gone off track" and "adopted a liberal political agenda that has nothing to do with its mission." The ADL, he concluded, "does not represent the views of most American Jews." (29)


Opposing David Duke

The ADL frequently resorts to the very same kinds of guilt-by-association lines of argument patented by virulent anti-Semites. One of the most egregious examples occurs in its allegation that Pat Robertson and Christian Coalition board member Billy McCormack gave aid and support to former klansman and neo-Nazi David Duke's Louisiana senatorial bid in 1990 and his gubernatorial bid in 1991. The allegation is not true.

The report says McCormack helped to table a 1990 censure motion against Duke in the Louisiana Republican Central Committee, implying that McCormack supported Duke's racist views. (30) This is inaccurate.

Rhett Davis, who served as Congressman Clyde Holloway's campaign coordinator in the 1991 gubernatorial campaign, says the following about McCormack's role:

"Months before Congressman Holloway formally announced his candidacy (though David Duke had already announced), Mr. Billy McCormack of Shreveport contacted me on numerous occasions expressing his strong feeling that we needed to convince Congressman Holloway to run because no other candidate was acceptable- .

Mr. McCormack and his friends statewide began a concentrated effort to help our campaign. Mr. McCormack was very effective, and ultimately provided the margin of victory for Holloway at the Republican State Convention." (31)

Davis also noted that McCormack brought Robertson to Louisiana to campaign against Duke in October 1991, and Robertson appeared in Baton Rouge, Lake Charles, and Shreveport at fundraisers for Holloway. (The trip was paid for by the Holloway for Governor campaign and Robertson appeared in his capacity as a private citizen.)

"Additionally," Davis continued, "please note that the effort to kill a move to censure Duke-was actually led by the anti-Duke forces, fearing such a move would not hurt him, and might indeed backfire like other, similar moves." (32) Other press accounts have similarly noted that the resolution was tabled to "deprive Duke of additional publicity." (33)

In November 1991, after Clyde Holloway (the favored candidate of religious conservatives) failed to make the run-off election for Governor, pro-family activists faced a dilemma. Edwards was an advocate of legalized gambling, liberalized pornography laws, and abortion. Duke - though conservative on these issues - held anti-Semitic and racist views that are anathema to religious conservatives.

How did religious conservatives react to this dilemma? In the ADL's green-spectacled fantasy, "Robertson displayed indifference to Duke's racist record, despite the fact that the national Republican Party-had repudiated and condemned the arch-bigot more than a year earlier." The ADL report gravely intones that Robertson "never denounced Duke during Duke's subsequent Louisiana gubernatorial bid- ." (34) That is an irresponsible statement for which the ADL should issue a retraction and an apology.

On November 13, 1991, Robertson denounced Duke on his 700 Club program before the run-off between Edwards and Duke. His words were unambiguous:

"You don't get converted one day and run for governor the next. And especially the fact that there was apparently a falsehood about his-service- it does not exist, apparently. And furthermore, he claims to be a member of a church that doesn't exist as well. There are a few little inconsistencies. Plus there's some really bad stuff in his background- . And it's very dangerous in America to foster hate, and racial hatred, hatred of Jews, bigotry - that kind of thing. It is something we just don't need in this country." (35)

Duke lost a campaign which he had led in many polls just weeks prior to the election. Many observers noted that Robertson's statement - strategically timed a few days before the run-off for maximum impact - might have made the difference by depressing Duke's support among white evangelical voters. Many other organizations and leaders adopted a more low-profile tactic in opposing Duke. (36) But Robertson boldly and publicly spoke out. Instead of praising Robertson for being the most prominent evangelical Christian figure in America to denounce Duke and prevent his election, the ADL smeared him with a falsehood.


Conspiracy Theories of the Left

The ADL is obsessed with the notion that Christian conservatives engage in so-called "stealth" activities that disguise their agenda. It relies heavily on bizarre theories like those propagated by People for the American Way and Skipp Porteous, a Massachusetts-based conspiracist-cum-propagandist who specializes in spreading falsehoodsand innuendo about religious conservatives.

By combining forces with paranoid conspiracists on the left, the ADL suggests that the distribution of nonpartisan voter guides by Christian organizations amounts to a subversion of democracy. The report asserts that "the policy of Robertson's Christian Coalition has often been to hide its election activity." (37) It falsely claims that the Coalition "acknowledges having used [stealth tactics]." It compares volunteers in churches who educate voters with "Tammany's ward heelers and the old Democratic machine in Chicago." (38)

The ADL report asserts, "The Coalition participated in the ground-breaking November 1990 elections in San Diego County in which 60 of 88 candidates associated with religious right groups were elected to office - an event that came to be known among the religious right and its critics as the 'San Diego model.' " (39)

This statement is false. The Christian Coalition played no part in the 1990 San Diego school board elections. At the time, the Coalition barely had been in existence a year. It had no state affiliate in California and no chapter in the San Diego area. The Coalition neither practices nor endorses the "stealth tactics" the ADL claims.

Contacted by the Los Angeles Times after the election, Ralph Reed of the Christian Coalition made it clear that his organization had nothing to do with the campaign. He noted that while the tendency of candidates to campaign in churches might have been an effective strategy, it probably would backfire if the candidates had not gained broad support for their views in the electorate.

Reed made these remarks in his capacity as a political analyst. He did not condone, endorse, or participate in the strategy. The Times misquoted Dr. Reed, a fact that the ADL could have discovered with a more thorough search of newspaper accounts on the subject. (40)

If the 1990 San Diego School Board races are a "model," as the ADL alleges, what were they a model for? The fact is that this strategy failed in San Diego - many of the candidates who used them were defeated in 1992 - and it never has been replicated again.

The ADL report fails to mention a single other community in the nation where the strategy has been used. It alludes to an undocumented charge by Skipp Porteous that such a strategy was undertaken in Williamsville, New York, but provides no evidence and names not one candidate who employed them. (41) In fact, the incident in Williamsville never happened. Jeff Baran, executive director of the Christian Coalition in New York, made this clear. "I can assure you that, while I have had a few conversations with Porteous in the past, none have ever contained talk of running candidates of any kind, let alone 'stealth' candidates. As is our policy, we have not engaged in partisan politics in Williamsville or anywhere in New York- ."(42) Apparently San Diego was not a "model" at all, just a threadbare scare tactic whipped up by conspiracy theorists like Skipp Porteous and People for the American Way.


Guilty of Democracy

The ADL seeks to tar the name of Christian Coalition by finding the organization guilty of commiting democracy. Through nonpartisan voter education efforts, Christian Coalition informs voters where candidates stand on a broad range of issues, and encourages voters to go to the polls and cast their ballots for the candidate of their choice.

Christian Coalition leaders have repeatedly disavowed so-called "stealth tactics." They always have been accessible to the press, open to the public, and have pursued a policy of honesty and rectitude in their voter education activities.

Ralph Reed told the Washington Times, "We don't encourage in any way people to run for office at any level and misrepresent their position on any issue. We believe pro-family candidates should run unapologetically on who they are and what they believe because the public shares their viewpoint." (43)

In an appearance on CNN's Crossfire, Reed specifically denounced the so-called stealth strategy:

Reed: We're working on behalf of choice in education.We're working to increase the standard deduction for children. We're working to decrease the tax burden on the American family. It's a mainstream agenda for a mainstream America. Eighty percent of the American people want prayer in school, 75 percent are opposed to abortion as a form of birth control, and two out of three want choice in education.

Sununu: Ralph, let me ask you this. If those statistics are valid, and I think they are, then why-the stealth candidate strategy that you're getting criticized about?

Reed: We don't, John. We don't encourage that. We don't teach it. We don't promote it. What we think is that, because our values are held by the vast majority of Americans, go out there and articulate what you stand for, and you'll draw the people to you. That's what Ronald Reagan did, and that's what we want to do. (44)

Coalition founder Pat Robertson has been equally clear: "People can say anything they want to, but it's not the policy of the Christian Coalition nationally to hide anything. We want to bring out the truth, not hide it. We want to know what people stand for." (45)


As Ralph Reed argues in his forthcoming book:

"We do not advocate electing officials by depressing voter turnout or taking advantage of historically low voter participation. Some have inaccurately charged that religious conservatives hide their religious affiliation, conducting "stealth" campaigns in which they eschew public forums and campaign exclusively in churches. The opposite is true. The Christian Coalition, for example, distributes millions of nonpartisan voter guides that inform voters on where all the candidates stand- .We want a more open airing of who the candidates are and what they believe. Pro-family candidates win at the ballot box because of their views, not in spite of them. They are elected precisely because of who they are and what they believe." (46)


The New York City Mode

If the ADL was looking for the real model of Christian Coalition activity, it would turn to the place where ADL's headquarters is located: New York City. In 1993, Queens school board member Mary Cummins led a protest movement against then-New York City School Chancellor Joseph Fernandez' imposition of the "Rainbow Curriculum," a multi-cultural course that included instruction on the gay lifestyle to students as young as six years old.

A local Christian Coalition chapter was organized, coincidentally, about the same time Cummins raised her voice. The Coalition's New York City coordinator made contact with Cummins, and over the next two months the Coalition, in cooperation with the Roman Catholic Archdiocese of New York, The Congress Of Racial Equality (CORE), The National Committee For the Furtherance of Jewish Education, and the Family Defense Council, supported her reform efforts by distributing 550,000 nonpartisan voter guides in 1,300 churches and synagogues.

Catholics, Hispanics and Jews joined the Christian Coalition to distribute more than 500,000 nonpartisan voter guides prior to the New York City School Board races. In addition to church and synagogue distribution, Christian Coalition voter guides were passed out at union halls, polling places and family events. The guides informed voters where 540 school board candidates stood on a broad range of issues, including school choice, voluntary prayer, merit pay for teachers and parental rights. The guides endorsed no candidates and were used for voter education. In a far-reaching show of support, Cardinal John O'Connor allowed the distribution of voter guides in 300 Catholic churches, a move that opened the door to ongoing Catholic/evangelical cooperation.

As a result of Christian Coalition's voter education campaign, voter turnout reached the highest level in 20 years. Approximately 450,000 voters went to the polls, and 60 percent of 130 pro-family candidates won election. Ten city school boards had solid pro-family majorities. Among the new board members: Linda Garcia, a Hispanic mother who won election in Manhattan's Lower East Side. Cummins and her allies were re-elected in Brooklyn. Fernandez was removed from his post. (47)

The Coalition's efforts in New York were the subject of ongoing press coverage from the beginning, and virtually every significant development was reported in detail. The Coalition held numerous news conferences in New York during the campaign to announce its activities. Indeed, when the New York Times and the New York Post listed which candidates they preferred in the contests, they did so based on information derived from the Coalition's well-documented voter guide. (48) So much for "stealth."

Reed told the New York Times during the campaign: "We're simply encouraging people of faith, of all religious traditions, including people of the Jewish and Roman Catholic faiths, to be informed voters." (49)


Another Distortion: The Phantom Manual

Seeking more fodder for its conspiracy grist mill, the ADL repeats the tired and false accusation that the "1992 Pennsylvania Christian Coalition's 'County Action Plan' directed" members to "never mention the name Christian Coalition in Republican circles." (50)

To state the obvious, Christian Coalition's activities within the GOP are a matter of public knowledge, especially given extensive news coverage of the last several years. With Democratic consultant Bob Beckel calling politically active evangelicals "Nazis," Mark Shields referring to them as the "American equivalent of Shiite Muslims," and Jocelyn Elders attacking them, it is difficult to see how the ADL can think that anyone is unaware of Christian involvement in the Republican party.

In fact, the manual the ADL cites does not exist. The "County Action Plan" was a draft prepared by a local volunteer. It was submitted to the national office and rejected as inconsistent with the Coalition's policy of openness and inclusion.

As Ralph Reed directed in a letter on October 7, 1992, to the executive director of the Pennsylvania chapter:

"There are several problems with the manual-It directs Christian Coalition members not to mention their affiliation with the Christian Coalition in party circles. That is not our policy- .This manual, in its current form, does not have the authorization or imprimatur of the Christian Coalition. Please retrieve all copies- ." (51)

The ADL need only have contacted the Christian Coalition and its staff would have gladly provided a copy of the letter. As it is, the ADL has repeated a false allegation about a manual that does not exist. In fact, the ADL barely mentions the legitimate and extensive Christian Coalition training materials, such as its 256-page Leadership Manual, which states the official policy of the organization.

Indeed, the Leadership Manual clearly urges pro-family citizens to be open, honest and up front about their views and beliefs:

"First, do not limit your campaign to just churches and the Christian community. As a supporter of family values, your positions on issues affecting the family are the same as a majority of the voting public. Do not be shy in declaring that your stands on the issues are based on principle- ."

"Do not use so-called 'stealth' tactics. In the past, some candidates have focused their campaigns on the churches and have not reached out to the general electorate. In the long run, this strategy is unsuccessful- .Working in the churches alone will not result in lasting success." (52)


A Nonpartisan Coalition

Christian Coalition's get-out-the-vote efforts are nonpartisan, contrary to the ADL's assertions. The ADL repeats partisan claims by the Democratic National Committee, which recently has launched an orchestrated campaign of bigotry against people of faith in the political arena. It mentions specious complaints that the DNC has filed with Federal Election Commission. It fails to mention that both the FEC and the IRS have found the Christian Coalition's nonpartisan voter guides in full compliance with the law.

The ADL conveniently ignores the fact that every complaint filed by the Democratic Party against the Coalition has been resolved in favor of the Christian Coalition, most notably a 1990 complaint that advertisements opposing taxpayer-funding of pornography constituted "express advocacy" on behalf of specific candidates. The FEC found that the advertisements were entirely consistent with the Christian Coalition's status as a nonpartisan issues organization. (53)

The ADL also fails to mention the fact that the Coalition has engaged in voter education activities in a number of Democratic races. For example, in the spring of 1994 in Houston, Texas, the Coalition distributed voter guides in a campaign in which Beverly Clark, an African-American, pro-life Democrat, ran in a congressional primary. "The Christian Coalition distributed nonpartisan voter guides in over 100 black churches and made thousands of nonpartisan get-out-the-vote calls to African-American voters from grassroots phone banks." (54) Clark forced Ken Bentsen, nephew of the Treasury secretary and former Texas senator, into a run-off.

A voter guide distributed for the April 12 Democratic run-off listed Clark's and Bentsen's stands (labeled "supports" or "opposes") on ten public policy issues. The answers were provided to the Coalition in response to a candidate survey. Those issues were: "Increased income taxes; balanced budget amendment; abortion-on-demand; taxpayer funding of abortion; voluntary prayer in schools; mandatory sentences for violent crimes; homosexuals in the military; parental choice in education (vouchers); federal government control of health care; 'workfare' requiring able-bodied welfare recipients to work or get job training." (55) The Coalition distributed a similar voter guide in a Mississippi Democratic congressional primary in 1994.

In Cincinnati, Ohio in 1993, pro-family activists supported Charles Winburn, an African-American pastor of the Kingdome Church, in his run for the city council. Winburn, a registered Democrat, graduated from a Christian Coalition training school and campaigned for welfare reform and school choice. (56)


Reaching Out to Democrats

The Coalition's 1994 Congressional Scorecard, which lists Senators' and Representatives' votes on a wide range of issues affecting families, makes no distinctions based upon party affiliation. Representative Charles Stenholm, (D-TX) scored a 100-percent rating on the Christian Coalition Scorecard. Representative Pete Geren, (D-TX) scored a 93- percent rating, as did Representative Gene Taylor, (D-MS). Some of the Democrats who have spoken at Christian Coalition events in recent years include: state Representative Roger Byrd (D-GA), Duval County (FL) School Board member Stan Jordan, Beverly Clark, Charles Winburn, and State Representative Woody Jenkins (D-LA). (57)

A number of other Democrats received high ratings on the Congressional Scorecard. Sen. Richard Shelby (D-AL), for instance, agreed with Coalition positions on 71 percent of the surveyed votes. Representative Jimmy Hayes (D-LA) scored 86 percent. Representative Sonny Montgomery (D-MS) rated 71 percent, as did Representative William Lipinski (D-IL). Representative Matthew McHugh (D-NY) had a 93-percent rating.

The Christian Coalition Scorecard highlighted Senate votes on such issues as: tax incentives for families; balanced budget amendment; taxpayer-funded abortions; Joycelyn Elders' nomination for surgeon general; term limits for Congress; and condoms for school children without parental consent. House votes included: cutting government waste; parental notification for abortion; abstinence-based sex education; lifting the ban on fetal tissue research; criminalizing pro-life speech. Each vote is factually described. (58)

The 1994 Congressional Scorecard clearly states that the listing of these votes on issues affecting the family does not imply an endorsement for office or a commentary on the personal faith of the elected official. "This Scorecard is for informational purposes and is not intended to influence the outcome of any election," the Scorecard reads. "Christian Coalition does not advocate the election or defeat of any candidate, and does not endorse any political party. Scores in this Scorecard are not to be taken as a commentary on the personal faith of individual members of Congress. The information in this Scorecard is provided as a tool to help you more effectively lobby your Congressman and two Senators on issues before the 103rd Congress." (59)

The Coalition's Scorecard and voter guides are little different from the informational ratings issued by the AFL-CIO, Americans for Democratic Action, American Conservative Union and numerous other organizations. The Coalition simply provides to voters - of all political persuasions - what they richly deserve: reference tools that show how their elected representatives in government stand on issues of concern to families.


How the Christian Coalition Works

The ADL complains that Coalition members play a major role in some state and local party organizations because they are the most energetic participants. What is wrong with citizens taking part in the political process? The ADL takes issue with religious conservatives who are simply exercising their rights of citizenship.

The Christian Coalition's Leadership Manual provides members with nuts-and-bolts information on the electoral process, from how to organize a local chapter and requirements for Christian Coalition affiliation to how to conduct a voter canvass.

The Coalition's purposes, as outlined in the manual, are as follows:

  1. To represent Christians before local councils, state legislatures and the U.S. Congress.
  2. To train Christians for effective political action.
  3. To inform Christians of timely issues and legislation.
  4. To speak out in the public arena and the media.
  5. To protest anti-Christian bigotry. (60)

"Your job as a Christian Coalition leader is to identify the Christian vote and get it to the polls," the manual says. (61) In this sense, the Coalition's mission is no different from the League of Women Voters, the National Organization for Women, NARAL, the AFL-CIO, or Jesse Jackson's Rainbow Coalition, which has registered hundreds of thousands of African-Americans to vote.

The Coalition's policy stances are rooted in faith - as were America's founders, who spoke of the people of this nation as being endowed by their "Creator" with "certain inalienable rights." As Reed said on NBC's Meet the Press: "The apostle Paul told the early Christians to render unto Caesar the things that are Caesar's and to exercise their civic responsibility. And what we're saying is that in a democracy, when you render unto the government that which is due it, that means your vote, your informed participation and your involvement." (62)


Personalizing Public Policy Differences

The ADL apparently regards grassroots democracy as a threat to, in its words, "tolerance and pluralism." In fact, the Coalition and the ADL simply disagree on public policy issues. The Coalition does not support taxpayer-funded abortion as a form of birth control. Neither do 87 percent of the American people, according to a recent survey. But the ADL equates a pro-family, pro-life position with intolerance. Indeed, Abe Foxman, executive director of the ADL, even charges that supporting the sanctity of innocent human life creates "hostility" in which "tolerance and pluralism inevitably plummet." (63) To equate one's public policy views with "tolerance" and impugn one's political foes as opposed to "pluralism" is intellectually dishonest.

The Christian Coalition believes students should be allowed to exercise their First Amendment right to free speech, including speech of a religious content. The ADL says this somehow violates the separation of church and state. If so, it may have a dispute with President Clinton as well. In a town hall meeting in Charlotte, North Carolina, in April 1994, Clinton stated his view that voluntary prayer does not violate the Constitution: "Now, it's been carried to such an extent now where they say, some people have said you can't have a prayer at a graduation exercise. I personally didn't agree with that. Why? Because if you're praying at a graduation exercise or a sporting event, it's a big open air thing, and no one's being coerced."

"I do not agree that people should not be able to freely pray and to acknowledge God. We have a chaplain in Congress, in the Senate and the House." (64)

Does the ADL believe that President Clinton is undermining pluralism by his opposition to the Lee v. Weisman decision of 1992 that bans high school graduation prayer? His position is identical to that of the Christian Coalition.

We may believe the ADL is wrong about some policy issues, but unlike the ADL we do not question their right to hold such views or their commitment to pluralism. And we stand arm-and-arm with the ADL in giving no quarter to anti-Semitism or bigotry of any kind.


Partisan Attacks

Unfortunately, the ADL report has become part of a highly partisan campaign against religious folk launched by the national Democratic party. By lending its name to this campaign against people of faith, the ADL risks being viewed as an organization driven more by partisan politics than Jewish concerns.

In August 1993, the Washington-based National Jewish Democratic Council held a conference to organize a 40-group coalition to oppose Christian conservatives. Among the participants were Arthur Kropp, president of People for the American Way, and Clinton Cabinet members Federico Pena and Donna Shalala. (65)

Throughout 1993, Lieutenant Governor Don Beyer of Virginia ran a particularly vicious, bigoted campaign against Mike Farris, the Republican candidate for lieutenant governor. Beyer used materials supplied by People for the American Way which accused Farris of seeking to ban books such as The Wizard of Oz. The Washington Post concluded that the charges were false. Michael Barone of U.S. News and World Report said that the allegation against Farris "unfairly distorts and ridicules" his views. (66)

In June of 1994, just days after the ADL released its report, Representative Vic Fazio (D-CA), chairman of the Democratic Congressional Campaign Committee, launched a new attack on religious conservatives, calling them "fire-breathing fanatics." The Democratic National Committee even has set up a bulletin board on Compuserve called "Radical Right," which contains speeches and other party documents designed to assault Christians.

U.S. Surgeon General Joycelyn Elders gave a speech in New York City within weeks of the ADL report's release in which she referred to religious folk who are conservatives as "un-Christian." This was a clear assault on the deeply-held religious beliefs of millions of Americans. All 44 Republicans in the Senate condemned this act of arch-bigotry in a letter to President Bill Clinton, and 87 members of the House of Representatives called for Elders' resignation. (67) What was the ADL's reaction to this act of defamation? Thunderous silence.

The ADL, once a respected civil rights organization, has aided and abetted a campaign of intolerance against people of faith with whom they disagree politically. Instead of calling the Democrats to task for dividing Americans based on where they go to church or synagogue, the ADL has cast its own stones.

"It's an old thing in politics," said Representative Dick Armey of Texas, "Whenever you are trying to get people's attention, you create a monster out there. So, they are looking for a bogeymen, and they are hyping the story that the Republican Party is being taken over by a bunch of extremists." (68)

"We are in a race between civilization and catastrophe," former Education Secretary Bill Bennett said of the campaign against religious conservatives. "We have record murder and violent crime rates, huge increases in births to unwed mothers, educational decline, broken families, and a president who has established a record of broken promises. All of this, and we are told that the very religious are what we must fear. Religion is on the side of civilization; more people ought to begin to realize it." (69)


The Separation of Church and State

The ADL report is full of accusations that the Christian Coalition does not support the separation of church and state. Its sources include undated flyers passed out at conferences and quotations lifted out of context - as well as more unreliable pseudo-scholarship by Skipp Porteous. It also features attacks on David Barton, a Texas-based scholar who has argued that many of America's founders were sympathetic to Christian values. Most of Barton's work extensively documents writings of the nation's founders.

The truth is that there is a lively debate about the role of religion in public life and the meaning of the First Amendment. The Christian Coalition supports the Establishment clause prohibiting a state- sponsored church. It does not support attempts to use the establishment clause to stifle the free speech rights of Christians, Jews, Muslims, native Americans, or anyone else.

That is why the Christian Coalition supported the Religious Freedom Restoration Act of 1993, which overturned the Supreme Court's 1990 decision in Employment Division v. Smith. In this decision the Court discarded the "compelling state interest standard" criteria for judging whether laws violated rights to free exercise of religion. The ADL strongly supported this legislation as well.

In the same spirit, the Christian Coalition supports free speech rights for children in public schools. While we oppose mandatory prayers composed by school officials, we believe voluntary, student-initiated prayer is consistent with First Amendment rights to free speech. While disagreements over First Amendment issues abound, it is disingenuous to suggest that those who would allow religious speech in public schools are ipso facto opposed to church-state separation. The ADL quotes Pat Robertson as arguing that the "separation of church and state" is a "Soviet concept." This quotation is lifted out of context. Robertson merely noted that the term "separation of church and state" does not appear in the U.S. Constitution, which is a statement of fact. The First Amendment specifically reads: "Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof."

Robertson is a strong supporter of the First Amendment. For example, during his 1988 presidential campaign, Robertson stated: "I believe absolutely in the separation of church and state." (70)

In 1991, he said on Larry King Live, "I think it [the separation of church and state] is far better. You look at Europe where they have established churches and they are really dying out. We have a much healthier church here in America, free from government money- .But I don't think the Constitution requires government to be opposed to religious faith."(71)

Robertson's words echo those of William O. Douglas in Zorach v. Clauson (1952). "We are a religious people whose system of government presupposes a Supreme Being," argued Douglas. There was, he added, "no constitutional requirement which makes it necessary for government to be hostile to religion and to throw its weight against efforts to widen the effective scope of religious influence." (72)

For most of America's history, church pulpits flamed with sermons about social injustices ranging from slavery and racism to poverty and the liquor trade. No one suggested that these activities posed a threat to the separation of church and state. Americans always have resisted the notion of a national religion, but embraced faith-based political movements as an essential counterbalance to social injustice and government encroachments on liberty.

This is the view of the Christian Coalition. As Ralph Reed argues in his forthcoming book: "None of this adds up to the conclusion that America is a 'Christian nation' in the sense of a theocratic state or a unicultural society. That not only ignores the enormous contribution that Jews have made to America, but it is something of an anachronism. It makes just as much sense to say that Massachusetts is a Puritan colony or that Maryland is a Catholic state." (73)

Reed adds, "What religious conservatives want is to accommodate the historic role of faith in American civic life. In short, they seek to restore the time-honored tradition of civil religion - not to establish Christianity by law or to create an official church." (74)

"Our agenda, ultimately, of the Christian Coalition, isn't about theology," Reed said on ABC Nightline recently. "It is about public policy. We are trying to get public policy that is more family-friendly. And we think lower taxes, smaller government, and government that lives within its means is more family friendly." (75)


Conclusion

The supreme tragedy of the ADL report is there is a resurgent anti-Semitism across the land emanating from sources as wide-ranging as the Ku Klux Klan, former Farrakhan lieutenant Kahlid Abdul Muhammad (who called New York city "Jew York City"), David Duke, and some opponents of the Israeli lobby. But an inaccurate, biased, and politically motivated report like the recent ADL offering undermines efforts to combat anti-Semitism. By crying wolf, the ADL endangers its credibility at a time of rising bigotry and a period of extraordinary delicacy in the Middle East peace process.

In response to criticism of its report, the ADL has refused to back off, though it has engaged in some strategic public relations backpedaling. (76) For its part, the Christian Coalition will continue to combat anti-Semitism and religious bigotry in all its ugly forms. It is willing to seek common ground with Jewish organizations on issues of mutual concern. The Christian Coalition never will waver from its steadfast defense of the Jewish people and the nation of Israel, though it has been unfairly attacked by the ADL.

"The Jewish community should recognize the depth of religious faith among Christian evangelicals and treat the Religious Right with tolerance and respect," urges Marshall Breger of the Heritage Foundation. (77)

The ADL has displayed neither tolerance nor respect. Instead, it has engaged in a partisan campaign of innuendo, half-truths and outright falsehoods.

Sadly, the ultimate losers are not the ADL's constituency, but all of us, for we desperately need a legitimate watchdog to combat bigotry. The Anti-Defamation League has committed defamation, not only against religious conservatives, but against its own stated purpose.

We earnestly hope the ADL returns to its time-honored and vital role of ensuring that intolerance has no place in our civic discourse. For our part - despite the unfair and shoddily researched attack by the ADL - we will remain vigilant in seeing that anti-Semitism and bigotry does not rear its monstrous head in our society.


END NOTES

1. Mona Charen, "ADL Playing Upon Old Fears?"Washington Times, July 7, 1994, A17.

2. Boschwitz Op-Ed submitted to the New York Times July 25, 1994.

3. Sam Skolnik, "ADL Takes Heat for Criticizing Christian Right,"Washington Jewish Week, June 30, 1994.

4. Don Feder, "ADL Attack Discredits Organization," Boston Herald, June 16, 1994.

5. Beth Gilinsky, letter to the editor, New York Post, July 13, 1994 (original in possession of author).

6. An "annotated" bibliography provides few specific references. For sources on the Christian Coalition, for example, the ADL provides vague clues such as this: "The Los Angeles Times provided a comprehensive account of San Diego by Barry Horstman (March 22, 1992), and generally offers reliable West Coast coverage; the Norfolk Virginian-Pilot, The Freedom Writer, Group Research Report, People for the American Way's occasional reports and the group's monthly, Right- Wing Watch, were consulted frequently." Thus, the reader is supposed to take it on ADL' s word that its sources are reliable and that the quotations in the ADL report are accurate. Without specific listings of sources it is impossible to check many of its assertions.

7. Acknowledgments in the ADL report include, in addition to those already mentioned: Project Toscin, Coalition for Human Dignity, Group Research Report, Citizens Project, Mainstream Voters Project and Women' s Project. ADL, p. i.

8. Larry Kanter, "Gaining Journalistic Status Gives ADL a Legal Shot in the Arm," Northern California Jewish Bulletin, v. 142, No. 38, October 15, 1993, p. 3.

9. ADL, "Religious Right," p. 42.

10. Thomas L. Jipping, "The Anti-Defamation League's Campaign of Defamation," Free Congress Foundation, June 24, 1994, p. 13.

11. ADL, "The Religious Right," p. 27.

12. Ibid.

13. Transcript of NBC's Meet the Press, November 29, 1992, p. 4.

14. Sean Loughlin, "Christian Coalition's Soldier Marches On," Sarasota Herald-Tribune, February 22, 1994.

15. ADL, "Religious Right," p. 42. (The ADL consistently spells Wittmann' s name as "Wittman.")

16. ADL, "Religious Right," p. 91.

17. Thomas L. Jipping, "The Anti-Defamation League's Campaign of Defamation," June 24, 1994, Free Congress Foundation, p. 14.

18. David Cantor, "Anti-Defamation League Response to the Christian Coalition," July 13, 1994.

19. ADL, "Religious Right," pp. 2, 21, 22, 24, 42, 43, 97.

20. Transcript of speech for Christians' Israel Public Action Campaign, "Pat Robertson: Defender of Israel," January 30, 1994, p. 12.

21. Larry B. Stammer, "Religious Broadcasters Vow Fight On Doctrine Issue," Los Angeles Times, February 18, 1993.

22. John Wheeler, Jr., "Peace in the Holy Land," Christian American, February 1994, page 1, 4.

23. ADL, "Religious Right," p. 43.

24. John Wheeler, Jr., "Anti-Semitism in the Church," Christian American, July/August 1991, p. 12.

25. Ibid, p. 12.

26. Rudy Boschwitz Op-Ed submitted to the New York Times July 25, 1994.

27. Sam Skolnik, "ADL Takes Heat for Criticizing Christian Right," Washington Jewish Week, June 20, 1994.

28. Don Feder, "ADL Attack Discredits Organization," Boston Herald, June 16, 1994.

29. Rod Drehrer, "Pro-Israel Group Decried ADL Attack: Christian Conservatives Are Friends," Washington Times, June 28, 1994, A12.

30. ADL, "Religious Right," p. 45.

31. Memo to Christian Coalition from Rhett Davis, July 5, 1994.

32. Ibid.

33. Don Feder, "ADL Attack Discredits Organization," Boston Herald, June 16, 1994.

34. ADL, "Religious Right," p. 2.

35. Transcript of CBN' s 700 Club, November 13, 1991.

36. Dennis King and Chip Berlet, "ADL Gate," Tikkun, July/August
1993, p.36. The article describes how ADL leaders complained to the media about how they had been sidelined in their efforts to refute Duke's campaign because of their 501 (c) (3) status. Yet the ADL criticizes other organizations with the same tax status for not denouncing the Duke campaign.

37. ADL, "Religious Right," p. 20.

38. Ibid, p. 29.

39. Ibid, p. 28.

40. Thomas B. Edsall, "Christian Political Soldier Helps Revive Movement," Washington Post, September 10, 1993, A4.

41. ADL, "Religious Right," p. 20.

42. Jeff Baran, letter to Christian Coalition national office, July 25, 1994.

43. Carol Innerst, "Parents Labeled Religious Fanatics for Fighting Schools: Schools Learn Ways to Pin Labels on Parental Foes," Washington Times, April 13, 1994, A1.

44. Transcript of CNN' s Crossfire, December 18, 1992 [Transcript #727], p. 10.

45. KABC Radio, November 15, 1993.

46. Ralph E. Reed, working manuscript: The Dynamic Role of Religion in American Life (Dallas, TX: Word, Inc., 1994), p. 34.

47. Ralph E. Reed, "Casting a Wider Net," Policy Review, (Summer 1993), p. 31-33.

48. See, for example: "Christian Coalition NYC Voter Driver is Multi-Cultural Grassroots Effort," Christian Coalition press release, April 28, 1993. The New York Times carried in-depth stories about the Coalition's involvement in the May 4 elections on April 10, April 16 and April 17. Other New York media provided similarly detailed coverage.

49. Sam Dillon, "Spirited Race for Schools Accelerates," New York Times, April 28, 1993, B2.

50. ADL, "Religious Right," p. 32.

51. Letter from Ralph Reed to Rick Schenker, October 7, 1992.

52. Christian Coalition Leadership Manual (1994), p. 19.

53. ADL, "Religious Right," p. 36-37; 1990 FEC MURS 3167 and 3176, pp. 23, 24.

54. Reed, working manuscript, p. 223.

55. Christian Coalition Voter Guide, Texas Democratic Runoff Election, U.S. Congress, District 25.

56. Barbara Woerner, "African-American Christian Wins Office," Christian American (April 1994), p. 9.

57. Christian Coalition Congressional Scorecard, 1994 Edition.

58. Ibid.

59. Ibid.

60. Christian Coalition Leadership Manual, p. 1.3.

61. Ibid, p. 3.23.

62. Transcript of NBC's Meet the Press, November 29, 1992, p. 1.

63. ADL, "Religious Right," p. iii.

64. White House Press Office, "Remarks of President Clinton in 'Evening with the President' in Charlotte, North Carolina," April 28, 1994, U.S. Newswire.

65. Deborah Kalb, "Jewish Democrats Target Religious Right," Manhattan Jewish Sentinel, August 11-17, 1993, pp. 1, 11.

66. Michael Barone, "In Virginia, Distorted Debate," Washington Post, October 28, 1993, p. A23.

67. Larry Marasak, "Elders Resignation Urged," Houston Chronicle, June 25, 1994.

68. Transcript of ABC's Nightline, June 23, 1994.

69. Statement by William J. Bennett, Press Conference on Religious Bigotry in Virginia Politics, October 25, 1993.

70. John Margolis, "Robertson Candidacy on Line in South Carolina," Chicago Tribune, March 5, 1988.

71. Transcript of CNN's Larry King Live, April 10, 1991.

72. Zorach v. Clauson, 343 U.S. 306 (1952).

73. Reed, working manuscript: p. 126.

74. Ibid.

75. Transcript of ABC's Nightline, June 23, 1994.

76. In a letter to the editor of the New York Post published on July 13, 1993, Foxman downplays the ADL report as mere "criticism" and says "a healthy democracy encourages and depends on the political involvement of conservative Christians."

77. Marshall Breger, "Jewish Community Should Recognize Depth of Religious Faith," Moment, April 1994, p. 14.

Text Only Map
Copyright © 1995 by The Christian Coalition of this page and all contents. All Rights Reserved. From gary at kampai.euronet.nl Tue Mar 12 21:29:33 1996 From: gary at kampai.euronet.nl (Gary Howland) Date: Wed, 13 Mar 1996 13:29:33 +0800 Subject: [noise] Re: Do you feel lucky, punk? Message-ID: <199603121103.GAA20839@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- Black Unicorn write: > On Mon, 11 Mar 1996, jim bell wrote: > > Remember, one of the basic assumptions that any supporter of the Leahy bill > > could be making is that it will be interpreted INTELLIGENTLY by courts. > Wrong. The assumption is that the rules of statuatory construction and a > long history of weighing legislative history will be used in intrepreting > the statute. Surely one of the basic assumptions of the supporter of any bill is that it _will_ be interpreted intelligently? [Note - Jim is not saying this is the _only_ assumption]. It's hard to make bills foolproof, since fools are so ingenious ... Gary - -- pub 1024/C001D00D 1996/01/22 Gary Howland Key fingerprint = 0C FB 60 61 4D 3B 24 7D 1C 89 1D BE 1F EE 09 06 - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMUVZ8ioZzwIn1bdtAQGj7QGAjQfpDDRD0LSqjEe0NqECd7mTe4coqPm6 mvRoQzFqmZxggtMjldvVj3R8T4cfir2A =YtOX -----END PGP SIGNATURE----- From adam at lighthouse.homeport.org Tue Mar 12 22:25:57 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Wed, 13 Mar 1996 14:25:57 +0800 Subject: FCC & Internet phones In-Reply-To: <9603120137.AA17060@supra.comm.mot.com> Message-ID: <199603120321.WAA05010@homeport.org> Loren James Rittle wrote: | >Most | >presumably use a mix of a UDP data connection and tcp for control | >functions. | | OK, everything after the IP header is encrypted. I don't even know | which protocol is in use. Are you willing to play Mallet? Drop IP packets, and look for duplicates. Those are TCP. (IPSEC might handle this, but I bet there will be broken implementations that save time by resending.) | >They all consist of high volume, long duration connections | >(or data flows in the case of UDP.) Many probably use a standardized | >destination port. | | OK, everything after the IP header is encrypted. I don't know | which port is in use. Which doesn't change the nature of the data, which is: Alice sends long (3-60 second) heavy flows to Bob. Alice's flow stops, Bobs picks up. repeat. | In short, assuming IPSEC, the data stream cannot be easily found. | Slightly different assumptions led to a radically different outcome. First, assume a can opener. :) Actually, I'll bet you I can pick out your encrypted data for the common case, which will continue to be a modem, which can't handle heavy back traffic flows for the sake of hiding who is speaking. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From rich at c2.org Tue Mar 12 22:48:31 1996 From: rich at c2.org (Rich Graves) Date: Wed, 13 Mar 1996 14:48:31 +0800 Subject: all.net Message-ID: <199603130343.TAA27040@Networking.Stanford.EDU> At 04:55 PM 3/12/96 -0500, anonymous at extropia.wimsey.com wrote: >Has anyone else received one of these? > >> From: root at all.net (root) >> >> A user at your site has just attempted to telnet into our site without >> proper authorization. We consider this inappropriate behavior and would >> like an explanation of this action as soon as possible. >> This message is generated automatically at the time of the attempted >> entry and is sent to our administrators and the postmaster at the >> machine making the attempt. We have included any information provided >> by your ident daemon (if in use) on the subject line of this message. >> We also do a reverse finger for future reference. >> >> Fred Cohen - fc at all.net - tel:US+216-686-0090 How annoying that all is. I wonder what they all do there. "All sorts of things," I guess. Wouldn't it be interesting if we ALL linked to... gopher://all.net:23/0howdy -rich All Things, Inc. (ALL2-DOM) PO Box 1480 Hudson, OH 44236 Domain Name: ALL.NET Administrative Contact: Cohen, Fred (FC34) fc at ALL.NET (216) 686-0090 Technical Contact, Zone Contact: Network Information and Support Center (PSI-NISC) hostinfo at psi.com (518) 283-8860 Record last updated on 31-Jan-95. Record created on 31-Oct-94. Domain servers in listed order: NS.PSI.NET 192.33.4.10 NS2.PSI.NET 38.8.50.2 From unicorn at schloss.li Tue Mar 12 22:52:11 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 13 Mar 1996 14:52:11 +0800 Subject: all.net In-Reply-To: <199603130343.TAA27040@Networking.Stanford.EDU> Message-ID: On Tue, 12 Mar 1996, Rich Graves wrote: > At 04:55 PM 3/12/96 -0500, anonymous at extropia.wimsey.com wrote: > >Has anyone else received one of these? > > > >> From: root at all.net (root) > >> > >> A user at your site has just attempted to telnet into our site without > >> proper authorization. We consider this inappropriate behavior and would > >> like an explanation of this action as soon as possible. > >> This message is generated automatically at the time of the attempted > >> entry and is sent to our administrators and the postmaster at the > >> machine making the attempt. We have included any information provided > >> by your ident daemon (if in use) on the subject line of this message. > >> We also do a reverse finger for future reference. > >> > >> Fred Cohen - fc at all.net - tel:US+216-686-0090 I would LOVE to see someone write a script to telnet repeatedly to this site and run it from behind some nice firewall for several weeks. But, that's just me talking. Far be it from me to actually encourage such horidly irresponsible behavior. --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From an534774 at anon.penet.fi Tue Mar 12 23:29:14 1996 From: an534774 at anon.penet.fi (an534774 at anon.penet.fi) Date: Wed, 13 Mar 1996 15:29:14 +0800 Subject: Crypto Exposure Message-ID: <9603130405.AA27432@anon.penet.fi> A few questions concerning the access to crypto software from foreigners living in the US: - Suppose that an ISP (or a University) provides an account to a foreigner (i.e. the foreigner can access a few UNIX machines that are property of the ISP). Suppose now that PGP (for example) is installed on these machines, then the ISP expose the foreigner to crypto software, right? Is the ISP (or University) punishable by law? - Which version of PGP is the foreigner allowed to use in the US? He would violate export restriction if he uses the US version and he would violate the RSA copyrights if he uses the internation version, right? - What if the foreigner actually write crypto code while in the US? Does he (or the Uni/ISP) violate export restrictions each time he access the source code or execute his program if they are stored on a public (Uni/ISP) machine? --****ATTENTION****--****ATTENTION****--****ATTENTION****--***ATTENTION*** Your e-mail reply to this message WILL be *automatically* ANONYMIZED. Please, report inappropriate use to abuse at anon.penet.fi For information (incl. non-anon reply) write to help at anon.penet.fi If you have any problems, address them to admin at anon.penet.fi From thad at hammerhead.com Tue Mar 12 23:43:21 1996 From: thad at hammerhead.com (Thaddeus J. Beier) Date: Wed, 13 Mar 1996 15:43:21 +0800 Subject: all.net Message-ID: <199603130606.WAA08192@hammerhead.com> This is the message that I got when I mistakenly typed "telnet all.net" [previously quoted message not repeated...] P.S. At this time, there is what appears to be a criminal conspiracy underway to excersize our detection system. Criminal because it is an attempt to attack a Federal Interest Computer - conspiracy because some of the participants have, after the fact, decided to participate in the criminal activity by refusing to identify the source of the attack. This is a result of a posting to a mailing list by someone who was apparently upset at having their activities detected. A recent threat to break into this site was posted, and we have contacted federal authorities. As this incident quantitatively increases, the level of our work to check out each part of the incident (by administrators such as yourself) may reach a total of $5,000. At that point, the FBI will be called in and participants in this activity may find that they are under federal investigation. Please advise your users to cease and desist and advise them to advise others to do so as well. It would also help us to limit the damage and establish culpability (and innocence) if you could get copies of the posting sent to your users so we can track down the source of the threat and determine what response, if any, is appropriate regarding your users who may be innocent victims of (and accidental conduits for) this attack. March 1996 - FC -- Thaddeus Beier thad at hammerhead.com Technology Development 408) 286-3376 Hammerhead Productions http://www.got.net/~thad From sandfort at crl.com Tue Mar 12 23:53:45 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Wed, 13 Mar 1996 15:53:45 +0800 Subject: How's that again? In-Reply-To: Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Tue, 12 Mar 1996, Dr. Dimitri Vulis wrote: > "Cypherpunk" is not a trademarked name. I've seen people say on this list > (paraphrased)..."I'm hosting a cypherpunks meeting and X will not be > permitted to come because I don't like his political views". I like > reading this list, but if these views are compatible with being a > cypherpunk, then I'm not one. No one has ever made an announcement on the Cypherpunks list such as the one you "paraphrased." The meetings have always been open to everyone. If the good doctor is referring to my univiting of Jim Bell to a private party held AFTER a Cypherpunk meeting he had better get his facts straight. Jim Bell would have been welcome at the Cypherpunks meeting. He would not have been welcome at my party, though, because of his intemperate bad manners, NOT his politics. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From hal9001 at panix.com Tue Mar 12 23:55:48 1996 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Wed, 13 Mar 1996 15:55:48 +0800 Subject: PGP reveals the key ID of the recipient of encrypted msg Message-ID: At 16:36 3/11/96, John Pettitt wrote: >I can see a case where one would want to broadcast a message (say on usenet) >with *no* indication of the intended recipient (not even a non registered >key-id). It would seem to be easy enough to hack up something that does not >have key-IDs - to know if it's for you try decryption and if it works then >it was for you. This does not scale well as the recipient must trial >decrypt all messages which could use *a lot* (tm) of CPU time. There is also the problem of knowing WHICH key to use (ie: Even when you know the message is intended for you, you must do a test run with each of your keys until one works). Thus you want private keys whose ownership is not publicly linked to your known identity (but is known to your correspondents). So long as you have your corespondent's published Public Key, you can use it to do a one-time transmission of a private Public Key to be used to do anonymous (ie: Not Linked to your Public Identity) transmissions to you. From stewarts at ix.netcom.com Wed Mar 13 00:01:56 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 13 Mar 1996 16:01:56 +0800 Subject: frequency of remailer use? (fwd) Message-ID: <199603130447.UAA07724@ix3.ix.netcom.com> Multi-hop messages are probably more important than cover traffic. If the average message does two hops, then dive your estimates by two, etc. In a real privacy environment, almost nobody would send serious messages by just one remailer hop. On the other hand, for posting minor spam and non-professionally-secure messages to mailing lists, one hop will do. A first step at estimating this would be to check the fraction of mail addresses to known remailers (since most remailers are more likely to track destinations than sources.) Most of pamphlet's bouncemail is from other remailers, but that seems to be more of a configuration issue, or people sending test mail to mixmasters or something. >One could make some attempt to account for all known cover traffic. Given a >known average quantity of cover traffic, the rest is either real or >independent cover. >> > I would be very grateful for pointers to data concerning the number of >> > messages that pass through remailers. (Not anon.penet.fi -- real >> > remailers.) I am currently in a conversation with a journalist who should >> > know better, but claims that secure anonymous remailers are never used by >> > anyone -- just a curiosity. >>Good question. How do we determine this without ourselves being able >>to distinguish between cover traffic and "real" traffic? #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From dlv at bwalk.dm.com Wed Mar 13 00:07:11 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Wed, 13 Mar 1996 16:07:11 +0800 Subject: How's that again? In-Reply-To: Message-ID: jim bell writes: > At 02:38 PM 3/12/96 -0800, Sandy Sandfort wrote: > >Hey, Jim, don't forget me. You are the only person I have ever > >specifically UNinvited to one of my parties in over a decade of > >hosting same. I guess that makes you special. > > You're confused. You're describe YOUR reaction to ME, not MY reaction to > YOU. And I am unaware of being invited to a "party," and now that I've > discovered what a sleazy person Alan Olsen and his merry band are, it is > really doubtful that I would have enjoyed what was advertised as a > cypherpunks meeting, but which you now claim was a "party." Your level of > "honesty" is showing. "Cypherpunk" is not a trademarked name. I've seen people say on this list (paraphrased) "I'm a cypherpunk, and I oppose unrestricted free speech because we must silence {homophobes}child pornographers|terrorists}" or "I'm hosting a cypherpunks meeting and X will not be permitted to come because I don't like his political views". I like reading this list, but if these views are compatible with being a cypherpunk, then I'm not one. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From jimbell at pacifier.com Wed Mar 13 00:12:13 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 13 Mar 1996 16:12:13 +0800 Subject: Do you feel lucky, punk? Message-ID: At 05:54 PM 3/11/96 -0500, Black Unicorn wrote: > > >[rant including some very dubious abstracts of legal opinions deleted] > >Not only is your law poor and badly reasoned, Just what George Will said about this recent Bennis SC decision. > your mastery of the jurisprudence of forfeiture law flawed, Ditto, and I notice you give no specific examples. Why is that? > and your rhetoric twisted, Again, you give no specific examples. And what is "twisted rhetoric", at least as you've used it here? >but you don't seem to know the difference between dicta and holdings. I didn't use either term. Neither did George Will. Maybe you read that item too rapidly to notice that most of it was George Will's column, not my wording. BTW, I get particularly suspicious when people "respond" to my posts and quote NOTHING that I have said. This seems to be a pattern: The person clearly disagrees with my position in general, but can't cite specifics and in fact studiously avoids them. Padgett Peterson is an expert at this, it appears you're trying to emulate him. What, then, was the point of sending me the note, as well as wasting bandwidth on CP to share your unhappiness? Jim Bell jimbell at pacifier.com From anonymous at extropia.wimsey.com Wed Mar 13 00:14:19 1996 From: anonymous at extropia.wimsey.com (anonymous at extropia.wimsey.com) Date: Wed, 13 Mar 1996 16:14:19 +0800 Subject: all.net Message-ID: <199603122155.QAA04971@miron.vip.best.com> Has anyone else received one of these? > From: root at all.net (root) > > A user at your site has just attempted to telnet into our site without > proper authorization. We consider this inappropriate behavior and would > like an explanation of this action as soon as possible. > > This message is generated automatically at the time of the attempted > entry and is sent to our administrators and the postmaster at the > machine making the attempt. We have included any information provided > by your ident daemon (if in use) on the subject line of this message. > We also do a reverse finger for future reference. > > Fred Cohen - fc at all.net - tel:US+216-686-0090 From ethridge at Onramp.NET Wed Mar 13 00:19:40 1996 From: ethridge at Onramp.NET (Allen B. Ethridge) Date: Wed, 13 Mar 1996 16:19:40 +0800 Subject: AMEX and Netscape Message-ID: >American Express Platinum card holders might want to look at the bottom >of their statement: > >CARD USE ON THE INTERNET -- Cardmembers should only conduct transactions > >(Any Gold or Green card holders have the same notice?) Green - yes. allen From unicorn at schloss.li Wed Mar 13 00:26:41 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 13 Mar 1996 16:26:41 +0800 Subject: How's that again? In-Reply-To: Message-ID: On Tue, 12 Mar 1996, Dr. Dimitri Vulis wrote: > jim bell writes: > > At 02:38 PM 3/12/96 -0800, Sandy Sandfort wrote: > > >Hey, Jim, don't forget me. You are the only person I have ever > > >specifically UNinvited to one of my parties in over a decade of > > >hosting same. I guess that makes you special. > > > > You're confused. You're describe YOUR reaction to ME, not MY reaction to > > YOU. And I am unaware of being invited to a "party," and now that I've > > discovered what a sleazy person Alan Olsen and his merry band are, it is > > really doubtful that I would have enjoyed what was advertised as a > > cypherpunks meeting, but which you now claim was a "party." Your level of > > "honesty" is showing. > > "Cypherpunk" is not a trademarked name. I've seen people say on this list > (paraphrased) "I'm a cypherpunk, and I oppose unrestricted free speech > because we must silence {homophobes}child pornographers|terrorists}" or > "I'm hosting a cypherpunks meeting and X will not be permitted to come > because I don't like his political views". I like reading this list, You're a cypherpunk then. --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From stewarts at ix.netcom.com Wed Mar 13 01:05:39 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 13 Mar 1996 17:05:39 +0800 Subject: Remailer passphrases Message-ID: <199603130737.XAA22807@ix15.ix.netcom.com> >Bill Frantz writes: >> One of the reasons classical (government) crypto users change keys >> frequently is to minimize the amount of data compromised by a broken key. >> We keep hearing about NSA decrypting 20 year old cyphertext and showing >> more of the workings of the atomic spy rings operating in the 40s and 50s. The NSA's decryption of old cyphertext that's been publicized, other than World War II cyphers such as Enigma and Purple, has primarily been Russian "One Time Pads". OTPs are perfectly secret - if they're made with real random numbers and only used once, which the Russians were sloppy about. Minimizing exposure is good. perry at piermont.com replied >Signed Diffie-Hellman key exchanges have the property known as >"Perfect Forward Secrecy". Even if the opponent gets your public keys >it still will not decrypt any traffic for him at all -- it just lets >him pretend to be you. Thats one reason why protocols like Photuris >and Oakley use the technique. DH key exchange is really only Exponentially Good Forward Secrecy, and in its primary use (exchanging keys for symmetric-key algorithms) the system is at best Good Enough Forward Secrecy. The difference between exponentially good and perfect is exponentially small, which is fine if your keys are long enough. On the other hand, cracking a symmetric-key algorithm is generally the weak link, unless you're using 112-bit or better secret keys, and even 112s might be crackable during the lifetime of the current universe. How much information leaks if you reveal (say) 128 bits of a 1024-bit Diffie-Hellman key? Does it tell you anything at all about any of the remaining 896 bits? Is it safe to use 8 slices of the 1024-bit key if 7 are revealed? Does RSA have the same problem? This is partly an efficiency hack (cutting the number of big slow calculations by 8) and partly a question of other uses one might make of the bits, such as stealthing PGP headers. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From stewarts at ix.netcom.com Wed Mar 13 01:07:35 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 13 Mar 1996 17:07:35 +0800 Subject: Crypto Exposure Message-ID: <199603130737.XAA22803@ix15.ix.netcom.com> At 04:05 AM 3/13/96 UTC, an534774 at anon.penet.fi wrote: >A few questions concerning the access to crypto >software from foreigners living in the US: > >- Suppose that an ISP (or a University) provides an account to >a foreigner (i.e. the foreigner can access a few UNIX machines >that are property of the ISP). Suppose now that PGP (for >example) is installed on these machines, then the ISP expose >the foreigner to crypto software, right? Is the ISP (or >University) punishable by law? There isn't a good answer to this, but it's probably a bad idea for any US-based school or ISP that permits foreigners to access its files to provide crypto capability, unless it limits it to Yankees (e.g. though Unix group permissions.) It's certainly a bad idea for any _small_ organization, or organization with a small legal budget, to do so. >- Which version of PGP is the foreigner allowed to use in the >US? He would violate export restriction if he uses the US >version and he would violate the RSA copyrights if he uses >the internation version, right? No - this one there _is_ a good answer to :-) US Law doesn't restrict use of encryption by foreigners located within its borders (except maybe special circumstances like agents of foreign governments; I'll pass on answering that) - only on whether US persons can give them munitions, and of course patents. The clean approach is for the foreigner to bring a copy of the US version of PGP into the US, either on magnetic media or by downloading from ftp.ox.ac.uk or other free-world site. >- What if the foreigner actually write crypto code while in >the US? Does he (or the Uni/ISP) violate export restrictions each >time he access the source code or execute his program if they are >stored on a public (Uni/ISP) machine? The foreigner isn't a US person, so he doesn't violate the law by reading the code himself. If the Uni or ISP knows that it's providing encryption software to the foreigner, it may be liable, but without scienter it's tough to have guilt. Probably the foreigner should not keep encryption software on University or ISP machines - floppy disks should do just fine :-) Encryption material used only for authentication, of course, is just fine, at least unless the foreigner is from a country the US State Department considers to be an enemy, like Cuba. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From wlkngowl at unix.asb.com Wed Mar 13 01:10:04 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Wed, 13 Mar 1996 17:10:04 +0800 Subject: frequency of remailer use? In-Reply-To: Message-ID: <31467016.662D@unix.asb.com> Mark M. wrote: > > On Sat, 9 Mar 1996, Michael Froomkin wrote: > > > I would be very grateful for pointers to data concerning the number of > > messages that pass through remailers. (Not anon.penet.fi -- real > > remailers.) I am currently in a conversation with a journalist who should > > know better, but claims that secure anonymous remailers are never used by > > anyone -- just a curiosity. > > For most remailers, you can get the usage statistics by sending a message > to the remailer with the subject line "remailer-stats." Problem is that chaining interferes with this. A better way is to skin certain types of newsgroup headers over a period of time (a week or two) for messages sent from remailers. It will also give some stats as to what kinds of topics to people prefer anonymity. It's also rather interesting to see how much remailer traffic is used for posting rants/erotica/politically unpopular deas/heresies/criticism/ whistleblowing [I put these in the same category because they are related] and how many use them for the sake of just being anonymous [a regular participant who signs with an anonymous id/pgp-key but isn't necessarally posting something that requires anonyimity... hard to distinguish from first one though]. --Rob From JonWienke at aol.com Wed Mar 13 01:35:04 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Wed, 13 Mar 1996 17:35:04 +0800 Subject: Beat Remote Monitor Snooping? Message-ID: <960312193120_444876976@emout09.mail.aol.com> I know that monitors emit RF signals that can be detected and decoded for a considerable distance. I have a question about this. Obviously, the difference between black and white (white text on black background, or vice versa) would be the most detectable, because the difference in signal levels would be the greatest. Would it be possible to reduce or prevent this kind of snooping by using color schemes that all use the same signal levels? For example, the color purple uses the red and blue color guns, and yellow uses the red and green color guns. Would purple text on a yellow background be able to be read by a remote snooper? If not, then perhaps these color schemes could be used to echo pass phrases--assuming the user isn't worried about someone looking over their shoulder. Any comments? Jonathan Wienke From knapper at bga.com Wed Mar 13 01:53:35 1996 From: knapper at bga.com (Woodrow W. Baker) Date: Wed, 13 Mar 1996 17:53:35 +0800 Subject: CD-reading for random keys Message-ID: <4i5gtu$99i@news2.realtime.net> Doe anyone know where sample code exists to enable one to read the digital stream from an audio CD? If so, I'd appreciate some pointers to it via email. It seems to me like an Audio Cd would make the perfect one-time crypto system. You merely start reading at a specific spot, tossing away bytes using a reproducable random number generator, then permuting those to form a XOR one time key of any length you want. All that would be required to decrypt it would be a CD, the starting point, and the encryption/decryption software. The first step is to be able to read an arbitray sequence of digital samples from an arbitrary spot on a CD. I'm currently looking for software (perferably source) to enable me to do that. Cheers Woody -- Woody Baker Postscript consultant/ hired software gun /flintknapper knapper at bga.com woody at knapper.cactus.org "If you ain't bleedin' you ain't knappin'" -->go ahead, ask me! From alano at teleport.com Wed Mar 13 02:51:25 1996 From: alano at teleport.com (Alan Olsen) Date: Wed, 13 Mar 1996 18:51:25 +0800 Subject: How's that again? Message-ID: <2.2.32.19960313102923.008ca650@mail.teleport.com> At 10:43 PM 3/12/96 -0800, Sandy Sandfort wrote: >On Tue, 12 Mar 1996, Dr. Dimitri Vulis wrote: > >> "Cypherpunk" is not a trademarked name. I've seen people say on this list >> (paraphrased)..."I'm hosting a cypherpunks meeting and X will not be >> permitted to come because I don't like his political views". I like >> reading this list, but if these views are compatible with being a >> cypherpunk, then I'm not one. > >No one has ever made an announcement on the Cypherpunks list such >as the one you "paraphrased." The meetings have always been open >to everyone. > >If the good doctor is referring to my univiting of Jim Bell to >a private party held AFTER a Cypherpunk meeting he had better >get his facts straight. Jim Bell would have been welcome at the >Cypherpunks meeting. He would not have been welcome at my party, >though, because of his intemperate bad manners, NOT his politics. Jim Bell is confused. He was assuming that you were refering to the Feb Cypherpunks meeting held in Portland. The meeting was held in a private residence and Jim was asked not to attend because the owner of the apartment did not want to deal with Mr. Bell's poor behaviour. It had nothing to do with his political beliefs. It had everything to do with how he handles himself when his views are challenged. But then, everything that happens in Portland that is not to Jim's satisfaction is somehow my fault... --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From alano at teleport.com Wed Mar 13 02:52:53 1996 From: alano at teleport.com (Alan Olsen) Date: Wed, 13 Mar 1996 18:52:53 +0800 Subject: How's that again? Message-ID: <2.2.32.19960313102924.008b1330@mail.teleport.com> At 10:52 PM 3/12/96 -0800, Sandy Sandfort wrote: >Jim and interested C'punks, > >In response to a Jim Bell post I wrote: > >> >Hey, Jim, don't forget me. You are the only person I have ever >> >specifically UNinvited to one of my parties in over a decade of >> >hosting same. I guess that makes you special. > >To which Jim replied: > >> You're confused. You're describe YOUR reaction to ME, not MY reaction to >> YOU. And I am unaware of being invited to a "party," and now that I've >> discovered what a sleazy person Alan Olsen and his merry band are, it is >> really doubtful that I would have enjoyed what was advertised as a >> cypherpunks meeting, but which you now claim was a "party." Your level of >> "honesty" is showing. > >A) It is you who is confused (see below) > >B) I'm not Alan Olsen (nor a member of his merry band, so I have > no idea what you are talking about. Wrong area of the country. My branch of the Illuminati only controls the area around portland. >C) There was a Cypherpunk meeting followed by a party. The > pictures are on the Web. A party which I missed. (It looked like ALOT of fun!) >D) It is your level of honesty that is showing. As can be seen > from the two messages (below) I sent you at the time. They > quote you in pertinent part. [quoted text removed for space] I found out along time ago that Jim only sees what Jim *WANTS* to see. This whole tantrum of his is because I challenged his views on the list and happened to mention a "cunning plan" on his. Jim demanded an apology for treating him differently than what he wanted to be treated. (He felt that I owed him some sort of "respect", something I lost for him when I met him in person.) He never once wanted to deal with it in a civil manner. Instead he wanted to vent in public and get some sort of emotional satisfaction. (Something I would guess he does not recieve in real life.) Since that time, he has taken every opertunity to slander me on this list. (And, for the most part, I ignore him.) I have found that the best way to counter any idea that Jim has is to just let him go on about it. His lack of tact, his refusal to deal with any argument against his closely held convictions, his habit of ad hominem attacks with little or no information, and his general loonieness make any ideas he may have easlly discardable as being from a certified crank. (And he does an even better job at it in person!) I do find it quite humerous that he feels that I somehow have control over those who think he is a twit. It shows just how disconnected he is from anything resembling reality. (Maybe he should spend more time on alt.conspiracy. He might find a few people who will humor him.) If I had such unwavering control over then, more of them would post on the national list! Well, I have better things to do than rant about Mr. Bell's more pavlovian responses and you have better things to do than reading them... Back to more productive things. | Remember: Life is not always champagne. Sometimes it is REAL pain. | |"The moral PGP Diffie taught Zimmermann unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From jimbell at pacifier.com Wed Mar 13 04:09:29 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 13 Mar 1996 20:09:29 +0800 Subject: How's that again? Message-ID: At 12:55 AM 3/12/96 +0600, David K. Merriman wrote: >I've *finally* had a chance to try and catch up on my CyP (vice CoP) reading, including the running tit-for-tat between Jim Bell and (most of) the rest of the list. I think this is an exaggeration... I"ve been told that this list goes to over a thousand addresses. Weighted only among those who choose to post (a self-selected group, obviously), I do raise some heat, but it isn't clear that "most" or even a large minority of the list disagree with my conclusions. I'm not assuming they agree, but you seem to be assuming they disagree. >While Mr. Bell's Assassination Politics idea has a lot of interesting ramifications, I've found that his >apparent in-your-face-and-wha'cha-gonna-do-about-it-PUNK attitude makes reading his postings very tedious. In the last few days, I'm basically ignoring AP, and am fighting a fire that some people around here think is just fine. You might note that the same people who have been most critical of my stance on the Leahy bill are the same ones who vigorously opposed AP, suggesting that their motives are questionable and certainly a bit "predictable." As I've mentioned before, and as a contrary example, I've seen (on other lists/echoes) at least two separate instances where people who (proudly?) claim they "always" oppose everything I say, say that my stance on the Leahy bill is quite accurate. _THOSE_ people are at least honest enough to not (always) oppose a position simply because "Jim Bell" supports it, or vice versa. >Perhaps if 'we' were to simply read his postings, and respond *only* to those that maintain a civil tone, it would finally sink in with him that his Terrible Two's antics aren't appreciated. There's is a better tactic you could take. If somebody says something to me, or for that matter to the entire list, that you consider foolish and unsupported or elitist or just plain wrong, rather than expect _me_ to wipe the floor with him, _you_ criticize in a far more tactful manner. Frankly, I get tired of doing the heavy lifting for all the slackers out there who are seemingly content to just sit back and watch the fray. Normally, there's nothing wrong with just READING, per se, but when people like you make statements like: >I've *finally* had a chance to try and catch up on my CyP (vice CoP) reading, including the running tit-for-tat between Jim Bell and (most of) the rest of the list. ...there is at least the (false) implication that the dispute is between me and "the silent majority", a term pioneered by Richard Nixon, in case you either don't recall or weren't around when it happened. You (and he) were falsely suggesting that anybody out there who doesn't say a thing MUST be on your side. >The only other options I see are: > Someone gets his snailmail address and sends him a Dale Carnegie book, or > there's a mass kill-filing, with him as the guest of (dis)honor. > >As noted, his AP idea seems worth discussing, I'd be reluctant to lose it. I'd hate to see him turned into LD-2 (Son of LD? :-) because he doesn't seem to have learned Tact and Manners yet. You will notice, I assume, that I have been and can be tactful to most people; where exceptions exist, they are typically among anonymous posters (such as this "Black Unicorn") who has now admitted he's an elitist legal snob and doesn't want anybody who hasn't spent a few years in law ("mental reform") school to pass judgment on the judges, no matter how outrageous their actions become. Oh, yes, and I can't forget Padgett Peterson, who has raised spinelessness to a new art form. Jim Bell jimbell at pacifier.com From gary at kampai.euronet.nl Wed Mar 13 04:34:00 1996 From: gary at kampai.euronet.nl (Gary Howland) Date: Wed, 13 Mar 1996 20:34:00 +0800 Subject: How's that again? Message-ID: <199603131156.MAA00319@kampai.euronet.nl> Bill Stewart wrote: > At 05:40 PM 3/12/96 -0500, Black Unicorn wrote: > >Revise your statement to: > >"doesn't want anyone who hasn't spent a few years in law school to pass > >judgement on pending legislation and the effect of supreme court decision > >thereon..." > >and you'd be right on the money. > > I'm not a lawyer, though I've played a politician on TV. I'll grant you > that lawyers and other trained legal professionals can do a far better > job of finding and analyzing cases than amateurs like myself, though I suspect > a month or two's experience with Lexis would be enough to let many > of "the rest of us" outsearch the average lawyer of 50 years ago > who had to rely on his or her wits alone. But if the average intellegent > person _can't_ evaluate a law and have a reasonable chance of figuring > out what it says and what it means, there's something seriously wrong > with the way new laws are written, as well as enforced. This is especially true in the UK, since the magistrates (the panel of "judges") in the bottom level of courts (the magistrate courts) consist of entirely of "respectable" members of the community (eg. headmasters of local schools etc.). They are very rarely legal professionals. > [* Is it true that the reason Election Day is on the _second_ > Tuesday of November is to guarantee it never falls on Guy Fawkes' Day?] Ah, Guy Fawkes, the only man to enter parliament with honest intentions ... Gary From tj_lists at prado.com Wed Mar 13 04:52:26 1996 From: tj_lists at prado.com (tj_lists at prado.com) Date: Wed, 13 Mar 1996 20:52:26 +0800 Subject: steganographic trick Message-ID: <199603131203.EAA16094@zoe.prado.com> ** Reply to note from Alan Horowitz 03/09/96 7:13pm -0500 > Vladimir, > > Imagine you're an FBI agent or something like that. You've been assigned > to investigate some guy, to include sniffing out any data he may have > stored in encrypted format to keep private. > > You de-crypt the data from some elaborate stego scheme, and find - a > recipe for chocolate cookies. > > The federal agents I know, are clever enough to say to themselves: > "what's wrong with this picture?" Really? I'm sure some of them are, but I remember reading in G. Gordon Liddy's "Will" that FBI Agents were assigned to check up on novelist Nelson Algren ("Man With the Golden Arm") who was living with Simone de Beauvoir at the time. Seeing both names on the mailbox of the residence, the agents filled in the surveillance form with Subject: Nelson Algren, alias Simone de Beauvoir. cc: Alan Horowitz From rah at shipwright.com Wed Mar 13 05:11:07 1996 From: rah at shipwright.com (Robert Hettinga) Date: Wed, 13 Mar 1996 21:11:07 +0800 Subject: Ecash press release Message-ID: --- begin forwarded text Comments: Authenticated sender is From: "Paul Dinnissen" Organization: DigiCash bv To: ecash at digicash.com Date: Wed, 13 Mar 1996 11:24:54 +1 Subject: Ecash press release Reply-to: paul at digicash.com Priority: normal Sender: owner-ecash at digicash.com Precedence: bulk Release date: Contact EUnet Amsterdam: Wednesday, March 13, 1996 Mr. Graham Wilson Amsterdam, The Netherlands Tel: +31 20 623 3803 Fax: +31 20 662 4657 Contact DigiCash Amsterdam: email: media at EU.net Mr. Paul Dinnissen http://www.eu.net/ Tel: +31 20 665 2611 Fax: +31 20 665 1126 Contact Merita Bank Helsinki: email: press at digicash.com Mr. Timo Nikinmaa http://www.digicash.com/ Tel: +358 0 1654 2471 =============================================== Europeans Can Now Make Cash Purchases on the Information Superhighway =============================================== First European Electronic Cash System Opens for Business on the Internet Today EUnet, Europe's leading provider of Internet services, and DigiCash, the leading innovator in electronic payment technology, have launched a system that lets consumers make and receive payments over the Internet--using an electronic form of cash. The "ecash" technology gives even very small payments of a few cents the level of security once reserved exclusively for large-value wire transfers, while providing users with the familiar irrefutability, privacy, and person-to-person payment capability of paper money. The system is first being launched in Finland, the country with one of the highest number of Internet connections per person in the world. Merita, Finland's largest bank, already provides over 3,000,000 account holders with access to its Solo payment service. This now allows users to visit a "virtual ATM" on the World Wide Web, and withdraw money directly from their bank account into their ecash "purse". With this money they can make electronic payments to each other as well as to on-line merchants. The merchants already accepting ecash on launch day range from popular magazines and newspapers, to those selling stock quotes and GSM paging through email. Soon, while travelling anywhere in Europe, you will be able to dial a local number and pay for your Internet access, via EUnetTraveller, using ecash. Following a successful launch in Finland, EUnet, working with major banks, intends to roll out the service during 1996, in more of the 41 countries in which it operates. "We are delighted to be the first Internet Service Provider in the world to make the benefits of ecash fully available to Internet users" says Wim Vink, EUnet's Managing Director. "We see the ecash system as a major enabling technology that will make electronic commerce into an effective new way of doing business. Its simplicity and security features mean that users can make purchases electronically with confidence, convenience and privacy." "We are happy to contribute to the development of a variety of secure payment systems on the Internet," says Matti Karvonen, First Vice President of Merita Bank. "Electronic commerce is likely to increase as users are able to choose a payment system that suits them best. Merita has around 200,000 customers who already use terminals for their daily banking. We believe that the number will increase further with the introduction of ecash and Solo payments." "This launch and EUnetTraveller are really exciting new uses of ecash. As transaction costs drop, low-value payments will be catalytic to growth in electronic commerce" says Dr. David Chaum, the inventor of electronic cash and Managing Director of DigiCash. "This will let the unique advantages of ecash shine through: protecting the interest of society better than paper money, while helping people protect their own interests and enjoy the privacy and freedom they are accustomed to with cash." * * * (DigiCash and ecash are registered trademarks and should always be referred to as such) -- end -- DigiCash Background ------------------- Since beginning operation in April 1990, DigiCash's mission and primary activity has been to develop and license competitive payment techniques that show the true capability of technology to protect the interests of all participants. Dr. David Chaum, Managing Director of DigiCash, received his Ph.D. in Computer Science from the University of California at Berkeley, then taught at New York University Graduate School of Business Administration and at the University of California, and headed the Cryptography Group at CWI, the Dutch nationally-funded centre for research in mathematics and computer science, before taking his current position. He has published over 45 original technical articles on cryptography and also founded the International Association for Cryptologic Research. EUnet Background ---------------- EUnet is Europe's leading commercial Internet Service Provider, offering the full range of Internet Services, serving over 100,000 customers and over 750,000 users in 41 countries. EUnet, which manages its own dedicated network infrastructure, offers full local support services in each country of operation. Outside Europe, EUnet has developed an expanding network of national and regional service providers, with the aim of continually extending the services it offers to customers world-wide. Merita Bank Background ---------------------- Merita Bank Ltd was formed in June 1995 from the merger of the largest commercial banks in Finland, Union Bank of Finland Ltd and Kansaills-Osake-Pankki. In Finland, Merita provides a full range of finance, payment and asset-management services for households, companies and institutions. The retail bank serves some 3,000,000 personal customers and over 100,000 small and medium-sized businesses. At the end of September 1995, the total consolidated assets of the Merita Group stood at FIM 283 billion. Merita Bank's market share of total Finnish markka lending was 43.5 per cent, and its market share of total Finnish markka deposits was 43.3 per cent. The number of employees was 16,870. Companies That Welcome Ecash in Finland --------------------------------------- City Magazine -- City Magazine is the most popular magazine among Finland's 18-35 year-olds. With interviews, fashion, the latest trends, current affairs and local events, City's nationwide circulation is 225,000. Over the last eighteen months, City Magazine's online service, `Surf City', has grown to a consistent 30,000 hits per month. Now, when placing a classified ad in either the paper or the online magazine, customers will be welcome to pay with ecash SOM -- SOM, the Finnish Securities and Derivatives Exchange and Clearing House, established in 1987, serves as a neutral integrated securities and derivatives exchange and clearing house. SOM offers real-time financial market information on stocks, options and futures via the Internet, with invoices payable in ecash. Somtel for Windows -the application that offers real-time feed, as well as simulation and position-analysis functions-, is already available via leased line. "The use of money makes stock trading less complicated, with money acting as a practical intermediary between the transactions." states Asko Schrey, President of SOM. "However, since stock trades, as well as the shares themselves, are electronic nowadays, this conventional transmission of money has actually become a bottleneck and a threat to the development of the financial world. Therefore, SOM actively participates in projects to promote and improve the efficiency of payment traffic. We believe that electronic money will offer interesting new possibilities." Yomi Media -- Yomi Media Ltd., a part of KSP Phone Companies Group, offers solutions in the field of digital media, information networks and multimedia. Yomi Media has opened a virtual shop which sells phone accessories and other telecommunication-related products via the Internet. And they are pleased to accept ecash. Yomi Media will provide ecash transaction services for other companies in the near future. Finnish Keltainen Porssi -- Finland's third best-selling paper, Keltainen Porssi now accepts ecash payments. "Keltainen Porssi's business has two features that make ecash the perfect means of payment to us" explains Ari Ahola, CEO of Infosto Group. "Firstly the large number of transactions (some 500,000 weekly readers for the printed media) and secondly the low cost of each transaction. The large number of small transactions is most easily managed using DigiCash's ecash." Ahola concluded "Keltainen Porssi features some 80,000 classified ads per week in two printed issues. The advantages of Dynamic Database Publishing are very attractive in our type of media: The ability to crosscheck and analyse data, enter and browse the ads in real time are just a few of the new features which will be introduced in our Internet edition." added Ahola. MTV3 Internet -- MTV3 Finland is a nationwide commercial TV channel which, with 43% share of the audience, is by far the most popular TV channel in Finland. Since the autumn the MTV3 Web service (http://www.mtv3.fi/) has been developing a media that combines news and entertainment with the possibility to include advertising. With ecash it is now possible to do real-time shopping at the MTV3 Marketplace. MicroMedia -- MicroMedia is a private Finnish direct marketing service house specialized in business-to-business marketing. The Address File lists 300,000 Finnish decision makers at 135,000 offices. How does ecash work? -------------------- Using ecash is like using a virtual ATM (Automatic Teller Machine). When connecting to it over the Internet, you must first authenticate your ownership of the account, and then request the amount of ecash you want to withdraw. But instead of putting paper cash in your wallet, your software stores the digital cash it receives on the hard disk of your PC. When you want to make a payment, you simply confirm the amount and the payee (you can add a description of the items bought, or services wanted, if it is helpful) and then your ecash software transfers coins of the correct value from your PC direct to the payee. Merchants, (ranging from casual participants in the global Internet bazaar to mega-retailers), can deposit the digital coins they receive into their ecash accounts. Behind the user interface, your computer actually creates some 'serial' numbers for the electronic coins based on a random seed. Then it hides them in special encryption envelopes, sends them to the electronic bank for signature and, when they are returned, removes the envelopes while retaining the bank's validating digital signature on the 'serial' numbers. This way, when the bank (eventually) receives the coins you spend, it cannot recognize them as coming from any particular withdrawal because they were hidden from the bank by the envelopes during the withdrawal process. Therefore the bank cannot know when or where you used a shop, or what you bought. The number of each signed coin is unique, allowing the bank to be sure that it never accepts the same coin twice. In case you wish to identify the recipient of any of your payments, you may subsequently decide to reveal the unique coin number and use your ecash software to prove that you created it. How safe is ecash? ------------------ Security is fundamental to electronic cash. The cryptographic coding that protects every 5 cent ecash payment is the same as that routinely relied upon for authenticating requests to move huge sums between banks and even for national security. But in principle ecash goes beyond such communications security to achieve true multiparty security: no one (buyer, seller, bank) can cheat anyone else, no matter how they might modify their own software. Even if two parties collude, they cannot cheat the third. Replacing paper and coins with ecash would make life much harder for criminals. Because the payer's computer chooses the serial numbers of the coins, he or she can later irrefutably identify blackmarketeers, extortionists, and acceptors of bribes--were they to accept ecash. Paper notes, briefcases full of which can be passed from hand to hand without leaving any record, allow money laundering and tax evasion today. With ecash, however, all the amounts each person receives are known to their bank. Significant criminal activity could thus be thwarted by completely replacing paper money; moreover, the privacy of ecash would be essential to widespread acceptance of any electronic payment system. For more information on ecash please contact DigiCash. info at digicash.com, http://www.digicash.com/, fax: +31 20 6651126 +-----------------------------------------------------+ Join the new ecash mailing-list! Mail to ecash-request at digicash.com and type 'help' or 'subscribe' in the first line of your message +-----------------------------------------------------+ // Paul Dinnissen, DigiCash bv, http://www.digicash.com/ // Experience is what you get, when you don't get what you want --- end forwarded text ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From unicorn at schloss.li Wed Mar 13 06:08:01 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 13 Mar 1996 22:08:01 +0800 Subject: How's that again? In-Reply-To: Message-ID: On Tue, 12 Mar 1996, jim bell wrote: > some people around here think is just fine. You might note that the same > people who have been most critical of my stance on the Leahy bill are the > same ones who vigorously opposed AP, suggesting that their motives are > questionable and certainly a bit "predictable." Or that your tone and method of delivery combined with your knowledge of the subject matter at hand is consistantly lacking. > You will notice, I assume, that I have been and can be tactful to most > people; where exceptions exist, they are typically among anonymous posters > (such as this "Black Unicorn") who has now admitted he's an elitist legal > snob and doesn't want anybody who hasn't spent a few years in law ("mental > reform") school to pass judgment on the judges, no matter how outrageous > their actions become. I believe my concern was with your review of legislation and the impact of cases without any legal background. Revise your statement to: "doesn't want anyone who hasn't spent a few years in law school to pass judgement on pending legislation and the effect of supreme court decision thereon..." and you'd be right on the money. And I confirm again that I'm an elitist legal snob. At least I know what I'm talking about. > Jim Bell > jimbell at pacifier.com --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From jimbell at pacifier.com Wed Mar 13 06:48:07 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 13 Mar 1996 22:48:07 +0800 Subject: [noise] Re: Do you feel lucky, punk? Message-ID: At 06:03 AM 3/12/96 -0500, Gary Howland wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >Black Unicorn write: >> On Mon, 11 Mar 1996, jim bell wrote: >> > Remember, one of the basic assumptions that any supporter of the Leahy bill >> > could be making is that it will be interpreted INTELLIGENTLY by courts. > >> Wrong. The assumption is that the rules of statuatory construction and a >> long history of weighing legislative history will be used in intrepreting >> the statute. > >Surely one of the basic assumptions of the supporter of any bill is that it >_will_ be interpreted intelligently? [Note - Jim is not saying this is the >_only_ assumption]. Exactly! >It's hard to make bills foolproof, since fools are so ingenious ... And hard-working, too! From matthew at itconsult.co.uk Wed Mar 13 13:48:22 1996 From: matthew at itconsult.co.uk (Matthew Richardson) Date: Thu, 14 Mar 1996 05:48:22 +0800 Subject: PGP reveals the key ID of the recipient of encrypted msg In-Reply-To: Message-ID: <3146910b.90015235@itconsult.co.uk> On Wed, 13 Mar 1996 00:28:48 -0500, "Robert A. Rosenberg" wrote: >There is also the problem of knowing WHICH key to use (ie: Even when you >know the message is intended for you, you must do a test run with each of >your keys until one works). I believe that provided all your keys are in your secret keyring, PGP will automatically pick the correct one for you. Best wishes, Matthew From ses at tipper.oit.unc.edu Wed Mar 13 13:52:55 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Thu, 14 Mar 1996 05:52:55 +0800 Subject: Remailer passphrases In-Reply-To: <199603121951.OAA02237@jekyll.piermont.com> Message-ID: On Tue, 12 Mar 1996, Perry E. Metzger wrote: > > Signed Diffie-Hellman key exchanges have the property known as > "Perfect Forward Secrecy". Even if the opponent gets your public keys Just to clarify Perry's statement- Diffie-Helman key exchanges can provide Perfect forward secrecy if fresh parameters are used each time- protocols like the old version of SKIP, which do not use fresh paramaters each time, do not provide perfect forward secrecy. Simon --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From perry at piermont.com Wed Mar 13 13:52:58 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 14 Mar 1996 05:52:58 +0800 Subject: ADL_mil (militias and the USAF) In-Reply-To: <199603122050.VAA21740@utopia.hacktic.nl> Message-ID: <199603122142.QAA18797@jekyll.piermont.com> Thank you, but this has nothing to do with Cypherpunks, and it isn't appreciated. Had you been polite enough to include a return address I would have replied privately, but unfortunately there is no way to do that. Anonymous writes: > > ADL Report > "The Anti-Defamation League has committed defamation. From cmca at alpha.c2.org Wed Mar 13 13:53:56 1996 From: cmca at alpha.c2.org (Chris McAuliffe) Date: Thu, 14 Mar 1996 05:53:56 +0800 Subject: Remailer passphrases In-Reply-To: <199603121951.OAA02237@jekyll.piermont.com> Message-ID: <199603122332.PAA04146@eternity.c2.org> -----BEGIN PGP SIGNED MESSAGE----- [To: perry at piermont.com] [cc: cypherpunks at toad.com] [Subject: Re: Remailer passphrases ] [In-reply-to: Your message of Tue, 12 Mar 96 14:51:47 EST.] <199603121951.OAA02237 at jekyll.piermont.com> "Perry E. Metzger" enscribed: >Bill Frantz writes: >> One of the reasons classical (government) crypto users change keys >> frequently is to minimize the amount of data compromised by a broken key. >> We keep hearing about NSA decrypting 20 year old cyphertext and showing >> more of the workings of the atomic spy rings operating in the 40s and 50s. >> If an opponent can rubber hose the key, her job is easy. If she has to >> perform cryptoanalysis, it is much harder. Remailers should regularly >> change their keys to avoid compromising previously recorded traffic. (They >> can have a long lived key for signing their traffic keys.) >Signed Diffie-Hellman key exchanges have the property known as >"Perfect Forward Secrecy". Even if the opponent gets your public keys >it still will not decrypt any traffic for him at all -- it just lets >him pretend to be you. Thats one reason why protocols like Photuris >and Oakley use the technique. True, but when the problem at hand is sending mail to a remailer, the technique is of little or no value, since there is no initial exchange, right? So this is a misleading argument. At least it is related to cryptography and The Cypherpunk Agenda(tm)! Chris McAuliffe (No, not that one.) -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMUX9UIHskC9sh/+lAQGItwP+IfITBi+LUAcV9O1w6071zvmNaDQNC5nG OVe34+h5kKDyBnb2bLuVX5zEtuS56tiE0mgEaD5nevoRLijW1qqCRAsxi9/pfKcp tjWzU1qbUptkJn8LBZPzFXGsXuHh6cF/W1Zk1q+81KURRkH0glYI2u0HY740YF7J dxidEBZRQKc= =8F6m -----END PGP SIGNATURE----- From sandfort at crl.com Wed Mar 13 13:54:06 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Thu, 14 Mar 1996 05:54:06 +0800 Subject: How's that again? Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jim and interested C'punks, In response to a Jim Bell post I wrote: > >Hey, Jim, don't forget me. You are the only person I have ever > >specifically UNinvited to one of my parties in over a decade of > >hosting same. I guess that makes you special. To which Jim replied: > You're confused. You're describe YOUR reaction to ME, not MY reaction to > YOU. And I am unaware of being invited to a "party," and now that I've > discovered what a sleazy person Alan Olsen and his merry band are, it is > really doubtful that I would have enjoyed what was advertised as a > cypherpunks meeting, but which you now claim was a "party." Your level of > "honesty" is showing. A) It is you who is confused (see below) B) I'm not Alan Olsen (nor a member of his merry band, so I have no idea what you are talking about. C) There was a Cypherpunk meeting followed by a party. The pictures are on the Web. D) It is your level of honesty that is showing. As can be seen from the two messages (below) I sent you at the time. They quote you in pertinent part. >From sandfort at crl10.crl.comTue Mar 12 19:04:00 1996 Date: Sat, 20 Jan 1996 22:59:47 -0800 (PST) From: Sandy Sandfort To: jim bell Subject: Re: PARTY-PARTY-PARTY ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jim, You wrote: > Putting the nearest city in the note would have been helpful. Did you try looking at the actual invitation? S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >From sandfort at crl12.crl.comTue Mar 12 19:04:17 1996 Date: Sun, 21 Jan 1996 08:24:26 -0800 (PST) From: Sandy Sandfort To: jim bell Subject: Re: PARTY-PARTY-PARTY ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jim, You moaned: > I didn't feel inclined to waste 2-3 minutes of my time cranking > up Netscape, and looking at a homepage or whereever the actual > information was. > > I consider such behavior exceedingly rude. I feel your pain. Invitation withdrawn; problem solved. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ NOW do you remember? S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From tcmay at got.net Wed Mar 13 14:50:55 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 14 Mar 1996 06:50:55 +0800 Subject: Beat Remote Monitor Snooping? Message-ID: At 12:31 AM 3/13/96, JonWienke at aol.com wrote: >I know that monitors emit RF signals that can be detected and decoded for a >considerable distance. I have a question about this. Obviously, the >difference between black and white (white text on black background, or vice >versa) would be the most detectable, because the difference in signal levels >would be the greatest. Would it be possible to reduce or prevent this kind >of snooping by using color schemes that all use the same signal levels? For >example, the color purple uses the red and blue color guns, and yellow uses >the red and green color guns. Would purple text on a yellow background be >able to be read by a remote snooper? If not, then perhaps these color >schemes could be used to echo pass phrases--assuming the user isn't worried >about someone looking over their shoulder. Any comments? I encourage you or anyone else to do experiments on RF emissions (so-called van Eck radiation). I'm not being catty. If I had my old lab at Intel I'd surely answer this question for myself by doing some experiments. (As it is, it may be possible to do some reasonable experiments just with t.v.s tuned to pick up the emissions, radios tuned in, etc.). Some of you out there may actually have hands-on expertise, as opposed to first principles academic views. If so, you aren't speaking up. So, a good opportunity for one of you to become an actual expert in van Eck emissions, and the real or imagined risks of keyboard/CRT snooping from afar. (Personally, I'm not too worried. Easier ways to crack my security. Echoing a passphrase on a CRT is not really needed, and I'm not sure reasonably-available van Eck monitoring equipment can pick up keyboard-only signals. Again, some experiments would be useful.) If this actually is a real threat (and bear in mind there's a limit to how many vans can be positioned...), then of course some fixes are possible: use LCDs (where the RF emissions are orders of magnitude lower), use visual-metaphor passphrase selection (e.g., where one clicks on letters displayed on a color raster...unlikely that a monitor van can distinguish the region selected unless it can monitor the mouse signals), and so on. For the academic/theoretical point of view, Alta Vista shows a bunch of hits on "van Eck" (or "Van Eck"), including our own Cypherpunks archives. Also, some Usenet articles in sci.electronics, etc. But someone actually reporting to us what they've found with modern systems would be more interesting than rehashes of the old papers. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From JonWienke at aol.com Wed Mar 13 14:55:53 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Thu, 14 Mar 1996 06:55:53 +0800 Subject: Multiple spinners as sources of entropy? Message-ID: <960313131931_245051343@mail06.mail.aol.com> In a message dated 96-03-13 02:04:12 EST, you write: >Practically there may be less entropy from a couple of bits than from >several bits. I've done tests with keyboard sampling on DOS machines. >Especially when I've tried setting the system clock to a higher rate. >In one case the samples were 3/4 of the time even. > >It seems better to estimate the entropy based on how-often samples >occur (akin to arithmetic compression, only we're just counting bits) >and output hashed data. > >Of course, if the raw samples are predictable enough, that *is* a >problem. Depending on the source, how does one test if a method is >"truly" random? > >BTW, fast timing measurements from disk access seem to be pretty >good... Another thing to try is to take the low-order byte of 2 timer readings based on keystrokes (check the timer value when the key is pressed), flip one around (so bit 0 is exchanged with bit 7, bit 1 is exchanged with bit 6, etc.) and then XOR them together. This will minimize the skew of any individual bit. You could do this with sound card samples as well. Input noise into your sound card (seperate noise sources for the left and right channels) and take 16-bit samples. Take the low-order bytes of the left and right samples, flip one around, and XOR them together. Should be extremely random. For a cheap noise source, use 2 Walkmans, each tuned to a different FM station gap. Connect them to the line inputs of the sound card, and adjust the volume so they are almost, but not quite clipping. Whatever method is used, running the data through a good hash function breaks up any patterns even more. I am working on an RC4 mutation that allows random input and output to be processed continuously. It stores the S-box and the counters I and J in static variables that are preserved between calls, and uses a status parameter to determine whether to output a byte or input one. Email me if interested in details. Jonathan Wienke From jimbell at pacifier.com Wed Mar 13 15:17:03 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 14 Mar 1996 07:17:03 +0800 Subject: Why escrow? (was Re: How would Leahy bill affect crypto over HAM Message-ID: At 01:39 AM 3/13/96 +0000, Deranged Mutant wrote: >They may use secret sharing or splitting methods and handle parts by >different organizations within themselves and hand other parts to an >outside agent. Sometimes this makes sense when there are political >rivalries within an organization. They want the ability to get into >Dilbert's files if he drops dead, but they want an objective party to >hold part of the key so his rivals don't try to steal his files. Notice, however, how the government seems to be assuming that "key escrow" (to the extent that it is implemented at all!) gets implemented in a way which is "friendly" to government agents. They assume that there is one key that is available at one location, one that is well-marked and identified, unencrypted, and is available for pickup 24 hours per day assuming they present the proper credentials or court order. Even the most limited planning could easily develop a system that achieves all the benefits of escrow for the user, but is essentially impossible for government agents (or for that matter, anyone else!) to use to the detriment of the user. From unicorn at schloss.li Wed Mar 13 15:54:59 1996 From: unicorn at schloss.li (Black Unicorn) Date: Thu, 14 Mar 1996 07:54:59 +0800 Subject: Leahy bill nightmare scenario? In-Reply-To: Message-ID: On Tue, 12 Mar 1996, jim bell wrote: > At 09:09 PM 3/11/96 -0800, Timothy C. May wrote: > > >Yes, I read Junger's analysis. A nice analysis. What does this have to do > >with the points I was making? I'm a government stooge, to use your terms, > >because of my points about hotel rooms? > > Fortunately for me, Tim, and unfortunately for you, a friend of mine visited > me last night, an ex-cop who is now a cabbie (he left the force due to an > accident, slipping on glare ice chasing a "perp", which caused an inoperable > back injury). Being a cabbie (in the same town he was a cop), and very > familiar with the "drug" and "prostitute" sections of town, I asked him > whether or not he was aware of a hotel or motel ever being siezed by the > govt. for "tolerating" drugs and/or prostitution. > > His reply was that as we speak, he knows exactly where a motel has been > closed, locked up, and BARRICADED with _city_ signs and POLICE TAPE (you > know the kind, "Police line: Do not cross."). We're not talking of a > bankrupty, or a voluntary shutdown, either. His understanding was that this > was on the news a while back. Would you like the name and address? I > didn't ask him for it, but I'm sure he'll be driving by it again > within the next week or so. This is getting out of hand. There's a distinct difference between tolerating prostitution and actively supporting it. Your example lacks facts (as usual) which I'm sure you will fill in at your next opportunity with a load of dung you pull out of the air. In the event a hotel knowingly supported prostitution, charged by the hour only to prostitutes, paid off police to avoid their notice, was owned by those connected with the illegal enterprise of prostitution and otherwise supported an ongoing criminal enterprise actively and directly, of course it will be seized. This, as far as I can tell, has almost nothing to do with Mr. May's example which proffered a passive role, a tacid understanding and looking the other way by the hotel management. A judge who upheld such a seziure would be asked, probably less politely than my last example, to leave the bench. That a hotel is being seized, absent any showing of reason or circumstance, has so little to do with this point as to be amusing. I cannot say, however, that I am surprised. If there is enough interest, outside of you Mr. Bell, I will post a summary of asset forfeiture requirements under RICO and common law to the list. Mr. Bell, your chronic out of context examples, stuffing of words into other peoples mouths (or posts), ignorance, and flatulant expositions have easily qualified you, in my book, as the most annoying and useless poster on the list. > I accept your anticipated apology, Tim. I have a feeling, not to speak for Mr. May, that you have a long wait. > Jim Bell > jimbell at pacifier.com --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From WlkngOwl at UNiX.asb.com Thu Mar 14 05:21:40 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Thu, 14 Mar 1996 08:21:40 -0500 Subject: Why escrow? (was Re: How would Leahy bill affect crypto Message-ID: <199603141305.IAA07488@UNiX.asb.com> On 13 Mar 96 at 15:27, jim bell wrote: [..] > That's why I'm more than a little > disturbed about the one really bad portion of the Leahy bill: The one that > makes using encryption to thwart an investigation a crime...... Same here. If crypto becomes commonplace in everything, one may not have a choice if one is in the midst of a crime. And what if the "crime" is planning a demonstration that say, interferes with some government activity? You don't want the COINTELPRO busybodies to know what you're planning, but when you're arrested it's another charge they can throw in. [..] > If I were trying to detect government investigation in such a situation, I > would buy a crypto phone, open an "escrow account" on a totally voluntary > basis, give them a phony key, and then (as part of the (presumably?) [..] Would it be legal to deceive an escrow agent? Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From markm at voicenet.com Wed Mar 13 16:23:44 1996 From: markm at voicenet.com (Mark M.) Date: Thu, 14 Mar 1996 08:23:44 +0800 Subject: anonymous web pages (Was: SurfWatch) In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Tue, 12 Mar 1996, Bruce Zambini wrote: > On Sun, 10 Mar 1996, Mark M. wrote: > > > On Sat, 9 Mar 1996, Dan Cross wrote: > > > > > This is an interesting idea, though I think a really really insecure one. > > > What's keeping someone from posting ``trojan web pages'' and then waiting > > > for the pages to be soaked up by servers? Something that says ``click > > > to see the /etc/passwd file for this site!'' which runs some funky > > > CGI thing to cat /etc/passwd or, ``Enter your credit card number to buy > > > super wiz-bang gadget!'' or the like is a really scary, but very real, > > > possibility if great care is not taken in setting this kind of thing up. > > > News servers, on the other hand, don't suffer from this problem because > > > the data which they contain is much more passive in nature (at least, while > > > in the spool..) than HTML. > > > > The obvious fix would just be to disallow the use of CGI scripts in anonymous > > web pages. In order for a file to be designated a CGI script, the must > > be explicitly specified as such in the httpd configuration. The web is > > every bit as passive as Usenet. The only difference is you can't make a > > program that will execute on the NNTP server everytime it is retrieved (which > > would be the Usenet equivalent of CGI). > > Doesn't solve the problem completely, or even the individual example > given above. > > >From your public html directory, try 'ln -s /etc/passwd passwords.txt'. > > Then add a link to your homepage.... In order to add a symbolic link on a file system, you have to have shell access to that system. The whole point of this anonymous web pages thread is that web pages could be distributed among different servers which could store the pages on the filesystem and make access available through the web. An attacker could not put a link to the password file simply through anonymous web pages. Besides, password file should be shadowed anyway, and httpd should never be run as root. - --Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMUXe8bZc+sv5siulAQHu8gP9FAy5ylQULMIUxRWB36Ab/33CdpTexa+5 cv0ezgxAkD06Ui6Epfn4Vj1qmNl9YFs4klHUmGT3dloxiJE7/jHmgLzvb/ka7NUT 5IxXBIsHbD+UOrUkn4g4iHjjAS6PJpMEElvtpN2EAZP8lTyjrTmo+D/8lLEvbL+D 5df/zqRYd6E= =JekR -----END PGP SIGNATURE----- From perry at piermont.com Thu Mar 14 05:46:57 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 14 Mar 1996 08:46:57 -0500 Subject: Remailer passphrases In-Reply-To: <199603130737.XAA22807@ix15.ix.netcom.com> Message-ID: <199603131656.LAA00295@jekyll.piermont.com> Bill Stewart writes: > perry at piermont.com replied > >Signed Diffie-Hellman key exchanges have the property known as > >"Perfect Forward Secrecy". Even if the opponent gets your public keys > >it still will not decrypt any traffic for him at all -- it just lets > >him pretend to be you. Thats one reason why protocols like Photuris > >and Oakley use the technique. > > DH key exchange is really only Exponentially Good Forward Secrecy, > and in its primary use (exchanging keys for symmetric-key algorithms) > the system is at best Good Enough Forward Secrecy. No, signed D-H like STS is in fact perfect forward secrecy in the sense that breaking the RSA keys gives you no information about the session keys, and breaking one of the D-H exchanges does not (in theory) give you any information about any of the others. Perry From warlord at MIT.EDU Thu Mar 14 05:48:30 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Thu, 14 Mar 1996 08:48:30 -0500 Subject: PGP reveals the key ID of the recipient of encrypted msg In-Reply-To: <3146910b.90015235@itconsult.co.uk> Message-ID: <199603131602.LAA29467@toxicwaste.media.mit.edu> > I believe that provided all your keys are in your secret keyring, PGP > will automatically pick the correct one for you. Unfortunately, PGP 2.6.2 will do this only if the PGP message has proper keyIDs. It finds the proper key by matching the keyID in the PGP message to the keyIDs in the secret keyring. If you remove the keyIDs from the message (as stealth does), PGP 2.6.2 cannot find the secret key to use. One fix would be to have PGP (say, PGP3 ;) try all the keys on your secret keyring if the keyID in the message is 0. In other words, you can pseudo-stealth a message by leaving off the keyID and PGP3 would attempt all the secret keys. If one worked, you'd be able to read it. This doesn't solve the whole problem of stealth; you still know that what you have is a PGP message, and even that it is an encrypted message, but you do not know to whom it has been encrypted. The nice thing about this approach is that this works for multiple recipients, too! NOTE: while the PGP3 API should be able to handle this case, I do not know if support for this feature will be implemented in PGP 3.0 -derek From junger at pdj2-ra.F-REMOTE.CWRU.Edu Thu Mar 14 05:50:12 1996 From: junger at pdj2-ra.F-REMOTE.CWRU.Edu (Peter D. Junger) Date: Thu, 14 Mar 1996 08:50:12 -0500 Subject: Crypto Exposure In-Reply-To: <199603130737.XAA22803@ix15.ix.netcom.com> Message-ID: Bill Stewart writes: : >- What if the foreigner actually write crypto code while in : >the US? Does he (or the Uni/ISP) violate export restrictions each : >time he access the source code or execute his program if they are : >stored on a public (Uni/ISP) machine? : : The foreigner isn't a US person, so he doesn't violate the : law by reading the code himself. If the Uni or ISP knows : that it's providing encryption software to the foreigner, : it may be liable, but without scienter it's tough to have guilt. : Probably the foreigner should not keep encryption software on : University or ISP machines - floppy disks should do just fine :-) If the foreigner doesn't have a green card he is a foreign person and allowing himself to read his own code would be disclosing that code to a foreign person and that is a felony unless he first gets a license which he can't get because he is a foreign person or a favorable commodity jurisdiction determination which he can't get without first reading his code and sending a copy of it to the Office of Defense Trade Controls. -- Peter D. Junger--Case Western Reserve University Law School--Cleveland, OH Internet: junger at pdj2-ra.f-remote.cwru.edu junger at samsara.law.cwru.edu From dch at uriacc.uri.edu Thu Mar 14 05:52:24 1996 From: dch at uriacc.uri.edu (D. C. Hilliard) Date: Thu, 14 Mar 1996 08:52:24 -0500 Subject: LACC: PC Phones Home? Message-ID: Listers, I came across a blurb in the local paper today and was interested if someone here could provide some substance to the story: "Software to the rescue: If somoeone steals your PC, you may be able to get it back because of software that acts as a kind of tracking device. Home Office Computing magazine reports that the software CompuTrace TRS will automatically dial the office of its creator, Absolute Software, if a thief hooks up a stolen PC's modem to a phone line. The software reveals the location of the PC and Absolute Software will call the police" - Providence Journal-Bulletin - March 12, 1996. Any Comments? Regards, Dennis C. Hilliard, M.S. Director/Assistant Professor Rhode Island State Crime Laboratory 220 Fogarty Hall - URI 41 Lower College Road Kingston, RI 02881-0809 Voice: 401-792-2893; Fax: 401-792-2181 ******************************** From tcmay at got.net Thu Mar 14 05:52:41 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 14 Mar 1996 08:52:41 -0500 Subject: The Leahy Bill is Rancid Sausage Message-ID: It is said that, as with sausage, one should never watch law being made. Well, the Leahy bill is rancid sausage. At 4:07 PM 3/13/96, jamesd at echeque.com wrote: >Looking for "good guys" in Washington is like Ronald Reagan looking >for "moderates" in Iran. On crypto, and on taxes, our interests >and their their interests are completely opposed. We should not >care about, or take any interest in, the slight difference between >the "moderate" and extremist members of the Senate and the House >of Representatives. > > >The best bill we can ever hope to get out of Washington is no >bill at all. I think this is true. The Leahy bill is so filled with caveats, qualifications, and references to "legitimate needs of law enforcement" that it appears to be _WORSE_ than what we now have, where there are currently few if any laws about domestic encryption. This is not a "Congress shall make no law" sort of bill. This does not in clear and unambiguous language say there shall be no restrictions on cryptography. Rather, it is more of a "We think crypto is pretty important, especially for our friends in business, provided it is not used by bad people, is not used to repress marginalized people of color, is not used to evade the taxes we covet so much in Washington, and provided that law enforcement's legitimate needs are satisfied" sort of bill. And it is likely to get even worse as the Administration starts whacking at it. (I'm exaggerating a bit, but the more I see of the Leahy bill and of the analyses done of it, the more concerned I get.) The last time the EFF pushed for repressive legislation--the Digital Telephony Act (aka The Wiretap Act)--it nearly finished them off (*). This time, the support of the EFF may truly finish them off. And the same may happen to the other lobbying groups if they support the Leahy bill. (* In the aftermath of Digital Telephony, it was explained by various EFF spokeswonks that EFF had little choice but to support DT, and that it had emerged stronger and more influential than ever. Right. Sure. Whatever. Shortly thereafter, various staff shakeups and departures occurred, the EFF pulled up stakes and moved to San Francisco, and is now but a shadow of its former self. Sorry if my views offend EFF founders, but I call 'em as I see 'em.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jimbell at pacifier.com Wed Mar 13 17:21:54 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 14 Mar 1996 09:21:54 +0800 Subject: How's that again? Message-ID: At 11:37 PM 3/12/96 -0800, Bill Stewart wrote: >At 05:40 PM 3/12/96 -0500, Black Unicorn wrote: >>Revise your statement to: >>"doesn't want anyone who hasn't spent a few years in law school to pass >>judgement on pending legislation and the effect of supreme court decision >>thereon..." >>and you'd be right on the money. > >I'm not a lawyer, though I've played a politician on TV. I'll grant you >that lawyers and other trained legal professionals can do a far better >job of finding and analyzing cases than amateurs like myself, though I suspect >a month or two's experience with Lexis would be enough to let many >of "the rest of us" outsearch the average lawyer of 50 years ago >who had to rely on his or her wits alone. But if the average intellegent >person _can't_ evaluate a law and have a reasonable chance of figuring >out what it says and what it means, there's something seriously wrong >with the way new laws are written, as well as enforced. Well said. If more people lambasted this "Black Unicorn" fellow for his legal-elitist ways, he'd actually be forced to either shut up or use reasoned argument to support his odd position. Laws, as I understand it, used to be written so that ordinary people could understand them. That's the way it ought to be today, but isn't, precisely because the elitists have had their way for so long. There used to be a saying, "Ignorance of the law is no excuse." The presumption was that you had a responsibility to know what the law said, and that most people could understand what it said, and if you didn't take the time to know it you were guilty despite this. Today, that saying is laughably out of date: When people like "Black Unicorn" claim that ordinary people haven't the skills to evaluate any law or proposed law, it is obvious that he and his ilk is a major portion of the problem. >(I suppose I've complained enough that there _is_ something >seriously wrong them that I'm not adding any new weight here; >if the author of a portion of a law can get up on the Senate floor >and say that he realizes that part of the law he's proposed is >unconstitutional and unenforceable, and that this doesn't bother him*, >I guess it's no surprise that one of the more-or-less "good guys" >in the Senate can propose a law so ambiguously worded that it >looks good on the face until a good lawyer takes the time to rip >it apart - maybe Leahy will read some of Junger's review?) The system is sick, perhaps irretrievably so. Dr. Strangelove (in the movie of the same name) stated that "deterrence is the art of making the enemy FEAR to attack." I think the main problem (and the most direct solution) to the "politician-problem" in this country is to make government agents FEAR to do the wrong thing. >> And I confirm again that I'm an elitist legal snob. >> At least I know what I'm talking about. > >[* Is it true that the reason Election Day is on the _second_ >Tuesday of November is to guarantee it never falls on Guy Fawkes' Day?] It's going to take a lot more than gunpowder to solve this problem. Although that would be a good start... Jim Bell jimbell at pacifier.com From nobody at REPLAY.COM Thu Mar 14 06:23:00 1996 From: nobody at REPLAY.COM (Anonymous) Date: Thu, 14 Mar 1996 09:23:00 -0500 Subject: How's that again? Message-ID: <199603141404.PAA14993@utopia.hacktic.nl> adam at lighthouse.homeport.org writes: | I disagree with your thoughts, and find you annoying and | unwilling to answer substantitive questions raised about your plans. | Furthermore, most of your posts are way too long. Your posts more annoying, and too short. From jpp at software.net Wed Mar 13 17:30:21 1996 From: jpp at software.net (John Pettitt) Date: Thu, 14 Mar 1996 09:30:21 +0800 Subject: PGP reveals the key ID of the recipient of encrypted msg Message-ID: <2.2.32.19960313172644.012b0ff4@mail.software.net> At 12:28 AM 3/13/96 -0500, Robert A. Rosenberg wrote: > So long as you have your corespondent's published Public >Key, you can use it to do a one-time transmission of a private Public Key >to be used to do anonymous (ie: Not Linked to your Public Identity) >transmissions to you. > > > Yes but even a non pub keyid leaks information usefull for traffic analysis. John Pettitt, jpp at software.net VP Engineering, CyberSource Corporation, 415 473 3065 "Technology is a way of organizing the universe so that man doesn't have to experience it." - Max Frisch PGP Key available at: http://www-swiss.ai.mit.edu/htbin/pks-extract-key.pl?op=get&search=0xB7AA3705 From hfinney at shell.portal.com Wed Mar 13 17:56:50 1996 From: hfinney at shell.portal.com (Hal) Date: Thu, 14 Mar 1996 09:56:50 +0800 Subject: A lengthy preliminary analysis of the Leahy bill. Message-ID: <199603131739.JAA01998@jobe.shell.portal.com> From: "Peter D. Junger" > From the point of view of one who is concerned with first amendment > rights rather than selling cryptographic software as a commodity, the > really unfortunate part is that this provision authorizes export > contols on ``software''. Now the Leahy bill does not define software, > but there is a definition of lying around in the International Traffic > in Arms Regulations (``ITAR'') that I fear Commerce might adopt---it > may even be the language that the draftsmen of the Leahy bill had in > mind. And this definition of ``software'' includes a great deal of > material that cannot constitutionally be controlled. Here is that > definition from the ITAR \S 121,8(f): ``Software includes but is not > limited to the system functional design, logic flow, algorithms, > application programs, operating systems and support software for > design, implementation, test, operation, diagnosis and repair.'' > [...] > Even if that definition is adopted, the fact remains that software is > still nothing but information, and that it is the communication of > information that is protectected by the first amendment to the United > States constitution. (If you aren't convinced that software is > protected by the first amendment, notice that software is > copyrightable as a ``literary work''.) Note that the paradigmatic > violation of the first amendment is a scheme under which the > government requires publishers to obtain a license before publishing. Are you familiar with the Posey case? That decision by the 9th district court (which oversees export cases) explicitly rejected the contention that restrictions on export of written materials violate the First Amendment. Although I am not a lawyer, I wrote some notes on this case at: . Below is an excerpt from that court decision in which they make it quite clear that the First Amendment doesn't apply. In this case, the item being exported was a technical manual obtained from the US government itself under the Freedom of Information Act. Surely this is even closer to what the framers of the constitution had in mind when they conceived of the First Amendment, yet the constitutionality of restrictions on its export has been upheld. So you should be aware that the status quo is that the restrictions you fear being legitimized by the Leahy bill are already in place. Here is part of the Posey decision [864 F2d 1487] (the AECA is the Arms Export Control Act, which is what currently forbids the export of encryption devices, and the CAAA is the Comprehensive Anti-Apartheid Act, which applied specifically to South Africa, where the materials in this case were sent): VII. FIRST AMENDMENT Appellant's final argument is that the First Amendment bars the government from restricting the export of information that is already available to the public. He insists that the data he sent abroad was available under the Freedom of Information Act, and therefore could be legally obtained by virtually everyone in the world. He contends that the First Amendment prohibits the application of the AECA and CAAA to the export of such publicly available information. Our Court has already considered and rejected this argument. In United States v. Edler Industries, 579 F2d 516 (9th Cir. 1978), we rejected an essentially identical challenge to the predecessor of the AECA. The defendant was convicted of exporting certain manufacturing designs that were on the Munitions List but were not classified. He challenged his conviction on First Amendment grounds, arguing that the government could not constitutionally prohibit the export of techno- logical data that was widely distributed within the United States. In rejecting that claim, we explained that even assuming that the First Amendment offers some protection to the dissemination of technical data, the government has a strong interest in regulating the export of military information: The federal government undeniably possesses the power to regulate the international arms traffic.... As a necessary incident to the power to control arms export, the President is empowered to control the flow of information concerning the production and use of arms. The authority to regulate arms traffic would be of negligible practical value if it encompassed only the exportation of particular military equipment but not the exportation of blueprints specifying the construction of the very same equipment. 579 F2d at 520. We accordingly concluded that the government could permissibly restrict the flow abroad of data included in the Munitions List. 579 F2d at 521. Finally, we held that the government's power to issue such restrictions was not affected by the domestic availability of the regulated data: Given the unquestionable legitimacy of the national interest in restricting the dissemination of military information, the claim of public availability in the United States is not a defense recognized by the Constitution. 579 F2d at 522. Appellant attempts to distinguish Edler from the present case by pointing out that the exported data in Edler was "cutting edge" technology and was not widely used in this country. [Citation]. Whether or not this was factually true of the technology at issue in Edler, however, the Edler decision clearly assumed for purposes of its decision that the material was extensively available in the United States. See 579 F2d at 518, 522. Moreover, we believe Edler should not be read as permitting the govern- ment to restrict the export of only that information which is not widely available domestically. Under appellant's reading of Edler, if the government wished to prevent technical data from being sent to foreign powers, it would be required to suppress the information alto- gether, at home as well as abroad. This outcome would blur the fact that national security concerns may be more sharply implicated by the export abroad of military data than by the domestic disclosure of such data. Technical data that is relatively harmless and even socially val- uable when available domestically may, when sent abroad, pose unique threats to national security. It would hardly serve First Amendment values to compel the government to purge the public libraries of every scrap of data whose export abroad it deemed for security reasons necessary to prohibit. We conclude that appellant's conviction does not violate the First Amendment. From cp at proust.suba.com Wed Mar 13 18:28:50 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Thu, 14 Mar 1996 10:28:50 +0800 Subject: Remailer passphrases In-Reply-To: <199603122030.PAA05252@jekyll.piermont.com> Message-ID: <199603131713.LAA00824@proust.suba.com> If we ignore the obvious problem (ie., no one is going to put much effort or expense into running a free remailer), wouldn't splitting the remailer across two machines help fix the security problem? Suppose one unix box accepts the mail and puts it a queue directory. Then a second box periodically grabs files from the first box's queue with ssh (the second box initiates the connection), processes them, and then passes them out to the smtp server on the first box. The second box doesn't accept incoming connections on any port except for the ssh port so there are no sendmails or httpds to hack. The remailer files could be running on a cfs drive (with nfs/cfs only accepting connects from localhost), and you could disable getty so that it would be hard to physically grab the machine and read the contents of the disk. If you had enough ram you wouldn't need a swap file, so there'd be nothing there for someone who grabbed the machine. If you set the machine up while it's plugged into a small lan that's not connected to the net no one could come in and hide something before you had secured everything. You'd also have to try to make as sure as is humanly possible that there is no way an attacker can construct a trojan remailer packet that would do something unpleasant. Finally, don't tell anyone what you're doing or how you're doing it, and don't post about it to cypherpunks. It may be unwise to depend on obscurity for security, but as an extra layer it can't hurt and it might cause a physcial attacker to come unprepared to hack the machine without powering it down and rebooting. I know an attacker could interrupt service, and I'd guess that a skillful attacker could probably find a way to grab the cfs and remailer passphrases if he could grab the machine and the control the site physically (to work on it while it's running) for awhile, but how would an attacker come in over the net and hack the remailer box? What have I overlooked? From jamesd at echeque.com Wed Mar 13 18:43:49 1996 From: jamesd at echeque.com (James A. Donald) Date: Thu, 14 Mar 1996 10:43:49 +0800 Subject: Leahy bill, legalize crypto In-Reply-To: Message-ID: <199603131524.HAA22538@dns2.noc.best.net> schlafly at bbs.cruzio.com sez: > > It would be nice if the bill put in some user protections, such as > > requiring notification of the user if the escrow agent divulges his > > key, but it does not. > ^^^^^^^^^^^ eck at panix.com (Mark Eckenwiler) wrote: >False. See, for instance, proposed section 2802(c)(3)(C). What copy of the Bill are you reading, Mark? My copy says that escrowed keys must be given to the government secretly on demand, NO WARRANT NEEDED, and the fact that they were given MUST BE KEPT SECRET. This bill is a small but significant step towards the police state. If the bill becomes law, no one in their right mind will "voluntarily" escrow their keys, and then we shall see steadily increasing compulsion to "voluntarily" escrow keys, like the "voluntary" self assessment of income tax. Section 2802(c) > "(c) REQUIREMENTS FOR RELEASE OF DECRYPTION KEY TO > INVESTIGATIVE; OR LAW ENFORCEMENT OFFICER.- > > "(1) CONTENTS OF WIRE AND ELECTRONIC COMMUNICATIONS.- > A key holder is authorized to release a decryption key > or provide decryption assistance to an investigative or > law enforcement officer authorized by law to conduct > electronic surveillance under chapter 119, only if- > [...] or "(ii) a certification in writing by a person > specified in section 2518(7) [...] stating that- "(I) > no warrant or court order is required by law; > [...] > "(4) NONDISCLOSURE OF RELEASE.-No key holder, officer, employee, or > agent thereof shall disclose the key release or provision of > decryption assistance pursuant to subsection (b), except as may > otherwise be required by legal process and then only after > prior notification to the Attorney General or to the principal > prosecuting attorney of a State or any political subdivision of > a State, as may be appropriate. Section 2802(c)(3)(C) is worthless piety. Every time I come back to this bill it looks more and more repressive. Section 2802(c)(3)(C) reads: > "(C) The inventory required to be served pursuant to section > 2518(8)(d) on persons named in the order or the application under > section 2518(7)(b), and such other parties to intercepted > communications as the judge may determine, in the interest of > justice, shall, in the event that encrypted wire or electronic > communications were intercepted, include notice of the fact that > during the period of the order or extensions thereof a key to, or > decryption assistance for, any encrypted wire or electronic > communications of the person or party intercepted was or was not > provided by a key holder. If you chase 2802(c)(3)(C) to its end, you will find that it means stuff all, like most of the other supposedly freedom protecting provisions in this act. Any crypto bill that we could realistically get out of Washington will substantially reduce liberty. The best that we can hope for is for Washington to forget about crypto until it is too late to stop. --------------------------------------------------------------------- We have the right to defend ourselves and our property, because of the kind of animals that we are. True law derives from this right, not from the arbitrary power of the omnipotent state. http://www.jim.com/jamesd/ James A. Donald jamesd at echeque.com From panzer at dhp.com Wed Mar 13 18:51:46 1996 From: panzer at dhp.com (Matt 'Panzer Boy') Date: Thu, 14 Mar 1996 10:51:46 +0800 Subject: all.net In-Reply-To: <199603130606.WAA08192@hammerhead.com> Message-ID: <4i6ues$9rf@dhp.com> More ALL.NET spew, hit D now if you don't care. A user of system, or something triggered the initial email to our postmaster account here at DHP. I replied with a rewording of the message, as seen below. This resulted in Fred Cohen deciding that I was part a huge consipiracy to invade his computer system and decided that CERT needed to get in on the mailings. Based on the services available via ALL.NET's web page, I find this quite funny, so I replied to both CERT and his provider, PSI. Please be sure to check out the provided URL's available at ALL.NET. My included response to CERT and , including all previous email in quoted form. -Matt (panzer at dhp.com) DI-1-9026 "That which can never be enforced should not be prohibited." -----------------------------------------Cut Here or hit D Now------------- >From panzer at dhp.comWed Mar 13 11:50:26 1996 Date: Mon, 11 Mar 1996 02:35:24 -0500 (EST) From: Matt 'Panzer Boy' To: cert at cert.org, postmaster at psi.net Cc: postmaster at all.net, admin at dhp.com Subject: Re: Attempted-entry-in.telnetd-by-unknown at dhp.com (fwd) This administrator at all.net (I assume the whois information is true) is making unwarrented threats and accusations. These threats and warnings coming from a site that offers to do port scans on any host via a web interface is quite absurd. References: "http://all.net/tests/testsuite.html" For a description of what they do "http://all.net/tests/one-time-test.html" To actually try it out -Matt (panzer at dhp.com) DI-1-9026 ---------- Forwarded message ---------- Date: Sat, 9 Mar 1996 16:16:33 -0500 (EST) From: Fred Cohen To: cert at cert.org Cc: panzer at dhp.com Subject: Re: Attempted-entry-in.telnetd-by-unknown at dhp.com (fwd) The systems administrator at the following site is apparently a party to the attmpted entry to our site reported below. What is the procedure for contacting federal authorities to investigate attempted breakins to Federal Interest Computers? Forwarded message: > From admin at dhp.com Sat Mar 9 16:11:03 1996 > Date: Sat, 9 Mar 1996 16:11:57 -0500 (EST) > From: DHP Administrator > To: root > Subject: Re: Attempted-entry-in.telnetd-by-unknown at dhp.com > In-Reply-To: <9603090948.AA25300 at all.net> > Message-Id: > Mime-Version: 1.0 > Content-Type: TEXT/PLAIN; charset=US-ASCII > > On Sat, 9 Mar 1996, root wrote: > > A user at your site has just attempted to telnet into our site without > > proper authorization. We consider this inappropriate behavior and would > > like an explanation of this action as soon as possible. > > > > This message is generated automatically at the time of the attempted > > entry and is sent to our administrators and the postmaster at the > > machine making the attempt. We have included any information provided > > by your ident daemon (if in use) on the subject line of this message. > > We also do a reverse finger for future reference. > > > > Fred Cohen - fc at all.net - tel:US+216-686-0090 > > A user at your site has just attempted to finger into our site without > proper authorization. We consider this inappropriate behavior and would > like an explanation of this action as soon as possible. > > Please refrain from such a waste of bandwidth in the future. Setting > alarms off with a telnet is both stupid, and most likely to get people in > trouble for no proper reason. > > -Matt (panzer at dhp.com) > > > > > > -> See: Info-Sec Heaven at URL http://all.net/ Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236 -- -Matt (panzer at dhp.com) DI-1-9026 "That which can never be enforced should not be prohibited." From stewarts at ix.netcom.com Wed Mar 13 19:07:45 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 14 Mar 1996 11:07:45 +0800 Subject: How's that again? Message-ID: <199603130737.XAA22798@ix15.ix.netcom.com> At 05:40 PM 3/12/96 -0500, Black Unicorn wrote: >Revise your statement to: >"doesn't want anyone who hasn't spent a few years in law school to pass >judgement on pending legislation and the effect of supreme court decision >thereon..." >and you'd be right on the money. I'm not a lawyer, though I've played a politician on TV. I'll grant you that lawyers and other trained legal professionals can do a far better job of finding and analyzing cases than amateurs like myself, though I suspect a month or two's experience with Lexis would be enough to let many of "the rest of us" outsearch the average lawyer of 50 years ago who had to rely on his or her wits alone. But if the average intellegent person _can't_ evaluate a law and have a reasonable chance of figuring out what it says and what it means, there's something seriously wrong with the way new laws are written, as well as enforced. (I suppose I've complained enough that there _is_ something seriously wrong them that I'm not adding any new weight here; if the author of a portion of a law can get up on the Senate floor and say that he realizes that part of the law he's proposed is unconstitutional and unenforceable, and that this doesn't bother him*, I guess it's no surprise that one of the more-or-less "good guys" in the Senate can propose a law so ambiguously worded that it looks good on the face until a good lawyer takes the time to rip it apart - maybe Leahy will read some of Junger's review?) > And I confirm again that I'm an elitist legal snob. > At least I know what I'm talking about. [* Is it true that the reason Election Day is on the _second_ Tuesday of November is to guarantee it never falls on Guy Fawkes' Day?] #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From alan.pugh at internetmci.com Wed Mar 13 19:09:05 1996 From: alan.pugh at internetmci.com (amp) Date: Thu, 14 Mar 1996 11:09:05 +0800 Subject: WSJ on E-Notaries Message-ID: <01I29JRULOJM9KQLVS@MAIL-CLUSTER.PCY.MCI.NET> -- [ From: amp * EMC.Ver #2.3 ] -- THE WALL STREET JOURNAL. (c) 1996 Dow Jones & Company, Inc. ------------- TUESDAY, MARCH 12, 1996 Legal Beat: Will Notaries Still Reign Over Red Tape When Documents Move Electronically? By Margaret A. Jacobs Staff Reporter of The Wall Street Journal When Jack Gillis recently refinanced his home mortgage, he was dismayed by the number of documents that had to be signed by a notary public. "I never could figure out why I had to have half of them notarized," says Mr. Gillis, a Washington, D.C., public relations consultant. "Who are notaries anyway?" he asks. "What purpose do they serve?" To anyone who has endured the hassle of trying to find a notary in a hurry, such questions probably have a familiar ring. And these days they have an extra edge: The digital age notwithstanding, notaries toil on -- improbably -- in a sea of paper. Their quaint ledger books and embossed seals are meant to deter fraud, but are hardly a match for the unscrupulous. And amid accumulating evidence of sloppy practices, some government officials are suggesting that notaries may be obsolete. There is even a move afoot to push notaries into the 21st century: A committee of the American Bar Association has recommended creating a new legal subspecialty of "cybernotary." These attorneys would combine legal and computer expertise, and would verify the authenticity of electronic documents produced in global business transactions. Part of their job would be to assure that a document's "digital signature," or unique computer code, is genuine. Though use of digital signatures is limited today, most people familiar with the technology predict it will be commonplace within a few years. Charles Faerber of the National Association of Notaries in Canoga Park, Calif., stoutly defends notaries as effective bulwarks against fraud; without them, he adds, the courts would be awash in cases challenging the authenticity of documents. The notary's duties have changed little over the centuries. The first notaries were the scribes of ancient Rome who wrote official documents. Today, they exist all over the world, virtually wherever there is paperwork. In the U.S., some 4.5 million notaries are licensed by state governments to verify the identities of people who sign documents, such as realestate deeds and court affidavits. Lawyers make copious use of notaries. To cut red tape, Congress in recent years has dropped notarization requirements for some documents filed with the federal government, including trademark applications and certain court papers. Instead, signers can declare under penalty of perjury that their information is "true and correct." At least one federal judge has also expressed doubts about the need for notaries. "It may be questioned whether notarization is actually an improvement upon the mere signature," U.S. District Judge John F. Grady of Chicago wrote in a 1990 opinion concerning proper procedures for serving a lawsuit. To ensure that people who sign documents are who they say they are, notaries are supposed to ask for identification if they don't personally know the signer. Then they are required to sign the document themselves, affixing their stamp or seal. They typically charge a fee of $2 or less. But almost anyone over 18 who pays the $25 or $30 license fee is eligible to notarize documents. In some states notary seals are available by mail order, without any required proof -- or notarization, for that matter -- that the recipient is authorized to use it. The absence of oversight has led to lax practices, critics complain. Janice Shields, director of the corporate accountability project at the Center for the Study of Responsive Law in Washington, D.C., says that when she sold her car and had the bill of sale notarized, "the notary didn't have a clue who I was. I could have stolen the car, for all the notary knew." In a 1990 survey by New York's notary trade group, only one of 217 randomly selected notaries there properly dealt with a simple affidavit. More than 82% failed to check identification, for example. Four years ago, Florida officials threatened to do away with notaries entirely if slipshod practices persisted. It tightened up on rules that are often flouted, insisting that documents be signed in a notary's presence, for example. The crackdown arose after notaries had failed to detect a rash of fraudulent boat sales, among other complaints. Earlier this year, California began requiring notaries to take signers' thumbprints before notarizing real estate deeds. Besides trying to prevent fraud, the state acted to impress upon low-income and elderly people the significance of signing away their homes, says Mr. Faerber of the national notary association. Mr. Faerber, whose 125,000-member group advocates entrance tests and training to professionalize the field, says notaries can prevent the ailing elderly from being coerced into changing their wills or making large gifts. "Nursing homes and hospitals are notary battlegrounds," he says. "They're where lots of wrongdoing is attempted." Yet for people in need of a notary, simply tracking one down in a hurry can be a challenge. Few notaries advertise; usually they perform their service as a sideline to another full-time job. Dan Holly, who works on Capitol Hill, recalls searching in vain for a notary several years ago while he was working as a newspaper reporter. He later found out that the managing editor's secretary was a notary. "I would never have known," he says. Even some notaries find notarization a nuisance. In New York, where notaries must renew their licenses every two years, real-estate broker Jane Tjian has found herself in need of notarization just as her own notary license had expired. "You count on another broker-notary being around and they're not," she says. "Then you have to scramble to find someone or run to the bank" to track one down. But Mr. Faerber of the national association says it's too soon to write his profession's obituary. If notaries were eliminated, he says, "the courts would be flooded with challenges that signatures were coerced or forged." He adds: "It may seem minor, but looking someone in the eye does impress upon people the importance of telling the truth." * * END OF DOCUMENT * * From jamesd at echeque.com Wed Mar 13 19:32:22 1996 From: jamesd at echeque.com (James A. Donald) Date: Thu, 14 Mar 1996 11:32:22 +0800 Subject: Leahy bill, legalize crypto In-Reply-To: Message-ID: <199603131442.GAA29487@dns1.noc.best.net> schlafly at bbs.cruzio.com wrote: > Obstruction of justice is already a crime. Why add penalties for > using encryption? Intimidate crypto users? Discourage use of > encryption? Give the feds jurisdiction over crypto matters? There are several different interpretations of the most controversial sections of the bill, it is vague and ambiguous. The only interpretation that I have seen that gives effect to the stated purposes of the bill is that if a cop is investigating a felony, he can demand your secret key, and if you refuse to give it to him, you get five years for obstruction. If the objectionable parts mean anything at all, they must *widen* the already alarmingly broad concept of "obstruction of justice". That is to say, of the many possible interpretations of this section, the only one that gives effect to the stated purposes of this legislation, delegates judicial powers to cops. > I see nothing good in this bill, except the export rule relaxation. This bill is a net loss: It gives the software companies considerably less than they thought they were getting, and violates the rights of individuals. The best bill we can hope to obtain is no bill at all. Crypto is profoundly harmful to the vested interest of Washington, and the more attention they pay to it the worse we will be: Any bill that Washington could pass is a bad bill. Any attempt to fix this bill is likely to make it worse. > >Roger --------------------------------------------------------------------- We have the right to defend ourselves and our property, because of the kind of animals that we are. True law derives from this right, not from the arbitrary power of the omnipotent state. http://www.jim.com/jamesd/ James A. Donald jamesd at echeque.com From adam at lighthouse.homeport.org Wed Mar 13 19:37:54 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Thu, 14 Mar 1996 11:37:54 +0800 Subject: How's that again? In-Reply-To: Message-ID: <199603131503.KAA10011@homeport.org> jim bell wrote: | I think this is an exaggeration... I"ve been told that this list goes to | over a thousand addresses. Weighted only among those who choose to post (a | self-selected group, obviously), I do raise some heat, but it isn't clear | that "most" or even a large minority of the list disagree with my I disagree with your thoughts, and find you annoying and unwilling to answer substantitive questions raised about your plans. Furthermore, most of your posts are way too long. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From adam at lighthouse.homeport.org Thu Mar 14 08:44:23 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Thu, 14 Mar 1996 11:44:23 -0500 Subject: How's that again? In-Reply-To: <199603141404.PAA14993@utopia.hacktic.nl> Message-ID: <199603141439.JAA13388@homeport.org> Anonymous wrote: | adam at lighthouse.homeport.org writes: | | | I disagree with your thoughts, and find you annoying and | | unwilling to answer substantitive questions raised about your plans. | | Furthermore, most of your posts are way too long. | | Your posts more annoying, and too short. "Your posts ARE more annoying" you mean. If you're going to flame me, at least do so in decent English. Sheesh. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From mark at unicorn.com Thu Mar 14 08:44:52 1996 From: mark at unicorn.com (Rev. Mark Grant, ULC) Date: Thu, 14 Mar 1996 11:44:52 -0500 Subject: Stealth for Mac? Message-ID: I've had a request from someone for a copy of Stealth that can run on a Mac (I have the README for the DOS/Unix version on my Web site). Has anyone ported it? Or if not, would anyone be able to? You should be able to just hack up a simple GUI around the main filter code to select input and output files. Mark From WlkngOwl at UNiX.asb.com Wed Mar 13 20:09:05 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Thu, 14 Mar 1996 12:09:05 +0800 Subject: Why escrow? (was Re: How would Leahy bill affect crypto over HAM Message-ID: <199603130646.BAA03568@UNiX.asb.com> jim bell > Well, okay, but we've really got to define whose key is being escrowed, > anyway. Most corporations will probably handle it themselves, OR they will > only give an ENCRYPTED escrowed key to the escrow agent. This would prevent [..] They may use secret sharing or splitting methods and handle parts by different organizations within themselves and hand other parts to an outside agent. Sometimes this makes sense when there are political rivalries within an organization. They want the ability to get into Dilbert's files if he drops dead, but they want an objective party to hold part of the key so his rivals don't try to steal his files. Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From stewarts at ix.netcom.com Wed Mar 13 20:11:54 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 14 Mar 1996 12:11:54 +0800 Subject: PGP reveals the key ID of the recipient of encrypted msg Message-ID: <199603130447.UAA07749@ix3.ix.netcom.com> >On Mon, 11 Mar 1996 savron at world-net.sct.fr wrote: >> I began testing PGP a few days ago ( I'm a PGP newbie ) and I found >> that it gives out the key ID of an encrypted message . From this you >> can get the identification of the recipient of the message , if it's >> someone who has publicaly distributed his key (keyserver , homepage >> ...) . So even if you are unable to decode the message you can find >> who is the recipient of a given message . I think this is a big >> privacy problem . How much of a problem it is depends on the application you're using PGP for, but yes, it's a concern. There's a program called "stealth" by "Harry Hastur" which lets you remove or hide this information, as well as hiding most of the PGP headers. (There are some aspects of PGP file structure that are difficult to hide, at least without doing almost as much work as PGP was already doing, and I don't know if it adjusts for the mathematical properties of RSA-encrypted data which make it possible to identify the public key over some number of messages.) When the new PGP 3.0 comes out, there will be some support for shorter keyIDs (which isn't perfect, but for instance a 4-bit keyID would let you not try to decrypt 15/16ths of the messages, while not really fingering you as the recipient.) Also, if you have someone you frequently correspond with on some topic (perhaps a mailing list) and want to be able to send them messages that don't identify them, have them generate a public key they use just for that application. You can send your request by anonymous remailer, and they can send you a reply by anonymous remailer or post to alt.anonymous.messages. This still permits traffic analysis (nobody knows who keyid 0x12345678 is, but they know you sent him ten messages in the last month.) >> The problem is carried along when you encrypt a message for multiple >> recipients , you get the key IDs of all the recipients and same >> problem as above . I think something like 'blind email copy' should >> be used , because the recipients don't have to know the identity of >> each other . markm at voicenet.com replied: >You could just encrypt a message to different key ID's seperately, rather than >in one pass of PGP. The would have the effect of Bcc. Yep. That was the original PGP approach (i.e. "do nothing special"), and multiple-recipients were added as an efficiency measure. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From tcmay at got.net Wed Mar 13 20:27:08 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 14 Mar 1996 12:27:08 +0800 Subject: Leahy bill, legalize crypto Message-ID: At 3:18 PM 3/13/96, James A. Donald wrote: >Any crypto bill that we could realistically get out of Washington will >substantially reduce liberty. The best that we can hope for is for >Washington to forget about crypto until it is too late to stop. This is our best hope at this point: that Washington moves on to other things as the campaign heats up and forgets about crypto. One reason Washington pushed for the Wiretap Act (aka Digital Telephony) was because digital switches have made conventional methods of wiretapping and pen registers harder and harder to do. (I'm not a phone phreaker expert, as some of you no doubt are, so I don't know the details of how wiretaps were done prior to the advent of digital switches...I picture wires connected to the back of PBX systems, and I presume the ESS systems and their ilk changed this dramatically.) However--and here's the kicker!--they blew it. If you look at Louis Freeh's testimony before Congress a couple of years ago (which I did in detail, as I scanned and OCRed it for Whit Diffie, who may make it available soon) he was clearly worried about the phone system becoming so complex and "so digital" that FBI surveillance capabilities would fall behind the technology curve. So, he and his supporters (including the EFF) pushed for the Wiretap Act. (No money has yet been allocated, last I heard, so the $500 million supposedly to reimburse the telcos for providing wiretap capability, hasn't happened.) The main way they blew it is that the Wiretap Act ostensibly does not cover end-to-end encryption, especially as computers are used in place of telephones. And as Internet voice systems become widespread, especially with transparent, easy-to-use encryption (Nautilus, PGPhone, etc., in a couple of version iterations), even some goombah in Little Sicily will be able to communicate securely and essentially unbreakably. That they are realizing this, belatedly (although hints of this recognition can be found in Freeh's comments to Congress), may be why a couple of moves are occurring: - a fast-track review by the FCC to determine if "Internet voice" services are to be regulated, controlled, enacted, redacted, and impacted. (The traditional phonecos are the ones squealing most loudly, but others are expressing concern over the "anarchy" of unlicensed Internet applications.) - the Leahy Bill, which would as various analysts have noted make disclosure of keys mandatory, would protect the legitimate needs of law enforcement, blah blah blah. Speculatively, I can see something coming on the horizon. Suppose the FCC, under the Telecommuications Act, the Leahy Act (or whatever), and the Digital Telephony Act, extended to the Internet the same general restrictions on cryptography that currently apply to the airwaves? Suppose encryption is allowed, but only with key escrow? While I can think of various problems with enforcement--the very points many of us have raised over the past several years--I can also see this as having wide support. And it might pass constitutional muster (for the same reasons the FCC jurisdiction over airwaves and the ban on encryption by ham operators, got approval. Sure, I understand that Internet bandwidth is not the same as the "public airwaves," but this subtlety may not be enough to stop the parallel from being successfully drawn. Especially if the phone companies and other threatened players are pushing hard for the FCC to step in and regulate. Food for thought. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From koontz at netapp.com Thu Mar 14 09:47:10 1996 From: koontz at netapp.com (Dave Koontz) Date: Thu, 14 Mar 1996 12:47:10 -0500 Subject: Commercial Key Escrow as Prerequisite to 64 bit Export Message-ID: <9603141517.AA21378@supernova.netapp.com> SIGNAL, March 1996, page 9: U.S Allows Firewall Export The U.S. government has approved a 56-bit data encryption standard (DES) encrypted firewall for export. The device could create a global virtual private network by encrypting the Internet protocol layer of the communications stream among firewalls. The system's manufacturer has obtained permission to exports its 56- bit, DES-encrypted firewall by incorporating a proprietary commercial key escrow recovery technology into the firewall. The U.S. govern- ment will allow the export of cryptographic products with key lengths of up to 64 bits, provided that a capability allows emergency access to encryption keys for law enforcement and national security reasons. Terms of the export license require the manufacturer, Trusted Information Systems, Incorporated, Glenwood, Maryland, to maintain a commercial key escrow data recovery center in the United STates. --- 1) Is there a market for products overseas that the U.S. government can peer through? 2) Will we ever hear what constitutes a demand for disclosure of keys for "national security reasons"? {please CC: koontz at netapp.com, currently not subscribed to cypherpunks} From eric at remailer.net Thu Mar 14 09:58:13 1996 From: eric at remailer.net (Eric Hughes) Date: Thu, 14 Mar 1996 12:58:13 -0500 Subject: Kid Gloves or Megaphones Message-ID: <199603141529.HAA12877@largo.remailer.net> I've been engaged in a background discussion with some folks about how to treat a new protocol, when to speak, etc. Elements of that discussion have become relevant to the list widely. The situation is thus. Ian Goldberg et al. have developed a protocol for simultaneous payer and payee anonymity. It appears to be novel, albeit not entirely unanticipated. The protocol works with the existing bank signing oracle and could interoperate with Mark Twain's current system. The suggestion was made, paraphrasing -- couldn't we just not talk about this too loudly yet? ... NO! Perhaps the single most important lesson I've learned from cypherpunks is that code alone doesn't cut it. Not code alone, not code widely distributed, not even code widely used. Some measure of toleration in society for activities conducted in private is _necessary_ for long term success. Not convenient, not easier, but necessary. The whole Clipper situation testifies to this. Unless there is a public concensus that people generally should be able to use their own cryptography, then such use will become marginalized. Legislatures will outlaw, the public will disapprove, and vigilantes will hunt down improper use. That, in my book, means we've lost. Code is clearly still necessary. Code demonstrates what actually happens. To write code is to invoke and evoke the latent and insufficiently articulated desires for privacy in the world at large. Similarly with anonymous transactions. Unless a similar concensus exists, we will have another marginal activity. Again, I count this a loss. Backlash will result from later disclosure that the payment systems we generally as cypherpunks have undisclosed properties, that we as a loose group have dissimulated and even lied outright about the capabilities of the systems we advocate. This backlash will wipe away many gains we might have made and eliminate the possibility of future ones. The backlash will be justified, because it will be the natural result of a demonstration of bad faith. One such demonstration now, and who would know when the next was coming, or that we had not hoarded encrypted agendas all along in our hearts? And then, since we would not be believed, all the propaganda of our opponents will triumph. The Four Horsepersons will come trotting out in grand inquisitional spectacle, and there will be no counterpoint, because the devil's advocate will have been discovered to have been guilty himself. It is foolishness itself to deceive a public which is substantially in favor of the program of complete privacy. We must appeal to the public that finally will decide, not to some officials today who have power and tomorrow who will not. Clipper itself was not defeated by constructive engagement with the Clinton wiretap administration. Clipper was defeated by a general call to arms. Therefore, shout out to the world that payee anonymity is possible with ecash(TM)! Eric From jya at pipeline.com Thu Mar 14 10:21:38 1996 From: jya at pipeline.com (John Young) Date: Thu, 14 Mar 1996 13:21:38 -0500 Subject: The Path to Anonymity Message-ID: <199603141540.KAA29000@pipe3.nyc.pipeline.com> Thanks to anonymous and AJ the exemplary report: Privacy-enhancing Technolgies: The Path to Anonymity Registratiekamer, The Netherlands Information and Privacy Commissioner/Ontario, Canada August 1995 Volume I Volume II is available at: http://www.replay.com/mirror/privacy/ _________________________________________________________ Introduction [Excerpts] The Dutch Data Protection Authority (the Registratiekamer) and the Information and Privacy Commissioner for the Province of Ontario, Canada (IPC) are both privacy protection agencies that oversee compliance with their respective juridiction's privacy laws. The Registratiekamer and IPC decided to pool their resources and collaborate in the production of a report exploring privacy technologies that permit transactions to be conducted anonymously. The first international paper of this type includes a survey of companies that might be expected to offer such technologies, and organizations that might use them. In addition to anonymous transactions, the range of security features commercially available for use and the types of services actually being used by various organizations were also examined (see 2.1 Survey methodology). The Registratiekamer and IPC felt that a joint report outlining the practices followed in their respective jurisdictions would shed some light on this little-studied but extremely important area where the future of privacy-protection in an electronic world may lie. Consumer polls have repeatedly shown that individuals value their privacy and are concerned with its potential loss when so much of their personal information is routinely stored in computer databases, over which they have no control. Protecting one's identity goes hand in hand with preserving one's ability to remain *anonymous* -- a key component of privacy. While advances in information and communications technology have fuelled the ability of organizations to keep massive amounts of personal data, this has increasingly jeopardized the privacy of those whose information is being collected. Minimizing identifying data would restore privacy considerably, but would still permit the collection of needed information. When assessing the need for identifiable data during the course of a transaction, the key question one must start with is: how much personal information/data is truly required for the proper functioning of the information system involving this transaction? This question must also be asked at the outset -- prior to the design and development of any new system. But this is not the case today. This question is rarely asked at all since there is such a clear preference in favour of collection identifiable data, 'the more the better'. However, with the growth of networked communications and the ability to link a wide number of diverse databases electronically, people will become more and more reluctant to leave behind a trail of identifiable data. What is needed is a paradigm shift away from a 'more is better' mindset to a minimalist one. Is it possible to minimize the amount of identifiable data presently collected and stored in information systems, but still meet the needs of those collecting the information? We believe that it is. The technology needed to achieve this goal exists today. We will describe some of the privacy technologies that permit one to engage in transactions without revealing one's identity by introducing the concept of an *identity protector*. The notion of *pseudonymity* will also be introduced as an integral part of protecting one's identity. These technologies are available now and within our reach; what is needed is the will to implement privacy technologies over the tracking technologies that are in use today. When organizations are asked what measures they have in place to protect privacy, they usually point to their efforts at keeping information secure. While the use of security measures to prevent unauthorized access to personal data is a very important component of privacy, it does not equal privacy protection. The latter is a much broader concept which starts with the questioning of the initial collection of the information to ensure there is a good reason for doing so and that its uses will be restricted to legitimate ones that the data subject has been advised of. Once the data has been collected, security and confidentiality become paramount. Effective security and confidentiality will depend on the implementation of measures to create a secure environment. Alternatively, instead of restricting the focus to security alone, a more comprehensive approach would be to seek out ways in which technology may be used to enhance the protection of informational privacy or data protection. We use the term *privacy technologies* to refer to a variety of technologies that safeguard personal privacy by minimizing or eliminating the collection of identifiable data. Not only are measures that safeguard privacy becoming an important mark of quality, but increasingly, consumers are demanding that organizations pay attention to their privacy concerns. Social acceptance of demands for one's personal information, without adequate assurances of protection, appears to be on the decline. Not only do consumers wish to maintain control over their personal data and be informed of its uses, but insufficient protection will be reason enough for consumers to take their business elsewhere -- to companies that follow privacy-protective practices. ----- From JonWienke at aol.com Thu Mar 14 10:36:52 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Thu, 14 Mar 1996 13:36:52 -0500 Subject: entropy masking (was Re: Multiple spinners as sources of entropy?) Message-ID: <960313234757_350663563@emout09.mail.aol.com> In a message dated 96-03-13 18:35:51 EST, Matt Blaze writes: >I would go even further than this. I wouldn't trust ANY >environmentally-based random source (cycle spinner, keyboard >timer, disk noise, whatever) against adversaries on the >same system. In DOS, the keyboard, mouse, and disk drives run on interrupts, not timers. If you use a timer as a spinner, such as the Windows GetCurrentTime() function, (I MSec. resolution) and check its value each time a key is pressed and released, It would appear that the results should be quite random, because the keystroke is not processed in conjunction with the timer, but rather whenever the interrupt occurs. My tests in this area indicate that any 8 bit value can be achieved with this method, with a fairly uniform distribution. My tests are not thorough (I haven't sat down and typed for 2 hours to test the distribution of the output), but results look reasonably good so far. Jonathan Wienke From merriman at arn.net Thu Mar 14 10:39:14 1996 From: merriman at arn.net (David K. Merriman) Date: Thu, 14 Mar 1996 13:39:14 -0500 Subject: Anon email accounts available Message-ID: <2.2.32.19960313171431.00682f34@arn.net> -----BEGIN PGP SIGNED MESSAGE----- Just letting folks know that shellback.com is offering anon email accounts. Price is $5/month, prepaid via cash or money order. Weekly notices starting 30 days before account expires. See our page at http://www.shellback.com/anonmail.htm (yes, we're really leaving the last 'l' off :-) Also want to let folks know that the remailer is not _yet_ functioning (saw a couple messages try to fly through while setting up the mail server). Real Soon Now. Honest. Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUbmAMVrTvyYOzAZAQEE0QP/Tg5wqn49bFVx8hwYbGP9UK3SsU7bgh+U yt6rZRrxTfIpJk01emWY6SXPL1XjCSSV8YXnukaScJdpmIJ9vRZkG1wpznNFWeER GtLP8YTdcyQxOzC7qY9UWwebweVTNjwH998x09jiUhp2wY1qkTjHqk2qMxSStZrZ 2U1IQc/BDt0= =uH+x -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From tcmay at got.net Thu Mar 14 10:41:33 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 14 Mar 1996 13:41:33 -0500 Subject: LACC: PC Phones Home? Message-ID: At 3:41 AM 3/14/96, Jim McCoy wrote: >A few questions: > >1- How does the PC know where it is? >2- How does the PC know it has been stolen? The Web reveals all: 1. If the PC has been _reported_ stolen by the owner, any call from that PC triggers a phone trace, says the company. 2. See #1 (the key is that owner must call and report a particular PC stolen). >Since this is a software product I am assuming that the answer to #1 >is the use of CallerID on the line when the software calls, which is >defeated by the use of line blocking by the thief. The obvious answer >to #2 seems to me to have the system call the CompuTrace office at >odd intervals to see if it has been reported stolen yet... > >Obvious solution for potential thieves: wipe the disks and reinstall >an OS once you steal a PC. This should be done anyway to remove any >bits of data which might identify the original owner. These points assume the thief is relatively sophisticated and that the thief is aware that the CompuTrace system is installed. I suspect that neither is likely, at least not until the system gets sufficient publicity so that the first thing thieves and purchasers of suspected-to-be-hot PCs do is to make plans to avoid this (reformat disks, etc.). I think the scenario I described in my earlier post on this topic covers about 97% of all PC thefts: relatively unsophisticated thieves who warehouse the merchandise until buyers are found. The buyers, in turn, are also relatively unsophisticated. They may be immigrant businesses looking for a really good deal on PCs, they may be school systems strapped for cash, they may be your mother buying her first PC at a flea market. And they may be any of us, buying a surplus PC. In none of these cases is the user likely to take steps to disable Caller ID (and the company may actually do old-fashioned tracing). >Conclusion: Yet another useless piece of software riding the >computer security bandwagon. I'm not convinced it's software I would want to buy, but it fills a niche, I think. And it's definitely not the snake oil we've seen recently, as it makes no outrageous technical claims and seems to be going after a limited market. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From nobody at REPLAY.COM Wed Mar 13 21:41:39 1996 From: nobody at REPLAY.COM (Anonymous) Date: Thu, 14 Mar 1996 13:41:39 +0800 Subject: House Votes to Weaken Anti Terror Bill Message-ID: <199603140315.EAA23375@utopia.hacktic.nl> House Votes to Weaken Anti Terror Bill Washington, March 13 (Reuter) -- The House of Representatives Wednesday removed major provisions of an anti-terrorism bill in a vote that sponsors of the legislation said would gut the measure. An amendment, adopted 246-171 by conservative Republicans and some liberal Democrats, removed language that would give the government authority to label groups as terrorist so foreign members can be deported more easily. It also prohibits use of wiretap evidence obtained without a warrant. "We do not need to give our government vast new powers," Georgia Republican Bob Barr, the amendment's author, said before the vote. He said current laws were strong enough. "With the Barr amendment this is not a real anti-terrorism bill," said Republican Henry Hyde of Illinois, the bill's main sponsor and chairman of the House Judiciary Committee. Hyde said an unusual coalition of groups including the conservative National Rifle Association and the liberal American Civil Liberties Union were opposing the bill because they thought it gave the federal government too much power. Hyde said one Republican colleague told him privately, " 'I trust Hamas (the militant Islamic group) more than my own government.' " From adam at lighthouse.homeport.org Thu Mar 14 10:43:25 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Thu, 14 Mar 1996 13:43:25 -0500 Subject: Remailer passphrases In-Reply-To: <199603131713.LAA00824@proust.suba.com> Message-ID: <199603140450.XAA12195@homeport.org> Alex Strasheim wrote: | If we ignore the obvious problem (ie., no one is going to put much effort | or expense into running a free remailer), wouldn't splitting the remailer | across two machines help fix the security problem? This is a long standing debate in the security community. Some folks like multiple box security. Others point out that using two boxes means both need to be well secured, and you have twice as many places to make mistakes. | Suppose one unix box accepts the mail and puts it a queue directory. Then | a second box periodically grabs files from the first box's queue with ssh | (the second box initiates the connection), processes them, and then passes | them out to the smtp server on the first box. The second box doesn't | accept incoming connections on any port except for the ssh port so there | are no sendmails or httpds to hack. Lets say the boxes are called workstation and blackbox. If I break into workstation, I can provide bogus files for blackbox. Since blackbox extends some trust to workstation, it might not be expecting to see a message with a return address of "`|telnet evil.fbi.gov`". I'd argue that setting up a simple mailer which uses workstation as a relay host gives you as much security, and lessens your dependance on workstation, which we expect will be comprimised. (Of course we expect ws to be comprimised. Why else are we setting up bb as a seperate machine?) | The remailer files could be running on a cfs drive (with nfs/cfs only | accepting connects from localhost), and you could disable getty so that it | would be hard to physically grab the machine and read the contents of the | disk. If you had enough ram you wouldn't need a swap file, so there'd be | nothing there for someone who grabbed the machine. If you set the machine | up while it's plugged into a small lan that's not connected to the net no | one could come in and hide something before you had secured everything. Turning of getty and removing the swap file strike me as a bit extreme. A panic login system, otoh, that accepts a bad password and wipes the disk, might not be a bad idea. (Of course, if this becomes popular, the bad guys will just rip out your disk and read it on another machine.) | I know an attacker could interrupt service, and I'd guess that a skillful | attacker could probably find a way to grab the cfs and remailer | passphrases if he could grab the machine and the control the site | physically (to work on it while it's running) for awhile, but how would an | attacker come in over the net and hack the remailer box? Be awful tough if it only listens to ssh & smtp. Are you sure your kernel doesn't do anything bogus with ICMP? Data overflows in ssh or smap? DNS, syslogd, tty overloads? Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From mccoy at communities.com Wed Mar 13 21:49:16 1996 From: mccoy at communities.com (Jim McCoy) Date: Thu, 14 Mar 1996 13:49:16 +0800 Subject: LACC: PC Phones Home? Message-ID: Dennis Hilliard writes: > >"Software to the rescue: >If somoeone steals your PC, you may be able to get it back because of >software that acts as a kind of tracking device. Home Office Computing >magazine reports that the software CompuTrace TRS will automatically dial >the office of its creator, Absolute Software, if a thief hooks up a stolen >PC's modem to a phone line. The software reveals the location of the PC and >Absolute Software will call the police" - Providence Journal-Bulletin - >March 12, 1996. > >Any Comments? A few questions: 1- How does the PC know where it is? 2- How does the PC know it has been stolen? Since this is a software product I am assuming that the answer to #1 is the use of CallerID on the line when the software calls, which is defeated by the use of line blocking by the thief. The obvious answer to #2 seems to me to have the system call the CompuTrace office at odd intervals to see if it has been reported stolen yet... Obvious solution for potential thieves: wipe the disks and reinstall an OS once you steal a PC. This should be done anyway to remove any bits of data which might identify the original owner. Conclusion: Yet another useless piece of software riding the computer security bandwagon. jim From alanh at infi.net Wed Mar 13 21:52:19 1996 From: alanh at infi.net (Alan Horowitz) Date: Thu, 14 Mar 1996 13:52:19 +0800 Subject: Beat Remote Monitor Snooping? In-Reply-To: <960312193120_444876976@emout09.mail.aol.com> Message-ID: Visual contrast is not the same thing as frequency diffrence. It is quite easy to measure extremely small changes of phase. As in, your plain-vanilla FM receiver. What's his name put this stuff together in the mid 1930's. Nice try, but no cigar. From JonWienke at aol.com Thu Mar 14 11:13:30 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Thu, 14 Mar 1996 14:13:30 -0500 Subject: Remailer passphrases Message-ID: <960314111212_446292183@emout04.mail.aol.com> In a message dated 96-03-14 01:52:14 EST, you write: >It is probably possible. Put a clip across the CPU chip, and take over >from it by raising it's chip disable will work with some microprocessors. >However, the proper application of various kinds of rubber hose to the >operator should make that kind of attack unnecessary. In general, this is an excellent way to make smoke and big sparks, which (since shorts tend to overtax the power supply and drop voltage levels) is a good way to clear system RAM, thus defeating the purpose of the exercise. Software hacks can do the job just as well, and don't require special breathing apparatus. Jonathan Wienke From bryce at digicash.com Thu Mar 14 11:13:46 1996 From: bryce at digicash.com (bryce at digicash.com) Date: Thu, 14 Mar 1996 14:13:46 -0500 Subject: e$ and markets and meta-markets. quote with little comment Message-ID: <199603141142.MAA16076@digicash.com> I just thought I would re-print this extract from the recent press release regarding the EUNet/Merita ecash roll-out. Favorite phrase: "interesting new possibilities." Follow-ups directed toward e$. If you post to cpunks without Cc'ing me I probably won't see it. Bryce ******* begin quote from the "companies that accept ecash" section SOM -- SOM, the Finnish Securities and Derivatives Exchange and Clearing House, established in 1987, serves as a neutral integrated securities and derivatives exchange and clearing house. SOM offers real-time financial market information on stocks, options and futures via the Internet, with invoices payable in ecash. Somtel for Windows -the application that offers real-time feed, as well as simulation and position-analysis functions-, is already available via leased line. "The use of money makes stock trading less complicated, with money acting as a practical intermediary between the transactions." states Asko Schrey, President of SOM. "However, since stock trades, as well as the shares themselves, are electronic nowadays, this conventional transmission of money has actually become a bottleneck and a threat to the development of the financial world. Therefore, SOM actively participates in projects to promote and improve the efficiency of payment traffic. We believe that electronic money will offer interesting new possibilities." From bruce at omega.co.nz Thu Mar 14 11:16:18 1996 From: bruce at omega.co.nz (bruce at omega.co.nz) Date: Thu, 14 Mar 1996 14:16:18 -0500 Subject: CD-reading for random keys In-Reply-To: <4i5gtu$99i@news2.realtime.net> Message-ID: <4i91h4$lp5@nero.omega.co.nz> >Doe anyone know where sample code exists to enable one to read the digital >stream from an audio CD? If so, I'd appreciate some pointers to it via >email. It seems to me like an Audio Cd would make the perfect one-time cdgrab (registered) will let you read "frames" (1/75sec of audio) directly into a wav file. From there it's easy.. But: >crypto system. You merely start reading at a specific spot, tossing away >bytes using a reproducable random number generator, then permuting >those to form a XOR one time key of any length you want. The "entropy" or randomness of audio data is LOW. That's why audio compresses so well. However, the idea of keeping a one-time key on CD-ROM is good. I would suggest recording thermal noise (Eg the hiss from an untuned FM radio), perhaps XORing with a pseudo-random sequence to remove residual bias. Record 600M of this onto a pair of writable CDs, and have your friend come and collect one of them personally. Then you can send up to 600M of totally secure data before you dispose of the disks (Microwave oven is fun :) and write a new pair. -- bruce at omega.co.nz .-'~~~-. Fax: +64 7 847-5513 .'o oOOOo`. Voice: NISTIM0L0C :~~~-.oOo o`. Fight Elected Dictatorship PGP key available at: `. \ ~-. oOOo. pgp-public-keys at keys.pgp.net `.; / ~. OO: 2001/009734B1 or .' ;-- `.o.' SPLIT YOUR VOTE! 1024/842510D9 ,' ; ~~--'~ \|/ ; ; ____\|//_______\|/________\\;_\\//___\|/___ From hal9001 at panix.com Wed Mar 13 22:53:09 1996 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Thu, 14 Mar 1996 14:53:09 +0800 Subject: PGP reveals the key ID of the recipient of encrypted msg Message-ID: At 4:12 3/13/96, Matthew Richardson wrote: >On Wed, 13 Mar 1996 00:28:48 -0500, "Robert A. Rosenberg" > wrote: > >>There is also the problem of knowing WHICH key to use (ie: Even when you >>know the message is intended for you, you must do a test run with each of >>your keys until one works). > >I believe that provided all your keys are in your secret keyring, PGP >will automatically pick the correct one for you. I know that. The situation was that the hypothetical message format itself contained NO INDICATION of who is was for or what key was used to encode it. PGP selects the right key by using the indication that is in the message of what key is to be used. From gjeffers at ns.htc.net Thu Mar 14 12:10:54 1996 From: gjeffers at ns.htc.net (Gary Lee Jeffers) Date: Thu, 14 Mar 1996 15:10:54 -0500 Subject: recent ( 3 months ) software developements? Message-ID: <9603141743.AA18898@ns.htc.net> Dear Cypherpunks, Due to really lousey circumstances, I have been unable to monitor my mail for the last 3 months. Also, last 3 months mail currently unavailble to me. I am interested in finding out if there have been any new soft- ware offerings or software upgrades in that time. My particular interest is Dos/Windows. Also, locations where software can be downloaded. Note that a brief description of recent software developements maybe helpful to other Cypherpunks with little time to monitor Cypherpunks list. Beat State, Gary Jeffers  From tcmay at got.net Thu Mar 14 12:33:13 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 14 Mar 1996 15:33:13 -0500 Subject: Leahy bill, legalize crypto Message-ID: At 2:41 PM 3/14/96, Robichaux, Paul E wrote: >Tim May said: >>Suppose encryption is allowed, but only with key escrow? [...] >>And it might pass constitutional muster (for the same reasons the FCC >>jurisdiction over airwaves and the ban on encryption by ham operators, got >>approval. > >The restriction on using encryption on the ham bands is an outgrowth of the >world-wide spectrum allocation process. Spectrum's allocated by the >International Telecommunications Union (ITU); every four years, the World >Amateur Radio Council (WARC) meets to go over existing allocations. >Sometimes hams lose (as when the 220MHz band went away) and sometimes they >win. > >The ITU accords were originally signed around WW I, when use of encryption >on the radio bands was of great concern. The whole licensing system is based >on the concept of an Amateur Radio _Service_, whose operators are licensed >by the FCC to use a "public" resource. Said use is restricted by >international treaties to which the US is a signatory. > >The difference here is that the courts have upheld government restrictions >on broadcast spectrum because it's a scarce resource. In the special case of >encryption on ham bands, no one's ever even challenged the restriction >AFAIK. As Duncan Frissell has preached here many times, bandwidth is no >longer as scarce, so I think a constitutional challenge to an encryption ban >would probably be workable. Yes, and I said as much--about the bandwidth limitations--in my post. In the very next line after you stopped quoting!!!!!: "Sure, I understand that Internet bandwidth is not the same as the "public airwaves," but this subtlety may not be enough to stop the parallel from being successfully drawn. Especially if the phone companies and other threatened players are pushing hard for the FCC to step in and regulate." I'm not usually such a quibbler, but it irks me when people stop the quoting at a certain point, then make the same point made in the elided section, then say, "But bandwidth is a scarce resource." Besides which, I think the "scarce resource" argument against crypto over the airwaves is clearly a fig leaf. Only amateur, non-corporate users are affected. The intent of the rules, never repealed, seems more of an attempt to limit the widespread deployment of ham radio for espionage purposes (e.g., a ham sitting above a harbor area reporting on ship movements). This is why I said I could see a parallel argument for limiting crypto. And if other countries are needed to get an international treaty signed, there will be no shortage of such lap dogs available to do the bidding of the U.S. The most otherwise-hostile countries to the U.S. will jump at the chance to impose a worldwide ban on encrypted communications. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From roger at coelacanth.com Wed Mar 13 23:50:59 1996 From: roger at coelacanth.com (Roger Williams) Date: Thu, 14 Mar 1996 15:50:59 +0800 Subject: Beat Remote Monitor Snooping? In-Reply-To: Message-ID: <9603140628.AA4032@sturgeon.coelacanth.com> >>>>> Alan Horowitz writes: > Visual contrast is not the same thing as frequency diffrence. It > is quite easy to measure extremely small changes of phase. Apropos of *what*?! If it was an NTSC colour TV; yes, you could measure the colour by the phase of the 3.579 colour burst. But modern computer monitors (i.e. VGA) don't represent colour that way at all -- they use separate red, green, and blue video signals. And the original poster is correct -- it is extremely difficult to determine which guns are generating any given pixel, using van Eck monitoring. The only com/mil ELINT demo I've ever seen of a VGA monitor generated a greyscale display. > Nice try, but no cigar. If the shoe fits... -- Roger Williams PGP key available from PGP public keyservers Coelacanth Engineering consulting & turnkey product development Middleborough, MA wireless * DSP-based instrumentation * ATE tel +1 508 947-8049 * fax +1 508 947-9118 * http://www.coelacanth.com/ From unicorn at schloss.li Thu Mar 14 01:07:12 1996 From: unicorn at schloss.li (Black Unicorn) Date: Thu, 14 Mar 1996 17:07:12 +0800 Subject: AMEX and Netscape Message-ID: American Express Platinum card holders might want to look at the bottom of their statement: CARD USE ON THE INTERNET -- Cardmembers should only conduct transactions over the internet using broswer software that supports industry-standard encryption protocols, such as those offered by Netscape or CyberCash. We anticipate that additional and improved encryption protocols for Card transactions will become available over the next 3-6 months. American Express will keep you informed of new developments in this area. (Any Gold or Green card holders have the same notice?) --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From anon-remailer at utopia.hacktic.nl Thu Mar 14 01:11:41 1996 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Thu, 14 Mar 1996 17:11:41 +0800 Subject: To IEEE: Don't Support Leahy Crypto Bill Message-ID: <199603122236.XAA27019@utopia.hacktic.nl> (To: medialink-list at WELL.com, cypherpunks at toad.com, action at eff.org, hal at hal.hpl.hp.com, farber at central.cis.upenn.edu, junger at pdj2-ra.F-REMOTE.cwru.edu) 12 March 1996 Before IEEE decides to "applaud" Leahy's bill publicly, I hope that the organization carefully considers the bill's shortcomings. In particular it might want to consider the critique written by Peter Junger of Case Western University Law School. Junger writes that with Leahy's legislation: "The major threat is that, for the first time, there would be at least colorable Congressional authority for the requirement that one obtain a license before publishing or otherwise disclosing information. And software is, after all, nothing but information." I urge the IEEE to rethink its position. At the very least, please consider supporting Rep. Goodlatte's bill which includes a more explicit prohibition on the executive branch mandating key escrow. It is important that we back that bill before it goes to conference, since we can have little impact on it thereafter. Please redistribute this letter as appropriate. Warmly, Philomela =-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= DRAFT -- Do NOT Redistribute! IEEE Applauds Leahy Encryption Bill =-==-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= DRAFT March 12, 1996 The Committee on Communications and Information Policy of the Institute of Electrical and Electronics Engineers, United States Activities applauds the proposed Encrypted Communications Privacy Act. This legislation, introduced by Senators Pat Leahy (D-VT), Patricia Murray (D-WA) and Conrad Burns (R-MT), will remove unnecessarily restrictive controls on the export of encryption technology. Current restrictions on the export of encryption technology harm the interests of the United States in three ways: they handicap American producers of software and hardware, prevent the development of a secure information infrastructure, and limit the ability of electronically active Americans to maintain their privacy. The proposed legislation addresses all of these issues, while maintaining prohibition on the use of cryptography to hide criminal activities. Technological progress has moved encryption from the realm of national security into private sphere. Current policies, as well as the policy-making processes, should reflect this new reality. We applaud recent changes in information policy which mitigate the severity of controls on encryption technologies. With the additional changes sought by Senators Leahy, Murray and Burns, the United States can maintain its historical leadership in cryptography. Without the handicap of limitations on their ability to export secure systems, American software and hardware producers have the potential to excel in the global market for secure products. The removal of unnecessary restrictions on exports will also enable the creation of a Global Information Infrastructure sufficiently secure to provide seamless connectivity to customers previously unreachable by American companies. The United States is a leader in Internet commerce. However, Internet commerce requires cryptography. Thus American systems have been hindered by cold-war restraints on the necessary cryptography as these systems have moved from the laboratory to the marketplace. This legislation would open the market to secure, private, ubiquitous electronic commerce. The cost of not opening the market to secure American Internet products may include the loss of decades of leadership in Internet technologies, just as the Internet is entering its most profitable period. Finally, Sen. Leahy, Murray and Burns would be serving all users of electronic information systems in creating a truly global market for secure desktop environments. Having secure and private electronic spaces is of particular interest to the Institute of Electrical and Electronics Engineers, United States Activities and its members. The Committee on Communications and Information Policy of the Institute of Electrical and Electronics Engineers, United States Activities applauds Senators Pat Leahy (D-VT), Patricia Murray (D-WA) and Conrad Burns (R-MT) for their foresight and supports the proposed legislation to liberalize controls on cryptography. Sincerely, [Signed] Visit http://www.ieee.org/ for more information. From Raymond at advcable.com Thu Mar 14 01:16:40 1996 From: Raymond at advcable.com (Raymond Mereniuk) Date: Thu, 14 Mar 1996 17:16:40 +0800 Subject: LACC: PC Phones Home? -Reply Message-ID: Jim Writes >A few questions: >1- How does the PC know where it is? >2- How does the PC know it has been stolen? ...deleted text... > #1 is the use of CallerID on the line when the software calls, >which is defeated by the use of line blocking by the thief. The ...deleted text... >Obvious solution for potential thieves: wipe the disks and reinstall >an OS once you steal a PC. This should be done anyway to remove any >bits of data which might identify the original owner. >Conclusion: Yet another useless piece of software riding the >computer security bandwagon. >jim You should visit their web site at http://absolute.com for more information as they can do what they say they can. A high level format does not change bad track assignments and neither will fdisk so if you hide something in an assigned bad track (cylinder or cluster or whatever it is called) nothing will see it. Now all you have to do is activiate the software in the bad track, I don't know how that is done (trade secret??) but maybe someone has figured out how to do it. Calls to 1-800 numbers can not block caller-ID, call-blocking will not stop the calling number from being passed to the appropriate equipment setup at the receiving end. Maybe these people have developed the ultimate virus, you can't detect it, you can't remove it, and you don't know it even exists. I don't really know how well this software package works but your comments had many errors. Normally Lurking Raymond From frantz at netcom.com Thu Mar 14 14:25:16 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 14 Mar 1996 17:25:16 -0500 Subject: Leahy bill, legalize crypto Message-ID: <199603141930.LAA03097@netcom6.netcom.com> At 11:50 AM 3/14/96 -0800, Timothy C. May wrote: >At 2:41 PM 3/14/96, Robichaux, Paul E wrote: >>Tim May said: >Besides which, I think the "scarce resource" argument against crypto over >the airwaves is clearly a fig leaf. Only amateur, non-corporate users are >affected. The intent of the rules, never repealed, seems more of an attempt >to limit the widespread deployment of ham radio for espionage purposes >(e.g., a ham sitting above a harbor area reporting on ship movements). I think Tim is absolutely right. If you look at "The Code Breakers" that kind of thinking was common in the WW1-WW2 era. The age of the 30 minute war somewhat diminished the strength of the argument. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From cmca at alpha.c2.org Thu Mar 14 14:26:35 1996 From: cmca at alpha.c2.org (Chris McAuliffe) Date: Thu, 14 Mar 1996 17:26:35 -0500 Subject: PGP reveals the key ID of the recipient of encrypted msg In-Reply-To: <3146910b.90015235@itconsult.co.uk> Message-ID: <199603140140.RAA06876@eternity.c2.org> -----BEGIN PGP SIGNED MESSAGE----- [To: matthew at itconsult.co.uk (Matthew Richardson)] [cc: cypherpunks at toad.com] [Subject: Re: PGP reveals the key ID of the recipient of encrypted msg ] [In-reply-to: Your message of Wed, 13 Mar 96 09:12:10 GMT.] <3146910b.90015235 at itconsult.co.uk> matthew at itconsult.co.uk (Matthew Richardson) came full circle with: >On Wed, 13 Mar 1996 00:28:48 -0500, "Robert A. Rosenberg" > wrote: >>There is also the problem of knowing WHICH key to use (ie: Even when you >>know the message is intended for you, you must do a test run with each of >>your keys until one works). >I believe that provided all your keys are in your secret keyring, PGP >will automatically pick the correct one for you. But PGP can only do this because the keyID is there in the encrypted text, and the point of this discussion was to strip off the keyIDs so that you couldn't tell who the message was being sent to any more... Arrgh. Chris McAuliffe (No, not that one.) -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMUdvyIHskC9sh/+lAQH+WwP/aDYO2Pp9b9+x7UxYYITIG46WxaM8uaxg 9hQg/1ZaoRRC5Ha/8kF4W2gUu3ecCJ6Kh1E/mCOVm3TUVWV+47tzolLsT8tM3530 13pLr6wmbwir+CFs4cURxjMpEKx/CixbyzvzZWD939woiKIjYiivoBEhwoBZE9bz 2cdUHnYjvro= =1Lhv -----END PGP SIGNATURE----- From tcmay at got.net Thu Mar 14 03:01:20 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 14 Mar 1996 19:01:20 +0800 Subject: Leahy bill nightmare scenario? Message-ID: At 11:29 PM 3/11/96, jim bell wrote: >Welcome to prison, Tim. Your optimism will serve you well, there. > >BTW, it is clear that you haven't yet read Mr. Junger's analysis of the >bill. Nobody except a government stooge could read that and not wonder why >anybody would support that bill. A complete re-write is called for. A question, Jim: do you _ever_ just respond calmly to a post you disagree with, or is everyone you disaagree a stooge, a cretin, an agent for the Feds, or someone who should be disposed of with your "assassination politics"? Yes, I read Junger's analysis. A nice analysis. What does this have to do with the points I was making? I'm a government stooge, to use your terms, because of my points about hotel rooms? (On second thought, don't answer. In fact, I hope you take this opportunity to add me to your kill file, the computer version, not the Assassination Poltics (tm) version.)) --TCM Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From unicorn at schloss.li Thu Mar 14 03:03:17 1996 From: unicorn at schloss.li (Black Unicorn) Date: Thu, 14 Mar 1996 19:03:17 +0800 Subject: Leahy bill nightmare scenario? In-Reply-To: Message-ID: On Mon, 11 Mar 1996, jim bell wrote: > At 12:01 PM 3/11/96 -0800, Timothy C. May wrote: > > > >If I lend my chain saw to my next-door neighbor without confirming his > >identity, and he carves up his wife, am I liable? Not in these parts. > > "Criminally", probably not. Civilly, probably if the victim's family > has a good enough lawyer. This is a load of hooey. I don't know How Mr. Bell thinks the law works in the United States, but I do know it has so little basis in reality as to be laughable. I'm sure Mr. Bell will ask me now to cite three cases which indicate that lending a chainsaw to someone without asking for ID is negligant. > >(If I lend my chain saw to a ranting, foaming maniac, am I liable? Perhaps.) > > Actually, then you're CRIMINALLY liable, as well. I would laugh out loud if I didn't think some people were taking Mr. Bell seriously. > >If I let someone use my telephone without confirming his identity, am I > >liable for crimes committed with this phone? > >This last example is, I submit, a nearly perfect parallel to anonymous > >remailers. And not because the telephone system is a "common carrier," but > >because of scienter: I have no knowledge, and cannot be expected to have > >knowledge, of crimes committed with my phone. > > Actually, that's wrong. The question will be asked, "Do you regularly > lend your phone to strangers who you can't even see, no questions asked, > without listening in to see that nothing untoward is being plotted?" > _THAT's_ a more apt analogy. Medication time... medication time. > >If I have visitors at my house, perhaps at a party, and I let a stranger go > >ahead and make a call from the phone in a bedroom, for example, and he > >plans a drug deal, can my house be automatically seized? Not that I have > >ever heard about. > > If your phone was already tapped, and the delivery occurred in your > house, you'd better look for new accomodations. Delivery is another matter, but the judge that affirms the seizure of a house on the basis of a single delivery to a guest in the residence will be politely asked to leave the bench. Unless the guest has some ownership of the house.... But did we expect Mr. Bell to actually be correct at this point? > >Now if I operate a pay phone and encourage dealers and pimps to use it, > >then maybe the public nuisance, RICO, or "crack house" laws can be used to > >shut it down. (The public nuisance laws are what I would look to to see > >remailers shut down, which will just move them offshore, of course. Absent > >laws about sending encrypted packets outside the country, nothing can be > >done.) > > Justa sec: The Leahy bill makes "encryption furtherance of a felony" > illegal. Sending encrypted packets out of the country, containing material > you don't know (because they're encrypted) sounds like a classic opportunity > to declare you in violation of some "conspiracy to violate the law" of some > OTHER country, which is probably considered a Federal felony. Mr. Bell, I suggest you take a correspondence course. Perhaps the one on T.V. with Sally Struthers. I believe they offer "Legal Secretary" as an option. You would about double your practical knowledge of the law in this fashion. I STRONGLY suggest that readers afford Mr. Bell's writings and conclusions a healthy degree of skepticism. > Jim Bell > jimbell at pacifier.com --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From jamesd at echeque.com Thu Mar 14 16:31:46 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Thu, 14 Mar 1996 19:31:46 -0500 Subject: How's that again? Message-ID: <199603131614.IAA03491@dns1.noc.best.net> At 11:37 PM 3/12/96 -0800, Bill Stewart wrote: > I guess it's no surprise that one of the more-or-less "good guys" > in the Senate can propose a law so ambiguously worded that it > looks good on the face until a good lawyer takes the time to rip > it apart Looking for "good guys" in Washington is like Ronald Reagan looking for "moderates" in Iran. On crypto, and on taxes, our interests and their their interests are completely opposed. We should not care about, or take any interest in, the slight difference between the "moderate" and extremist members of the Senate and the House of Representatives. The best bill we can ever hope to get out of Washington is no bill at all. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From WlkngOwl at UNiX.asb.com Thu Mar 14 16:32:51 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Thu, 14 Mar 1996 19:32:51 -0500 Subject: Why escrow? (was Re: How would Leahy bill affect crypto Message-ID: <199603132123.QAA03328@UNiX.asb.com> On 13 Mar 96 at 9:41, jim bell wrote: > Notice, however, how the government seems to be assuming that "key escrow" > (to the extent that it is implemented at all!) gets implemented in a way > which is "friendly" to government agents. They assume that there is one key Since when is the government intentionally going to let any bill or policy go through that isn't friendly to themselves??? (You don't have to be an anarchist to figure that out!) [..] > Even the most limited planning could easily develop a system that achieves > all the benefits of escrow for the user, but is essentially impossible for > government agents (or for that matter, anyone else!) to use to the detriment > of the user. Nothing is safe from abuse, by the goverment or non-government fols alike. There's always more loopholes to clean up. (Not that this means we shouldn't clean them up... obviously bad policies should be fixed...). Just as no crypto is 100% foolproof, no legal system is 100% abuse-proof. Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From unicorn at schloss.li Thu Mar 14 16:36:11 1996 From: unicorn at schloss.li (Black Unicorn) Date: Thu, 14 Mar 1996 19:36:11 -0500 Subject: [Noise] Jim Bell: Legal Reformer In-Reply-To: Message-ID: On Wed, 13 Mar 1996, jim bell wrote: > At 11:37 PM 3/12/96 -0800, Bill Stewart wrote: > >At 05:40 PM 3/12/96 -0500, Black Unicorn wrote: > >>Revise your statement to: > >>"doesn't want anyone who hasn't spent a few years in law school to pass > >>judgement on pending legislation and the effect of supreme court decision > >>thereon..." > >>and you'd be right on the money. > > > >I'm not a lawyer, though I've played a politician on TV. I'll grant you > >that lawyers and other trained legal professionals can do a far better > >job of finding and analyzing cases than amateurs like myself, though > >I suspect a month or two's experience with Lexis would be enough to > >let many of "the rest of us" outsearch the average lawyer of 50 years ago > >who had to rely on his or her wits alone. But if the average intellegent > >person _can't_ evaluate a law and have a reasonable chance of figuring > >out what it says and what it means, there's something seriously wrong > >with the way new laws are written, as well as enforced. This I never denied. I agree with Mr. Stewart, it's unfortunate that the law is so complex sometimes. Unfortunate also is the fact that there is no solution. "Thou shall not kill," while simple in concept, and generally understood, lacks specificty. Kill what? Do animals count? Define kill? Does self defense apply? What about suicide? Is the self included in the realm of those not to be killed? (Incidently, the common understanding is incorrect in any event, the closer translation is "Thou shall not commit Murder.") As legal jurisprudence moved from legal formalism (apply the letter of the law, and only the letter of the law, and damn the result, even if unjust or beyond the intention of the legislature) moved into legal realism, and progressive legal thought, it became more and more difficult to predict what the results of litigation might be. This is because judges were no longer, at least to the extent they were in the early 19th and late 18th centuries, simple clerks who read the law and enforced it, but rather individuals who intrepreted the intent of the law makers, and applied the law with a mind to avoiding injustice. The "Seal" is a classic example. At one point, if your name was on a contract, that was it, you were bound by it. Seems ideal in some ways, but what if you were intoxicated, or couldn't read? What if you were told that the contract was a lease, and only after signing it did you discover it was a contract for your endentured servitude? Legal formalism says: "Is this your name here?" "Yes, but-" "Judgement for the plaintiff." Well now. How do you write a law that expresses the will of the lawmakers on a complex subject with the added twist of judicial intrepretation? Judges are people too. Some judges look at the congressional record to see what it was congress was trying to do exactly, some believe legislative history is a bunch of hooey. Mr. Bell, apparently, thinks he can do a better job. I'd like to seem him try. I don't want to be an apologist for attorneys, I have a lot of problems with the legal profession in general. This doesn't change the fact that not everyone on the planet can read a bill and a complicated supreme court decision and apply them together to an entirely unrelated area. In fact, most lawyers will have problems too. If not, then there would never be court cases. The parties to litigation would already know the outcome, and fighting it would be pointless. Do you really think this is ever going to happen? Someone with almost no legal experience, on the other hand, is simply out of their league. Mr. Bell, this means you. I'm sorry we can't all run like Carl Lewis, I know that would be a perfect world, well in some people's view anyhow. But this kind of finger pointing, and name calling, and cries of "elitist" it begins to look like the kind of left-speak that argues that everyone has the same potential in life. Mr. Bell's opinion aside, (I already know what he thinks) I'd have to be an idiot to go to law school for 3 years plus post grad work and still come out knowing no more than someone who looks at lexis a lot. Sorry, if that makes me elitist, so be it. (I happen to be elitist for other reasons, but that's beside the point). Can the average person read a criminal statute and tell how old a sexual partner has to be to avoid statuatory rape charges in their state? Sure. That's easy. That part of the law is fairly available. Now take the same person and ask them what the supreme court case ruling that parents can sue a man for "corruption of a child" (taking her viginity) even after the pair is legally married means in their specific case. Not so easy anymore. Point being, it's easier to look at criminal law and decide what it is you are not supposed to do (because such statutes are fairly specific about the conduct they are trying to restrict, and need very little complexity) than it is to apply complex regulatory statutes to asset seizure cases and entirely distinct fields. Mr. Bell seems to think that because he knows when he will get a parking ticket, he's qualified to render his legal opinions to the list as if they were gospel, and no one is entitled to question his qualifications. > Well said. If more people lambasted this "Black Unicorn" That's Mr. Black Unicorn to you. > fellow for his > legal-elitist ways, he'd actually be forced to either shut up or use > reasoned argument to support his odd position. 1) You wouldn't know reasoned argument if it bit you on the ass. 2) My position (Which I am assuming you are even intrepreting correctly) is hardly odd or uncommon. I would say it's fairly common knowledge that you will be in better shape if you e.g. hire a lawyer to do your will than if you do it alone. I would say you'd have to be an idiot to even try to represent yourself in the most simple criminal case for assault. > Laws, as I understand it, used to be written so that ordinary people could > understand them. And thus were patently inflexible. That's legal formalism. I might add that laws were not always so written. Nero posted all the laws publically, and wrote them clearly. At the same time, he posted them at the top of the columns in the senate, so no one could read them. Writing law so it's accessible to the common man is not an easy thing. One could easily make the arguement that laws were never accessible in that way, Mr. Bell's unsupported assertion aside. > That's the way it ought to be today, See my contract example above as to why this is complete ignorance and shortsightedness. > but isn't, precisely > because the elitists have had their way for so long. Simplicty and fair law simply do not go together. If the elitists have had their way for so long, perhaps you should look to the electorate who continually sends them to the capitol. I might add that I have never seen simple legislation in the way that you mean it from the law makers that have never even been to law school either. (There are plenty of them too). > There used to be a > saying, "Ignorance of the law is no excuse." The presumption was that you > had a responsibility to know what the law said, and that most people could > understand what it said, and if you didn't take the time to know it you were > guilty despite this. Today, that saying is laughably out of date: When > people like "Black Unicorn" claim that ordinary people haven't the skills to > evaluate any law or proposed law, it is obvious that he and his ilk is a > major portion of the problem. I don't believe this is obvious at all. First, what does my acknowledgement of the complexity of law, and the need for a profession to intrepret it have to do with my contribution of the problem? Second, you say: > Laws, as I understand it, used to be written so that ordinary people could > understand them. That's the way it ought to be today. Forgive me, Mr. Bell, but isn't this exactly what you are accusing me of saying? "Ordinary people can't understand the law," is your point, yes? Why then aren't you part of the problem? Or is it just when ">people like "Black Unicorn" claim that ordinary people [can't understand the law]" that there is a problem? Your entire point hinges on your personal dislike of either me, or lawyers, as you have said exactly the same thing I have said all along. Law is so complicated, you need a lawyer to figure it out. Funny, that's precisely what I was trying to get at in telling you to stop posting to the list your ravings about Supreme Court cases because you had no idea what you were talking about. Seems you've conceeded my point. I may be elitist, but even you, in your own words, admit that my ilk is necessary. > >(I suppose I've complained enough that there _is_ something > >seriously wrong them that I'm not adding any new weight here; > >if the author of a portion of a law can get up on the Senate floor > >and say that he realizes that part of the law he's proposed is > >unconstitutional and unenforceable, and that this doesn't bother him*, > >I guess it's no surprise that one of the more-or-less "good guys" > >in the Senate can propose a law so ambiguously worded that it > >looks good on the face until a good lawyer takes the time to rip > >it apart - maybe Leahy will read some of Junger's review?) > > The system is sick, perhaps irretrievably so. Dr. Strangelove (in the movie > of the same name) stated that "deterrence is the art of making the enemy > FEAR to attack." I think the main problem (and the most direct solution) to > the "politician-problem" in this country is to make government agents FEAR > to do the wrong thing. I'm sure this has something to do with the point at hand. > Jim Bell > jimbell at pacifier.com --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From jimbell at pacifier.com Thu Mar 14 20:23:57 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 14 Mar 96 20:23:57 PST Subject: Why escrow? (was Re: How would Leahy bill affect crypto Message-ID: At 06:25 PM 3/14/96 +0000, Deranged Mutant wrote: >On 14 Mar 96 at 12:00, jim bell wrote: > >> At 07:57 AM 3/14/96 +0000, Deranged Mutant wrote: >> >Would it be legal to deceive an escrow agent? >> >> It _should_ be legal. At least, assuming the arrangement is truly voluntary >> and the escrow agent gets his part of the bargain (his usual fee) he has no >> interest in knowing whether or not the data he's holding for you is "real" >> or "imaginary." > >I mean illegal in the sense that your true purpose is to decieve law >enforcement. (Yes, it'll also fake out anyone who bribes the escrow >agent for your keys, though....) As long as they claim that escrowing keys is "voluntary" in the first place, then I find it hard to imagine that they would have a legal claim against you if the key you "escrowed" was phony. OTOH, if one potentially-valid interpretation of the law is that failing to give the keys when you're asked is a crime, presumably even if you never had them in the first place, then all bets are off. IMO, a properly-designed crypto telephone keeps nothing with it that would later be useable to decrypt the conversations it has transmitted or received; one danger in this bill is that its very existence might make the manufacture of crypto phones with this characteristic illegal, on the theory that because they keep no keys, the user is going to be in violation of this law automatically. It's a stretch, but a stretch the government is always anxious to make. And if you recall the requirements the government wanted to put on telephones equipped with Clipper, one thing they eventually admitted was that they were insisting that such phones be designed to be inoperable with a telephone that had its "key-escrow" not "enabled". And they still wanted to call it "voluntary! That's a laugh! >Of course that depends how you give your key to an escrow agent. If >it's already escrowed when you buy a phone, for instance... That's the real danger with any such legislation. Individuals can generally only get things that are manufactured for sale. (You can't buy a car with a 7-cylinder engine, for instance...) If manufacturers are dissuaded from building a good crypto telephone, then key-escrow can be as "voluntary" as you want and you still won't be able to exercise your rights. Jim Bell jimbell at pacifier.com From jimbell at pacifier.com Thu Mar 14 21:16:32 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 14 Mar 96 21:16:32 PST Subject: Why escrow? (was Re: How would Leahy bill affect crypto Message-ID: At 07:30 PM 3/14/96 -0500, Yawn82 at aol.com wrote: >How the hell do I get off this list? You can check out any time you want, but you can never leave. From jimbell at pacifier.com Thu Mar 14 21:21:05 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 14 Mar 96 21:21:05 PST Subject: RICO and remailers (brief treatment, if long) Message-ID: At 07:30 PM 3/13/96 -0500, Black Unicorn wrote: >0 >Several people expressed interest in a small treatment of seizure law >jurisprudence, and the Bennis case (seizure of an automobile used for >soliciting prostitution was upheld even where one of the owners knew >nothing about its use for a crime and which Mr. Bell has relied on >fairly heavily in pointing out that the Supreme Court has its "head >up its ass.") "Relied on"? Hell no! Not when I get the following text, from an anonymous source. Begin quotation: So he wants a cite of Supreme Court decisions from you bearing on legislative history & congressional intent, does he? I've attatched the relevant syllabus which is from the Supreme Court reporter & carries no legal weight, along with the UNANIMOUS decision in Neal written by Kennedy. It's an acid case, the Supreme court having ruled a long time ago in Chapmann that the ENTIRE weight of of LSD AND blotter paper, which usually contains 100mcg or 0.1mg of actual LSD-25 per dose, vs. the enormous weight of the paper. This entire weight of basically all paper has been used to give 21 year old 1st offenders 10 YEARS, which under current Federal Rules works out to about 8.5 years FLAT time in the joint. The original absurdity was challenged in Chapman but the SC blindly stuck to it's own reading of "mixture or substance", blindly ignoring reality & Congressional intent that "cuts" of drugs such as heroin or cocaine being an attempt to increase the amount sold & therefore profit, should be punished, while the LSD paper was merely a way to transport & distribute it. As far as congressional intent goes, Joseph Biden has said that as chairman of the senate judiciary committee, they gave little thought to LSD but they definitely did NOT mean weigh the whole blotter paper in handing out nickels & dimes. Now the US Sentencing Commission has changed the guidelines by changing the way the dosage is calculated to something reasonable, the SC refuses to make the change retroactive to help a lot of people. Note where Kennedy basically says that if Congress passees laws that are poorly worded & subject to create great unfairness in sentences, the SC, once they've made a stupid decision in interpretation will stick to it no matter how unfair it is in order to make congress write laws that are linguistically intelligible. This would be fine if those on the sharp end of them were congressmen. The more Supreme Cocksucker decisions I read like this, the better BOTH your big ideas sound. This & all recent other decisions of the 9 in-Justices are available at the below address. http://spoke.law.cornell.edu:8001/supct/opinionlist.1995.html Syllabus: NOTE: Where it is feasible, a syllabus (headnote) will be released, as is being done in connection with this case, at the time the opinion is issued. The syllabus constitutes no part of the opinion of the Court but has been prepared by the Reporter of Decisions for the convenience of the reader. See United States v. Detroit Lumber Co., 200 U. S. 321, 337. SUPREME COURT OF THE UNITED STATES Syllabus NEAL v. UNITED STATES certiorari to the united states court of appeals for the seventh circuit No. 94-9088. Argued December 4, 1995-Decided January 22, 1996 When the District Court first sentenced petitioner Neal on two plea- bargained convictions involving possession of LSD with intent to distribute, the amount of LSD sold by a drug trafficker was deter- mined, under both the federal statute directing minimum sentences and the United States Sentencing Commission's Guidelines Manual, by the whole weight of the blotter paper or other carrier medium containing the drug. Because the combined weight of the blotter paper and LSD actually sold by Neal was 109.51 grams, the court ruled, among other things, that he was subject to 21 U. S. C. 841(b)(1)(A)(v), which imposes a 10-year mandatory minimum sen- tence on anyone convicted of trafficking in more than 10 grams of ``a mixture or substance containing a detectable amount'' of LSD. After the Commission revised the Guidelines' calculation method by instructing courts to give each dose of LSD on a carrier medium a constructive or presumed weight, Neal filed a motion to modify his sentence, contending that the weight of the LSD attributable to him under the amended Guidelines was only 4.58 grams, well short of 841(b)(1)(A)(v)'s 10-gram requirement, and that the Guidelines' presumptive-weight method controlled the mandatory minimum calculation. The District Court followed Chapman v. United States, 500 U. S. 453, 468, in holding, inter alia, that the actual weight of the blotter paper, with its absorbed LSD, was determinative of whether Neal crossed the 10-gram threshold and that the 10-year mandatory minimum sentence still applied to him notwithstanding the Guidelines. In affirming, the en banc Seventh Circuit agreed with the District Court that a dual system now prevails in calculat- ing LSD weights in cases like this. Held: Section 841(b)(1) directs a sentencing court to take into account the actual weight of the blotter paper with its absorbed LSD, even though the Sentencing Guidelines require a different method of calculating the weight of an LSD mixture or substance. The Court rejects petitioner's contentions that the revised Guidelines are entitled to deference as a construction of 841(b)(1) and that those Guidelines require reconsideration of the method used to determine statutory minimum sentences. While the Commission's expertise and the Guidelines' design may be of potential weight and relevance in other contexts, the Commission's choice of an alternative method- ology for weighing LSD does not alter Chapman's interpretation of the statute. In any event, stare decisis requires that the Court adhere to Chapman in the absence of intervening statutory changes casting doubt on the case's interpretation. It is doubtful that the Commission intended the Guidelines to displace Chapman's actual- weight method for statutory minimum sentences, since the Commis- sion's authoritative Guidelines commentary indicates that the new method is not an interpretation of the statute, but an independent calculation, and suggests that the statute controls if it conflicts with the Guidelines. Moreover, the Commission's dose-based method cannot be squared with Chapman. In these circumstances, this Court need not decide what, if any, deference is owed the Commis- sion in order to reject its contrary interpretation. Once the Court has determined a statute's meaning, it adheres to its ruling under stare decisis and assesses an agency's later interpretation of the statute against that settled law. It is the responsibility of Congress, not this Court, to change statutes that are thought to be unwise or unfair. Pp. 4-12. 46 F. 3d 1405, affirmed. Kennedy, J., delivered the opinion for a unanimous Court. end of anonymous quotation. JB. My commentary continues below: JB. Note the sentence above, "It is the responsibility of Congress, not this Court, to change statutes that are thought to be unwise or unfair." As far as I am aware, there is no _legal_ mechanism, short of impeachment (but how practical is that?), to remove a sitting SC justice, no matter how damaging his effect on the country by his decisions. Thus, I propose re-writing the above sentence a bit: "It is the responsibility of the citizenry, not Congress, to 'change' Supreme Court Justices that are thought to be unwise or unfair." Since that change can be accomplished if that 'Justice' dies or becomes disabled, (or retires, perhaps because he's in fear for his life) I think the answer to boneheaded decisions like the Bennis one is obvious. Jim Bell jimbell at pacifier.com From frantz at netcom.com Thu Mar 14 22:54:02 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 14 Mar 96 22:54:02 PST Subject: FCC-type Regulation of Cyberspace Message-ID: <199603150556.VAA12675@netcom6.netcom.com> At 9:26 PM 3/14/96 -0800, Timothy C. May wrote: >Mr. Frantz, unless you can prove your claims here, forthwith, I must inform >you that they are in violation of the Truth in Speech Act of 1996. Please >retract them, now. Political speech, not commercial speech. The act doesn't apply or is unconstitutional. >Do you see the problem? Of course. Why do you think I said (in the 4th paragraph which you didn't quote) (ZING :-) ): >In thinking back over the discussion, I would like to eliminate the >restrictions without making markets less free by adding yet more barriers >to market entry. We certainly need more robust reputation agencies than we >have now. I just don't know how to encourage their formation. BTW - I consider non-free markets, produced primarily by oligarchic combines of large organizations to be a major impediment to removing government influence from the economic system. Easing market entry is one way to reduce the power of these oligarchic combines. I don't want to just trade elected government oppression for unelected corporate oppression. To put it bluntly, to suppress the 19th century coal mining strikes, the companies hired the Pinkertons. I don't see a whole lot of difference between this kind of private enterprise transaction, and Ruby Ridge. Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From hfinney at shell.portal.com Thu Mar 14 19:06:53 1996 From: hfinney at shell.portal.com (Hal) Date: Fri, 15 Mar 1996 11:06:53 +0800 Subject: Kid Gloves or Megaphones Message-ID: <199603141818.KAA16974@jobe.shell.portal.com> From: eric at remailer.net (Eric Hughes) > The situation is thus. Ian Goldberg et al. have developed a protocol > for simultaneous payer and payee anonymity. It appears to be novel, > albeit not entirely unanticipated. The protocol works with the > existing bank signing oracle and could interoperate with Mark Twain's > current system. > [...] > It is foolishness itself to deceive a public which is substantially in > favor of the program of complete privacy. We must appeal to the > public that finally will decide, not to some officials today who have > power and tomorrow who will not. Clipper itself was not defeated by > constructive engagement with the Clinton wiretap administration. > Clipper was defeated by a general call to arms. > > Therefore, shout out to the world that payee anonymity is possible with > ecash(TM)! As is well known, Chaum has been saying that one of the good features of ecash (from the point of view of regulators and law enforcement) is that payee anonymity is not supposed to be possible. This means that if someone sets up a shop to sell something illegally, they can be caught. (I suspect that is at least part of the reason why you have to fill out a multi page form to open an ecash account, so they have enough information to arrest you if you break the law.) It also means that various kinds of crimes would be prevented as well, such as theft of funds or extortion. Imagine that someone starts lobbing mailbombs at the cypherpunks list, and demands a payment of $1 a week from each subscriber to keep him from doing it, said payments to be posted to some newsgroup encrypted with a specified PGP key. Right now he could be caught when he tries to deposit his ill-gotten riches. But with payee anonymity that could be avoided. As a remailer operator I unfortunately see more of the seamy side of anonymity than most people. I do think there are people who will take advantage of this technology in harmful ways. So payee anonymity will certainly make life more interesting. However, Mark Twain Bank presumably went into this business with the expectation that they were providing a non-payee-anonymous payment system. They have already shut down at least a couple of merchants who were selling materials not to MTB's taste. So if they find out that they are now providing the perfect payment system for criminals, I would not be surprised to see them suspend the ecash trial and demand that Chaum redesign the system to truly make it non-anonymous for payees, if that is possible. So while I admire Eric's ethical concern about making relevant information about the properties of ecash available, it is also important to understand the possible outcome. One thing I notice that was missing from Eric's posting was a description or reference to exactly how the payee anonymity is achieved. Is it his intention to tell people that it is possible, yet to keep secret how it is done? This way there might be a debate about the desirability of full anonymity, while not actually putting these tools into the hands of those who would misuse them. And it might lessen the chance of precipitate action by MTB and other ecash issuers. But on the other hand it's not clear that keeping it secret is possible or desirable. A full discussion of the issue will require understanding of technical aspects. How effective is the payee anonymity? How about a timing/amount coincidence attack, where payments of X dollars to anonymous person A are always followed a few moments later by deposits of X dollars to account B? Does the payee need to trust a "broker" who serves as an intermediary with the bank? Is there any way the bank can distinguish a payee-anonymous deposit from a normal one, and are there any countermeasures the bank could take to prevent payee anonymity? These questions would seem to require understanding of how the scheme works. Also, there were a number of postings a few months ago by people who had ideas about how payee anonymity could be done. They mostly had drawbacks and may not be as nice as what Ian has come up with, but could perhaps serve as a starting point for re-creating something similar to Ian's ideas. So keeping it secret may not be a practical possibility. Hal From JonWienke at aol.com Thu Mar 14 19:33:18 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Fri, 15 Mar 1996 11:33:18 +0800 Subject: PGP reveals the key ID of the recipient of encrypted msg Message-ID: <960314020217_245709855@mail06.mail.aol.com> There is a way to beat this--generate new public keys on a frequent basis, and send them to whoever wants to send you absolutely anonymous mail in encrypted form. Have your anonymous partner do likewise. Since the key ID is fairly random, if it changes constantly, it will be irrelevant if it shows up in a message only once. Keep a separate (and temporary) key ring for these temporary public keys, so you can delete the key ring files when they start getting too large. Jonathan Wienke From jimbell at pacifier.com Thu Mar 14 19:33:56 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 15 Mar 1996 11:33:56 +0800 Subject: Beat Remote Monitor Snooping? Message-ID: At 10:46 PM 3/13/96 -0500, Alan Horowitz wrote: >Visual contrast is not the same thing as frequency diffrence. It is quite >easy to measure extremely small changes of phase. As in, your >plain-vanilla FM receiver. However, that's not how SVGA CRT's do it. NTSC (TV video) modulation is done by phase modulation of the 3.579545 MHz subcarrier. SVGA has three different baseband analog signals feeding three electron beams. Even so, they still should be able to pick up SVGA with a little tinkering. > What's his name put this stuff together in the >mid 1930's. Ed Armstrong From stewarts at ix.netcom.com Thu Mar 14 19:37:42 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 15 Mar 1996 11:37:42 +0800 Subject: Leahy bill, legalize crypto Message-ID: <199603140706.XAA20911@ix10.ix.netcom.com> At 06:14 PM 3/13/96 -0800, Tim wrote: >One reason Washington pushed for the Wiretap Act (aka Digital Telephony) >was because digital switches have made conventional methods of wiretapping >and pen registers harder and harder to do. (I'm not a phone phreaker >expert, as some of you no doubt are, so I don't know the details of how >wiretaps were done prior to the advent of digital switches...I picture >wires connected to the back of PBX systems, and I presume the ESS systems >and their ilk changed this dramatically.) There are different places you can do your wiretap, depending on convenience, weather, observability, whether you've got a warrant, etc. ESSs don't really change the pair of wire coming from your house out to the telephone pole, over to your local wire center, and into the distribution system that eventually connects them to the switch. You've still got a pair of copper wires. On the other hand, underground wiring is harder to get at, and pair gain systems such as Subscriber Loop Carrier bring some of the multiplexing out to your block instead of all the way back to the phone office, and ESSs do make those more cost-effective. Connections from PBXs are also harder to tap than individual phone lines, since your phone call may be on any of the (probably virtual) circuits going from the PBX to the phone office. >The main way they blew it is that the Wiretap Act ostensibly does not cover >end-to-end encryption, especially as computers are used in place of >telephones. I don't think they blew it there, although the EFF's work against S.266 a few years back really hurt them. There are two ways to get oppressive laws enacted - wholesale, or bit by bit. A wholesale ban would have affected a lot of people, and had substantial constitutional difficulties. On the other hand, a mere regulation telling the already regulated telephone companies that they have to do a bit more free work in return for their monopoly status isn't a big constitutional stretch, and mainly annoys phone companies rather than end consumers. Also, it's far easier to enforce regulations on phone companies - there are bureaucrats in place to do it, you can kick them around in all sorts of ways if they don't cooperate, and it gets you most of your wiretapping and enforcement done wholesale rather than retail. (It's still major slime, of course :-) #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From frantz at netcom.com Thu Mar 14 19:45:27 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 15 Mar 1996 11:45:27 +0800 Subject: Remailer passphrases Message-ID: <199603140644.WAA05138@netcom6.netcom.com> At 12:13 AM 3/14/96 -0600, Alex Strasheim wrote: >(I have no idea how hard it would be to steal information from a running >machine's ram -- or if it's even possible). It is probably possible. Put a clip across the CPU chip, and take over from it by raising it's chip disable will work with some microprocessors. However, the proper application of various kinds of rubber hose to the operator should make that kind of attack unnecessary. "Perfect" Forward Security or some approximation helps protect the operator against such an attack by reducing the amount of compromised material, and therefore the incentive. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From cp at proust.suba.com Thu Mar 14 19:50:18 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Fri, 15 Mar 1996 11:50:18 +0800 Subject: Remailer passphrases In-Reply-To: <199603140450.XAA12195@homeport.org> Message-ID: <199603140613.AAA00470@proust.suba.com> (warning: I don't know much about security, so if you don't either, don't take what I have to say too seriously...) > This is a long standing debate in the security community. > Some folks like multiple box security. Others point out that using > two boxes means both need to be well secured, and you have twice as > many places to make mistakes. Ok, I see your point. If someone compromises workstation, they can read all the mixmaster packets by looking at what comes in and out of blackbox. But they still can't grab the passphrase and key, so old and future traffic is safer, and if there's a large reordering pool they'll have trouble matching a given incoming packet with a given outgoing packet. > Lets say the boxes are called workstation and blackbox. If I > break into workstation, I can provide bogus files for blackbox. Since > blackbox extends some trust to workstation, it might not be expecting > to see a message with a return address of "`|telnet evil.fbi.gov`". It seems to me that if you're just running a remailer that only talks to one other machine, it ought to be possible to eliminate this kind of a problem. Blackbox grabs a file from a queue on workstation, runs it through mixmaster, and deposits the output in an outgoing queue on workstation. If the trojan file is something strange, it will just drop through mixmaster. Maybe it would choke workstation on the way out, but blackbox -- and the passphrase -- would be safe. > I'd argue that setting up a simple mailer which uses > workstation as a relay host gives you as much security, and lessens > your dependance on workstation, which we expect will be comprimised. If we leave sendmail on, we're hosed -- wouldn't bb moving packets on and off workstation with ssh's rcp be a lot safer? > (Of course we expect ws to be comprimised. Why else are we setting up > bb as a seperate machine?) Agreed. > Turning of getty and removing the swap file strike me as a bit > extreme. A panic login system, otoh, that accepts a bad password and > wipes the disk, might not be a bad idea. (Of course, if this becomes > popular, the bad guys will just rip out your disk and read it on > another machine.) I admit freely that this is all extreme and impractical... I was just trying to think through the problem. I was shooting for a system that would be worthless to an attacker if it was turned off, and which couldn't be hacked easily from the console without turning it off. A crypto file system directory will be worthless if the machine goes down, and if there's no swapfile, there's not going to be anything nasty left behind there. The bad guys *can't* rip out your hard drive and read it, because all the good stuff is on the cfs drive -- it's just a big blob of idea'd data, and neither the remailer' or cfs's passphrase was ever written to disk. When bb boots, it waits for the sysadmin to ssh in and mount the cfs drive manually, then start the remailer manually. If the attacker didn't know what you've got in place, he'd probably just steal the machine assuming he could get something out of it when he's got it back on his workbench. If he did know the details of the system, he'd be faced with trying to extract the cfs and remailer passwords from the machine's ram without turning it off and without being able to login from the console -- ideally you wouldn't even have a keyboard plugged in. (I have no idea how hard it would be to steal information from a running machine's ram -- or if it's even possible). > Be awful tough if it only listens to ssh & smtp. Are you sure > your kernel doesn't do anything bogus with ICMP? Data overflows in > ssh or smap? DNS, syslogd, tty overloads? Actually, it only listens to ssh; a bug there is fatal. Same goes for the kernel. We don't need dns -- to bb, the only other machine in the universe is workstation, and it knows the IP address. If the core system can't run without incident, you're in trouble. But couldn't you do a pretty good job of shielding it from surprises by turning almost everything off and not letting it talk to the outside world, except in very narrow ways? From markm at voicenet.com Thu Mar 14 19:58:08 1996 From: markm at voicenet.com (Mark M.) Date: Fri, 15 Mar 1996 11:58:08 +0800 Subject: LACC: PC Phones Home? In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Wed, 13 Mar 1996, Jim McCoy wrote: > A few questions: > > 1- How does the PC know where it is? > 2- How does the PC know it has been stolen? > > Since this is a software product I am assuming that the answer to #1 > is the use of CallerID on the line when the software calls, which is > defeated by the use of line blocking by the thief. The obvious answer > to #2 seems to me to have the system call the CompuTrace office at > odd intervals to see if it has been reported stolen yet... If the company uses an 800-number, than ANI can be used to identify the caller. ANI information cannot be blocked with *67 or line blocking. > > Obvious solution for potential thieves: wipe the disks and reinstall > an OS once you steal a PC. This should be done anyway to remove any > bits of data which might identify the original owner. If the software installs itself on the master boot record, than reformatting the disk would not get rid of the program. - --Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMUibNbZc+sv5siulAQHAzQP+MW1/rB9zdkp0CR8Nk9jB2BckV7j91bA6 Vr0+K41Lhg2/7ais7zxSJ5XUc8C0+2N0rr5tEE3oyeKtJJI/WL1a9BaHdovwrW3R PrJ1NG3E782SKXfN4uB5uialg+DaGyy0eyTqeRJw9ot/7XltTfStgYl9vX7rpmR5 KWuAG+KRTeE= =u09m -----END PGP SIGNATURE----- From alano at teleport.com Thu Mar 14 20:03:15 1996 From: alano at teleport.com (Alan Olsen) Date: Fri, 15 Mar 1996 12:03:15 +0800 Subject: SCHWA - New Web Search Engine!! Message-ID: <2.2.32.19960314230647.0089dfc0@mail.teleport.com> Something of interest... >X-Www-Page: http://www.fringeware.com/MSG/index.html#digest >Keywords: pleashes heorg horizona disabili freques inspecurs >Subject: SCHWA - New Web Search Engine!! >Reply-To: Troy.Sheets at Eng.Sun.COM (Troy Sheets) >Date: Tue, 12 Mar 1996 09:47:27 -0800 >Apparently-To: fwlist-daily at fringeware.com >X-UIDL: 70f914736d382f472d2b9d22d8a07327 > >Sent from: Troy.Sheets at Eng.Sun.COM (Troy Sheets) > >The Schwa Corperation, Global Media and Infomation Services is proud >to present "Intrude", the search engine for the next century. Intrude >is working 24 hours a day, sucking infomation and carefully indexing >data from all four corners of the global infosphere. Sure, other >search engines scan Usenet and mailing list archeives... but Intrude >goes even further. Using the powerful parallel-processing supercomputer, >"Pal 4000" (courtesy of Schwa Microsystems Computer Corperation), Intrude >reads credit ratings, cable TV viewing habits, mail-order products received, >videos rented, parking tickets received, and of course, every single >peice of email transmitted over the Internet. Tired of those pesky >PGP messages? They are no match for Pal's Reverse Escrow Orthoganal >decryption software. > >But don't feel bad about knowing that everything you ever said online >is now available to any crazy with a 14.4, all search querries on Intrude >are logged also... so you can always Intrude the person Intruding on you. > >Try Intrude today, and see what juice facts it pulls up. You might learn >things about yourself you never knew! > >"The Schwa Corperation, making information work harder... and harder >infomation to work... or working infomation hard" > >-Troy Sheets, VP of Marketing, GMIS. > >http://www-scf.usc.edu/~tsheets > > --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From rah at shipwright.com Thu Mar 14 20:10:16 1996 From: rah at shipwright.com (Robert Hettinga) Date: Fri, 15 Mar 1996 12:10:16 +0800 Subject: e$: Neal Stephenson's geodesic economy Message-ID: --- begin forwarded text Sender: e$@thumper.vmeng.com Reply-To: rah at shipwright.com (Robert Hettinga) Mime-Version: 1.0 From: rah at shipwright.com (Robert Hettinga) Date: Thu, 14 Mar 1996 18:19:49 -0500 Precedence: Bulk To: Multiple recipients of Subject: e$: Neal Stephenson's geodesic economy -----BEGIN PGP SIGNED MESSAGE----- e$: Neal Stephenson talks e$ I used to joke that I read science fiction by the yard. I certainly *buy* it that way. I finally got around around to reading Neal Stephenson's The_Diamond_Age,_ or,_A_Young_Lady's_Illustrated_Primer. I thought that his first book, _Snow_Crash_ was marvellous, and thought that, in ability to create utterly er, novel, reality out of whole cloth, he was right up there with Gibson. I was wrong. He's much better. Gibson's first book, _Neuromancer_, was his best. _Diamond_Age_ was an order of magnitude better than _Snow_Crash_ , and I get the feeling that Stephenson's just getting warmed up. Why am I saying all this? Well, I'm in the process of reading _Diamond_Age_, and there, on page 270 of the recent paperback edition, (Copyright 1995, Neal Stephenson), Stephenson describes, in perfect detail, a geodesic economy-- complete with digital cash, payer anonymity, and money as software food. The story concerns a girl named Nellodee, Nell to her friends, an abused waif of no means whatsoever, and her adventures with a very large nanocomputer disguised as a book. The scene in question is about Miranda, a "ractor", an interactive actress, who has been effectively raising Nell interactively through a cleverly disguised Grimm-like fairytale with Nell as the protagonist. Actually, Miranda's just been acting lines provided by the nanocomputer in the book, back through to Nell over the net. After 2 years of this, Miranda decides she wants to meet Nell. She goes to her boss for help... Miranda sat very still for a moment, hypnotized by the colorful flashing lights on a vintage jukebox. "This is related to Princess Nell, isn't it?" "Is it that obvious?" "Yeah. Now, what do you want?" "I want to know who she is," Miranda said. This was the most guarded way she sould put it. She didn't suppose that it would help matters to drag Carl down through the full depth of her emotions. "You want to backtrace a payer," Carl said. It sounded terrible when translated it into that kind of language. Carl sucked powerfully on his milkshake for a bit, his looking over Miranda's shoulder to the traffic on the Bund. "Princess Nell's a little kid, right?" "Yes. I would estimate five to seven years old." His eyes swiveled to lock on hers. "You can tell that?" "Yes.", she said, in tones that warned him not to question it. "So she's probably not paying the bill anyway. The payer is someone else. You need to backtrace the payer and then, from there, track down Nell." Carl broke eye contact again, shook his head, and tried unsucessfully to whistle through frozen lips. "Even the first step is impossible." Miranda was startled. "That seems pretty unequivocal. I expected to hear 'difficult' or 'expensive.' But--" "Nope. It's impossible. Or maybe" -- Carl thought about it a while -- "maybe 'astronomically improbable' is a better way of putting." Then he looked mildly alarmed as he watched Miranda's expression change. "You can't just trace the connection backward. That's not how media works." "How does media work, then?" "Look out the window. Not toward the Bund -- check Yan'an Road." Miranda swiveled her head around to look out the big window, which was partly painted over with colorful Coke ads and and descriptions of blue plate specials. Yan'an Road, like all of the major throughfares in Shanghai, was filled from the shop windows on one side to the shop windows on the other, with people on bicycles and powerskates. In many places the traffic was so dense that greater speed could be attained on foot. A few half-lane vehicles sat motionless, polished boulders in a sluggish brown stream. It was so familiar that Miranda didn't really see anything. "What am I looking for?" Carl was right. At a minimum, everyone had a small plastic bag with something in it. Many people, such as the bicyclists, carried heavier loads. "Now just hold that image on your head for a moment, and think about how to set up a global telecommunications network." Miranda laughed. "I don't have any basis for thinking about something like that." "Sure you do. Until now, you've been thinking in terms of the telephone system in the old passives. In that system, each transaction had two participants -- the two people having the conversation. And they were connected by a wire that ran through a certral switchboard. So what are the key features of this system?" "I don't know -- I'm asking you," said Miranda. "Number one, only two people or entities can interact. Number two, it takes a dedicated connection that is made and broken for the purposes of that one conversation. Number three, it is inherently centralized -- it can't work unless there's a central switchboard." "Okay, I think I'm following you so far." "Our media system today -- the one that you and I make our livings from -- is a decendant of the phone system only insofar as we use it for essentially the same purposes, plus many, may more. But the key point to remember is that *it is totally different from the old phone system*. The old phone system -- and its technological cousin, the cable TV system -- tanked. It carshed and burned decades ago, and we started virtually from scratch." "Why? It worked, didn't it?" "First of all, we needed to enable interactions between more than one entity. What do I mean by entity? Well, think about the ractives. Think about _First_Class_to_Geneva_ . You're on this train -- so are a couple of dozen other people. Some of those people are being racted, so in that case the entities happen to be human beings. But the others-- like the waiters and porters-- are just software robots. Furthermore, the train is full of props: jewelry, money, guns, bottles of wine. Each one of those is also a separate piece of software-- a separate entity. In the lingo, we call them objects. The train itself is another object, and so is the countryside through which it travels. "The countryside is a good example. It happens to be a digital map of France. Where did this map come from? Did the makers of _First_Class_to_Geneva_ send out their team of surveyors to make a new map of France? No, of course they didn't. They used existing data-- a digital map of the world that is available to any maker of ractives who needs it, for a price of course. That digital map is a separate object. It resides in the memory of a computer somewhere. Where exactly? I don't know. Neither does the ractive itself. It doesn't matter. The data might be in California, it might be in Paris, it might be down on the corner-- or it might be distributed among all of those places and many more. It doesn't matter. Because our media system no longer works like the old system- dedicated wires passing through a central switchboard. It works like *that*." Carl pointed to the traffic on the street again. "So each person on the street is like an object?" "Possibly. But a better analogy is that the objects are people like us, sitting in various buildings that front on the street. Suppose that we want to send a message to someone over in Pudong. We write a message down on a piece of paper, and we go to the door and hand it to the first person who goes by and say, 'Take this to Mr. Gu in Pudong.' And he skates down the street for a while and runs into someone on a bicycle who looks like he might be headed for Pudong, and says, 'take this to Mr. Gu.' A minute later, that person gets stuck in traffic and hands it off to a pedestrian who can negotiate the snarl a little better, and so on and so on, until it eventually it reaches Mr. Gu. When Mr. Gu wants to respond, he sends us a message on the same way." "So there's no way to trace the path taken by a message." "Right. And the real situation is more complicated. The media net was designed from the ground up to provide privacy and security, so that people could use it to transfer money. That's one reason that nation-states colapsed-- as soon as the media grid was up and running, financial transactions could no longer be monitord by governments, and the tax colelction systems got fubared. So if the IRS, for example, wasn't able to trace these messages, theen there's no way that you'll be able to track down Princess Nell." "Okay, I guess that answers my question," miranda said. "Good!" Carly said brightly. He was obviously pleased that he'd been able to help Miranda, and so she didn't tell him how his words had really made her feel. She treated as an acting challenge: Could she fool Carl Hollywood, who was sharper about acting than just about anyone, into thinking that she was fine? Apparently she did. He escorted her back to her flat, in a hundered story high-rise just across the river in Pudong, and she held it together long enough to bid him good-bye, get out of her clothes, and run a bath. Then climebed into the hot water and dissovled into awful, wretched, blubbery, self-pitying tears. Eventually she got it under control. She had to keep this in perspective. She could still interact with Nell and still did, everyday. And if she paid attention, sooner or later she would find some way to penetrate the curtain. Barring that, she was beginning to understand that Nell, whoever she was, had become marked out in some way, and that in time she would become a very important person. Within a few years, Miranda expected to be reading about her in the newspapers. Feeling better, she got out of the bath and climbed into bed, getting a good night sleep so she'd be ready for next day of taking care of Nell. Go buy this book. Cheers, Bob Hettinga -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUipXfgyLN8bw6ZVAQGhfwP/SpOP6F07hLzxTxyR8XpBBZsqUzPKMSRK 3OLc0xYjTLkQvunuhZ6vyGwUqadCu0My2wIMspgSakjhUJkN0dmMBWif2zzWBsLP fSe+WUJiVuT8dJkcLC844pkLE2fjg07rqRMdHRXSbq5TDEMsHllfyBKb5GfW+NM3 TVUgwwiIX/A= =YDVU -----END PGP SIGNATURE----- -------------------------------------------------- The e$ lists are brought to you by: Making Commerce Convenient (tm) - Oki Advanced Products - Marlboro, MA Value-Checker(tm) smart card reader= http://www.oki.com/products/vc.html Where people, networks and money come together: Consult Hyperion http://www.hyperion.co.uk info at hyperion.co.uk See your name here. Be a charter sponsor for e$pam, e$, and Ne$ws! See http://thumper.vmeng.com/pub/rah/ or e-mail rah at shipwright.com for details... ------------------------------------------------- --- end forwarded text ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From jimbell at pacifier.com Thu Mar 14 20:10:21 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 15 Mar 1996 12:10:21 +0800 Subject: LACC: PC Phones Home? Message-ID: At 07:41 PM 3/13/96 -0800, Jim McCoy wrote: >Dennis Hilliard writes: >> >>"Software to the rescue: >>If somoeone steals your PC, you may be able to get it back because of >>software that acts as a kind of tracking device. Home Office Computing >>magazine reports that the software CompuTrace TRS will automatically dial >>the office of its creator, Absolute Software, if a thief hooks up a stolen >>PC's modem to a phone line. The software reveals the location of the PC and >>Absolute Software will call the police" - Providence Journal-Bulletin - >>March 12, 1996. >1- How does the PC know where it is? >2- How does the PC know it has been stolen? > >Since this is a software product I am assuming that the answer to #1 >is the use of CallerID on the line when the software calls, which is >defeated by the use of line blocking by the thief. I think that 1-800 services provide caller ID information to the company or organization that pays for the service. Whether or not this is blocked by standard caller-ID I don't know. Nevertheless, like you, I am not impressed with the likelihood of success of this system. > The obvious answer >to #2 seems to me to have the system call the CompuTrace office at >odd intervals to see if it has been reported stolen yet... One thing that might be useful would be a OTP (one-time programmable) EPROM chip installed on all major system components (monitor, HD, motherboard, CDROM drive, maybe even DRAM SIMMs). It would be a serial device for low cost, such as a 3-pin TO-92 chip, which would have a capacity of about 4k bits, enough to store a hash of the owner-history (at about 100 bits per owner) for any owner that decided to leave a record. Like an EPROM, bits could only be written once; the chip itself would prevent write-overs previous to the last-written bit. Subsequent owners could read the history and publish the hash codes; anyone looking for such a stolen product could have their losses checked automatically, and perhaps semi-anonymously or anonymously, by a service set up to do this. Innocent owners could be adequately compensated for finding a piece of stolen hardware, to the extent that nobody is deterred about reporting a find. Jim Bell jimbell at pacifier.com From WlkngOwl at unix.asb.com Thu Mar 14 20:19:45 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Fri, 15 Mar 1996 12:19:45 +0800 Subject: Why escrow? (was Re: How would Leahy bill affect crypto Message-ID: <199603142334.SAA01245@unix.asb.com> On 14 Mar 96 at 12:00, jim bell wrote: > At 07:57 AM 3/14/96 +0000, Deranged Mutant wrote: > >On 13 Mar 96 at 15:27, jim bell wrote: > >[..] > >> If I were trying to detect government investigation in such a situation, I > >> would buy a crypto phone, open an "escrow account" on a totally voluntary > >> basis, give them a phony key, and then (as part of the > >(presumably?) [..] > > > >Would it be legal to deceive an escrow agent? > > It _should_ be legal. At least, assuming the arrangement is truly voluntary > and the escrow agent gets his part of the bargain (his usual fee) he has no > interest in knowing whether or not the data he's holding for you is "real" > or "imaginary." I mean illegal in the sense that your true purpose is to decieve law enforcement. (Yes, it'll also fake out anyone who bribes the escrow agent for your keys, though....) Of course that depends how you give your key to an escrow agent. If it's already escrowed when you buy a phone, for instance... [..] > It is sections of the bill like that which will guarantee that nobody > provides an unencrypted key for escrow: Nobody will want to risk having the > escrow agent "forced" to release the key, even (and especially!) under a > court order. Fortunately, modern technology will provide the solution to > government-simpleton thinking. It's part of warrants. Nobody likes having the cops search their apartments either. (I'd say a warrant is better than none, but judges are generally all too willing to grant a warrant, and the bill allows for "good faith" when no warrant is used anyway...) Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From jlasser at rwd.goucher.edu Thu Mar 14 20:21:53 1996 From: jlasser at rwd.goucher.edu (Bruce Zambini) Date: Fri, 15 Mar 1996 12:21:53 +0800 Subject: [HUMOR] SCHWA - New Web Search Engine!! (fwd) Message-ID: I thought this was rather amusing... it's labeled as humor, so maybe people won't flame me for posting it... :) Jon Lasser ---------- Jon Lasser (410)494-3072 - Obscenity is a crutch for jlasser at rwd.goucher.edu inarticulate motherfuckers. http://www.goucher.edu/~jlasser/ Finger for PGP key (1024/EC001E4D) - Fuck the CDA. ---------- Forwarded message ---------- Date: Tue, 12 Mar 1996 09:47:27 -0800 From: FringeWare Daily Subject: SCHWA - New Web Search Engine!! Sent from: Troy.Sheets at Eng.Sun.COM (Troy Sheets) The Schwa Corperation, Global Media and Infomation Services is proud to present "Intrude", the search engine for the next century. Intrude is working 24 hours a day, sucking infomation and carefully indexing data from all four corners of the global infosphere. Sure, other search engines scan Usenet and mailing list archeives... but Intrude goes even further. Using the powerful parallel-processing supercomputer, "Pal 4000" (courtesy of Schwa Microsystems Computer Corperation), Intrude reads credit ratings, cable TV viewing habits, mail-order products received, videos rented, parking tickets received, and of course, every single peice of email transmitted over the Internet. Tired of those pesky PGP messages? They are no match for Pal's Reverse Escrow Orthoganal decryption software. But don't feel bad about knowing that everything you ever said online is now available to any crazy with a 14.4, all search querries on Intrude are logged also... so you can always Intrude the person Intruding on you. Try Intrude today, and see what juice facts it pulls up. You might learn things about yourself you never knew! "The Schwa Corperation, making information work harder... and harder infomation to work... or working infomation hard" -Troy Sheets, VP of Marketing, GMIS. http://www-scf.usc.edu/~tsheets From JonWienke at aol.com Thu Mar 14 20:27:52 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Fri, 15 Mar 1996 12:27:52 +0800 Subject: CD-reading for random keys Message-ID: <960314142759_168531295@mail04.mail.aol.com> In a message dated 96-03-14 08:34:57 EST, you write: >I would >suggest recording thermal noise (Eg the hiss from an untuned FM radio), >perhaps XORing with a pseudo-random sequence to remove residual bias. XORing 2 or independent thermal noise sources together would be even better. Jonathan Wienke From frantz at netcom.com Thu Mar 14 20:30:12 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 15 Mar 1996 12:30:12 +0800 Subject: CONGRESS: Online Parental Control Act of 1996 Message-ID: <199603142300.PAA24652@netcom6.netcom.com> Date: Thu, 14 Mar 1996 14:21:53 -0800 (PST) Precedence: bulk From: telstar at wired.com (--Todd Lappin-->) To: Multiple recipients of list Subject: CONGRESS: Online Parental Control Act of 1996 Today in the House of Representatives, legislation was introduced to encourage parental empowerment on the Internet and eliminate the vague and overbroad "indecency" standard that became law under the Communications Decency Act. The new legislation, called the "Online Parental Control Act of 1996," was introduced by Rep. Anna Eshoo (D-CA), whose district includes much of California's Silicon Valley. Representatives Pelosi (D-CA), Dellums (D-CA), Farr (D-CA), Gejdenson (D-CT), and Woolsey (D-CA) are co-sponsors of the bill. (The full text of Rep. Eschoo's press release on the new legislation follows below.) The Online Parental Control Act of 1996 seeks to replace the "indecency" standard (which is mainly used to regulate speech in BROADCAST media) with the more narrowly-drawn "harmful to minors" standard which has already been upheld as constitutional in 48 states. My understanding is that "harmful to minors" is a PRINT-based standard, but I'll research this and send out a more detailed evaluation as soon as possible. In the meantime, I can say this: "harmful to minors" is viewed as a middle-of-the-road standard, and as such, it remains *highly* controversial. There are many who would argue that *any* attempt to restrict access to content other than obscenity (which does not enjoy First Amendment protection) is unwarranted. Stay tuned. All of this, by the way, comes on the heels of a bill (S 1567) Patrick Leahy introduced in the United States Senate last month in an effort to repeal the Communications Decency Act altogether. Spread the word! --Todd Lappin--> Section Editor WIRED Magazine ============================================================ FOR IMMEDIATE RELEASE Lewis Roth CONTACT: (202) 225-8104 March 14, 1996 Eshoo Introduces Online Parental Control Act Legislation Strengthens Parental Control Of Online Materials, Eliminates "Indecency" Standard Washington, D.C.--Rep. Anna Eshoo (D-CA) today introduced the Online Parental Control Act of 1996 (OPCA) to strengthen the control parents have over their children's access to online materials, eliminate the "indecency" standard from the Communications Act of 1934, and provide additional defenses against liability for publishing online materials. Representatives Pelosi (D-CA), Dellums (D-CA), Farr (D-CA), Gejdenson (D-CT), and Woolsey (D-CA) are original cosponsors of OPCA. When the Telecommunications Reform Bill was signed into law earlier this year, it made sweeping changes to America's telecommunications policy. Among those changes was the establishment of a ban on using telecommunications devices to provide "indecent" materials to minors, as well as defenses against being held liable for a violation of that ban. For example, people could avoid liability by using software that blocks the access of minors to such materials or restricts access through the use of credit card numbers or adult access codes. Some U.S. Representatives, including Rep. Eshoo, opposed the "indecency" standard because the range of material it would ban was so broad that it violates the right to freedom of speech. The "indecency" standard is currently being challenged in court by a large coalition of free speech advocacy groups and high technology companies. "The Online Parental Control Act will encourage an open dialogue in Congress about the best way to both give parents control over what their children see online and protect the First Amendment rights of Internet users," said Rep. Eshoo. "My proposal builds on last year's efforts to reach a compromise on this issue by offering more incentives for the online community to provide families with better parental control technologies. "I'm supportive of efforts to address this issue in the courts, but I believe Congress also needs to offer a legislative solution. Given the political realities of the current Congress, I think OPCA offers the most realistic way to settle this dispute in a timely and effective manner." The Online Parental Control Act of 1996: Replaces the "indecency" standard with a "harmful to minors" standard; Establishes a definition for "harmful to minors;" Maintains the Communications Act of 1934's legal defenses against liability for people who choose to give parents technology that: 1) blocks or restricts access to online materials deemed obscene or harmful to minors, and 2) restricts access to such materials through adult access codes or credit card numbers; Adds two new defenses: 1) the use of labeling or segregating systems to restrict access to online materials, such as systems developed using the standards designed by the Platform for Internet Content Selection project (PICS), and 2) the use of other systems that serve the same function of the other defenses if they are as reasonable, effective, and appropriate as blocking, adult access code, and labeling technologies; and Protects providers or users of interactive computer services, information content providers, and access software providers from civil or criminal liability under state law for making available to minors materials that are indecent or harmful to minors if they take actions to qualify for the defenses mentioned above. "I'd rather have Mom and Dad monitoring their children's online viewing habits than the government," concluded Rep. Eshoo. "Technology offers the best opportunity for parents to manage what their kids have access to, and the Online Parental Control Act encourages those technologies to be developed more fully." The "indecency" standard is a vague term that has been subject to legal challenge by a wide range of free speech advocates and high technology companies. The broad nature of the "indecency" standard means that it could lead to a prohibition on material such as classic art like Michelangelo's David, classic literature like "Catcher In The Rye," and frank discussions about birth control, sexuality, or disease transmission. "Harmful to minors," on the other hand, already works successfully in 48 states, more directly addresses speech that actually harms children, and passes constitutional muster. PICS is a cross-industry working group assembled under the auspices of MIT's World Wide Web Consortium to develop an easy-to-use content labeling and selection platform that empowers people worldwide to selectively control online content they receive through personal computers. The Recreational Software Advisory Council recently announced that it will soon implement a detailed voluntary ratings system, using PICS standards, that will let computer users filter out varying degrees of sex, violence, nudity, and foul language. Companies and groups supporting PICS include Apple, America Online, AT&T, the Center for Democracy and Technology, CompuServe, IBM, France Telecom, Prodigy, Providence Systems/Parental Guidance, Surf Watch Software, and Time Warner Pathfinder. For more information about the Online Parental Control Act of 1996, please contact Lewis Roth at (202) 225-8104 or look on the Internet at http://www-eshoo.house.gov/opca.html. ### +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+- This transmission was brought to you by.... THE CDA INFORMATION NETWORK The CDA Information Network is a moderated mailing list providing up-to-the-minute bulletins and background on efforts to overturn the Communications Decency Act. To subscribe, send email to with "subscribe cda-bulletin" in the message body. WARNING: This is not a test! WARNING: This is not a drill! +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+- From registrar at switchboard.com Thu Mar 14 20:31:37 1996 From: registrar at switchboard.com (Switchboard Registrar) Date: Fri, 15 Mar 1996 12:31:37 +0800 Subject: Welcome to Switchboard Message-ID: <19960314042717722.AAA75@www2> Thank you for registering in the Switchboard database. Your Switchboard login is: Email: cypherpunks at toad.com Password: DrawLint This password is case sensitive. Once you log in (set your browser to http://www.switchboard.com), your entry appears in the directory with your email address attached. You may then update your listing to show exactly the information you want and correct errors. Note that Switchboard waits until you log in to change the directory, because this step verifies that your email address is correct. Logging in also allows you to create an additional listing, change your password, list your home page URL, unlist your main listing, and access other features. Once you are logged in, please change your password to make it easier to remember. If you did not register in Switchboard and received this message erroneously, please Reply to Registrar at switchboard.com. From alano at teleport.com Thu Mar 14 20:32:50 1996 From: alano at teleport.com (Alan Olsen) Date: Fri, 15 Mar 1996 12:32:50 +0800 Subject: Interesting Egghead freebee Message-ID: <2.2.32.19960314084336.008b11f8@mail.teleport.com> While at Egghead today, I found out that they are giving away copies of Spry Mosaic in a Box. (You have to buy something, but that was why I was there anyways...) So far, it seems to be worth about what you pay for it. It is designed to connect you to Compu$lave. What has this to do with this list you ask? The product actually claims to support S-HTTP! (No export warnings on the package and no real info as to how it is implemented... I suspect brand-name snake oil here.) For those of you who do web development and are interested in a client that actually supports S-Http (I do not believe the d/lable version does), take a look. (It does install alot of crap, like a new Winsock, so be warned.) --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From jamesd at echeque.com Thu Mar 14 20:35:19 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Fri, 15 Mar 1996 12:35:19 +0800 Subject: Why escrow? (was Re: How would Leahy bill affect crypto Message-ID: <199603140748.XAA27068@mail1.best.com> At 03:27 PM 3/13/96 -0800, jim bell wrote: > There is nothing in Leahy's bill which appears to prohibit the > escrow agent from informing the key holder of a request/demand for the key; On the contrary: See section 2802(c)(4) Section 2802(c) > "(c) REQUIREMENTS FOR RELEASE OF DECRYPTION KEY TO > INVESTIGATIVE; OR LAW ENFORCEMENT OFFICER.- > > "(1) CONTENTS OF WIRE AND ELECTRONIC COMMUNICATIONS.- > A key holder is authorized to release a decryption key > or provide decryption assistance to an investigative or > law enforcement officer authorized by law to conduct > electronic surveillance under chapter 119, only if- > [...] or "(ii) a certification in writing by a person > specified in section 2518(7) [...] stating that- "(I) > no warrant or court order is required by law; > [...] > "(4) NONDISCLOSURE OF RELEASE.-No key holder, officer, employee, or > agent thereof shall disclose the key release or provision of > decryption assistance pursuant to subsection (b), except as may > otherwise be required by legal process and then only after > prior notification to the Attorney General or to the principal > prosecuting attorney of a State or any political subdivision of > a State, as may be appropriate. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From frantz at netcom.com Thu Mar 14 20:37:08 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 15 Mar 1996 12:37:08 +0800 Subject: Remailer passphrases Message-ID: <199603141930.LAA03089@netcom6.netcom.com> At 11:12 AM 3/14/96 -0500, JonWienke at aol.com wrote: >In a message dated 96-03-14 01:52:14 EST, you write: > >>It is probably possible. Put a clip across the CPU chip, and take over >>from it by raising it's chip disable will work with some microprocessors. >>However, the proper application of various kinds of rubber hose to the >>operator should make that kind of attack unnecessary. > >In general, this is an excellent way to make smoke and big sparks, which >(since shorts tend to overtax the power supply and drop voltage levels) is a >good way to clear system RAM, thus defeating the purpose of the exercise. > Software hacks can do the job just as well, and don't require special >breathing apparatus. Provided you insist on UNIX. I still think rubber hoses will be the technique of choice. That was what the Scientologists used on anon.penet.fi. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From bwitanek at igc.apc.org Thu Mar 14 20:37:43 1996 From: bwitanek at igc.apc.org (Bob Witanek) Date: Fri, 15 Mar 1996 12:37:43 +0800 Subject: Omnibus Repression Message-ID: From: Bob Witanek Posted owner-187-l at CMSA.BERKELEY.EDU Wed Mar 13 07:43:50 1996 Subject: Immigration in Counter-Terrorism Bill ANALYSIS OF IMMIGRATION AND FUND-RAISING PROVISIONS IN OMNIBUS COUNTERTERRORISM ACT OF 1995 by David Cole, Professor, Georgetown University Law Center I. INTRODUCTION AND SUMMARY The "Omnibus Counterterrorism Act of 1995," drafted by the Clinton Administration, was introduced on February 10, 1995 by Senators Biden and Specter, among others, in the Senate, and by Congressman Schumer in the House. The bill is wide-ranging, dealing with everything from the making of plastic explosives, to bomb threats and trading in nuclear materials. But it also prohibits a wide range of First Amendment protected activities, resurrects "guilt by association" as a guiding principle of criminal and immigration law, and creates an unprecedented "alien terrorist removal procedure" that would deny immigrants the most basic of due process protections -- the right to confront the evidence the government seeks to use against one. This memorandum briefly addresses those provisions of the bill that raise the gravest civil liberties concerns. In brief, the Administration's bill would reintroduce to federal law the very principle of guilt by association that defined the McCarthy era, and which has been repudiated since then. It triggers criminal penalties and even deportation not on individual culpability, but simply on a showing that those with whom one associates have engaged in illegal acts. It allows the government to impose up to ten years' imprisonment on citizens, and deportation on non-citizens, where an individual has done nothing more than support the lawful activities of an organization that the government has labelled "terrorist," even if it is undisputed that that organization engages in a wide range of lawful activities and that the individual supported only such lawful activities. This is guilt by association in its purest form. The bill goes beyond McCarthyism in authorizing trials based on secret evidence for immigrants accused of supporting a "terrorist organization." Under this provision, the government not only could deport immigrants for supporting solely lawful activities of organizations that have also engaged in unlawful acts, but could do so on the basis of evidence that the immigrant and his lawyers would never see. This provision authorizes secret proceedings, one-sided, ex parte appeals, and expressly permits the INS to use information obtained illegally. When the government has previously sought to rely on undisclosed evidence against non-citizens living here, the courts have barred it from doing so on due process grounds. The courts have held that secret evidence defeats the adversarial process, and deprives the individual against whom it is used a meaningful opportunity to defend himself. When the INS last sought to use secret evidence to expel a permanent resident alien, the D.C. Circuit likened the position of the alien to that of "Joseph K. in The Trial," finding that "[i]t is difficult to image how even someone innocent of all wrongdoing could meet such a burden [of rebutting undisclosed evidence that he is a terrorist]." Rafeedie v. INS, 880 F.2d 506, 516 (D.C. Cir. 1989). This bill's secret evidence procedure has the same fundamental flaw -- it allows the government to rely on information that the alien cannot see. Due process cannot be squared with the affirmative use of secret evidence. II. IMMIGRATION LAW CHANGES Title II of the Omnibus Counter-Terrorism Act would change immigration law in two respects. First, it amends the substantive provisions authorizing deportation and exclusion of non-citizens for "engaging in terrorist activities," broadly expanding the definition to include support of solely lawful activities. Second, it allows the government to deport aliens accused under this broad substantive provision on the basis of secret, undisclosed evidence. This memo will address each provision in turn. A. Section 202: Changes to the Immigration and Nationality Act to Facilitate Removal of Alien Terrorists This section changes current immigration law to broaden substantially the government's power to deport aliens based on charges that they have supported a terrorist organization. 1. Current Law Under current law, aliens are excludable and deportable if they either engage in a terrorist activity themselves, of if they provide material support to an individual, organization, or government "in conducting a terrorist act at any time." Terrorist activity under current law is defined extremely broadly, to include any use of a firearm or explosive with the intent to endanger person or property. However, the current law does require the government to prove that the individual it seeks to deport or exclude has actually engaged in such activity, or has provided material support for the conducting of such activity. 2. Expansion of "Terrorism" Deportation Provisions to Include Support of Lawful Activity The proposed bill would eliminate any requirement that the alien actually have any connection to terrorist activity per se, and would substitute guilt by association. Under the new law, the government need only prove that the alien has afforded "material support to any individual, organization, or government which the actor knows or reasonably should know has committed or plans to commit terrorism activity." Section 202 (a)(B)(iii). Under this provision, an individual who pays taxes to a government that has engaged in the use of an explosive or firearm with intent to endanger person or property would be deportable as a terrorist. Similarly, an individual who raised funds solely for the lawful medical services provided by any organization that has also engaged in terrorism would be deportable as a terrorist. The new law explicitly provides that a "terrorist organization" is defined without reference to lawful activities of the group. It defines "terrorist organization" as "any organization engaged, or which has a significant subgroup which engages, in terrorism activity, regardless of any legitimate activities conducted by the organization or its subgroups." Section 202(a)(B)(iv). Under this definition, any alien who provided money for the peace process to Yasir Arafat's Palestine Liberation Organization would be deportable, notwithstanding that the peace process is lawful, and that the United States government itself has provided the PLO with funds for that purpose, and asked others to do the same. The PLO's subgroups include the Democratic Front for the Liberation of Palestine and the Popular Front for the Liberation of Palestine, both of whom the government charges are engaged in terrorism.[fn0] Thus, aliens would be deportable for doing what the U.S. government itself is currently doing, and asking others to do. 3. Deportation of Terrorist Group "Representatives" The new law also permits the President, together with the Secretary of State and Attorney General, to deport any alien they choose simply by identifying him or her as a "representative" of a "terrorist organization," in an unreviewable determination. Section 202(a)(B)(i) makes deportable "representatives" of "any terrorist organization designated by proclamation by the President after he has found such organization to be detrimental to the interests of the United States." Such a designation would likely be unreviewable, since it provides no standards, and courts are unlikely to second-guess the President on what is "detrimental to the interests of the United States." The provision further authorizes either the Secretary of State or Attorney General to designate any alien a representative of a terrorist organization, and specifies that such determination "shall be controlling and shall not be subject to review by any court." Thus, this statute effectively allows the President, together with the Secretary of State or Attorney General, to deport any alien in the United States through two unreviewable designations. To afford government officials such unreviewable power to single individuals out for deportation is contrary to basic principles of due process. 4. Analysis The "terrorism" provisions of the Immigration and Nationality Act were added in 1990, when Congress finally repealed the McCarran-Walter Act. The 1990 Act was designed to repudiate the principle of guilt by association that characterized the McCarran-Walter Act. This bill would reintroduce, in the name of counter-terrrorism, the same principles of guilt by association. It would render aliens deportable for associational activity fully protected by the First Amendment, and for supporting wholly lawful and humanitarian activities. These provisions are unconstitutional on their face. The Supreme Court has long held that the First Amendment forbids punishment for association alone. The right of association means that all persons in the United States have a right to support, join, recruit for, and raise money for organizations that engage in both lawful and unlawful activity. Raising and contributing money is a core aspect of associational and expressive First Amendment rights.[fn1] Recruiting members for a group is also protected.[fn2] And the Supreme Court has long held that in order for the government to punish an individual's associational activities on behalf of a group, it must prove that the individual specifically intended to further the unlawful ends of the group . [fn3] Yet under this bill, aliens are deportable solely for supporting lawful activities of groups that also engage in unlawful activity. The Administration is aware that organizations denominated "terrorist" often engage in lawful activity. Indeed, just last year, the Administration testified against a bill that would have made membership in Hamas a ground for exclusion as a "terrorist" on such grounds. It argued that because Hamas engages in "widespread social welfare programs" as well as terrorism, one could not presume that a Hamas member was a "terrorist" without indulging in guilt by association.[fn4] Yet the Administration's bill would do just that for countless groups. These provisions also raise substantial concerns about selective enforcement. They are written so broadly that any alien who has supported any organization that has engaged in an act of property destruction is deportable. There are literally thousands of such groups worldwide, and millions of such aliens here in the United States. Yet the government will almost certainly enforce this provision selectively against those individuals who support groups the government does not support. Thus, non-citizens who raise money for Israel, which has certainly engaged in unlawful property damage directed at civilians (see, for example, its collective punishment policies pursuant to which it bulldozed homes and villages), would technically be deportable under this provision, but it is of course unlikely that they will be targeted. History has shown that one man's terrorist is another man's counterrevolutionary. A bill as broadly written as this invites selective enforcement against unpopular groups. B. Section 201: Alien Terrorist Removal Procedures This provision would authorize the INS to deport aliens accused of engaging in "terrorist activities," as that term is broadly defined above, on the basis of secret evidence never disclosed to the alien or his or her lawyer. 1. Current Law Deportation proceedings throughout our history have been conducted on the basis of evidence disclosed to the alien, to afford him an opportunity to defend himself. The Supreme Court and lower courts have held that due process -- which protects all aliens living in the United States, whether here lawfully or unlawfully [fn5] -- does not permit the use of secret evidence.[fn6] Accordingly, the INS has never used undisclosed evidence to deport any alien from the United States. 2. Secret Evidence Procedure The bill sets up a special court, comprised of 5 district court judges designated by Chief Justice Rehnquist, to hear deportation cases against aliens charged under the "terrorism" provisions discussed above. Section 502. To trigger the "secret evidence" procedure, the government need only establish that the alien is subject to deportation under the "terrorism" provisions, and that adherence to regular deportation provisions would "pose a risk to the national security of the United States." Section 502(a). Any time the government has classified information that it does not want to reveal, it will be able to claim that an ordinary deportation hearing would pose such a risk, because an ordinary deportation hearing would require the disclosure of classified information. If the court finds that the government has not made such a showing, the government has a right to an immediate appeal, which shall be "ex parte," meaning the alien and his lawyers have no right to participate. Section 502(d)(1). The alien has no appeal. The procedure requires the government to provide the alien with summaries of its classified information, but if the government shows either that the alien's continued presence or the provision of the summary "would likely cause serious and irreparable harm to the national security or death or serious bodily injury to any person." Section 502(e)(2). If the government makes that showing, it may proceed by undisclosed evidence, without any summary. It is likely that the government will often be able to make such claims, because all it needs to do is state that an informant is involved, that a summary would disclose his or her identity, and that the informant's safety would be endangered. Where ex parte evidence is used, the alien and his lawyers have no opportunity to see it, and the immigration judge may hear argument based on the evidence outside the presence of the alien and his lawyers. Section 502(j), (l). If the judge declines to accept such secret evidence, the Justice Department may take a one-sided appeal to the Court of Appeals, which will consider the government's appeal without the participation of the alien or his lawyers.[fn7] In such a special removal proceeding, the alien is barred from seeking to suppress any evidence, even if it was illegally obtained, and has no right to discover information derived from electronic surveillance, which the government may use even if obtained in violation of the law restricting electronic surveillance. Section 501(b). Ordinarily, any person in any proceeding can move to suppress such evidence on the ground that it was unlawfully obtained. 18 U.S.C. �3504. That statute is specifically made inapplicable to these deportation proceedings. Section 501(b).[fn8] The bill provides for immediate detention without bail of all aliens subject to this procedure. Aliens here on student visas, tourist visas, or special labor visas would be denied any hearing regarding their detention. Lawful permanent resident aliens would get a hearing, but the government would be able to use classified information, and instead of the government having to prove that there are grounds for detention, the alien would have to prove that there is no basis for detention. Section 502(b).[fn9] 3. Analysis It is a cardinal rule of due process that evidence used against one party must be disclosed to that party. This rule applies in criminal and civil proceedings. The government is thus seeking to exercise an unprecedented power in authorizing reliance on secret evidence. Under the law, the government need only show that the presence of the alien or revealing the information presents a risk of serious harm to national security or any person. If such a showing were sufficient to justify using secret evidence in criminal trials, virtually every criminal case involving an informant would be heard on the basis of secret evidence. Yet it is well-established that in no criminal trial -- even involving the most heinous of crimes, the most top secret information, and the most dangerous of threats -- may the government use undisclosed evidence. If it wants to use an informant's testimony, it must reveal his or her identity. If it wants to rely on classified information, it must reveal it in court. Yet under this law, the government would be permitted to use secret evidence against an alien who did no more than provide humanitarian aid, as long as part of its evidence against the alien is based on classified information. Moreover, the law allows the government to use undisclosed evidence without a summary not only where revealing the information would pose a risk, but also where revealing the information would pose * no * risk, but the alien's presence poses a risk. Section 502(e)(2)(A)., Thus, the law allows the government to use secret evidence against aliens it claims are dangerous even where there would be no danger posed by disclosing the evidence. This provision simply authorizes the government to use secret evidence where the only reason for doing so is to deny the alien a fair opportunity to defend himself. As noted above, courts have consistently declared unconstitutional INS attempts to use secret evidence against aliens, even where the government claims that national security is at stake. This procedure is equally unconstitutional. Moreover, the government has made no showing that such a procedure is necessary. The nation has survived for more than 200 years without secret trials. III. RESTRICTIONS ON FUND-RAISING BY ALL U.S. PERSONS Title III of the bill imposes unprecedented restrictions on humanitarian fundraising for any organization designated by the President as a terrorist group. This provision reaches the activities of U.S. citizens as well as non-citizens, and directly infringes on First Amendment protected activity. A. Current Law It is already illegal to provide money for the terrorist acts of any group or person. Congress passed a bill prohibiting such activity in the 1994 crime bill. 18 U.S.C. �2339A. What this bill adds is a prohibition on fundraising that would otherwise be legal, namely fundraising for the lawful activities of an organization that has engaged in terrorism. B. Designation of Terrorist Groups Under Section 2339B(c), the President may designate any foreign organization as a terrorist organization if he finds that the organization engages in terrorism activity as defined in the immigration provisions and that the organization's terrorism activities "threaten the national security, foreign policy, or economy of the United States." As noted above, the immigration provision definition of "engage in terrorism activity" is extremely broad, and includes not only any unlawful property damage, but also any fundraising for the lawful activities of another organization that has engaged in property damage. Thus, this definition places virtually no constraints on the groups the President could designate. In addition, the bill makes the President's designation "conclusive," and provides that "[n]o question concerning the validity of the issuance of such designation may be raised by a defendant in a criminal prosecution." Section 2339B(c)(6). Thus, even in the ludicrous instance of the President designating the Girl Scouts as a terrorist organization, a person charged with raising funds for the group could not challenge the designation. C. Fundraising for Lawful Activities Criminalized The bill criminalizes any fundraising or monetary support of any designated group. In theory, it provides an if the individual obtains a prior license from the Secretary of the Treasury. To obtain a license, however, the individual must prove that the funds will be used exclusively for lawful purposes, and will not be used to offset a transfer of other funds to be used in terrorist activity. Section 2339B(e)(3). In addition, the individual must make available to the Secretary's inspection his books and records, and the books and records of the recipient organization. Section 2339B(e)(4). Under this law, it would have been a crime to give money to the ANC during Nelson Mandela's speaking tours here, unless the individual made his or her books and the books of the ANC available to the Secretary of the Treasury for inspection.10 (Of course, under the preceding immigration provisions, Nelson Mandela and any alien who contributed to his cause would be deportable, even if they could prove that the money went solely for lawful causes). This bill authorizes up to 10 years' imprisonment for any violation. It also subjects anyone who gets a license and thereafter fails to make available to the Secretary their books or the books of the recipient organizations liable to a $50,000 fine, or twice the amount of money that would have been documented, whichever is larger. Section 2339B(i). The law also allows the government to bar discovery of classified information by defendants in civil proceedings for injunctions under this Act, and to use summaries of classified information or redacted documents affirmatively against defendants. Section 2339B(l). D. Analysis This bill raises several constitutional concerns. First, it criminalizes constitutionally protected fundraising for lawful activities. The loophole it creates to allow such fundraising is illusory, given the requirement that the foreign organization must open its books to the Secretary of the Treasury. Second, even if the licensing option were not illusory, it imposes an unconstitutional prior restraint, because it requires approval before the First Amendment activity can be engaged in. The First Amendment prohibition on prior restraints means that the government is restricted to punishing speech or associational activity after the fact, and cannot require prior licensing.. Third, the licensing requirement reverses the burden of proof constitutionally required by the First Amendment. The First Amendment bars the government from prohibiting fundraising for an organization unless the government can prove that the money is specifically intended for unlawful activities. Under this bill, guilt is presumed, and the individual seeking a license must prove that the money is intended for, and will be used only for, lawful activities. Fourth, the bill gives the President judicially unreviewable authority to designate prohibited organizations, and that determination is conclusive in court. Moreover, the definition of terrorist organization, taken from the immigration provisions discussed above, is so broad as to invite selective enforcement. Fifth, the provisions permitting the government to use summaries of classified information against defendants and barring defendants from discovering classified information that would be helpful to their case raise significant due process concerns, for reasons discussed above in Section II.B., addressing the alien terrorist removal provisions. ------------------------------------------------------------------------ Footnotes 0 Executive Order (January 24, 1995). 1 See Citizens Against Rent Control v. Berkeley, 454 U.S. 290, 295-96 (1981) (monetary contributions to a group are a form of "collective expression" fully protected by the right of association); Federal Election Comm. v. National Conservative Political Action Comm., 470 U.S. 480, 495 (1985) (same); Roberts v. United States Jaycees, 468 U.S. 609, 626-27 (1984) (First Amendment protects Jaycees' "fundraising"); Village of Schaumburg v. Citizens for a Better Environment, 444 U.S. 620, 632-33 (1980) (First Amendment protects charitable solicitation of funds). 2 Staub v. City of Baxley, 355 U.S. 313 (1958) (striking down restriction on solicitation of members for unions and other organizations as violation of First Amendment); City of Watseka v. Illinois Public Action Council, 796 F.2d 1547, 1558-59 (7th Cir. 1986) (upholding award of damages for First Amendment violation based in part on organization's "inability to recruit new members"). 3 In Healy v. James, 408 U.S. 169, 186 (1972), the Supreme Court held that: 'guilt by association alone, without [establishing] that an individual's association poses the threat feared by the Government,' is an impermissible basis upon which to deny First Amendment rights. The government has the burden of establishing a knowing affiliation with an organization pursuing unlawful aims and goals, and a specific intent to further those illegal aims. (citations omitted, emphasis added). Under this principle, the Court has struck down statutes barring Communist Party members from public and private employment, Keyishian v. Board of Regents, 385 U.S. 589, 606-07 (1967); Elfbrandt v. Russell, 384 U.S. 11, 17 (1966); United States v. Robel, 389 U.S. 258; ballot access, Communist Party of Indiana v. Whitcomb, 414 U.S. 441, 448-49 (1974); the right to travel abroad, Aptheker v. Secretary of State, 378 U.S. 500 (1964); and the practice of law. Baird v. State Bar of Arizona, 401 U.S. 1 (1971); Schware v. Board of Bar Examiners, 353 U.S. 232 (1957). 4 Written Testimony of Mary A. Ryan, Assistant Sec. for Consular Affairs, Dept. of State, Before the Subcomm. on International Law, Immigration and Refugees of the House Judiciary Comm., Feb. 23, 1994, at 7. See also Written Testimony of Chris Sale, INS, same hearing, at 9. 5 As the Supreme Court stated in Mathews v. Diaz, 426 U.S. 67, 77 (1976): There are literally millions of alines within the jurisdiction of the United States. The Fifth Amendment, as well as the Fourteenth Amendment, protects every one of these persons from deprivations of life, liberty, or property without due process of law. Even one whose presence in this country is unlawful, involuntary, or transitory is entitled to that constitutional protection. 6 Kwong Hai Chew v. Colding, 344 U.S. 590 (1953) (holding that INS could not subject returning permanent resident alien to "summary exclusion" procedure in which INS would rely on secret evidence); Rafeedie v. INS, 795 F. Supp. 13 (D.D.C. 1992) (holding unconstitutional the INS's attempt to expel a permanent resident alien on the basis of undisclosed classified information); American-Arab Anti-Discrimination Comm. v. Reno, No. CV 87-2107-SVW(Kx), Slip op. (C.D. Cal. Jan. 25, 1995) (enjoining INS, on due process grounds, from relying on undisclosed information to deny aliens legalization to permanent resident status), appeal pending (9th Cir.). 7 The bill may also change the standard of proof. In deportation hearings, it has long been established that the government must prove its case by "clear, unequivocal, and convincing evidence." Woodby v. INS, 385 U.S. 276 (1966). Under this bill, however, the government would need to prove its case only by "clear and convincing evidence." Section 502(m). It's not entirely clear that the government considers this a change in the standard, however, for it states in its section-by-section analysis that the same burden of proof would apply as in other deportation proceedings. The analysis does not explain the statutory omission of the requirement that the evidence by "unequivocal." 8 In fact, that statute is made inapplicable to all deportation proceedings under the "terrorism" provisions, whether or not they involve the use of undisclosed information. Section 202(d). 9 The bill would also make any alien subjected to such a proceeding ineligible for any discretionary relief otherwise available to deportable aliens. Section 501(c). Thus, under this bill, a permanent resident alien who provided medical supplies to a hospital run by an organization that had also engaged in an act of property destruction could be deported on the basis of secret evidence, and would have no opportunity even to apply for discretionary relief. 10 The ANC was routinely listed as a "terrorist group" in official government documents prior to its becoming part of the South African government. From blancw at MICROSOFT.com Thu Mar 14 20:40:36 1996 From: blancw at MICROSOFT.com (Blanc Weber) Date: Fri, 15 Mar 1996 12:40:36 +0800 Subject: (Humor) FW: How to Win Arguments Message-ID: <> I argue very well. Ask any of my remaining friends. I can win an argument on any topic, against any opponent. People know this, and steer clear of me at parties. Often, as a sign of their great respect, they don't even invite me. You too can win arguments. Simply follow these rules: * Drink Liquor. Suppose you're at a party and some hotshot intellectual is expounding on the economy of Peru, a subject you know nothing about. If you're drinking some health-fanatic drink like grapefruit juice, you'll hang back, afraid to display your ignorance, while the hotshot enthralls your date. But if you drink several large martinis, you'll discover you have STRONG VIEWS about the Peruvian economy. You'll be a WEALTH of information. You'll argue forcefully, offering searing insights and possibly upsetting furniture. People will be impressed. Some may leave the room. * Make things up. Suppose, in the Peruvian economy argument, you are trying to prove Peruvians are underpaid, a position you base solely on the fact that YOU are underpaid, and you're damned if you're going to let a bunch of Peruvians be better off. DON'T say: "I think Peruvians are underpaid." Say: "The average Peruvian's salary in 1981 dollars adjusted for the revised tax base is $1,452.81 per annum, which is $836.07 before the mean gross poverty level." NOTE: Always make up exact figures. If an opponent asks you where you got your information, make THAT up, too. Say: "This information comes from Dr. Hovel T. Moon's study for the Buford Commission published May 9, 1982. Didn't you read it?" Say this in the same tone of voice you would use to say "You left your soiled underwear in my bath house." * Use meaningless but weightly-sounding words and phrases. Memorize this list: Let me put it this way In terms of Vis-a-vis Per se As it were Qua So to speak You should also memorize some Latin abbreviations such as "Q.E.D.," "e.g.," and "i.e." These are all short for "I speak Latin, and you do not." Here's how to use these words and phrases. Suppose you want to say: "Peruvians would like to order appetizers more often, but they don't have enough money." You never win arguments talking like that. But you WILL win if you say: "Let me put it this way. In terms of appetizers vis-a-vis Peruvians qua Peruvians, they would like to order them more often, so to speak, but they do not have enough money per se, as it were. Q.E.D." Only a fool would challenge that statement. * Use snappy and irrelevant comebacks. You need an arsenal of all-purpose irrelevent phrases to fire back at your opponents when they make valid points. The best are: You're begging the question. You're being defensive. Don't compare apples and oranges. What are your parameters? This last one is especially valuable. Nobody, other than mathematicians, has the vaguest idea what "parameters" means. Here's how to use your comebacks: You say As Abraham Lincoln said in 1873... Your opponents says Lincoln died in 1865. You say Your begging the question. OR You say Liberians, like most Asians... Your opponents says Liberia is in Africa. You say You're being defensive. * Compare your opponent to Adolf Hitler. This is your heavy artillery, for when your opponent is obviously right and you are spectacularly wrong. Bring Hitler up subtly. Say: "That sounds suspiciously like something Adolf Hitler might say" or "You certainly do remind me of Adolf Hitler." So that's it: you now know how to out-argue anybody. Do not try to pull any of this on people who generally carry weapons. ------------------------------------------- End Forwarded Article .. ~ Blanc From jimbell at pacifier.com Thu Mar 14 21:56:25 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 15 Mar 1996 13:56:25 +0800 Subject: Why escrow? (was Re: How would Leahy bill affect crypto Message-ID: At 04:15 PM 3/13/96 +0000, Deranged Mutant wrote: >Since when is the government intentionally going to let any bill or >policy go through that isn't friendly to themselves??? (You don't >have to be an anarchist to figure that out!) Well, it's not surprising, of course, but it DOES seem to be making these assumptions. I wonder what they're gonna do when they start discovering that "all" voluntary escrow system in place have protections far beyond what they've anticipated? That's why I'm more than a little disturbed about the one really bad portion of the Leahy bill: The one that makes using encryption to thwart an investigation a crime. As Mr. Junger observed, and as should be obvious to most of the rest of us, such a section of the bill could turn a key-escrow holder into a criminal if he fails to disclose an encryption system that protects a key, or (worse!) even if he structures his business in such a way as to avoid having the decrypt key for the escrowed key at all. Previously, legally, he could probably have claimed innocence because he had no decrypt-key to disclose, but Leahy's bill would make him guilty even if there was nothing he could do to give them a key. >Nothing is safe from abuse, by the goverment or non-government fols >alike. There's always more loopholes to clean up. (Not that this >means we shouldn't clean them up... obviously bad policies should be >fixed...). Just as no crypto is 100% foolproof, no legal system is >100% abuse-proof. If I were trying to detect government investigation in such a situation, I would buy a crypto phone, open an "escrow account" on a totally voluntary basis, give them a phony key, and then (as part of the (presumably?) enforceable escrow agreement) insist that they inform me if anybody asks for the key. There is nothing in Leahy's bill which appears to prohibit the escrow agent from informing the key holder of a request/demand for the key; (I would greatly prefer if that was an actual legal requirement that they do inform the key user.) The question is, is this merely an oversight on their part, or are they planning something, or are they assuming an existing law would cover his? The answer doesn't look good. Jim Bell jim bell at pacifier.com From tj_lists at prado.com Thu Mar 14 21:59:18 1996 From: tj_lists at prado.com (tj_lists at prado.com) Date: Fri, 15 Mar 1996 13:59:18 +0800 Subject: ADL_mil Message-ID: <199603131451.GAA16213@zoe.prado.com> Addressed to: John Young ** Reply to note from John Young 03/10/96 5:15pm -0500 > The ADL survey also found that many hard-core > militiamen believe that the United States Government > itself conducted the Oklahoma City bombing to create an > excuse for further depriving citizens of their > constitutional rights. One doesn't need to be a "hard-core militia" type to realize the demolition of the Murrah Bldg. wasn't caused by a truck full of ANFO 20 feet away. The alleged method used, 20 seperate plastic drums of the stuff is the absolutely WRONG way to get a coherent explosion of ANFO which needs concentration, not air space between the containers. Further more, a truck bomb would create a circular blast pattern, not the linear left to right pattern seen & caused by shape charges planted on the structural columns inside the building. Brig. General USAF (Ret.) Ben Partin, who designed & tested bombs while in the Air Force wrote in a letter to various Congressmen, "I can say, with a high level of confidence, that the damage pattern on the reinforced concrete superstructure could not possibly have been attained from the single truck bomb without supplementing demolition charges at some of the reinforced column bases. The total incompatibility with a single truck bomb lies in the fact that either some of the columns collapsed that should not have collapsed or some of the columns are still standing that should have collapsed and did not." According to Charles Mankin, head of the Geologic Survey at the University of Oklahoma, referring to seismograph records of April 19, 1995 "We had two events, ten seconds apart. The first one coincided in time with the explosion at the Federal Building." A truck bomb did explode outside of the Fed Bldg as a cover & distraction for the real demolition job inside. McVeigh is a dupe, a fall guy, about on par with Lee H. Oswald in Dallas, November 23, 1963. The benefits to the statist monstrosity & it's quasi-official allies like the ADL of the deaths of 168 people have been enormous. This in itself does not prove government agencies are responsible for the bombing, but combined with the simple fact that the damage could not possibly have occured the way they are claiming it did, it adds up to certainty as to whom the real bombers are. Qui bono? From Yawn82 at aol.com Thu Mar 14 22:01:10 1996 From: Yawn82 at aol.com (Yawn82 at aol.com) Date: Fri, 15 Mar 1996 14:01:10 +0800 Subject: Why escrow? (was Re: How would Leahy bill affect crypto Message-ID: <960314175726_446575157@mail04.mail.aol.com> How the hell do I get off this list? From gary at kampai.euronet.nl Thu Mar 14 22:01:28 1996 From: gary at kampai.euronet.nl (Gary Howland) Date: Fri, 15 Mar 1996 14:01:28 +0800 Subject: Beat Remote Monitor Snooping? Message-ID: <199603142054.VAA04403@kampai.euronet.nl> At 10:46 PM 3/13/96 -0500, Alan Horowitz wrote: >Visual contrast is not the same thing as frequency diffrence. It is quite >easy to measure extremely small changes of phase. As in, your >plain-vanilla FM receiver. However, that's not how SVGA CRT's do it. NTSC (TV video) modulation is done by phase modulation of the 3.579545 MHz subcarrier. SVGA has three different baseband analog signals feeding three electron beams. Even so, they still should be able to pick up SVGA with a little tinkering. kkkkk From tcmay at got.net Thu Mar 14 22:02:32 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 15 Mar 1996 14:02:32 +0800 Subject: LACC: PC Phones Home? Message-ID: (This came to me via the Cypherpunks list, and was addressed to "lacc at suburbia.net". I have no idea who that is, or how it got to the CP list...probably another local reflector of the list, of which we seem to be getting more and more every day. Very confusing. I am removing these from the distribution list...if they get it, they get it.) At 2:28 PM 3/13/96, D. C. Hilliard wrote: >Listers, > >I came across a blurb in the local paper today and was interested if >someone here could provide some substance to the story: > >"Software to the rescue: >If somoeone steals your PC, you may be able to get it back because of >software that acts as a kind of tracking device. Home Office Computing >magazine reports that the software CompuTrace TRS will automatically dial >the office of its creator, Absolute Software, if a thief hooks up a stolen >PC's modem to a phone line. The software reveals the location of the PC and >Absolute Software will call the police" - Providence Journal-Bulletin - >March 12, 1996. > >Any Comments? Thanks for the pointer. I found more info via Alta Vista, including a more detailed press release (http://199.125.99.5/vpr/vpr/000246.htm). It looks "cypherpunkly correct" to me. No mandatory aspects and no privacy-limiting aspects. It calls the CompuTrace number weekly, and this could in principle help to track a mobile (laptop) user. But the arrangement is voluntary, and of course the owner knows about it and hence is not being tricked. (Slightly more worrisome might be corporate-owned laptops, with the program used to track where employees are making use of the laptop. However, two things mitigate against this. First, CompuTrace only makes a trace of the call if the laptop is reported stolen (though this arrangement could be modified by the corporate owner). Second, the weekly call is a poor granularity for tracking (though this, too, could be modified). Lastly, the owner of the laptop can do with his property what he wishes, as I see it.) I would think that a knowledgeable thief could disable such software, even if it is fairly cleverly hidden. But a typical thief would not. But then a typical thief merely stockpiles the things he steals and is unlikely in the extreme to actually try to use the PC he has stolen. The likeliest scenario is that the stolen machine is sold to someone at a flea market, or through classified ads in the paper, or as part of a bulk sale to a company seeking cheap computers. It is this user who is likely to get nabbed. (And then they'll have to return the computer as stolen property and tell what they know about who sold it to them. Sounds fair to me.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From unicorn at schloss.li Thu Mar 14 22:04:24 1996 From: unicorn at schloss.li (Black Unicorn) Date: Fri, 15 Mar 1996 14:04:24 +0800 Subject: RICO and remailers (brief treatment, if long) Message-ID: 0 Several people expressed interest in a small treatment of seizure law jurisprudence, and the Bennis case (seizure of an automobile used for soliciting prostitution was upheld even where one of the owners knew nothing about its use for a crime and which Mr. Bell has relied on fairly heavily in pointing out that the Supreme Court has its "head up its ass.") I want to point out that I'm not being paid for this. As a result anyone who takes this like legal advice, rather than what it is, i.e. an academic examination, does so at their own peril. -A- RICO I cover RICO because it's a popular prosecution tool, because it is the predominate vehicle for seizure and forfeiture in federal cases (of which remailer and encryption issues are likely to arouse) and because it represents a codification of the approach most courts take when dealing with seizure cases. In a very real way, RICO represents the outer extremes of seizure cases in the United States, and is probably, given the complexity of many state laws, the simplest way to "grab" something. It also has civil provisions which make "private prosecutors" out of you and me. Generally speaking, after its passage (1970) RICO was ignored. (Interested readers might look to Bradley, Racketeers, Congress and the Courts: An Analysis of RICO, 65 Iowa Law Review, 837 (1980). for a detailed review of its early development). It was "rediscovered" some years later, and grew in popularity because of the civil provisions for divestiture, dissolution, reorganization, and restrictions on future activites as well as treble damages under 18 U.S.C. 1964. Generally speaking, in order to secure a conviction with RICO, one must prove the existance of an "enterprise" and a connected "pattern of racketeering activity." RICO prosecutions are generally triggered by predicate acts, listed specifically in the statute. The statute lists these in the definitions section. (Section 1961) I reproduce some below to give the reader a feel for what is anticipated: As used in this chapter-- (1) "racketeering activity" means (A) any act or threat involving murder, kidnaping, gambling, arson, robbery, bribery, extortion, dealing in obscene matter, or dealing in a controlled substance or listed chemical (as defined in section 102 of the Controlled Substance Act), which is chargeable under State law and punishable by imprisonment for more than one year; (B) any act which is indictable under any of the following provisions of title 18, United States Code: [bribery, sports bribery, counterfeiting, theft from interstate shipment, embezzlement from pension or welfare funds, extortionate credit transactions, mail fraud, transmission of gambling information, wire fraud, financial institution fraud, obscene matters, obstruction of justice, tampering with witnesses, informants or victims, money laundering, monetary transactions with respect to property derived from unlawful activity, sexual exploitation of children, white slavery, (some deleted)] (18 U.S.C. 1961) The activities specifically prohibited by RICO are also statuatorily defined. Specifically: (a) It shall be unlawful for any person who has received any income derived, directly or indirectly, from a pattern of racketeering activity... in which such person has participated as a principal within the meaning of section 2, title 18, United States Code, to use or invest, directly or indirectly, any part of such income, or the proceeds of such income, in acquisition of any interest in, or the estlablishment or operation of, any enterprise which is engaged in, or the activities of which affect, interstate or foreign commerce.... (b) It shall be unlawful for any person through a pattern of racketeering activity or through collection of an unlawful debt to acquire or maintain, directly or indirectly, any interest in or control of any enterprise which is engaged in, or the activities of which affect, interstate or foreign commerce. (c) It shall be unlawful for any person employed by or associated with any enterprise engaged in, or the activities of which affect, interstate or foreign commerce, to conduct or participate, directly or indirectly, in the conduct of such enterprise's affairs through a pattern of racketeering activity or collection of an unlawful debt. (Section 1962) (d) [or to conspire to do any of the above] The seizure provisions are contained in 18 U.S.C., Section 1963: (a) Whoever violates any provision of section 1962 of this chapter shall be [fined and imprisoned or both] and shall forfeit to the United States, irrespective of any provision of State Law-- (1) any interest the person has acquired or maintained in violation of section 1962; (2) any -- (A) interest in; (B) security of; (C) claim against; or (D) property or contractual right of any kind affording a source of influence over; [the enterprise violating section 1962]; and (3) any property constituting, or derived from, any proceeds which the person obtained, directly or indirectly, from racketeering activity or unlawful debt collection in violation of section 1962. [...] (b) Property subject to criminal forfeiture under this sections includes-- (1) real property, including things growing to, affixed to, and found in land; and (2) tangible and intangible personal property, including rights, privileges, interests, claims and securities. The lead case generally used to outline the overall principals of RICO is United States v. Turkette, 452 U.S. 576 (1981). Most of the defining litigation surrounding RICO involved refining the definitions of "enterprise" and "pattern" of racketeering. Turkette indicates in part that: Section 1962(c) makes it unlawful "for any person employed by or associated with any enterprise engaged in, or the activities of which affect, interstate or foreign commerce, to conduct or participate, directly or indirectly, in the conduct of such enterprise's affairs through a pattern of racketeering activity or collection of unlawful debt." The term "enterprise" is defined as including "any individual, partnership, corporation, association, or other legal entity, and any union or group of individuals associated in fact although not a legal entity." (Turkette) Of primary importance, and the key issue in Turkette, is the fact that "There is no restriction upon the associations embraced by the definition: an enterprise includes any union or group of individuals associated in fact." Id. Both legitimate and illegitimate enterprises qualify. United States v. Hartley, 678 F.2d 961 (11th Cir. 1982) applied RICO to an otherwise legitimate corporate defendant. On the subject of passive involvement of a defendant in criminal activity the court in Haroco Inc. v. American Nat'l Bank & Trust Co. 747 F.2d 284 (7th Cir. 1984) offers: ...the defendants are surely correct in saying that the corporation enterprise should not be liable when the corporation is itself the victim or target or merely the passive instrument for the wrongdoing of others... The liable person may be a corporation using the proceeds of a pattern of racketeering activity in its operations. This approach... makes the corporation enterprise liable under RICO when the corporation is actually the direct or indirect beneficiary of the pattern of racketeering activity, but not when it is merely the victim, prize, or passive instrument of racketeering. This result is in accord with the primary purpose of RICO, which, after all, is to reach those who ultimately profit from racketeering, not those who are victimized by it. (This preference for enterprise liability has been followed by other courts. See e.g., Schreiber Distributing Co. v. Serv-Well Furniture Co., 806 F.2d 1393 (9th Cir. 1986); Commonwealth of Pa. v. Derry Construction Co., 617 F.Supp 940 (W.D.PA 1985). See generally, First, Business Crime, 1990) And Ravens v. Ernst and Young, 113 S.Ct. 1163, refines the definition of "conduct or participate" thusly: Once we understand the word "conduct" to require some degree of direction, and the word "participate" to require some part in that direction, the meaning of section 1962(c) comes into focus. In order to "participate, directly or indirectly in the conduct of such enterprise's affairs," one must have some part in directing those affairs. Of course, the word "participate" makes clear that RICO liability is not limited to those with primary responsibility for the enterprise's affairs, just as the phrase "directly or indirectly" makes clear that RICO liability is not limited to those with a formal position in the enterprise, [note 4] but some part in directing the enterprise's affairs is required. The "operation or management" test expresses this requirement in a formulation that is easy to apply... In sum, we hold that "to conduct or participate, directly or indirectly, in the conduct of such enterprise's affairs," one must participate in the operation or management of the enterprise itself. Let us assume for a moment then that the worst conspiracy one can imagine, involving all of the horsemen of the infopocalypse, uses a remailer to conduct its activities. Absent a showing that the conspiracy is involved, participating, or directing the operation of the remailer, or that the conspiracy used proceeds to support the remailer, it is pretty clear that the remailer, and the operator are a "passive instrument" of the conspiracy. One might also look to the Justice Department Guidelines for the use of RICO as a prosecutoral tool: "...it is not the policy of the criminal Division to approve "imaginative" prosecutions under RICO which are far afield from the Congressional purpose of the RICO statute.... Further, it should be noted that only in exceptional circumstances will approval be granted when RICO is sought merely to serve some evidentiary purpose, rather than to attack the activity which Congress most directly addressed- the infiltration of organized crime into the nation's economy." (9- 110.200, RICO guidelines preface). One might also look at the second circuit in Huber: "We further note that where the forfeiture [under RICO] threatens disproportionately to reach untainted property of the defendant... section 1963 permits the [court] a certain amount of discretion in avoiding draconian (and perhaps unconstitutional) applications of the forfeiture provision." In sum, provided no statute exists expressly felonizing the operation of e-mail forwarding or encryption, I wouldn't much worry about RICO. It is possible, I suppose, to construct a creative (very creative) argument that mere operation of a remailer is wire fraud, and thus triggers RICO and allows seizure, but I find this fairly unlikely. I might add that future legislation prohibiting "furtherance of a felony via encryption" or some such is almost certain to have a scienter requirement making innocent forwarders of such information who did not know they were furthering a felony immune from the statute, and thus RICO. -B- The Michigan Case, and why it has absolutely nothing to do with remailers. Mr. Bell has made a great to-do about the Bennis case (seizure of automobile absent showing that co-owner knew of criminal use of same). His connection of the case to remailers is surrounded by a good deal of imagination, myth, and outright fabrication. I thought I would take a closer look and see what was to be found. That done, let me then dispel some of the myths. Myth #1: This holding means that any property can be seized for any crime and the owner placed at the mercy of the state at a whim. Totally false. The Michigan law is specifically written to allow property seizure in the specific instance of prostitution or gambling. Many states have forfeiture laws, but they are an extreme resort, and typically bear only on very narrow activities. Michigan, further, is at the draconian side of the spectrum. Michigan also has some of the toughest state drug laws in the country (Automatic life sentence without parole for mere possession without intent to distribute, of more than 650 grams of cocaine) Consider the Michigan law used in Bennis, reproduced below. Section 600.3801 of Michigan's Compiled Laws. states in pertinent part: "Any building, vehicle, boat, aircraft, or place used for the purpose of lewdness, assignation or prostitution or gambling, or used by, or kept for the use of prostitutes or other disorderly persons... is declared a nuisance... and all... nuisances shall be enjoined and abated as provided in this act and as provided in the court rules. Any person or his or her servant, agent, or employee who owns, leases, conducts, or maintains any building, vehicle, or place used for any of the purposes or acts set forth in this section is guilty of a nuisance." Section 600.3825 states in pertinent part: "(1) Order of abatement. If the existence of the nuisance is established in an action as provided in this chapter, an order of abatement shall be entered as a part of the judgment in the case, which order shall direct the removal from the building or place of all furniture, fixtures and contents therein and shall direct the sale thereof in the manner provided for the sale of chattels under execution . . . . "(2) Vehicles, sale. Any vehicle, boat, or aircraft found by the court to be a nuisance within the meaning of this chapter, is subject to the same order and judgment as any furniture, fixtures and contents as herein provided." Mich. Comp. Laws Ann. @ 600.3825 (1987). Myth #2: This means that if your property is seized, you can never make an innocent owner defense to the seizure. Again, false. Many statutes allow innocent owner defenses and some courts will assume the availability of such a defense in absence of express intent by the legislature to the contrary. In this case there was such an expression. Namely: "Proof of knowledge of the existence of the nuisance on the part of the defendants or any of them, is not required." Mich. Comp. Laws Ann. @ 600.3815(2) (1987). Myth #3: If your car is stolen, and it is used in the sales of drugs, its gone baby. False. Most states recognize that use of property without the owner's consent insulates the property from seizure. Michigan is no exception. Note the Supreme Court's Comment in the Bennis Case: The Michigan Supreme Court specifically noted that, in its view, an owner's interest may not be abated when "a vehicle is used without the owner's consent." Id., at 742, n. 36, 527 N.W.2d at 495, n. 36. Myth #4: This is a new and outlandish holding by the Supreme Court. Nothing like this has ever been seen before. It represents a turn to fascism. The current Supreme Court has its head up its ass. False. The history of allowing seizure of property not taken without the owners consent, even if the specific use of the property was indeed without the owners knowledge, goes back more than 150 years and can be traced to Britain's own practice (maintained to this day). Take the Supreme Court's comment again in the Bennis Case: Our earliest opinion to this effect is Justice Story's opinion for the Court in The Palmyra, 25 U.S. 1, 12 Wheat. 1, 6 L. Ed. 531 (1827). The Palmyra, which had been commissioned as a privateer by the King of Spain and had attacked a United States vessel, was captured [*10] by a United States war ship and brought into Charleston, South Carolina, for adjudication. Id., at 8. On the Government's appeal from the Circuit Court's acquittal of the vessel, it was contended by the owner that the vessel could not be forfeited until he was convicted for the privateering. The Court rejected this contention, explaining: "The thing is here primarily considered as the offender, or rather the offense is attached primarily to the thing." Id., at 14. Myth #5: This means that if someone drives my car to the city, and then blows up a building and flees via subway, my car is history. False. In order to allow seizure, the property seized must typically be an "instrumentality" of the crime. Granted this is a bit of a obscure distinction at times, even to supreme court justices: The limits on what property can be forfeited as a result of what wrongdoing--for example, what it means to "use" property in crime for purposes of forfeiture law--are not clear to me. See United States v. James Daniel Good Real Property, 510 U.S., ___ (1993) (slip op., at 2-5) (THOMAS, J., concurring in part and dissenting in part). (Bennis) But it's fairly clear that this is a significant defense to seizure, and one which was never raised by the defense in Bennis: It thus seems appropriate, where a [challenge] by an innocent owner is concerned, to apply [the instrumentality] limits rather strictly, adhering to historical standards for determining whether specific property is an "instrumentality" of crime. Cf. J. W. Goldsmith, Jr.-Grant Co., supra, at 512 (describing more extreme hypothetical applications of a forfeiture law and reserving decision on the permissibility of such applications).The facts here, however, do not seem to me to be obviously distinguishable from those involved in Van Oster; and in any event, Mrs. Bennis has not asserted that the car was not an instrumentality of her husband's crime. (Bennis) After getting the government's brief by fax this afternoon, it became fairly clear why the non-instrumentality defense was not made: After John Bennis was seen stopping and allowing Ms. Polarchio to enter his car, the Police followed him to a residential area, midway in the block, where his car stopped and the lights were turned off. (TR-63-65) After the police stopped behind the Bennis' auto, two heads were seen: a female on the right, a male on the left. Seconds later, the female head went down, disappearing toward the drivers side. (TR 65-66) When the officer observed John Bennis and Kathy Polarchio engaged in fellatio in the Bennis' car, John Bennis had his pants pulled down. (TR-67) (Bennis: Brief for the Government) It's pretty hard to argue that the automobile was not an instrumentality of the crime when it was used to pick up, transport and conceal, indeed make possible the very illicit sexual practices of the defendant which are at issue. (i.e. public solicitation of prostitution and lewd conduct on a public street within the car itself, conduct probably not possible in this form without the automobile). Myth #6: The court just doesn't care about property rights. False. The court spends a great deal of time thinking about the parties rights, and even suggests a different ruling had the car not be co-owned by the perpetrator of the crime. First, it bears emphasis that the car in question belonged to John Bennis as much as it did to Tina Bennis. At all times he had her consent to use the car, just as she had his. (Bennis) It also considered what Mrs. Bennis would actually gain from a ruling in her favor from a practical standpoint: Th[e] court declined to order a division of sale proceeds, as the trial judge took pains to explain, for two practical reasons: the Bennises have "another automobile," App. 25; and the age and value of the forfeited car (an 11-year-old Pontiac purchased by John and Tina Bennis for $ 600) left "practically nothing" to divide after subtraction of costs. See ante, at 3 (majority opinion) (citing App. 25).(Bennis) While it is tempting to damn the decision after listening to the sound bytes, there is much more going on here than a mere seizure. Remailer operators shouldn't be concerned (at least with regard to these cases) overmuch until a local state statute addressing remailers specifically is passed in a jurisdiction where the innocent owner defense is not permitted, or in any jurisdiction where such statute forbids resort to the innocent owner defense. I will, however, note that this is only about 3 hours work, and I wouldn't go betting the farm on it. --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From adam at lighthouse.homeport.org Thu Mar 14 22:06:30 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Fri, 15 Mar 1996 14:06:30 +0800 Subject: "The Infernal Machine" (new book) Message-ID: <199603150043.TAA15646@homeport.org> Just finished 'The Infernal Machine' by Larry Hannant. It is a history of security screening in canada, focusing on the period from the early 1920s through the end of world war 2. Mass fingerprinting for security purposes in Canada began, not as is commonly supposed, with a spy case after the end of the second world war, but in the early 20s, as a means of catching, tracking, and harrassing communists. The system expanded from there without public debate or acknowledgement, through Canadas entry to the second world war. Although fingerprinting legally was only permissable in the case of people charged with felonies, the Royal Canadian Mounted Police fingerprinted Communists and other undesirables, who they picked up for vagrancy or drunkeness. The RCMP was aware that this was a violation of Canadian law. At the start of ww2, again without public discussion or debate, the system was expanded to cover workers in many military industries. It was only in 1948 that the government acknowledged what was going on, by giving a stamp of approval to a system already in place. The book traces the ties between the RCMP, MI5 and the FBI in the context of security screening. Cypherpunk relevancies include the RCMP fear of anonymity, the expansion of government power unchecked to harrass those with unpopular and subversive views, and the mechanics of building systems for tracking millions of fingerprints (with custom Hollerith card sorters that IBM designed for the purpose.) I found it interesting and worth the time to read. 1995, University of Toronto Press, isbn 0-8020-0448-2 (cloth) or 0-8020-7236-4 (paper). $9 in a used bookstore. (A rant is waiting to be written over the lack of useful standards in creating ISBNs. Is there a good reason not to have x-y-z-1 not be the cloth, and x-y-z-2 be the paper edition? (Or some other obvious relation...)) -- "It is seldom that liberty of any kind is lost all at once." -Hume From WlkngOwl at unix.asb.com Thu Mar 14 22:08:40 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Fri, 15 Mar 1996 14:08:40 +0800 Subject: (Fwd) BACKGROUNDER: Internet Censorship FAQ Message-ID: <199603142334.SAA01238@unix.asb.com> ------- Forwarded Message Follows ------- From: telstar at wired.com Subject: BACKGROUNDER: Internet Censorship FAQ Yesterday I received some friendly email from Jonathan Wallace, a subscriber to this list. Jonathan pointed me toward his Web site, where I found the following list of Frequently Asked Questions (FAQ) about Internet Censorship. It's a great background document which contains many pearls of insight, so I'm redistributing it here with Johnathan's permission. Jonathan , by the way, is also co-author of "Sex, Laws and Cyberspace," a new book on Internet censorship from Henry Holt. Spread the word! --Todd Lappin--> Sedtion Editor WIRED Magazine ================================================= The Internet Censorship FAQ http://www.spectacle.org/freespch/faq.html [..] +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+- This transmission was brought to you by.... THE CDA INFORMATION NETWORK The CDA Information Network is a moderated mailing list providing up-to-the-minute bulletins and background on efforts to overturn the Communications Decency Act. To subscribe, send email to with "subscribe cda-bulletin" in the message body. WARNING: This is not a test! WARNING: This is not a drill! +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+- Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From tcmay at got.net Thu Mar 14 22:10:28 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 15 Mar 1996 14:10:28 +0800 Subject: FCC-type Regulation of Cyberspace Message-ID: At 9:57 PM 3/14/96, jim bell wrote: >I think your analysis is absolutely correct. Despite the fact that fiber >bandwidth has none of the limitations of "over the air" communications, the >government will try to regulate it as if it were. The underlying danger of >the CDA, in addition to regulating CONTENT, is that the government is >setting up precedents to regulate the communications AT ALL, which is >dangerous to us. Indeed, the _regulation of content_ is completely separable from the issue of allocation of bandwidth. The FCC and WARC arrangements for allocation of bandwidth to broadcasters and other RF spectrum users is not perfect, to my mind, but at least it does not ostensibly deal with content. However, conflated with the issue of spectrum allocation has been the notion that "the public owns the airwaves." I'm not saying the "public" doesn't in some sense own the airwaves, in that the airwaves are a commons. But the "public ownership" notion has turned into the pernicious idea that _content_ ought to be regulated. Thus, if a radio station is too conservative, too liberal, too corporate, too populist it may "lose its license." Anyway, I won't debate this point here, as it has been oft-debated elsewhere. The danger is that this notion of "public ownership" is being extended in various ways to things that are *not* resource-limited, such as the Internet. The whole "information superduperhighway" debate, thankfully on the back burner now, echoed this FCC-centric point of view. A better model is that of publishing, a la newspapers and magazines. There is little "content control" there (with a couple of major exceptions, to be discussed in a minute), and no talk of how "the public owns the publishing pages" and hence can control content. The First Amendment is (mostly) still alive in the publishing arena. The exceptions are, first, obscenity and the like. Second, articles and advertisements are regulated in various ways as to the claims that can be made, the promises, the competitive claims, etc. Third, there are moves afoot to limit advertisements of tobacco and cigarettes in various magazines. (In the U.S., of course, the advertising of cigarettes on television was banned 25 years ago. Hard liquor ads are also never seen, though I don't know if this was by FTC or FCC mandate or by consensus. Beer ads may be next.) Cigarette ads must carry warning messages. Now, being a free speech and First Amendment sort of person, I naturally wonder just what constitutional standing such restrictions, especially in print, have? Doesn't "Congress shall make no law..." make things pretty clear? (No doubt the arguments in favor of restrictions have something to do with the powers to regulate commerce and/or provide for the general welfare, blah blah blah. So, how long before the same arguments are used to stop people from arguing that cigarettes are not harmful, or portraying in fiction a positive--or at least not negative--image of alchohol, cigarettes, drugs, suicide, etc.?) Back to cyberspace. We must be alert for moves to "regulate" cyberspace as the FCC and related agencies have regulated the RF spectrum, the phone industry, etc. (The latest incursion is of course the "Internet phone" imbroglio....given that a user installs a piece of software and then uses his Internet access exactly as others might, the only enforcement of rules against phone use would be to outlaw certain types of software which may be possessed! A serious move indeed.) Finally, for now, we really should "Just Say No" to the attempts to regulate our Net access, to regulate our published words, to regulate our access to offshore services. (When the time comes when America tells its residents they may not connect to offshore services, then we will have become what we fought for so many decades.) And better than "Just Say No," do it by deploying unstoppable technologies. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From JonWienke at aol.com Thu Mar 14 22:10:29 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Fri, 15 Mar 1996 14:10:29 +0800 Subject: LACC: PC Phones Home? Message-ID: <960314190536_351417944@emout07.mail.aol.com> In a message dated 96-03-14 17:30:38 EST, you write: >If the software installs itself on the master boot record, than reformatting >the disk would not get rid of the program. > >- --Mark You can wipe the master boot record by entering FDISK /MBR at the DOS prompt. This, in conjunction with FORMAT, will definitely get rid of any pesky blabbermouth whistleblower programs. Jonathan Wienke "Let's flame these bozos! They're too stupid to live!" -- Dr. Ziploc From tcmay at got.net Thu Mar 14 22:56:04 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 15 Mar 1996 14:56:04 +0800 Subject: Kid Gloves or Megaphones Message-ID: First, let me say I sympathize with the "problems of anonymity" that Hal has had to deal with. He began running his remailers about as early as anyone, so he clearly has had to encounter problems that to most of us are merely academic issues. However, the problems anyone has with "anonymity" or "cash" are universal ones. The real issue is this: should the problems and opportunities for mischief that sometimes come up with anonymity or cash be grounds for outlawing anonymity and cash? At 6:18 PM 3/14/96, Hal wrote: >As a remailer operator I unfortunately see more of the seamy side of >anonymity than most people. I do think there are people who will take >advantage of this technology in harmful ways. So payee anonymity will >certainly make life more interesting. I view things pretty simply. Often I am faced with choosing to deal with people on a fully or mostly anonymous basis, and I am faced with dealing with people who offer cash. I can choose to deal with these people or their payments, or not. I can demand further identification, insiste that they pay with more traceable forms of payment, such as personal checks, or not. Yes, there is a chance of abuse. Even of criminality. But I strongly prefer making the choice myself, rather than having a government decide for me. Fully anonymous digital cash--which I believe has been implicit in Chaum's system since the gitgo, as soon as anonymous money-changers are extant--will certainly make possible certain behaviors variously regarded as "crimes." As Hal of course knows, these potential crimes have been debated by us many times. (One of them, most recently, is Bell's version of untraceable assassination payments.) But of course the same sorts of problems are implicit in anonymous cash transactions, in anonymous mail sending (note that letters have stamps, with no requirement of identification, at least not yet), and in the very presence of immediately-negotiable currency. I of course agree with Eric Hughes' point that we should not be attempting to "sanitize" the possibilities. (One of the depressing things for me has been the extent to which so many subscribers to this list think that the main agenda is some sort of discussion of PGP 3.0 or of IETF standards, or even of Java applets, without any real awareness of the longterm implications. And when people ask about political implications, there are even mother hens who demand "What does this have to do with crypto?" Depressing.) As to not sanitizing, look again at the .sig I have used in more-or-less the same form for several years. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From frantz at netcom.com Thu Mar 14 22:58:14 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 15 Mar 1996 14:58:14 +0800 Subject: FCC-type Regulation of Cyberspace Message-ID: <199603150307.TAA16080@netcom6.netcom.com> At 7:27 PM 3/14/96 -0800, Timothy C. May wrote: >The exceptions [to the general right to publish (bf)] are, first, >obscenity and the like. Second, articles and advertisements are regulated >in various ways as to the claims that can be made, the promises, the >competitive claims, etc. Third, there are moves afoot to limit >advertisements of tobacco and cigarettes in various magazines. Mark Miller and I had a discussion about the restrictions on commercial speech a few months ago. I contended that these restrictions (generally that you can prove your claims) are good for markets because they provide startup companies (and other newcomers to the market) with a small amount of positive reputation capital that they would otherwise have to invest to obtain. Mark pointed out the superiority of non-governmental reputation agencies. I mentioned that one bad effect of "truth in commercial speech" was it resulted in people having a greater tendency to believe politicians, and we left the discussion there. In thinking back over the discussion, I would like to eliminate the restrictions without making markets less free by adding yet more barriers to market entry. We certainly need more robust reputation agencies than we have now. I just don't know how to encourage their formation. Regards - Bill BTW - I am sending a blind copy to Mark so he can maintain anonymity if he wants to. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From eric at remailer.net Thu Mar 14 22:59:59 1996 From: eric at remailer.net (Eric Hughes) Date: Fri, 15 Mar 1996 14:59:59 +0800 Subject: Kid Gloves or Megaphones In-Reply-To: <199603141818.KAA16974@jobe.shell.portal.com> Message-ID: <199603150311.TAA13238@largo.remailer.net> Date: Thu, 14 Mar 1996 10:18:27 -0800 From: Hal So while I admire Eric's ethical concern about making relevant information about the properties of ecash available, it is also important to understand the possible outcome. My concern is not ethical, although upon re-examining what I said I can see how that might appear that way. My concern is entirely pragmatic. Disclosure is the ethical act, true, but in this case the ethicality is performative, it is the active principle itself. The issue is one of legitimacy and the epistemology of a group. Telling the truth is not just a morally good idea, it is a pragmatically useful one. If we do not disclose what we know now, _regardless_ of the immediate outcome, we will lose in the end. If we lose now, we will never have been able to win at all. The debate which must be taken to the public is whether we want payee anonymity or not. I am confident that people want their privacy and are willing to let others have theirs as well. If they do not, the world is not as I understand it, and I have some hard thinking to do. One thing I notice that was missing from Eric's posting was a description or reference to exactly how the payee anonymity is achieved. Is it his intention to tell people that it is possible, yet to keep secret how it is done? I didn't invent it. I'm going to let Ian describe it when and how he wants. Eric From alano at teleport.com Thu Mar 14 23:30:24 1996 From: alano at teleport.com (Alan Olsen) Date: Fri, 15 Mar 1996 15:30:24 +0800 Subject: SCHWA - New Web Search Engine!! Message-ID: <2.2.32.19960315040715.008a98b0@mail.teleport.com> At 09:18 PM 3/14/96 -0600, Jim Thompson wrote: > >(Alan Olsen forwards something of the FringeWare list to cypherpunks.) > >> Something of interest... >> >> >X-Www-Page: http://www.fringeware.com/MSG/index.html#digest >> >Keywords: pleashes heorg horizona disabili freques inspecurs >> >Subject: SCHWA - New Web Search Engine!! > >Oh sweet Jesus in the morning, it was a JOKE! Yes. And your point...? | Remember: Life is not always champagne. Sometimes it is REAL pain. | |"The moral PGP Diffie taught Zimmermann unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From WlkngOwl at unix.asb.com Thu Mar 14 23:45:49 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Fri, 15 Mar 1996 15:45:49 +0800 Subject: Stupid Message-ID: <199603150426.XAA08875@unix.asb.com> On 14 Mar 96 at 19:30, Yawn82 at aol.com wrote: > How the hell do I get off this list? Very carefully. Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From firebrd123 at ns.interconnect.net Fri Mar 15 00:44:15 1996 From: firebrd123 at ns.interconnect.net (Firebrd123) Date: Fri, 15 Mar 1996 16:44:15 +0800 Subject: maling list In-Reply-To: Message-ID: <3148BEF7.5E23@mail.interconnect.net> Can you please take me off your mailing list. Thankyou. firebrd123 at mail.interconnect.net From proff at suburbia.net Fri Mar 15 02:55:50 1996 From: proff at suburbia.net (Julian Assange) Date: Fri, 15 Mar 1996 18:55:50 +0800 Subject: Anti-scientology rally Melbourne Saturday the 16th of Match Message-ID: <199603151011.UAA02671@suburbia.net> The suburbia.net administrators kindly invite you to attend to the Church of Scientology Demonstration at: The Church of Scientology Corner of Fliners Lane and Russel St, Melbourne City [Australia] SATURDAY March the 16th 1996 11am to 1pm For those completely unfamiliar with the Church of Scientology [CoS]'s attack upon the Internet and RRR radio station and critical speech generally, read my below summary and the the appended transcript of one of our users [David Gerard ] from JJJ radio station. The Church of Scientology was founded by the late L. Ron Hubbard in the United States some 30 years ago. To followers, Hubbard is their profit, and his prolific writings are the sacred word. The Church's hierarchy and financial viability revolve around Hubburd's verbose scriptures. Each new level gained by a church follower brings to them, among other rights and privileges access to a new and previously verboten set of the works of Ron. But to the Church it brings something else. Revenue. A very sizeable revenue. Ron's works are a required element in order for the follower to progress through the many of successive levels the Church has -- and they cost hundreds or thousands of dollars each. In fact, by the time a devote of the Church has realized the highest OT level, the Church has usually had them for over five figures. But revenue isn't the only reason for keeping the works of Ron occulted away. A common technique used by cults to brainwash their followers is gradual immersion in cult mythology and philosophy. To put it bluntly, it is often advisable to keep the more wacko beliefs and practices out of your new recruit's faces until they are sufficiently wacko themselves. Now, the problem for the Church of Scientology is that on the wacko scale the higher level works of Ron hover somewhere near the figure 10. To an outsider it is an immediate farse. But to a follower who has become psychologically dependent on the Church's philosophy & society and invested thousands and thousands of dollars in doing so, it is just another step on the road to mental subservience. What you have then is a Church based on brainwashing yuppies and other people with more money than sense. This may not concern you. If Nicole Kiddman, Kate Cerbrano, John Travolta, Burce Willis, Demi Moor and Tom Cruise want to spend their fortunes on learning that the earth is in reality the destroyed prison colony of aliens from out of space then so be it. However, money brings power and attracts the currupt. Money is something the Church has a lot of. Not all of the Church's beliefs and practices are so out of it as to be completely as irrelevant as the previous example. Some are quite insidious. For instance, L. Ron Hubbard devised a range of methods that could be used against critics and other `enemies of the Church'. Among the list was manipulation of the legal/court system. To the Church the battle isn't won in the court room. It is won at the very moment the legal process starts unfolding, creating fear and expense in those the Church opposes. Their worst critic at the moment is not a person, or an organisation but a medium -- the Internet. The Internet is, by its very nature a censorship free zone. Censorship, concealment and revelation (for a fee) is the Church's raison d'etre. The Church, via its manipulation of the legal system has had computer systems seized, system operators forced to reveal their users personal details, university accounts suspended and radio stations, such as RRR cut their programs. It has sued ex-cult members, newspapers, and many others for copyright infringements, loss of earnings and trade secret violation. Trade secret violation? Yes, the Church of Scientology claims its religious works are trade secrets. The fight against the Church is far more than the Net vs a bunch of wackos with too much money. It is about corporate suppression of the Internet and free speech. It is about intellectual property and the big and rich versus the small and smart. The precedents the Church sets today the weapons of corporate tirany tomorrow. --Julian Assange (please direct replies to fun at suburbia.net) DAVID GERARD ON 3-CR (855KHZ AM) MELBOURNE, 8:50AM THU 14 MAR 1996 ANNOUNCER: There's currently a war going on on the Internet, especially in relation to the Church of Scientology. This morning on the line is David Gerard. Good morning, David. DAVID: Good morning. A: First of all, can you tell me what, what the war is that's going on on the Internet? D: Well, OK. There's a newsgroup on the Internet called alt-dot-religion-dot-scientology, ARS. For a few years, this was like one of the thousands of backwater Internet newsgroups. A newsgroup's a sort of area with a given name where anyone can put a message on, read other people's messages, that sort of thing; it's distributed world-wide, there's no central control over it, so ... A: So it's sort of like an electronic noticeboard, where you can put up whatever you feel like. D: Yep. Free access. And, y'know, most of them are utter garbage and there's no way anyone's interested in all thousands of them. And it was like a little backwater religion newsgroup for many years, where you have a few Church people and a few critics sniping at each other, y'know, and no-one else was really interested. But then, there was an ex-Scientologist on there, a guy called Dennis Erlich, who ... Someone put on a message saying, "is this actually part of secret Scientology scripture?" It was a particularly wacky thing about 'find some plants and see If you can communicate with them and see if they receive your communication.' And he verified, 'yes, that's the real thing.' In verifying it, he quoted it. So what the Church of Scientology then did, seeing as they have tended in dealing with critics to have the subtlety of a Mack truck, what they did was, they got a judge to write a copyright violation writ. And they went round and raided his house, and took away his computers, and went through his house, and took anything they felt like. This is a good way to piss of thirty million people in one go. And the Internet sort of rose up as one to strike back at these people. So what happened was, in their attempts to quash all discussion and quash all criticism, they earned themselves a whole lot more critics. I mean, I'm not an ex-Scientologist, I have no interest in them, except that they're trying to use legal thuggery, corporate financing, to try to quash all dissent. Thankfully they're doing it very badly. They're losing cases left, right and centre when they get them into court, and the publicity has been very damaging for them. A: So there's obviously more than one legal case going on. How many people have they prosecuted, or how many people are they in the process of charging? D: Well, there was Dennis Erlich in America; Lawrence Wollersheim and Bob Penny, who are also ex- Scientologists -- they ran a computer bulletin-board called FACTNet, which contains information on all forms of cults and restrictive groups like those, and Arnie Lerma, who was an ex-Scientologist. And after Lerma was raided, someone in Holland put the thing which he had posted, the Fishman Affidavit, which contains quotes from the Scientology scriptures, someone in the Netherlands put it on a Web page -- on a World Wide Web page, the thing you get through Netscape and so on. And in magazines where you see the Internet, they usually have a screen shot from Netscape -- and what happened was, they tried raiding the Internet provider in Holland, and the Dutch people were outraged with this and promptly there were a hundred different copies of it all over Holland. And then they tried mounting a case against them, and it just came in, word came in a few days ago that they lost. A: So is the Church of Scientology actually using the Internet to display information, or to put out information about the positive sides of the Church, or the sort of information that they would use to draw people in? D: Yeah, they finally got their own Web server up, but the point is ... And that's fine. The more information the better. The critics have their information up, and the Church is trying to stop that, but they're having a lot of trouble, because basically, once information's out there, you can't put the genie back in the bottle, you can't squeeze the toothpaste back into the tube. They feel that if people find out about their secret scriptures, they might think that they're very silly and laugh at them and not want to be Scientologists. And also when things like the prices of these things come out, like when you discover you've paid a hundred and sixty thousand US dollars to learn that Xenu the galactic dictator took people to Earth seventy-five million years ago, strapped them to volcanoes and blew them up, and that you've paid this much money for that and you're supposed to believe it. A: Well, you'd want to believe it after paying all that money. D: Well, actually, that's exactly it. The further people get in, the more fanatical they seem to be. Experts on cults say that the Church of Scientology is one of the hardest cults to get people back to the real world from. And you have that cognitive dissonance between 'this is a load of rubbish' and 'I've paid hundreds of thousands of dollars and worked for years for this.' A: Probably fits into the same philosophy that once you've paid a lot of money for a car, it's the best car there is. [laughs] D: Something like that. Yeah. And the issue goes beyond the Church of Scientology. I mean, they're weird and vicious, and this is well-documented, and if they care to object to me making that statement I'll back it up in court if they like ... A: Is this a fairly typical scenario on the Internet? Are there other groups who are behaving in this manner, or is it a fairly limited ... D: Well, at first only the Scientologists tried this, but, um, the Unification Church, Reverend Moon's lot, have recently been trying this, there's another small cult called Eckankar which is descended from a church which is descended from Scientology, have recently been trying this as well. It's quite amazing. It's not an issue of Scientology, it's not an issue of Scientology teachings, it's an issue of the corporate behaviour in the world where they attempt to silence critics by using legal bigfooting, money ... Can small people criticise big corporations or big financial interests? A: I guess in some ways it's very similar to the McDonalds case in Britain, where they're suing two unemployed people as this huge corporation. D: And the same thing is happening: it's backfiring on them. A: Yeah. D: 'Cos the thing about the Internet is, you can't stop the information going out, because if you make something restricted, suddenly everybody wants it. They've tried suing one person in Holland, a hundred more sprung up. They've tried getting their critics pulled off the Internet altogether -- my University Internet account was locked for two months because of the Church of Scientology, so I then went out and got a private provider. Their behaviour is ... it's intolerable in a multicultural society, where the implicit rule is we all have to get along. A: I understand that a similar thing has happened to the 'Liars' Club', a show put together by the Skeptics on 3-RRR. D: Yep. The Church spent about ... a few years trying to shut down the 'Liars' Club', 'cos they dared to mention, criticise Scientology. And they finally got it taken to the Australian Broadcasting Authority, who ruled that a particular show, where they had an ex-Scientologist called Cyril Vosper ... that he went on and he talked about the Church and what he didn't like about it and what was bad about it. And he knows his stuff, he's been there, he actually knew L. Ron Hubbard, that sort of thing. A: Is this L. Ron Hubbard the science fiction author? D: Yes, the guru of Scientology, the source of everything in Scientology. Every word he wrote is taken by them as scripture. A: [laugh] I've read his books and thought they were novels! [laughs] D: Ha, well, yeah, pretty well ... But anyway, Vosper went on, and the Tribunal ruled that no word or sentence that Vosper said was religious vilification, no word or sentence that Adam Joseph, presenter, said was vilification, no word or sentence that Vanda Hamilton, the other presenter, said was vilification, but, because the presenters agreed with the guest, it was therefore vilification. Now, they didn't ask RRR to pull the show, but RRR pulled the show. They also didn't give them any due process in pulling the show; if a show's in danger of being pulled, y'know, you give them the chance to speak. Stephen Walker just killed it. A: Actually, you're holding a demonstration, that's right. D: It's a small thing, where we politely state our case and hand out leaflets, it's outside the Church, corner Russell Street and Flinders Lane, on Saturday morning at 11am. A: So you'll be providing people who turn up with leaflets to hand out? D: Yep. We'll have hundreds of leaflets, we'll have a few signs ... We expect it to be a very polite demonstration. We had one in September last year, we politely stated our case, the Church people had a leaflet of their own, that sort of thing. It was ... A: [laughs] That's all very nice! D: It's all about ... It's not to do with the local people, I mean, the individual people are fine. We're talking about management actions in America. It's a multinational organisation. A: Anyway, we've got to go. Thanks very much for your time, David. D: Thank you very much. A: See you later. That was Dave Gerard talking about the war on the Internet and the way that the Church of Scientology is ... taking action against people who publish information which is negative about the Church. You've been listening to Thursday Breakfast, it's now two minutes past nine, we've gone over time, and we'll catch you again next week. It's time for 'Scheherazade'. -- "I mean, after all; you have to consider we're only made out of dust. That's admittedly not much to go on and we shouldn't forget that. But even considering, I mean it's sort of a bad beginning, we're not doing too bad. So I personally have faith that even in this lousy situation we're faced with we can make it. You get me?" - Leo Bulero/PKD +---------------------+--------------------+----------------------------------+ |Julian Assange RSO | PO Box 2031 BARKER | Secret Analytic Guy Union | |proff at suburbia.net | VIC 3122 AUSTRALIA | finger for PGP key hash ID = | |proff at gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 | +---------------------+--------------------+----------------------------------+ From meredith at ecid.cig.mot.com Fri Mar 15 04:02:46 1996 From: meredith at ecid.cig.mot.com (Andrew D Meredith) Date: Fri, 15 Mar 1996 20:02:46 +0800 Subject: Netscape Registration Wizard is dead Message-ID: <9603151142.ZM883@jurua.sweng.ecid.cig.mot.com> Hi Folks, We've just done a quick test on 2.01 and it would seem that the "Netscape Registration Wizard" is no more. Cheers Andy M -- ___________________________________________________________________ Andrew Meredith Senior Systems Engineer Tel: (direct) +44(0) 1793 545377 Network Engineering Tools Group Tel: (main) +44(0) 1793 541541 Motorola, GSM Products Division Fax: +44(0) 1793 512618 16, Euroway, Blagrove SMTP: meredith at ecid.cig.mot.com Swindon, SN5 8YQ, UK X400: Andrew_Meredith-QSWI016 at email.mot.com ___________________________________________________________________ From rah at shipwright.com Fri Mar 15 07:14:54 1996 From: rah at shipwright.com (Robert Hettinga) Date: Fri, 15 Mar 1996 23:14:54 +0800 Subject: maling list Message-ID: At 2:50 PM 3/14/96, David K. Merriman wrote: > We can take you off the maling list, or we can take you off the mailing >list. Which would you prefer? Ah. And all this time I thought that cypherpunks was a mauling list. Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From vznuri at netcom.com Fri Mar 15 08:30:46 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Sat, 16 Mar 1996 00:30:46 +0800 Subject: Venona NSA web page Message-ID: <199603141942.LAA28926@netcom14.netcom.com> ------- Forwarded Message Date: Wed, 13 Mar 1996 06:59:32 -0500 (EST) From: merkaba at styx.ios.com Subject: VENONA PROJECT (fwd) - - ---------- Forwarded message ---------- Date: Tue, 12 Mar 1996 22:07:24 -0500 From: Ronald Pearce To: merkaba at styx.ios.com Subject: VENONA PROJECT http://www.nsa.gov:8080/docs/venona/venona.html The VENONA Project In July 1995 the Intelligence Community ended a 50-year silence regarding one of cryptology's most splendid successes - the VENONA Project. VENONA was the codename used for the U.S. Signals Intelligence effort to collect and decrypt the text of Soviet KGB and GRU messages from the 1940's. These messages provided extraordinary insight into Soviet attempts to infiltrate the highest levels of the United States Goverment. Today, we are proud to offer these exceptional documents on the NSA home page and we invite you to study and interpret them in the context of history. NSA will declassify over 2200 messages related to VENONA. We believe they will not only provide a window into Soviet espionage during the 1940's, but will also give you a glimpse of the important contributions signals intelligence and cryptographic expertise make to our nation's security. - - -Ron ==================================================== "We're all pawns, my dear... your move?" No. 66, - - --The Prisoner "Arrival" ==================================================== From 72124.3234 at compuserve.com Fri Mar 15 08:30:48 1996 From: 72124.3234 at compuserve.com (Kent Briggs) Date: Sat, 16 Mar 1996 00:30:48 +0800 Subject: recent ( 3 months ) software developements? Message-ID: <199603141949.OAA05238@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- gjeffers at ns.htc.net (Gary Lee Jeffers) wrote: >Dear Cypherpunks, > > Due to really lousey circumstances, I have been unable to monitor my >mail for the last 3 months. Also, last 3 months mail currently unavailble >to me. I am interested in finding out if there have been any new soft- >ware offerings or software upgrades in that time. My particular interest >is Dos/Windows. Also, locations where software can be downloaded. Note >that a brief description of recent software developements maybe helpful >to other Cypherpunks with little time to monitor Cypherpunks list. > > Beat State, > Gary Jeffers > I released version 2.0 of Puffer, my symmetric encryption program for Windows last month. The exportable shareware version (40-bit RC4, uh, I mean PC1) is available from my web site (http://execpc.com/~kbriggs). The registered version uses 160-bit Blowfish. Both versions have a secure wipe feature and a built-in editor for on-the-fly e-mail encryption. Kent - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMUh4QioZzwIn1bdtAQGUDQF+OlQQTGvyfuzAJahBAXIc09V82QDc4IGj 3TUEyrU8Y9n0GAEWwZw+mDRaSSEXbqlc =7HdD -----END PGP SIGNATURE----- From shamrock at netcom.com Fri Mar 15 08:34:40 1996 From: shamrock at netcom.com (Lucky Green) Date: Sat, 16 Mar 1996 00:34:40 +0800 Subject: e$ and markets and meta-markets. quote with little comment Message-ID: At 12:42 3/14/96, bryce at digicash.com wrote: >I just thought I would re-print this extract from the recent >press release regarding the EUNet/Merita ecash roll-out. > > >Favorite phrase: "interesting new possibilities." > > >Follow-ups directed toward e$. If you post to cpunks without >Cc'ing me I probably won't see it. > > > >Bryce > > >******* begin quote from the "companies that accept ecash" section > >SOM -- SOM, the Finnish Securities and Derivatives Exchange >and Clearing House, established in 1987, serves as a >neutral integrated securities and derivatives exchange and >clearing house. SOM offers real-time financial market >information on stocks, options and futures via the >Internet, with invoices payable in ecash. Somtel for >Windows -the application that offers real-time feed, as >well as simulation and position-analysis functions-, is >already available via leased line. > "The use of money makes stock trading less complicated, >with money acting as a practical intermediary between the >transactions." states Asko Schrey, President of SOM. >"However, since stock trades, as well as the shares >themselves, are electronic nowadays, this conventional >transmission of money has actually become a bottleneck and >a threat to the development of the financial world. >Therefore, SOM actively participates in projects to promote >and improve the efficiency of payment traffic. We believe >that electronic money will offer interesting new >possibilities." As mentioned before, one Ecash "currency" per ticker symbol would be a Very Interesting Possibility. No, I am not aware of any plans by DigiCash to implement this. -- Lucky Green PGP encrypted mail preferred. From asgaard at sos.sll.se Fri Mar 15 09:37:21 1996 From: asgaard at sos.sll.se (Asgaard) Date: Sat, 16 Mar 1996 01:37:21 +0800 Subject: Fencing (location-signalling computers) In-Reply-To: Message-ID: On Wed, 13 Mar 1996, Timothy C. May wrote: > (And then they'll have to return the computer as stolen property and tell > what they know about who sold it to them. Sounds fair to me.) Really? In Sweden, if you buy stolen property from a thief or fence 'in good faith', not knowing that it was stolen (usally arguable in court only if the price was substantially below market value) you can keep it. The original owner, or his insurance company, can buy it back only if you let them. It's up to the others to prove that you didn't act 'in good faith' - if it can be proved that you did not, you are likely to be prosecuted for fencing, of course (if the state doesn't drop the case for lack of manpower, which often occurs with 'minor' crimes). I can think of another application for computers (or modems) signalling their presence with regular intervals. Manufacturers can keep track of their use, life-length etc. Using some kind of Chaumian blind signatures (like those implemented in anonymous toll systems) this could be done without revealing the geographical location of a specific computer, I guess - the manufacturers presumably wouln't care if the hardware was stolen or not. Asgaard From maldrich at grctechs.va.grci.com Fri Mar 15 09:47:54 1996 From: maldrich at grctechs.va.grci.com (Mark Aldrich) Date: Sat, 16 Mar 1996 01:47:54 +0800 Subject: [NOISE] The all.net controversy continues Message-ID: Here's some info from all.net and a host of players IRT the "telnet" fiasco and assorted activities related to it. Crypto relevance is oblique, but some people on this list have implied "knob twidling" intentions. It would appear any number of sites are trying more than twidling. One interesting notion that surfaces in this is what's a "normal" automated inquiry for information versus an "attack." Do I commit computer trespass when I finger someone? Or do I have to try to telnet? Is attempting a telnet into a "guest" account OK if I just want to see if the machine's policy is to welcome visitors? Do they have to post "do not trespass" signs? If all.net's policy is really "nobody's allowed to telnet in," they why don't they just shutdown the damn telnetd, and be done with it? Or, if they want only "authorized" personnel, why not add sufficient crypto to secure the channel? Anyway, it makes for an interesting read.... **BEGIN FORWARDED MATERIAL** --------------------------------------------- Date: Wed, 13 Mar 1996 21:25:03 -0500 (EST) >From: Sick Puppy Subject: Re: IW Mailing List iw/960313 > [Moderator's Note: I believe that the federal computer abuse statutes > don't require a warning banner. If they did, than any denial of service > attack that ignored responses would be legal.] In our discussions with the FBI about how we could meet the legal requirements for a successful prosecution that would not be thrown out on technicalities, the need for a warning statement or warning banner was stressed by the FBI. I don't remember the specifics but the need to have a warning banner is related to the freedoms guaranteed by the US Constitution and its Amendments. The FBI mentioned a couple of prosecutions by the Secret Service where part of the case was thrown out and the whole case was significantly weakened, because there was no warning banner. I believe that CERT also covers this point in its annual conference/seminar for incident response teams. They usually get a FBI agent with experience in the rules of evidence to speak during the lunch breaks. Maybe there is someone on the list whose recollection on this point is more precise than mine. --------------------------------------------- Date: Wed, 13 Mar 1996 18:46:52 -0600 >From: Walt Auch Subject: Re: IW Mailing List iw/960313 Quote: [Moderator's Note: I believe that the federal computer abuse statutes don't require a warning banner. If they did, than any denial of service attack that ignored responses would be legal.] Unquote Banners are not REQUIRED, but DOJ has indicated in many conversations that they are "looked upon favorably" by the Court. You do NOT have to prove that they were read - much like you don't have to prove a speed limit sign was read in order to prove speeding - you should just be able to show it was posted. (Scott Charney is the DOJ person - not sure that should be posted.) --------------------------------------------- >From: fc (Fred Cohen) Subject: More progress Date: Wed, 13 Mar 1996 23:59:56 -0500 (EST) So far, we have traced down: A breakin at a community college in Pennsylnavia where the attacker rigged the University computer to automatically telnet to our site every 5 minutes. A port scan followed by a series of scores of attempts to telnet into our site for over an hour from a University site in Arizona. The attacker has been caught. Several IP spoofing attempts that we are tracing down to the specific dial-in accounts used to launch the attack. An intentional insider corruption of a Web page designed to turn innocent browsers into launchpads for their attack. This one was tracked down yesterday and has been stopped after recurrences by contacting this ISPs ISP and the FBI. A web site which is misleading people into telnetting into our site under the auspices of getting a letter from a self-proclaimed computer security expert. What appeared to be a systems administrator at a prominant university who did a port scan followed by numerous telnets. It now looks like this person may not have been authorized by the university to do any of this and it has been raised to another level in the University. Several other individuals have been tracked down as well. 19:52 > From: "Matthew G. Devost" ... > I am concerned over the all.net statement that it will pursue criminal > conspiracy charges against all those that telnet to their site. I asked > what sort of warning banner was in place and hadn't gotten a reply yet > so I checked to see. Well, there is NO warning banner. You simply get > a connection refused by foreign host (and I imagine, a email to root at > my ISP saying I am an evil hacker!). The message changed as incidents occured. Contrary to what previous postings indicated, we haven't historically claimed these events as attacks. We simply state that (current form): A user at your site has just attempted to telnet into our site. No users from your site are authorized to telnet into this site. We thought you would like to know so you could investigate further. If more telnets come from your site, this may indicate a more substantial attempted entry originating from your site, and should be followed up in more depth and more quickly. > Here is my point. It is obvious that someone (an individual) has a > gripe with you or just wants to target your machine, but I would not > call the other attempts a conspiracy. I could post the following > message to a cancer survivor newsgroup or list: At this point in time [see above] several different individuals have been identified as having intentionally attacked this site during the incident. About 5 individuals are responsible for over 90% of all of the attempted entries. > "Hello all! Just wanted you to know that I have set up a Cancer > Survivors network on my host machine. It requires telnet access > for now, but we are hoping to find an easier way to access the > computer in the near future. Please give it a try by telneting > to all.net." Excellent example. This would not be a criminal conspiracy unless some of the participants became accomplices after the fact by lying about the source of the message and actively creating their own similar messages. Then they would become co-conspirators. That's what appears to have happened here. ... > My point, and I realize I am taking a long time getting there, is that > at the very least you should provide a warning banner when folks telnet > to you site telling them that an unauthorized telnet attempt will be > considered an intrusion. We express this in our finger daemon: No users are allowed on this system In the case of telnet, we don't want people getting that far into our system because we believe that such mechanisms may be breakable by high volume attacks. We prefer to stop things at the earliest possible phase and to have layered defenses after that. --------------------------------------------- Subject: Re: IW Mailing List iw/960313 Date: Thu, 14 Mar 1996 10:02:56 -0500 >From: "Michael G. Reed" |> Well congrats for sparking the list back to life! I think it is |> definitely an IW attack at the Class I level, but I would agree with |> most of the comments from the list that perhaps [all.net is] overreacting. Over reacting, no, inflaming the situation, yes. It is well within the rights of all.net to treat attempted telnets to their machine as attempted break-ins if the proper notification has been given; but personally, I think their handling of the situation is quite silly. One does not get up on a soap box and scream and shout to the world like this -- it just invites (no, begs) more attacks. Instead, you deal with it in the professional manner that system administrators have used for years -- contact other admins and deal with the problem directly. The big problem is *ARE YOU SURE* you have the right people? IP spoofing is trivial these days (a problem that won't be solved until IPv6, if even then) and it would be very easy to mount a concerted attack that *NO ONE* would be able to track down unless you start looking at backbone router logs (which I seriously doubt are being generated or kept) or placing sniffers all over the Internet. [Moderator's Note: Apparently all.net has this well covered because of their previous efforts in automated vulnerability testing.] ... Actually, there are both CERT and DoD bulletins on appropriate warning banners. These banners should (ideally) be displayed *PRIOR* to login (ie, before the login prompt), but most OS's today don't allow for this and as such the banners are normally displayed in the motd. For us (DoD/USN), the message is as follows (at least this is what is showing up on all of our machines): * * * WARNING! * * * This is a U.S. Government/Department of the Navy Automated Information System. This system may be used only for unclassified official business. Unauthorized use of this system is prohibited by Title 18, Section 1030, United States Code. Department of the Navy Automated Information Systems and related equipment are intended for the communication, processing and storage of U.S. Government information, and are subject to monitoring to ensure proper functioning, to protect against improper or unauthorized use or access, to verify the presence or performance of applicable security features or procedures, and for other like purposes. Such monitoring may result in the acquisition, recording, and analysis of all data being communicated, transmitted, processed or stored in this system by a user. If monitoring reveals evidence of possible criminal activity, such evidence may be provided to law enforcement personnel. * * * USE OF THIS SYSTEM CONSTITUTES CONSENT TO SUCH MONITORING. * * * Send questions and/or problem reports to root at foobar.mil |> Let me first start by saying that a telnet attempt is the first and most |> obvious step in any electronic intrusion. ... |> Telnet's only purpose is to establish access. I think this is stretching the law a bit. Let me give you an analogy: Suppose I walk up to a military installation. At the gate they will ask me for my pass, but I don't have one on me. Now, as long as I do not attempt to enter, and leave the grounds at that point, have I done anything wrong? Is my attempt to "break in" illegal? I would contend no. Now, if I had been trying to scale the fence at the time I was detected, that is a COMPLETELY different story, but by following normal protocol I am within my rights. This doesn't preclude handling denial-of-service attacks either. If I continually walk up to the military installation and ask for entry without the proper pass, then I am *POSSIBLY* breaking the law (disturbing the peace or harassment at the minimum) or if there are big signs (which I ignore) stating that unauthorized attempts to enter will result in prosecution, then I *AM* breaking the law. |> As for alerting an administrator, it is extremely likely that a person |> trying to get into one system also tries to get into dozens of others. ... Yes, this is what all system administrators should do. I am not saying that systems should hide the fact that they are (or have been) attacked, but that they should handle it professionally and not throw a tantrum (I'm sorry, but that's what all.net's message looks like to me -- a tantrum -- my personal take on reading it). Security on the Internet is a *MAJOR* problem today, the problem is that few people realize this (or to what extent it is a problem). The one good thing coming out of all of all.net's attention to this "attack" is the quality discussions about security, the handling of threats, and what should be done in the future. [Moderator's Note: The all.net banner is shown above.] --------------------------------------------- Date: Thu, 14 Mar 1996 10:24:03 -0800 (PST) >From: watson at tds.com Subject: Re: hackers and the law >[Moderator's Note: I believe that the federal computer abuse statutes >don't require a warning banner. If they did, than any denial of service >attack that ignored responses would be legal.] There was a CERT or CIAC about late 1992, and a sidebar in Cheswick and Bellovin that summarizes the fuzzy state of this assertion. Apparently, the attackee has some risk of prosecution under wiretap laws if actions are taken against an attacker without proper notice. The warning banner is considered necessary defense against the attacker's lawyers when he claims he was "just knocking on the door." I haven't heard of a clear precedent on this. Probably varies by jurisdiction, phase of the moon, etc. I would encourage those who post on this topic to state their legal credentials. [Moderator's Note: I'll bite - what are your legal credentials?] --------------------------------------------- **END FORWARDED MATERIAL** ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From asgaard at sos.sll.se Fri Mar 15 10:07:25 1996 From: asgaard at sos.sll.se (Asgaard) Date: Sat, 16 Mar 1996 02:07:25 +0800 Subject: e$: Neal Stephenson's geodesic economy In-Reply-To: Message-ID: On Thu, 14 Mar 1996, Robert Hettinga wrote: > Go buy this book. No. From this excerpt, I draw two conclusions: 1) The author is keeping up with some well known (at least to longtime readers of the cp list) concepts of future consequencies of information technology. 2) Around these, he weaves a boring, artless plot. Asgaard From jamesd at echeque.com Fri Mar 15 10:16:25 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Sat, 16 Mar 1996 02:16:25 +0800 Subject: FCC-type Regulation of Cyberspace Message-ID: <199603151625.IAA21520@mail1.best.com> Timothy C. May wrote: >>Mr. Frantz, unless you can prove your claims here, forthwith, I must inform >>you that they are in violation of the Truth in Speech Act of 1996. Please >>retract them, now. Bill Frantz wrote: >Political speech, not commercial speech. The act doesn't apply or is >unconstitutional. I see: The bill of rights reads: "Congress shall make no law [...] abridging the freedom of *political* speech". Never knew that until now. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From asgaard at sos.sll.se Fri Mar 15 10:19:47 1996 From: asgaard at sos.sll.se (Asgaard) Date: Sat, 16 Mar 1996 02:19:47 +0800 Subject: Remailer passphrases In-Reply-To: <199603141930.LAA03089@netcom6.netcom.com> Message-ID: On Thu, 14 Mar 1996, Bill Frantz wrote: > Provided you insist on UNIX. I still think rubber hoses will be the > technique of choice. That was what the Scientologists used on > anon.penet.fi. No, they used social engineering: Nice, honest Finnish policemen were conned by well-dressed lawyers carrying papers written in impressive legaleese. The policemen regretfully admitted that afterwards. Asgaard From WlkngOwl at unix.asb.com Fri Mar 15 10:27:29 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Sat, 16 Mar 1996 02:27:29 +0800 Subject: Why escrow? (was Re: How would Leahy bill affect crypto Message-ID: <199603151658.LAA06153@unix.asb.com> On 14 Mar 96 at 19:41, jim bell wrote: > >Of course that depends how you give your key to an escrow agent. If > >it's already escrowed when you buy a phone, for instance... > > That's the real danger with any such legislation. Individuals can generally > only get things that are manufactured for sale. (You can't buy a car with a > 7-cylinder engine, for instance...) If manufacturers are dissuaded from > building a good crypto telephone, then key-escrow can be as "voluntary" as > you want and you still won't be able to exercise your rights. You might sill be able to buy an unescrowed crypto-phone. If forgeign companies start selling them, then the gov't will have a hard time preventing domestic companies from manufacturing them and exporting them (in theory...) under the legislation. Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From sameer at atropos.c2.org Fri Mar 15 11:35:46 1996 From: sameer at atropos.c2.org (sameer at atropos.c2.org) Date: Sat, 16 Mar 1996 03:35:46 +0800 Subject: Cypherpunks reference in Netscape book In-Reply-To: <2.2.32.19960315083753.009c3b84@pdmail2.mcom.com> Message-ID: <199603151744.JAA05865@atropos.c2.org> Make sure you list majordomo at toad.com and cypherpunks-request at toad.com. Don't list cypherpunks at toad.com. > I'm writing the "Encryption and SSL" chapter for the Netscape products, and > I'm finishing it up with a "Further reading" section that lists > crypto-related books, web sites, and newsgroups. I was thinking of including > a reference to this mailing list. > > Any strong opinions either way? > > As I see it, the downside is a possible increase in confused people > (specifically on the mailing list--not in general from my writing) and a > decrease in the ever-controversial signal-to-noise ratio. The upside is that > new people might come to the list and be enlightened further on the > reasonableness of privacy. > > And speaking pragmatically, I can't imagine that too many people would take > the time to: > 1. read the docs > 2. join the mailing list > 3. post ill-considered messages > > (As a side note, if anyone ever has any feedback about security coverage in > Netscape documentation, send it my way.) > > Corey Bridges > Netscape Security Documentation > http://home.netscape.com/people/corey > 415-528-2978 > -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From reagle at mit.edu Fri Mar 15 13:02:16 1996 From: reagle at mit.edu (Joseph M. Reagle Jr.) Date: Sat, 16 Mar 1996 05:02:16 +0800 Subject: Internet Security Worskhop Call for Papers Message-ID: <9603151816.AA22063@rpcp.mit.edu> ------- Forwarded Message From: papers at rpcp.mit.edu (Richard J. Solomon) Date: Fri, 15 Mar 1996 12:17:23 -0500 To: {Recipient List Suppressed} Cc: reagle at rpcp.mit.edu, execdir at fnc.gov Reply-To: papers at rpcp.mit.edu Subject: Internet Security Call for Papers CALL FOR PAPERS INTERNET PRIVACY AND SECURITY WORKSHOP Haystack Observatory, MA May 20-21, 1996 Privacy and Security Working Group Federal Networking Council Research Program on Communications Policy Center for Technology, Policy, and Industrial Development Massachusetts Institute of Technology INVITATION The Privacy and Security Working Group (PSWG) of the Federal Networking Council (FNC) and the Research Program on Communications Policy of the Center for Technology, Policy, and Industrial Development at the Massachusetts Institute of Technology will hold an invitational workshop at the Haystack Observatory outside of Boston, MA, on May 20-21, 1996. This workshop is intended to bring Federal, academic and private sector participants together in collaboration to develop strategies and potential solutions related to Internet privacy and security. Though a principal focus of the workshop will be on the Federal portion of the Internet, the FNC recognizes that the Federal Internet is tightly coupled with the Global Internet, whose security policies, practices, and goals are complementary to those of the Federal Government. To define those practices, procedures and goals, the PSWG has undertaken two major initiatives: - The Federal Internet Security Plan (FISP), which was developed as a scalable, continual improvement process, based on common principles and mechanisms compatible with Internet community values and needs; and - The Collaborations in Internet Security (CIS) project, an effort aimed at testing the strength of agency approaches to security and moving these technologies beyond individual agency networking environments and into both inter-agency and agency-commercial sector communications. The CIS will result in the development of a new and sustainable process for developing, integrating, and deploying security technologies that are interoperable at all levels of the Federal government and within the commercial and academic sectors. These initiatives are intended to highlight the critical interface between Federal and commercial users and developers of Internet services and technologies. OBJECTIVES This workshop will bring together principal players in the Federal and overall Internet community to discuss the problems and challenges of privacy and security on the Internet, and will: - Identify critical issues, requirements, and recommendations related to future Internet privacy and security research and development efforts; - Describe "best practice" approaches to Internet privacy and security; - Develop specific strategies for implementing Internet Security programs involving all sectors of the Internet community; - Extend the Federal Internet Security Plan (FISP) by defining specific implementations; and finally, - Develop specific strategies for the migration of technologies from the individual RFC unit test stage to the integration of a complete functional managed system in the CIS test/demonstration/pilot projects. SUBMISSIONS Abstracts or complete paper drafts related to the topics listed above are welcome. Accepted papers will be a part of the published record of the workshop. All points of view on Federal policies affecting Internet privacy and security are welcome. Please make all electronic submissions in ASCII format. For further information or to submit an abstract or paper contact: Internet Security and Privacy Workshop c/o Joseph Reagle Research Program on Communications Policy Massachusetts Institute of Technology One Amherst St. (E40-218) Cambridge, MA 02139 Voice: (617) 253-4138. Fax: (617) 253-7326 papers at rpcp.mit.edu SCHEDULE and DEADLINES Call for papers - March 14, 1996 Abstracts Due - April 14, 1996 Invitations to Participants - April 20, 1996 Revised/Completed papers due - May 19, 1996 Workshop - May 20-21, 1996 PARTICIPANTS Participation in the workshop is by invitation, based primarily on submitted papers and abstracts. Additional individuals may be invited to ensure that participation reflects a broad cross-section of the Internet community. PROGRAM COMMITTEE Dennis Branstad - Trusted Information Systems (TIS) Rich Pethia - Computer Emergency Response Team (CERT) Jeffrey Schiller - Massachusetts Institute of Technology (MIT) Richard Solomon - Massachusetts Institute of Technology (MIT) Rick Stevens - Department of Energy /Argonne National Labs (DOE) STEERING COMMITTEE Stephen Squires, Defense Advanced Research Projects Agency (FNC/PSWG Co-Chair) Dennis Steinauer, National Institute of Standards and Technology (FNC/PSWG Co-Chair) Tice DeYoung, National Aeronautics and Space Administration (NASA) Phillip Dykstra, Army Research Laboratory (ARL) Mike Green, National Security Agency (NSA) George Seweryniak, Department of Energy (DOE) Walter Wiebe, Federal Networking Council (FNC) ********************* BACKGROUND Federal Internet Security Plan: In September 1995, the PSWG published the draft Federal Internet Security Plan (FISP). The FISP is oriented toward a scalable, continual improvement process, based on common principles and mechanisms compatible with Internet community values and needs. See . The plan addresses Internet security requirements, including interoperability, from the perspective of the goals and objectives outlined in the National Performance Review (NPR), http://www.npr.gov/. The Federal Networking Council developed this framework in conjunction with its Advisory Committee which represents industry, academia, and non-profit sectors. Action Items, from the FISP, to be addressed during the Workshop: Internet Security Policy and Policy Support Activities * Establish overall Internet security policies * Address security in all Federally supported NII pilots * Coordinate Internet community involvement * Establish an ongoing Internet threat database and assessment capability * Identify legal and law enforcement issues Internet Security and Technology Development * Develop an Internet security maturity model * Develop Internet security architecture * Enhance Internet security services and protocols * Develop a "Secure-Out-of-the-Box" endorsement * Enhance application security Internet Security Infrastructure * Establish a set of Internet security interoperability testbeds * Support privacy, authentication, certificate, and security services pilots * Establish Internet security testing and evaluation capabilities * Improve security incident handling capabilities * Develop security self-assessment capabilities * Establish effective secure software and document distribution mechanisms Education and Awareness * Compile Internet user and site profiles * Encourage use of available security technologies * Establish an Internet security information server * Establish an Internet security symposium/workshop series * Establish an Internet security fellowship program Collaborations in Internet Security: With the Federal government's ever-increasing dependency on computers and distributed systems, there is great urgency for it to develop and employ enhanced information system security technologies and practices. At the same time, these Federal technologies must interoperate with those of the broader Internet community (encompassing the private and academic sectors, along with the Federal sector). In recognition of these needs, the Federal Networking Council's Privacy & Security Working Group (FNC/PSWG) has been awarded a National Performance Review (NPR) Innovation Fund grant to compare and validate agency approaches to security. This Collaborations in Internet Security (CIS) project aims to test the strength of these technologies beyond individual agency networking environments, emphasizing the inter-agency and agency-commercial sector communications. The CIS will result in the development of a new and sustainable process for developing, integrating, and deploying security technology that is interoperable at all levels of the Federal Government and within the commercial and academic sectors. The governing principles behind the Security Testbeds include: employment of an open process (with the activities and results open to participation and comment by both public and private sector participants); a focus on multivendor technologies; an emphasis on testing and experimentally deploying security technologies emerging from research and private sectors as well as security technologies currently in use in the commercial environment; and an underlying objective to ensure interoperability among the broad Internet community (federal, private, and academic). Initial tests will include demonstrations of Kerberos v.5, testing of single-use passwords, and digital signatures. For more information, please see (http://www.fnc.gov/cis_page.html) From blancw at MICROSOFT.com Fri Mar 15 14:00:57 1996 From: blancw at MICROSOFT.com (Blanc Weber) Date: Sat, 16 Mar 1996 06:00:57 +0800 Subject: Tim's friend's mildly retarded son Message-ID: >From: Asgaard > >The reason FDA has not approved this drug is most probably because >it does not make mildly retarded boys less retarded. But of course, >it's not up to the state to protect people from wasting their money >on snake oil. It becomes more difficult to uphold a pure market >philosophy when it comes to poisonous snake oil or, as is often the >case with potent drugs, effective oil but which will kill you from >side effects after a delay. [. . . . . ] >................................................. > >In reference to the "pure" market: > >The point is not simply that the State should protect people from >snake-oil salesmen. > >There are many "private" agencies whom one can pay to do the work of >research on the actual benefits of a drug; companies which which can, >if one does not have the time or the expert knowledge, perform tests >and such to establish whether there is any danger involved in taking >it. This would be the same kind of work that anyone would need to do >in any case (information that they would need to have), whether as an >individual or a private group or a government agency. > >They, too, can do all the work of checking on the safety of the >product, ensuring that it is good, guaranteeing the reality of any >positive effects, then handing it over to the their client and saying, >"there - now, we are satisfied in our judgement that it is not >dangerous to use it." > >The point is that it is not right to prevent, stifle, suffocate, the >liberty to use one's own resources, to act at one's own discretion and >make one's own choices in regard of one's own particular circumstance, >to make independently the judgements necessary to determine the truth >or falsehood of a statement, or the efficacy of a drug - i.e., it is >not right to have to "give it up" to the State, allowing no one else to >engage in the mental exercise and follow-through. > > .. >Blanc >I hope I'm not the only one here who thinks so. > > > > > From adam at lighthouse.homeport.org Fri Mar 15 14:02:10 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sat, 16 Mar 1996 06:02:10 +0800 Subject: Cypherpunks reference in Netscape book In-Reply-To: <2.2.32.19960315083753.009c3b84@pdmail2.mcom.com> Message-ID: <199603151846.NAA18536@homeport.org> Corey Bridges wrote: | I'm writing the "Encryption and SSL" chapter for the Netscape products, and | I'm finishing it up with a "Further reading" section that lists | crypto-related books, web sites, and newsgroups. I was thinking of including | a reference to this mailing list. | | Any strong opinions either way? If you do so, point to the list archives on www.hks.net/cpunks and give out the address of majordomo at toad.com over a warning about list volume. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From trei at process.com Fri Mar 15 15:36:50 1996 From: trei at process.com (Peter Trei) Date: Sat, 16 Mar 1996 07:36:50 +0800 Subject: Interesting Egghead freebee Message-ID: <9603152004.AA18262@toad.com> > From: Alan Olsen > Subject: Interesting Egghead freebee > While at Egghead today, I found out that they are giving away copies of Spry > Mosaic in a Box. (You have to buy something, but that was why I was there > anyways...) So far, it seems to be worth about what you pay for it. It is > designed to connect you to Compu$lave. > What has this to do with this list you ask? The product actually claims to > support S-HTTP! (No export warnings on the package and no real info as to > how it is implemented... I suspect brand-name snake oil here.) For those > of you who do web development and are interested in a client that actually > supports S-Http (I do not believe the d/lable version does), take a look. > (It does install alot of crap, like a new Winsock, so be warned.) Spry Mosaic really does support SHTTP - you can use it to connect to the SHTTP test pages at Terisa and Commercenet without difficulty, once you've doped out how to generate and get signed a low-assurance RSA persona certificate. I just performed an altavista search for references to "shttp://" (the SHTTP prefix) and "https://" (the SSL prefix). The results were 1,000 SHTTP hits, and 20,000 SSL hits. SHTTP may be technicly superior to SSL level 2.0, but as a commercial software developer, I know on which side my bread is buttered. Peter Trei Senior Software Engineer Purveyor Development Team Process Software Corporation http://www.process.com trei at process.com From carboy at hooked.net Fri Mar 15 15:36:51 1996 From: carboy at hooked.net (Michael E. Carboy) Date: Sat, 16 Mar 1996 07:36:51 +0800 Subject: NOISE: Remailers Message-ID: <01BB1268.2BDCA5C0@fish-19.ppp.hooked.net> Has anon.penet.fi recently died??? Seems to have not been responding for the past week or so... Michael E. Carboy carboy at hooked.net From jf_avon at citenet.net Fri Mar 15 15:52:35 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Sat, 16 Mar 1996 07:52:35 +0800 Subject: sector cleaning utility anywhere? Message-ID: <9603151913.AA15304@cti02.citenet.net> Hi. I am using secdrive and also PCTools win 2.0 In the disk defragmenter of PCTools, I can choose DOD wipe to clear up free sectors. But I wondered if it wipes the trailing bits and sectors(?) at the end of a file in the end cluster? Is there a standalone utility that would do this end-of-sector cleanup like secure drive does, but that could do it on it's own without the need of any deletion? JFA Public Key at http://w3.citenet.net/users/jf_avon Jean-Francois Avon 2048 bits key ID:C58ADD0D 1996/03/01 fingerprint=52 96 45 E8 20 5A 8A 5E F8 7C C8 6F AE FE F8 91 From mdiehl at dttus.com Fri Mar 15 16:05:33 1996 From: mdiehl at dttus.com (Martin Diehl) Date: Sat, 16 Mar 1996 08:05:33 +0800 Subject: Cypherpunks reference in Netscape book Message-ID: <9602158269.AA826932252@cc1.dttus.com> Sameer and Cory, Consider setting up some persistent html pages on cryptology, privacy, cyphernomicon, cypherpunks list, and cypherpunks archives. Include these URL's as bookmarks with the delivered Netscape browser. The page on the cypherpunks list could have a subscribe (mail-to) button, as well as some list nequitte, a product warning about list volume, and an unsubscribe (mail-to) button. Martin G. Diehl ______________________________ Reply Separator _________________________________ Subject: Re: Cypherpunks reference in Netscape book Author: sameer at atropos.c2.org at INTERNET-USA Date: 3/15/96 12:59 PM Make sure you list majordomo at toad.com and cypherpunks-request at toad.com. Don't list cypherpunks at toad.com. > I'm writing the "Encryption and SSL" chapter for the Netscape products, and > I'm finishing it up with a "Further reading" section that lists > crypto-related books, web sites, and newsgroups. I was thinking of including > a reference to this mailing list. > [snip] > Corey Bridges > Netscape Security Documentation > http://home.netscape.com/people/corey > 415-528-2978 > -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From alano at teleport.com Fri Mar 15 16:06:55 1996 From: alano at teleport.com (Alan Olsen) Date: Sat, 16 Mar 1996 08:06:55 +0800 Subject: Interesting Egghead freebee Message-ID: <2.2.32.19960315212951.008b4d54@mail.teleport.com> At 10:37 AM 3/15/96 -6, Peter Trei wrote: >Spry Mosaic really does support SHTTP - you can use it to connect to the >SHTTP test pages at Terisa and Commercenet without difficulty, once you've >doped out how to generate and get signed a low-assurance RSA persona >certificate. After I posted about it, I did a little more digging and checked out the S-HTTP portion of the code. Seems to work pretty well. (I was a bit surprised to see that the Personna cert generation saved the information off in a text file, instead of using the bundled e-mail client. The docs on this process were pretty sketchy as well...) >I just performed an altavista search for references to "shttp://" (the SHTTP >prefix) and "https://" (the SSL prefix). The results were 1,000 SHTTP >hits, and 20,000 SSL hits. > >SHTTP may be technicly superior to SSL level 2.0, but as a commercial >software developer, I know on which side my bread is buttered. My reasons for installing it had little to do with S-HTTP (but it was a nice bonus) and more to do with the lack of table support. (I needed something to check out how pages would look on non-table supporting browsers.) My concerns with S-HTTP are with the lack of server (and browser) software support for it, as well as the difficulty of maintaining a site that uses it. (Having to change every single page on a site can become a bit of a chore, as well as introduce unintended security holes due to in improperly updated page.) --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From declan+ at CMU.EDU Fri Mar 15 16:15:09 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sat, 16 Mar 1996 08:15:09 +0800 Subject: FCC-type Regulation of Cyberspace In-Reply-To: <199603151625.IAA21520@mail1.best.com> Message-ID: Excerpts from internet.cypherpunks: 15-Mar-96 Re: FCC-type Regulation of .. by jamesd at echeque.com > Bill Frantz wrote: > >Political speech, not commercial speech. The act doesn't apply or is > >unconstitutional. > > I see: The bill of rights reads: > "Congress shall make no law [...] abridging the freedom of *political* > speech". > Never knew that until now. Thanks for clarifying. Now I know that Congress can pass a law muzzling the New York Times Co., Inc. More seriously, society accepts greater limitations on commercial speech, and I don't find them nearly as odious as I do ones that restrict political speech. -Declan From s1018954 at aix2.uottawa.ca Fri Mar 15 16:16:55 1996 From: s1018954 at aix2.uottawa.ca (s1018954 at aix2.uottawa.ca) Date: Sat, 16 Mar 1996 08:16:55 +0800 Subject: The Diamond Age (was Re: E$: Neal...) Message-ID: *Mild spoiler warning* Asgaard wrote: >No. From this excerpt, I draw two conclusions: >1) The author is keeping up with some well known (at least >to longtime readers of the cp list) concepts of future >consequencies of information technology. He is. Stephenson's an occasional programmer and mentions a few cpunks from Communities.com at the end of Snow Crash. He also throws in tasteful renditions of old hat stuff like Turing machines (hardly the pinacle of high tech processing power), and does a great job with an example of parallel processing stolen from A Fire Upon the Deep (but *so* much spicier!). Who would have thought sex orgies would be a model for computation? Or ritual drumming as IPC...? I can just imagine a unix kernel for such a machine...(or beast?) >2) Around these, he weaves a boring, artless plot. Actually the plot is rather well done and does not focus nearly as much on tech Snow Crash did. It's more of a story-telling novel with some very cute literary devices. It's got to be the only children's book I'd recommend to anyone, especially people you'd like to interest in basic CS concepts or crypto-anonymity issues and who wouldn't be caught dead reading sci-fi, much less cyberpunk. I don't consider it to be a thriller (though it has more sex and violence than your average kid's book.). It was even a bit sentimental. Those of you who enjoy conclusive story resolution, will not like Stephenson's open-ended finale (though *I* think he got it right this time, unlike in Snow Crash). It has me wondering was what a real "Young Lady's Primer" complete with gentle cartoonesque intros to CS, crypto (recreational crypto maybe?) and chaumian concepts would invlolve. I do remember Phil Z. mentioning on the list that his original exposure to crypto was as a child by just such a book (he announced this the day the author died). I have heard of the occasional video game that teaches assembler or typing, it might be interesting to create and release such a thing on the net for the topics discussed among us (for all age groups). Anyone for a crypto-anarchy game .wad? From maldrich at grctechs.va.grci.com Fri Mar 15 16:47:28 1996 From: maldrich at grctechs.va.grci.com (Mark Aldrich) Date: Sat, 16 Mar 1996 08:47:28 +0800 Subject: Source of Cryptanalysis Materials Message-ID: Some folks (this was awhile back) were looking for texts on cryptanalysis and related cryptographic topics. Today, I ran across some stuff published by an outfit called "Aegean Park Press." With such titles as "Manual for the Solution of Military Ciphers," "Elementary Military Cryptography," and "Cryptanalysis of Shift-Register Generated Stream Cipher Systems," they sound like a source of potentially interesting material. A lot of what they are publishing are now-declassified military manuscripts, and they specialize in military-related historical stuff and crypto-related mathematics, etc. A Web resource for them is at http://www.halcyon.com/books/ Otherwise, contact them at: Aegean Park Press P. O. Box 2837 Laguna Hills, CA 92654 VOX 714.586.8811 TF 800.736.3587 (US & Canada only) FAX 714.586.8269 ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From markm at voicenet.com Fri Mar 15 16:50:29 1996 From: markm at voicenet.com (Mark M.) Date: Sat, 16 Mar 1996 08:50:29 +0800 Subject: How to use markov3 writing style changer? Origional URL? In-Reply-To: <199603150239.SAA09261@netcom17.netcom.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Thu, 14 Mar 1996, Dave Harman wrote: > I've got the markov3 binary and source at: > > ftp://ftp.netcom.com/pub/qu/qut/bin/markov3 > ftp://ftp.netcom.com/pub/qu/qut/src/markov3.6/ > > I downloaded it from a url that was posted here recently. > > But I can't find instructions on how to run it. > Can that URL be posted again or instructions on > how to use markov3? I assume you are refering to the post I made a while ago on the markov3 program. The URL is http://www.voicenet.com/~markm/markov3.tar.gz . The usage for the program is just: markov3 foo1.txt foo2.txt foo3.txt [etc] where foo[0-9].txt are writing samples from your "victim." The resulting message is printed to standard output. I think this is all covered in the README file. - --Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMUnQ8bZc+sv5siulAQEngQP+INbJiUC6BS+3FvHuMZXH4jv59YKAp7t6 /oYZr3zkhSTYTabXViIvMDmDQMd0ssYC/6DiC66LFpHQG8hScVzGgmwpYxIMcTyn +2anUkSS+2Wjs96BVmQV1od+9AS2I4LpPIYKf1XrtdBAhB+kVWXlGFpsmu9RoKEE iv2l+GKGfBc= =quTk -----END PGP SIGNATURE----- From lull at acm.org Fri Mar 15 17:22:55 1996 From: lull at acm.org (John Lull) Date: Sat, 16 Mar 1996 09:22:55 +0800 Subject: Beat Remote Monitor Snooping? In-Reply-To: <199603142054.VAA04403@kampai.euronet.nl> Message-ID: <31498f9a.89133975@smtp.ix.netcom.com> On Thu, 14 Mar 1996 21:54:10 +0100, Gary Howland wrote: > NTSC (TV video) modulation is done by phase modulation of the 3.579545 MHz > subcarrier. This is not correct. I'd suggest you go back and re-read your NTSC references. From dlv at bwalk.dm.com Fri Mar 15 18:14:25 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sat, 16 Mar 1996 10:14:25 +0800 Subject: Tim's friend's mildly retarded son In-Reply-To: Message-ID: Asgaard writes: > On Thu, 14 Mar 1996, Timothy C. May wrote: > > > Mexico has no FDA. A trip to the pharmacies of Tijuana is instructive. A > > friend of mine was just here. On a business trip to SF and LA, he drove all > > the way down to TJ to buy a "personal supply" of a nootropic drug for his > > mildly-retarded son, a drug the FDA has not approved but which Mexicans and > > Europeans have been buying for years. U.S. Customs, aware of such > > tragedies, waves people through who are carrying "personal supplies" of > > (non-narcotic) drugs. > > The reason FDA has not approved this drug is most probably because > it does not make mildly retarded boys less retarded. But of course, > it's not up to the state to protect people from wasting their money > on snake oil. It becomes more difficult to uphold a pure market > philosophy when it comes to poisonous snake oil or, as is often the > case with potent drugs, effective oil but which will kill you from > side effects after a delay. FDA has a very good reputation of not > 'recommending' drugs with (delayed) adverse effects outweighing the > beneficial ones. This is not true. Today it costs hundreds of millions of dollars to bring a new drug to the U.S. market. I speak from personal experience: my late mother used to use Rowatinex to relieve kidney symptoms. It's widely available in Europe, but the Irish manufacturer doesn't want to tell it here because the cost of getting an FDA approval would be more than what they would make selling it. Hence, it had to be smuggled in. :-) Many over-the-counter drugs that became popular before the FDA probably could't be brought to the market now. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From blancw at MICROSOFT.com Fri Mar 15 20:53:18 1996 From: blancw at MICROSOFT.com (Blanc Weber) Date: Sat, 16 Mar 1996 12:53:18 +0800 Subject: Tim's friend's mildly retarded son Message-ID: >From: tcmay at got.net (In response to my sig statement): >>>I hope I'm not the only one here who thinks so. > >How could you be? Since I was the one who cited the example, I clearly >am >opposed to the current monopoly on judgment the FDA enjoys. .................................................................... Yes. I know. I am on the infamous Anarcho-Capitalist Cypherpunk List. But I am sending mail from my place of work, and I intended it as a sort of "disclaimer". Ha-ha. I wasn't clear about that. BTW, vis-a-vis the Tijuana Free Market qua government involvement with addicting substances, I think your precision statitics below are apropos, Q.E.D. :>) * > .... Tobacco, which kills an estimated 400,000 a year is the > winner. (The statistics I saw a few years ago were easily memorizable: > tobacco: 400,000, alchohol: 40,000, drugs: 4,000.) .. Blanc * you would have had to read my "How to Win an Argument" post to appreciate this one. > From mab at research.att.com Fri Mar 15 21:18:54 1996 From: mab at research.att.com (Matt Blaze) Date: Sat, 16 Mar 1996 13:18:54 +0800 Subject: PolicyMaker paper available Message-ID: <199603152107.QAA23226@nsa.tempo.att.com> A number of people have been asking me about some work I've been doing (with Joan Feigenbaum and Jack Lacy) on alternatives to traditional (X.509, PGP, etc.) identity-based certificates. We've just finished up our paper on the concept, "Decentralized Trust Management", to appear at the Oakland Security Conference in May. A PostScript pre-print is available in ftp://research.att.com/dist/mab/policymaker.ps -matt [NB: I no longer read the cypherpunks list with any regularity, so please cc me directly on any comments or discussion. Thanks.] From tcmay at got.net Fri Mar 15 21:24:00 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 16 Mar 1996 13:24:00 +0800 Subject: Tim's friend's mildly retarded son Message-ID: At 5:16 AM 3/16/96, Timothy C. May wrote: >(I'll spare the usual stuff about how the Founders smoke a pipe of cannabis >now and then, how "canvas" comes from the Dutch word for this herb, how >special interests got hemp and "reefer" outlawed, and how the effects fell >mainly on the poor and inner-city folks.) I meant "and how the effects of criminalization fell mainly on the poor and inner-city folks." Just thought I should make this clear, because many who advocate drug laws do so out of some notion that by illegalizing some drug they are _helping_ the poor folks. In fact, they are helping to destroy inner cities by making illegal drugs a profitable thing to trade. And since people living in cities are more likely to come in contact with police than are folks living in suburban areas, the implications of illegality are even more strongly felt. Far removed from crypto, except the the sort of thinking that says the FDA and DEA know best what people ought to be allowed to buy and ingest is very similar to the thinking that government agencies know best what codes and ciphers people ought to be allowed to use. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From ses at tipper.oit.unc.edu Fri Mar 15 21:54:25 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sat, 16 Mar 1996 13:54:25 +0800 Subject: Tim's friend's mildly retarded son In-Reply-To: Message-ID: On Fri, 15 Mar 1996, Timothy C. May wrote: [...] > it gives his son an improvement from, say, an IQ of 70 to perhaps an IQ of > 75. Apparently this is an important difference, so much so that when his [...] > (A few years ago I also bought some nootropics in TJ. I felt no effect. My Headline: Drugs Fail to Raise Tim May's IQ to 75 Simon // "Bad journalists live for moments like these" --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From stewarts at ix.netcom.com Fri Mar 15 23:06:10 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 16 Mar 1996 15:06:10 +0800 Subject: Kid Gloves or Megaphones Message-ID: <199603160637.WAA14730@ix3.ix.netcom.com> At 07:11 PM 3/14/96 -0800, Eric wrote: > The debate which must be taken to the public >is whether we want payee anonymity or not. I am confident that people >want their privacy and are willing to let others have theirs as well. My initial impression of Chaum's work, from his 1985 CACM paper, was that the technology gave you strong anonymity; I was surprised when I first saw references to payees _not_ being anonymous (subject to the usual limitations of getting the digicash to them anonymously and getting the service you want from them anonymously.) We've had discussions on this list about topics like kidnap ransom, which need payee anonymity to make sense at all; we later had discussions about how to provide it given that it wasn't a standard feature. So first we need to tell people that the technology _won't_ provide payee anonymity unless used carefully, and then we need to tell them that it _can_ provide anonymity if you want it.... Depending on the details of Ian's method, I don't think the debate needs to be taken to the public, or even done - it may simply be a done deal once the technology's out there. If Mark Twain Bank or Merita Bank or the Federal Reserve wants to offer Digicash(tm) with Payee-Non-Anonymity, they can always make it a contractual requirement that their payees not use anonymity techniques in return for being paid. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From asgaard at sos.sll.se Fri Mar 15 23:36:53 1996 From: asgaard at sos.sll.se (Asgaard) Date: Sat, 16 Mar 1996 15:36:53 +0800 Subject: Tim's friend's mildly retarded son In-Reply-To: Message-ID: On Thu, 14 Mar 1996, Timothy C. May wrote: > Mexico has no FDA. A trip to the pharmacies of Tijuana is instructive. A > friend of mine was just here. On a business trip to SF and LA, he drove all > the way down to TJ to buy a "personal supply" of a nootropic drug for his > mildly-retarded son, a drug the FDA has not approved but which Mexicans and > Europeans have been buying for years. U.S. Customs, aware of such > tragedies, waves people through who are carrying "personal supplies" of > (non-narcotic) drugs. The reason FDA has not approved this drug is most probably because it does not make mildly retarded boys less retarded. But of course, it's not up to the state to protect people from wasting their money on snake oil. It becomes more difficult to uphold a pure market philosophy when it comes to poisonous snake oil or, as is often the case with potent drugs, effective oil but which will kill you from side effects after a delay. FDA has a very good reputation of not 'recommending' drugs with (delayed) adverse effects outweighing the beneficial ones. But what the hell, let the pharmaceutical companies build up their own reputation. And let anyone call himself a medical doctor (of School Medicine, Naprapathy, Healing, Zone Therapy, Quackery or whatever). Most diseased persons will then carefully check the mag strips on the gallipots with their pocket readers for the secret key signatures of Abbot or Parke-Davis, and PDA-check the signatures of Stanford or Harvard University on the doctors's digital diplomas (which will include some physical descriptions) for authenticity. As usual, lots of coming opportunities for reputation agencies and authentication services. Until this happens, trust FDA. Asgaard From overlord at hp.novsu.ac.ru Sat Mar 16 00:32:36 1996 From: overlord at hp.novsu.ac.ru (Alexey Boldyrev) Date: Sat, 16 Mar 1996 16:32:36 +0800 Subject: Free News access Message-ID: <314A2754.1291@hp.novsu.ac.ru> Anyone know, how to get free online (not through FTP) Usenet News access? From eggplant at inlink.com Sat Mar 16 00:59:30 1996 From: eggplant at inlink.com (eggplant) Date: Sat, 16 Mar 1996 16:59:30 +0800 Subject: Jump Start ecash With IPhone Message-ID: >Jim McCoy wrote: >| Two problems: >| >| 1- Chaum did not have the clue to pick up on this when two >| cypherpunks (who shall remain nameless...) pitched this >| and several other ideas to involve ISPs in jump-starting >| ecash almost two years ago, so why would he figure it out >| now? > > But now we don't need no stinkin' license. We just use Mark >Twain ecash. > > The big problem with this is that net phones can be subject to >delay & drop out, and I don't want to deal with that when I'm talking >on the phone. > >Adam > >-- >"It is seldom that liberty of any kind is lost all at once." > -Hume One thing to remember, this is still a developing program. With the increasing of bandwith and the development of new and better compression algorithyms, this will slowly fade. This is only the begining. In a couple years, the transmision and reception could be as good, if not better than the normal telephone, you never know. -- "... In Germany they first came for the Communists and I didn't speak up because I wasn't a Communist. Then they came for the Jews, and I didn't speak up because I wasn't a Jew. Then they came for the trade unionists, and I didn't speak up because I wasn't a trade unionist. Then they came for Catholics, and I didn't speak up because I was a Protestant. Then they came for me-and by that time no one was left to speak up..." Pastor Martin Niemoller ++++++++++++ ************************************** * Matthew Murphy ------------ eggplant at inlink.com * ---------- * http://www.inlink.com/~eggplant * The Web page is under construciton at this time though.. * Please don't mind the mess.... * ************************************** ++++++++++++ finger eggplant at inlink.com for my PGP key. From stewarts at ix.netcom.com Sat Mar 16 01:03:21 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 16 Mar 1996 17:03:21 +0800 Subject: FCC-type Regulation of Cyberspace Message-ID: <199603160808.AAA00980@ix14.ix.netcom.com> At 08:18 AM 3/15/96 -0800, you wrote: >Timothy C. May wrote: >>>Mr. Frantz, unless you can prove your claims here, forthwith, I must inform >>>you that they are in violation of the Truth in Speech Act of 1996. Please >>>retract them, now. > >Bill Frantz wrote: >>Political speech, not commercial speech. The act doesn't apply or is >>unconstitutional. > >I see: The bill of rights reads: >"Congress shall make no law [...] abridging the freedom of *political* >speech". >Never knew that until now. Non-election-related political speech only, of course. And excepting support for Communism or opposition to Prohibition or to approved wars, or to anything the military does to get them approved. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From stewarts at ix.netcom.com Sat Mar 16 01:06:34 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 16 Mar 1996 17:06:34 +0800 Subject: Tim's friend's mildly retarded son [NOISE] Message-ID: <199603160809.AAA01015@ix14.ix.netcom.com> At 09:31 PM 3/15/96 -0800, Simon Spero wrote: >Tim May> (A few years ago I also bought some nootropics in TJ. I felt no effect. My > >Headline: > Drugs Fail to Raise Tim May's IQ to 75 > >Simon // "Bad journalists live for moments like these" Hey, in Cyberspace, nobody can tell you're not a _real_ journalist. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From stewarts at ix.netcom.com Sat Mar 16 01:06:56 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 16 Mar 1996 17:06:56 +0800 Subject: Man in the middle attacks Message-ID: <199603160809.AAA00996@ix14.ix.netcom.com> At 09:30 AM 3/14/96 -0500, cme at cybercash.com (Carl Ellison) wrote: >Take, for example, my bank account. I go to my bank today and open an >account. I give them my SSN and sign a form. They give me an account >number. >Given digital signatures, I still go to them, give them my SSN and >digitally sign a form. They give me an account number. They keep, in a >database of their own [rather than some CA's database] my name, SSN, public >key and whatever other identifying information they need to feel warm and >fuzzy about tracking me down in case of fraud. The SSN isn't there for tracking you down in case of fraud. It's there because the IRS insists they collect it on interest-bearing accounts so they can tax you. Your driver's license, if they ask for that, is something they want to see for fraud prevention, because that's harder to fake than an SSN. And your SSN is a perfectly appropriate thing to use with a key-centered approach: "This is my SSN, please use it for my bank account", signed key 123456789. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From JonWienke at aol.com Sat Mar 16 02:07:15 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Sat, 16 Mar 1996 18:07:15 +0800 Subject: RTFM & such Message-ID: <960315042954_351869058@emout06.mail.aol.com> In a message dated 96-03-15 03:14:52 EST, you write: >At 07:30 PM 3/14/96 -0500, Yawn82 at aol.com wrote: >>How the hell do I get off this list? > >You can check out any time you want, but you can never leave. > > I seem to recall getting a message explaining how to do this when I subscribed. Jonathan Wienke "Let's flame these bozos! They're too stupid to live!" --Dr. Ziploc From JonWienke at aol.com Sat Mar 16 02:08:58 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Sat, 16 Mar 1996 18:08:58 +0800 Subject: Why escrow? (was Re: How would Leahy bill affect crypto Message-ID: <960315042941_351869030@mail02.mail.aol.com> In a message dated 96-03-15 02:56:56 EST, Jim Bell cites Deranged Mutant: >And if you recall the requirements the government wanted to put on >telephones equipped with Clipper, one thing they eventually admitted was >that they were insisting that such phones be designed to be inoperable with >a telephone that had its "key-escrow" not "enabled". And they still wanted >to >call it "voluntary! That's a laugh! > > >>Of course that depends how you give your key to an escrow agent. If >>it's already escrowed when you buy a phone, for instance... > >That's the real danger with any such legislation. Individuals can generally >only get things that are manufactured for sale. (You can't buy a car with a >7-cylinder engine, for instance...) If manufacturers are dissuaded from >building a good crypto telephone, then key-escrow can be as "voluntary" as >you want and you still won't be able to exercise your rights. Of course, you could always hack up a direct-dial version of PGPfone or Nautilus to turn your multimedia computer into a crypto phone... Jonathan Wienke From unicorn at schloss.li Sat Mar 16 02:11:37 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 16 Mar 1996 18:11:37 +0800 Subject: [Noise] Re: RICO and remailers In-Reply-To: Message-ID: You know, the more I read, the more I understand why the United States is a declining power. The education in this country must really be slipping. On Thu, 14 Mar 1996, jim bell wrote: > Begin quotation: > > > So he wants a cite of Supreme Court decisions from you bearing on > legislative history & congressional intent, does he? [...] > to about 8.5 years FLAT time in the joint. The original > absurdity was challenged in Chapman but the SC blindly stuck to it's > own reading of "mixture or substance", blindly ignoring reality & > Congressional intent that "cuts" of drugs such as heroin or cocaine > being an attempt to increase the amount sold & therefore profit, should > be punished, while the LSD paper was merely a way to transport & > distribute it. As far as congressional intent goes, Joseph Biden has > said that as chairman of the senate judiciary committee, they gave > little thought to LSD but they definitely did NOT mean weigh the whole > blotter paper in handing out nickels & dimes. Who cares what the chairman of the committee who forwarded the bill thought? He is but one member who voted or declined to vote for the bill. The view that he has any more authority than any other member who supported the bill is a silly one. Indeed, he may have had LSD out of mind when he wrote the bill, but unless you poll every member of congress as to their understanding of the bill, this means little if anything at all. If a bill passes that says "All discharging of firearms within the District of Columbia is illegal." Who cares if the chairman of the judiciary says (after the fact incidently) that he didn't think of handguns when he wrote the bill. Obviously congress has passed an ambigious statute. They could very easily have clarified the statute and applied the correction retroactively. This they did not do, (despite the fact that they have often done so before, and that the court often invites congress to revisit an issue and make a correction, and congress often does). > Now the US Sentencing > Commission has changed the guidelines by changing the way the dosage is > calculated to something reasonable, the SC refuses to make the change > retroactive to help a lot of people. You mean, help a lot of convicted drug felons. And even if they are deserving of help (I personally could care if people use drugs as long as they don't operate heavy machinery in public areas thereafter) where is the congress leaping to the rescue and writing an amendment to apply a corrective act retroactively? (Which, incidently, is arguably beyond the power of the supreme court to do). One might also note that the district court and the circut court came to the same conclusion in reading the intent of the statute. You think those judges had their heads up their asses too? You're talking now about 15 people who all came to the same conclusion. Who's wrong? These Harvard, Yale, Columbia, Georgetown and Stanford educated legal professionals, or you? > Note where Kennedy basically says > that if Congress passees laws that are poorly worded & subject to > create great unfairness in sentences, the SC, once they've made a > stupid decision in interpretation will stick to it no matter how unfair > it is in order to make congress write laws that are linguistically > intelligible. And you think that instead we should have two legislative branches second guessing one another? What the hell is the law supposed to be if congress can't write it properly? And if the manner of its application offends congress so much why has it not been corrected retroactively? Kennedy in this respect is acting as one of the more rational justices. It is the activist justices that go crazy and stretch the law beyond the bounds of its intent. Sure, it's easy enough to appeal to the libertarian in everyone by citing a supposedly silly result in a drug case, but you are fighting with smoke and mirrors here. The real issue is one of seperation of powers. It never ceases to amaze me how smart "commentators" like this think they are when they makes grand denouncements of the system. It never ceases to amaze me that almost every single one of these "commentators" knows so little about the way the system really works that it's a wonder they passed the constitution test in 8th grade. (Was it required when you were in school? Probably not). The more they talk, the more they prove my point. A little knowledge is a dangerous thing. A little legal knowledge is lethal. > This would be fine if those on the sharp end of them were > congressmen. The more Supreme Cocksucker decisions I read like this, > the better BOTH your big ideas sound. So move to a civil law jurisdiction. --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From unicorn at schloss.li Sat Mar 16 02:12:08 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 16 Mar 1996 18:12:08 +0800 Subject: RICO and remailers (brief treatment, if long) In-Reply-To: Message-ID: On Thu, 14 Mar 1996, jim bell wrote: > At 07:30 PM 3/13/96 -0500, Black Unicorn wrote: > >0 > >Several people expressed interest in a small treatment of seizure law > >jurisprudence, and the Bennis case (seizure of an automobile used for > >soliciting prostitution was upheld even where one of the owners knew > >nothing about its use for a crime and which Mr. Bell has relied on > >fairly heavily in pointing out that the Supreme Court has its "head > >up its ass.") > > "Relied on"? Hell no! Not when I get the following text, from an anonymous > source. Uh, I'm not sure what this sentence means. > Begin quotation: > > > So he wants a cite of Supreme Court decisions from you bearing on > legislative history & congressional intent, does he? When it can be directly applied to your opinion that the Bennis case has anything to do with remailers, sure. > > I've attatched the relevant syllabus which is from the > Supreme Court reporter & carries no legal weight, along with the > UNANIMOUS decision in Neal written by Kennedy. [Whining about how a supreme court decision upholding the use of acid measurements including the weight of blotter paper as a guide to sentencing was really unfair deleted.] > congressmen. The more Supreme Cocksucker decisions I read like this, > the better BOTH your big ideas sound. Actually, the decision was in line with a long history of precident. That fact that you personally don't like the result has little to do with the legitimacy of the decision, or its fairness under law and the constitution. > This & all recent other decisions of the 9 in-Justices are available at > the below address. > http://spoke.law.cornell.edu:8001/supct/opinionlist.1995.html > > Syllabus: > SUPREME COURT OF THE UNITED STATES > > Syllabus > > NEAL v. UNITED STATES > certiorari to the united states court of appeals for the seventh circuit > No. 94-9088. Argued December 4, 1995-Decided January 22, 1996 [...] > My commentary continues below: JB. > > Note the sentence above, > > "It is the responsibility of Congress, not this Court, to change statutes > that are thought to be unwise or unfair." Precisely. This is called the seperation of powers. It is the responsibility of the judicary to apply and intrepret the law, not make it. > As far as I am aware, there is no _legal_ mechanism, short of impeachment > (but how practical is that?), to remove a sitting SC justice, no matter how > damaging his effect on the country by his decisions. Thus, I propose > re-writing the above sentence a bit: Actually, if a decision is so damaging, congress is always free to change it. The major whine you and your anonymous friend have [i.e. that the Supreme court refused to apply the change in sentencing measurement of weight for LSD convictions] is entirely out of place. If you took the time to look at the retroactivity issue, you would know that it was not applied retroactively because congress did not indicate that it should have been, (which congress was quite free to do, and has done before). Retroactivity in relation to a change in law by the legislature is NOT within the ambit of the court. Congress simply refused to apply the sentencing changes retroactively. If the court had done so, it would be making law. This is not the function of the court. Further, what the hell does any of this have to do with your former moronic claim that the Bennis case impacted remailers? The claim that this is a statuatory construction case is rather far fetched. It's a basic seperation of powers case, and it was decided correctly. > "It is the responsibility of the citizenry, not Congress, to 'change' > Supreme Court Justices that are thought to be unwise or unfair." Unfortunately, subjecting the supreme court to the short term whims of political fad would be devestating. Making supreme court justices into elected officials is about the stupidist thing I've ever heard. I won't even go into the kind of decisions you might get if this horridly reckless idea were implemented. > > Since that change can be accomplished if that 'Justice' dies or becomes > disabled, (or retires, perhaps because he's in fear for his life) I think > the answer to boneheaded decisions like the Bennis one is obvious. > I think you need to crawl back under the rock from whence you came. Really you and your anonymous friend have said nothing. You don't like a pair of supreme court decisions, the basic premises and reasonings of which you couldn't recite if someone held a gun to your head and insisted. I suggest you try and break the ego-centric pre-school mentality you have. An eternity with satan himself and all of his devilish instruments of torture would be a walk in the park compared to five minutes in a dictatorship under you and anonymous. > Jim Bell > jimbell at pacifier.com ^^^^^^^^ Like I said. Pre-school. --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From jim at SmallWorks.COM Sat Mar 16 02:36:26 1996 From: jim at SmallWorks.COM (Jim Thompson) Date: Sat, 16 Mar 1996 18:36:26 +0800 Subject: SCHWA - New Web Search Engine!! In-Reply-To: <2.2.32.19960314230647.0089dfc0@mail.teleport.com> Message-ID: <9603142118.ZM6979@butthead.smallworks.com> (Alan Olsen forwards something of the FringeWare list to cypherpunks.) > Something of interest... > > >X-Www-Page: http://www.fringeware.com/MSG/index.html#digest > >Keywords: pleashes heorg horizona disabili freques inspecurs > >Subject: SCHWA - New Web Search Engine!! Oh sweet Jesus in the morning, it was a JOKE! Jim From tcmay at got.net Sat Mar 16 02:39:56 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 16 Mar 1996 18:39:56 +0800 Subject: FCC-type Regulation of Cyberspace Message-ID: At 3:10 AM 3/15/96, Bill Frantz wrote: >Mark Miller and I had a discussion about the restrictions on commercial >speech a few months ago. I contended that these restrictions (generally >that you can prove your claims) are good for markets because they provide >startup companies (and other newcomers to the market) with a small amount >of positive reputation capital that they would otherwise have to invest to >obtain. Mr. Frantz, unless you can prove your claims here, forthwith, I must inform you that they are in violation of the Truth in Speech Act of 1996. Please retract them, now. (Yoy can of course find the complete description of how citizen-units ascertain the veracity of their claims at their local Ministry of Truth office. Minitru is always to help citizen-units on their quest for truth.) Do you see the problem? Personally, I don't care if you choose to have some bunch of people called the "Food and Drug Administration" telling you which substances you may buy, and in which quantities, but I care greatly that you (the general you) wish to stop me from making my own decisions, or listening to those I choose to trust, over the FDA. This is what it all boils down to. Think about it. Be careful of the utilitarian point of view that the "FDA saves lives." (It has also cost a lot of lives, by denying effective treatments for needless years of extra butt-covering tests just so no bureacrat will ever have even a single Flipper-kid on his watch.) Mexico has no FDA. A trip to the pharmacies of Tijuana is instructive. A friend of mine was just here. On a business trip to SF and LA, he drove all the way down to TJ to buy a "personal supply" of a nootropic drug for his mildly-retarded son, a drug the FDA has not approved but which Mexicans and Europeans have been buying for years. U.S. Customs, aware of such tragedies, waves people through who are carrying "personal supplies" of (non-narcotic) drugs. We should learn from this kind of "anarchy" the Mexicans enjoy. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From qut at netcom.com Sat Mar 16 02:41:26 1996 From: qut at netcom.com (Dave Harman) Date: Sat, 16 Mar 1996 18:41:26 +0800 Subject: How to use markov3 writing style changer? Origional URL? Message-ID: <199603150239.SAA09261@netcom17.netcom.com> I've got the markov3 binary and source at: ftp://ftp.netcom.com/pub/qu/qut/bin/markov3 ftp://ftp.netcom.com/pub/qu/qut/src/markov3.6/ I downloaded it from a url that was posted here recently. But I can't find instructions on how to run it. Can that URL be posted again or instructions on how to use markov3? -- Have you ever brought your group into disrepute? From don at cs.byu.edu Sat Mar 16 02:41:38 1996 From: don at cs.byu.edu (don at cs.byu.edu) Date: Sat, 16 Mar 1996 18:41:38 +0800 Subject: Announce: WEB OF TRUST keyring Message-ID: <199603150223.TAA00183@wero.cs.byu.edu> -----BEGIN PGP SIGNED MESSAGE----- March 14, 1996: I announce the first true "web of trust" PGP keyring. Last year, I attempted to create a keyring containing the web of trust. I did so, because I was beginning the process of integrating PGP into my mail and news, and realized that a valid signature did not mean much if I had to reason to trust the key, not to mention that keyrings were approaching 5 megabytes, which drastically slowed down searching through the keyrings. In a web of trust, if A has signed B, then if A is in the keyring, B is added. My project last year, as a result very crude methods I was using, added B if B had signed A. This made for significant numbers of junk keys. I promptly dubbed the keyring the "Web of Nobodies" keyring. There are many people in a much better position than I to do what I have done. My methods are still somewhat crude. I have written, however, a program that will generate the keyring with minimal user intervention, using a seed key as its center. I am considering releasing the source instead of just the keyring. The code is sloppy, the methods crude. I understand that PGP 3.0 will include the capability, so the program is merely a short term solution to a short term problem. If there is a large enough demand for the code, I will probably make it available. (Note: I rely on PGP itself to extract the keys, which takes about 8 hours to process on an HP9000) I would certainly appreciate feedback from anyone who uses the keyring. The master keyring I used was a 9.3 megabyte keyring I obtained from the Norwegian key site at uit.no (sorry bal, but I couldn't find yours). I obtained the keyring in late February. As the seed for the web of trust, I used Derek Atkins's key. I have also inserted the following keys: Pr0duct Cypher (0x97558a1d) CancelMoose[tm] (0x538d56a1) Scamizdat (0x37a541d1) Cypherpunk Enq. (0xaa5f5c9d) Maude X (0x1ead5e8d) Black Unicorn was not inserted due to one key being revoked, and the other unsigned. I couldn't find Alice's key, and figured it wasn't worth the trouble since it's fake anyway. (Or at least that's what the imposter has convinced everyone.) I don't know of any other keys that should have made this list. The keyring is _significantly_ larger than I expected, 2.9 megabytes uncompressed, although still a third the size of the original master. Because of the size, I have also put together a second keyring using stricter parameters. Only keys that were 4 hops from the "center keys" (specifically, 5 keys between itself and Derek Atkins) were included, with the additional constraint that _no_ keys with fewer than two links toward the center (see below) were processed. The resulting keyring was 1 megabyte in size. (Note: the PGP extraction from the "big" keyring took under 30 minutes) The keyrings are named weboftrust.big.pgp.gz and weboftrust.small.pgp.gz respectively. They are both available by anonymous ftp exclusively at ftp.hacktic.nl / utopia.hacktic.nl, in /pub/replay/pub/pgp/pgp-key-ring. C2 did not respond to either of two enquiries. Detached PGP signatures of the .gz files follow: - -----BEGIN PGP MESSAGE----- Version: 2.6.2 iQB1AwUAMUfE3cLa+QKZS485AQHE5gL8DOAkT5s+BzIik5uK+NBW1ithL4DCfmll pqin/4Bhs3LOP7zj11vvufMNGzDvcVonTO9meQEjPL4hanouxizzB7XM6CKidbK+ uAAxLvjkNKuRu1Ci1Tw6jbdd5WdG73us =dXm9 - -----END PGP MESSAGE----- - -----BEGIN PGP MESSAGE----- Version: 2.6.2 iQB1AwUAMUfNKMLa+QKZS485AQG5FgL+Oy62xLT8zMJHpmyFez6uC7UJKFaOAxFB nnWCUOLyp9X9KB+Kasn8Oex4glg1pEMOMB4ZiDT7iVJDuOmm1p07pC3pULmj0+O/ tnNEGbyOpyzeEnAb3vLVvHamzvZ+YPp/ =soxN - -----END PGP MESSAGE----- I have also done some analysis. In the big keyring, there are 2910 keys. The longest trust chain length is 287 keys. The maximum connections any key had was 66. The average "connectivity" among the keys was 4.3. (Hello to my friends at the NSA) In the small keyring, there are 551 keys. The longest trust chain length is, of course, 6 keys. The maximum connections any key had was 68. (I have no explaination for why this is 2 more than the big ring, other than coding changes) The average "connectivity" among the keys was 3.1. For reference, the web of nobodies, built 6 months ago, had 734 connected keys, a max depth of 104, maximum connectivity of 47, and average connectivity of 5.6. For further information, by using the "big" keyring and not processing any keys with fewer than _3_ links back to the "center keys", but with no depth restriction, there are 1348 keys, producing a max chain length of 83 keys. The average connectivity is 4.6. Meaning, there are several people that would be very difficult to spoof. Go meet one of them. In order to prevent loops, I keep track of whether a key had been visited. By incrementing the visited field on a key each time I encountered it (but exploring no further), I was able to roughly gauge how well (versus depth == how close) connected the keys are, relative to the root. I used this number in making the small keyring. I encourage Someone[tm] to start a keyserver servicing only the web of trust. Don don at cs.byu.edu Note to the curious: The reason I picked Derek is because I met someone claiming to be Derek who not only gets mail at warlord at mit, but also has control of the key. Hence, I'm merely picking the only key that comes with PGP that I also happen to trust. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMUjUAsLa+QKZS485AQGPCQL/bWRgDsE0QSwEf96aB3X4M+Wan7DGeeab A9NuSpYF6RAm307mFIv7O7iSCcuuRlZmFZh9Bzmh456+8NdbuPSZBEk1+MNjHqmI hhDFidL+IFpjNKItnIFCj1C9aOmyWRuN =NZ0I -----END PGP SIGNATURE----- fRee cRyPTo! jOin the hUnt or BE tHe PrEY PGP key - http://students.cs.byu.edu/~don or PubKey servers (0x994b8f39) June 7&14, 1995: 1st amendment repealed. Hello to my friends at the NSA. * This user insured by the Smith, Wesson, & Zimmermann insurance company * From stewarts at ix.netcom.com Sat Mar 16 02:49:43 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 16 Mar 1996 18:49:43 +0800 Subject: Cypherpunks reference in Netscape book Message-ID: <199603160637.WAA14724@ix3.ix.netcom.com> At 12:37 AM 3/15/96 -0800, you wrote: >I'm writing the "Encryption and SSL" chapter for the Netscape products, and >I'm finishing it up with a "Further reading" section that lists >crypto-related books, web sites, and newsgroups. I was thinking of including >a reference to this mailing list. > >Any strong opinions either way? The big problem with the list isn't just signal-to-noise, it's VOLUME VOLUME VOLUME - you don't want somebody to subscribe and get flodded with 100 messages/day without warning. (There's also the problem with newbies sending us mail saying "please send me some anarkist crypt0 warez, d00ds!" If you're going to refer to the list, please mention - the cypherpunks home page is www.csua.berkeley.edu/cypherpunks - you can browse the list with a news reader at nntp.hks.net and with the web at www.hks.net (delayed a bit). - the list is high volume, 50-100 messages/day, - there are lots of readers, 500-1000, who get all the mail sent to the list. - if you want to unsubscribe, send mail to majordomo at toad.com, saying help - oh, BTW, if you _do_ want to subscribe, cypherpunks-request at toad.com is the canonical location, and majordomo at toad.com is the droid. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From lull at acm.org Sat Mar 16 02:52:41 1996 From: lull at acm.org (John Lull) Date: Sat, 16 Mar 1996 18:52:41 +0800 Subject: [NOISE] NTSC color encoding In-Reply-To: Message-ID: <314a5cb4.141647874@smtp.ix.netcom.com> On Fri, 15 Mar 1996 18:10:59 -0800, Jim Bell wrote: > At 12:18 AM 3/16/96 GMT, John Lull wrote: > > >This is not correct. I'd suggest you go back and re-read your NTSC > >references. > > If that's not correct, what is? And it's been years since I read NTSC; I > don't even know if I now have ready access to the information. Merely > saying that it's wrong isn't particularly informative, especially if you > choose to copy it to the list. A detailed discussion of NTSC (or PAL, or SECAM, or any other video standard) color encoding is hardly cypherpunks material. I posted to the list ONLY because I'd hate to see anyone rely on your posting. A simple heads-up warning should be enough for most people to realize they need to look up a more authoritative source if they really need to know how this stuff works. If no one replied publicly to such inaccurate postings, the internet would quickly degenerate to the "Net of a Million Lies" of fiction. If everyone replied publicly and in excruciating detail to every off-topic but inaccurate posting, there would be so much noise on the list very little could be accomplished. I should, of course, have added [NOISE] to the subject line in my origial response, and for not doing so I apologize to the list. The color components in NTSC (there are 2 of them, not just one) are carried as essentially double-sideband suppressed carrier signals at the color subcarrier frequency, both phase-locked to the color bursts, but with the two carriers in quadrature. Although the sum of these signals does vary in phase, it is CLEARLY distinct from a phase modulated signal since it also varies in amplitude. A phase-modulated signal would not do so. If you feel a burning desire to pursue this further, PLEASE take it to e-mail. I'll not be replying to any further posts to the list on this topic. From jamesd at echeque.com Sat Mar 16 03:14:21 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Sat, 16 Mar 1996 19:14:21 +0800 Subject: Tim's friend's mildly retarded son Message-ID: <199603160749.XAA04114@dns1.noc.best.net> At 06:50 PM 3/15/96 +0100, Asgaard wrote: > FDA has a very good reputation This is not correct: The FDA has a thoroughly villainous reputation. Among other things it engages in corruption and extortion. Companies who want their stuff approved hire ex FDA "advisors". There is ample evidence that these advisors do no actual work, the FDA simply knocks back applications that fail to pay large sums to their friends. Indeed one company recently won a court case on this ground. The FDA is famous for grotesque scientific incompetence, (as for example its recent showboating on silicone), for playing to the gallery, for simple extortion, as a court recently found, for corruptly excluding drugs that people who are not well connected wish to sell and for corruptly approving the often identical drugs that people who are well connected wish to sell, and for a callous and light hearted disregard for human lives. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jimbell at pacifier.com Sat Mar 16 03:37:47 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 16 Mar 1996 19:37:47 +0800 Subject: Why escrow? (was Re: How would Leahy bill affect crypto Message-ID: At 11:41 PM 3/13/96 -0800, jamesd at echeque.com wrote: >At 03:27 PM 3/13/96 -0800, jim bell wrote: > >> There is nothing in Leahy's bill which appears to prohibit the >> escrow agent from informing the key holder of a request/demand for the key; > >On the contrary: See section 2802(c)(4) Ooops! You're right, it's much worse than I thought... This bill is truly a pile of crap. From jya at pipeline.com Sat Mar 16 03:44:06 1996 From: jya at pipeline.com (John Young) Date: Sat, 16 Mar 1996 19:44:06 +0800 Subject: BES_ieg Message-ID: <199603131716.MAA20090@pipe3.nyc.pipeline.com> Architectural Record reports in the March issue on "Building Security: Coping With Threats From Bombs to Break-Ins." It shows the parallels of designing to protect vulnerable buildings and the hapless computer systems inside them. It reviews current approaches for "crime prevention through environmental design (CPTED)." And offers a cypherpunkish outlaw-and-disorder survey of besieged corporatism: For Which of the Following Does Your Organization Have Response Plans? Employee theft 90% Bomb threats 85% Fraud 80% Employees bringing weapons to work 79% Fights among employees 76% Robberies 75% Threatening phone calls 72% Verbal threats from employees 69% Employee sabotage 65% Murder threats 60% Civil unrest 53% BES_ieg From perry at vishnu.alias.net Sat Mar 16 04:27:17 1996 From: perry at vishnu.alias.net (John Perry) Date: Sat, 16 Mar 1996 20:27:17 +0800 Subject: Release of PGPdomo version 0.2 In-Reply-To: <199603160809.AAA01022@ix14.ix.netcom.com> Message-ID: <199603161216.GAA15373@vishnu.alias.net> -----BEGIN PGP SIGNED MESSAGE----- >>>>> "Bill" == Bill Stewart writes: Bill> We've recently discussed PGP-enhanced majordomo, and just by Bill> coincidence, there's a new version. And I have it running on vishnu.alias.net. Check out the new and improved cypher-list. John Perry - KG5RG - perry at vishnu.alias.net - PGP-encrypted e-mail welcome! WWW - http://www.alias.net PGP 2.62 key for perry at vishnu.alias.net is on the keyservers. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMUqxJKghiWHnUu4JAQHKkQf/aDmxe45wqUFTW3la3Zqfl4DXlGqD8tZg eXiVHw1U+O9ail4J8bnKBDVxd007o+Td/5xrMVK8mF749sKwmf7gXAHT+iHhM13p CAHqIQkrJtWl4+7PL5TAyCdruGnf3m+2ciUfYOqhv8RI0XB3DrPEVSoTXe01Coq5 RUoOdDgmSfL74/uqGKGA9Zz50QOP7tPPTFTl/iYrbFA4J6zTsW3HzFMpc6QR0o+n UOgT5rW77cAcbSChm8iIul5gD8fxjtTBd9UvfGK5XkVM7VIVBzql6teZo8Muci/W 8jUhJ23veJTZs+y4EpTN/jWFb2yT5jAbROpiAuiJerC67C/+Y5+xWA== =Pb+X -----END PGP SIGNATURE----- From gary at kampai.euronet.nl Sat Mar 16 06:09:21 1996 From: gary at kampai.euronet.nl (Gary Howland) Date: Sat, 16 Mar 1996 22:09:21 +0800 Subject: Beat Remote Monitor Snooping? Message-ID: <199603161357.OAA11003@kampai.euronet.nl> > At 12:18 AM 3/16/96 GMT, John Lull wrote: > >On Thu, 14 Mar 1996 21:54:10 +0100, Gary Howland wrote: > > > >> NTSC (TV video) modulation is done by phase modulation of the 3.579545 MHz > >> subcarrier. > > > >This is not correct. I'd suggest you go back and re-read your NTSC > > references. Sorry, I didn't write that! I accidentally replied to this mail, but didn't comment on it - must be someone else! From wlkngowl at unix.asb.com Sat Mar 16 06:28:27 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Sat, 16 Mar 1996 22:28:27 +0800 Subject: Venona NSA web page Message-ID: <199603152345.SAA13692@bb.hks.net> From perry at piermont.com Sat Mar 16 06:31:12 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 16 Mar 1996 22:31:12 +0800 Subject: maling list In-Reply-To: <3148BEF7.5E23@mail.interconnect.net> Message-ID: <199603150751.CAA11348@jekyll.piermont.com> Firebrd123 writes: > Can you please take me off your mailing list. Thankyou. > firebrd123 at mail.interconnect.net No, we can't take you off the list. We are the *recipients* of the mailing list, not the people who run it. We have no access to the machine that contains the list management software. You get off by mailing to the same address you mailed to to get on. I leave that information as an exercise to the reader. From merriman at arn.net Sat Mar 16 06:33:58 1996 From: merriman at arn.net (David K. Merriman) Date: Sat, 16 Mar 1996 22:33:58 +0800 Subject: maling list Message-ID: <2.2.32.19960314195041.006aace4@arn.net> At 12:51 AM 03/15/96 +0000, you wrote: >Can you please take me off your mailing list. Thankyou. >firebrd123 at mail.interconnect.net We can take you off the maling list, or we can take you off the mailing list. Which would you prefer? Of course, you'll still be on our shitlist.... Dave Merriman ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From frantz at netcom.com Sat Mar 16 06:36:50 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 16 Mar 1996 22:36:50 +0800 Subject: Venona NSA web page Message-ID: <199603150730.XAA26212@netcom6.netcom.com> At 11:42 AM 3/14/96 -0800, Vladimir Z. Nuri wrote: >------- Forwarded Message > >Date: Wed, 13 Mar 1996 06:59:32 -0500 (EST) >From: merkaba at styx.ios.com >Subject: VENONA PROJECT (fwd) > > > > >- - ---------- Forwarded message ---------- >Date: Tue, 12 Mar 1996 22:07:24 -0500 >From: Ronald Pearce >To: merkaba at styx.ios.com >Subject: VENONA PROJECT > >http://www.nsa.gov:8080/docs/venona/venona.html > >The VENONA Project > >In July 1995 the Intelligence Community ended a 50-year silence regarding >one of cryptology's most splendid successes - the VENONA Project. ... How they did it (from http://www.nsa.gov:8080/docs/venona/memory.html): A word about the VENONA cryptosystems---they should have been impossible to read. They consisted of a code book in which letters, words, and phrases were equated to numbers. So a code clerk would take a plain text message and encode the message using numbers from the codebook. This would have presented a significant challenge itself depending on how long the code book was used. However, the messages were further modified, in other words double-encrypted, by use of a one time pad. The use of a one time pad effectively randomizes the code and renders it unreadable. The key to the VENONA success was that mistakes were made in the construction and use of the one time pads---a fact that was discovered only through brute force and analysis of the message traffic. (http://www.nsa.gov:8080/docs/venona/monographs/monograph-2.html): ... One-time pads used properly only once are unbreakable; however, the KGB's cryptographic material manufacturing center in the Soviet Union apparently reused some of the pages from one-time pads. This provided Arlington Hall with an opening. Very few of the 1942 KGB messages were able to be solved because there was very little duplication of one-time pad pages in those messages. The situation was more favorable in 1943, even more so in 1944, and the success rate improved accordingly. Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From tcmay at got.net Sat Mar 16 06:37:06 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 16 Mar 1996 22:37:06 +0800 Subject: FCC-type Regulation of Cyberspace Message-ID: At 5:59 AM 3/15/96, Bill Frantz wrote: >At 9:26 PM 3/14/96 -0800, Timothy C. May wrote: >>Mr. Frantz, unless you can prove your claims here, forthwith, I must inform >>you that they are in violation of the Truth in Speech Act of 1996. Please >>retract them, now. > >Political speech, not commercial speech. The act doesn't apply or is >unconstitutional. I recognize no such distinction, and neither does--in my reading--the First Amendment. The First doesn't say, "Congress shall make no law...except for commercial speech...and except for religious speech...and except for insulting speech...." It said, simply, "Congress shall make no law..." (Before Bill jumps in and points out that he said nothing about religious, insulting, etc. forms of speech, I added those because it underscores just what "Congress shall make no law" means.) The issue of _fraudulent claims_ is presumably a main reason for those who think commercial speech is "different" from ordinary speech. Fraud is tough to control through legislation without severely limiting free speech. For example, if a Jehovah's Witness comes to my door and tells me all the wonderful things that will happen if I convert, is this fraud? Before one says this is "noncommercial," more fortunes have been lost or given away to Moonies, Christians, and other cults than all the financial scams in history. If a recruit to the Unification Church "is led to believe" that she will find salvation in the bosom of the Church if she donates her inheritance, is this fraud? Personally, while I view all religions as basically fraudulent, liberal societies have accepted the view that it's best that the State not seek to determine which claims are true, that "caveat emptor" should be the rule. The same caveat emptor view is the basic rationale for the First Amendment. It is recognized that free speech will inevitably cause some people to make bad decisions, to make bad investments (such as in the canonical case of an investment advisor giving advice that turns out to be flaky), and so on. "Don't believe everything you hear" is the operative phrase. Again, I see no distinction between commercial and other forms of speech. If a contract is involved, then civil law is the way to handle this. (As it might be with religious speech, where someone is told contractually that if they give $10,000 to the church their blindness will be cured. Key to a contract must be a testable set of results.) The First is under constant attack by people who claim that some type of speech is "not covered" by the First, or that other clauses of the Constitution give the State authority to regulate speech, or that the Founders did not "intend" for certain types of speech to be protected. The "campaign reformers" want limits placed on how much speech a candidate may issue (or how much speech people like me, as a volunteer or PAC, can issue). The medical protectionists want the speech of quacks, midwives, and other non-union members suppressed. And the arguments about "commercial speech" could mean broad limits on speech. >>Do you see the problem? > >Of course. Why do you think I said (in the 4th paragraph which you didn't >quote) (ZING :-) ): Touche. >BTW - I consider non-free markets, produced primarily by oligarchic >combines of large organizations to be a major impediment to removing >government influence from the economic system. Easing market entry is one >way to reduce the power of these oligarchic combines. I don't want to just >trade elected government oppression for unelected corporate oppression. To >put it bluntly, to suppress the 19th century coal mining strikes, the >companies hired the Pinkertons. I don't see a whole lot of difference >between this kind of private enterprise transaction, and Ruby Ridge. But this is direct violence. Libertarians don't condone this. Using episodes of such violence, by any side, as an argument against free markets is just an appeal to emotion. (I'm of course not saying we will ever be free of people initiating the use of force.) As for "oligarchic combines," certainly much larger and more concentrated examples may be found in Microsoft and Intel, which currently have about 80% apiece of their respective markets. Not to many Pinkerton guards forcing we Mac users to switch to Microsoft and Intel.... --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From mixmaster at spook.alias.net Sat Mar 16 08:18:04 1996 From: mixmaster at spook.alias.net (NSA Spook) Date: Sun, 17 Mar 1996 00:18:04 +0800 Subject: New Nym Server! (cubed) Message-ID: <199603161557.JAA25901@riker.phoenix.net> Hello everyone! There is a new nymserver on the net! alias at alias.alias.net (cubed) is running the Alpha code by Matt Ghio (ghio at myriad.alias.net). It's short name on Raph's list will be "cubed" with an actual email address of alias at alias.alias.net. Enjoy! Here's the public key: -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCNAzFKvt4AAAEEALz0GGp2todRpJsnPUUPo5dLK4b/xY6BEmh5H/v0Ujx3TuiU Bz++YxyGfcps1m0GpXp61hzSA1QDyhQFIMn98yyG7uzmeS1O3KX3/a5941+EO3yQ Vov8WkkewHxuSv62KcweynQjct0K+aeUopjzHvo6C/c0c5bzYTxTYiwGgKGpAAUR tCxUaGUgQ3ViZWQgTnltIFNlcnZlciA8YWxpYXNAYWxpYXMuYWxpYXMubmV0Pg== =i/Px -----END PGP PUBLIC KEY BLOCK----- From hfinney at shell.portal.com Sat Mar 16 08:23:01 1996 From: hfinney at shell.portal.com (Hal) Date: Sun, 17 Mar 1996 00:23:01 +0800 Subject: Java bignum package Message-ID: <199603161559.HAA03547@jobe.shell.portal.com> From: Bill Stewart > Does Java have a run-time way to do > #if_exists library_X > foo = library_X.method_a(bar, baz) > #else > foo = library_Y.method_a(bar, baz) > #endif > or equivalent? This would let you distribute a slow pure-java library > that's compatible to a native-mode library and use whichever you need. Bill is referring to an announcement I made elsewhere about a bignum package I am working on in Java. Take a look at to play with a little interactive "calculator" I made with it. You need a Java enabled browser to use it. I think Bill's idea is a good one but I will discuss it further on coderpunks since it gets into some technical aspects of Java that may not be of general interest. Hal From JonWienke at aol.com Sat Mar 16 08:26:48 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Sun, 17 Mar 1996 00:26:48 +0800 Subject: Beat Remote Monitor Snooping? Message-ID: <960316110359_169928015@emout06.mail.aol.com> The whole 'to NTSC, or not to NTSC" debate is irrelevant, since VGA monitors use seperate red, green, blue, and sync signals that are not modulated on any carrier. Jonathan Wienke From merriman at arn.net Sat Mar 16 09:25:21 1996 From: merriman at arn.net (David K. Merriman) Date: Sun, 17 Mar 1996 01:25:21 +0800 Subject: remailer file request Message-ID: <2.2.32.19960314115627.00685620@arn.net> -----BEGIN PGP SIGNED MESSAGE----- I'm ready to start testing my Win95 remailer hack. I'd appreciate a *few* anon messages with my webmaster (_not_ remailer) address as an intermediary: webmaster at shellback.com vs. remailer at shellback.com Messages don't have to contain anything important, since they will _not_ be sent on. A PGP-encrypted message or two in the mix would be Really Nice. Thanks. Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUfsqsVrTvyYOzAZAQH8swQAgTJoRMCd8Hb58wmvz9fzHeCJ2vEjLZO3 Me3v9NB4uy2zhExid8/MN3ZBl3iNrkUZnbktA9+gLZ2OrqyLNwC6PxoKB/yN2Ev9 ckHqrMfsqrYvrUmm/oTdAi2rRalBRq8aT5jjLw4itVfv1peSWuEmh9iFPXfzlWXL vP8fTlmvQcs= =toB2 -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From jimbell at pacifier.com Sat Mar 16 09:26:59 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 17 Mar 1996 01:26:59 +0800 Subject: Leahy bill, legalize crypto Message-ID: At 11:50 AM 3/14/96 -0800, Timothy C. May wrote: >At 2:41 PM 3/14/96, Robichaux, Paul E wrote: >>The difference here is that the courts have upheld government restrictions >>on broadcast spectrum because it's a scarce resource. In the special case of >>encryption on ham bands, no one's ever even challenged the restriction >>AFAIK. As Duncan Frissell has preached here many times, bandwidth is no >>longer as scarce, so I think a constitutional challenge to an encryption ban >>would probably be workable. > >Yes, and I said as much--about the bandwidth limitations--in my post. In >the very next line after you stopped quoting!!!!!: > >"Sure, I understand that Internet bandwidth is not the same as the >"public airwaves," but this subtlety may not be enough to stop the parallel >from being successfully drawn. Especially if the phone companies and other >threatened players are pushing hard for the FCC to step in and regulate." I think your analysis is absolutely correct. Despite the fact that fiber bandwidth has none of the limitations of "over the air" communications, the government will try to regulate it as if it were. The underlying danger of the CDA, in addition to regulating CONTENT, is that the government is setting up precedents to regulate the communications AT ALL, which is dangerous to us. Jim Bell jimbell at pacifier.com Klaatu Burada Nikto From jimbell at pacifier.com Sat Mar 16 09:27:06 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 17 Mar 1996 01:27:06 +0800 Subject: Why escrow? (was Re: How would Leahy bill affect crypto Message-ID: At 07:57 AM 3/14/96 +0000, Deranged Mutant wrote: >On 13 Mar 96 at 15:27, jim bell wrote: >[..] >> If I were trying to detect government investigation in such a situation, I >> would buy a crypto phone, open an "escrow account" on a totally voluntary >> basis, give them a phony key, and then (as part of the >(presumably?) [..] > >Would it be legal to deceive an escrow agent? It _should_ be legal. At least, assuming the arrangement is truly voluntary and the escrow agent gets his part of the bargain (his usual fee) he has no interest in knowing whether or not the data he's holding for you is "real" or "imaginary." The problem is, the government could easily start trying to control and limit the "voluntariness" of this arrangement, as I've now just been told they intend to do: Yes, the bill specifically wants the key escrow agent to NOT tell the key holder if his key has been compromised. In my opinion, this totally destroys the illusion that this agreement is "voluntary," and makes me question any other "feel-good" component of this bill. It is sections of the bill like that which will guarantee that nobody provides an unencrypted key for escrow: Nobody will want to risk having the escrow agent "forced" to release the key, even (and especially!) under a court order. Fortunately, modern technology will provide the solution to government-simpleton thinking. Jim Bell jimbell at pacifier.com Klaatu Burada Nikto From perobich at ingr.com Sat Mar 16 09:27:12 1996 From: perobich at ingr.com (Robichaux, Paul E) Date: Sun, 17 Mar 1996 01:27:12 +0800 Subject: Leahy bill, legalize crypto Message-ID: Tim May said: >Suppose encryption is allowed, but only with key escrow? [...] >And it might pass constitutional muster (for the same reasons the FCC >jurisdiction over airwaves and the ban on encryption by ham operators, got >approval. The restriction on using encryption on the ham bands is an outgrowth of the world-wide spectrum allocation process. Spectrum's allocated by the International Telecommunications Union (ITU); every four years, the World Amateur Radio Council (WARC) meets to go over existing allocations. Sometimes hams lose (as when the 220MHz band went away) and sometimes they win. The ITU accords were originally signed around WW I, when use of encryption on the radio bands was of great concern. The whole licensing system is based on the concept of an Amateur Radio _Service_, whose operators are licensed by the FCC to use a "public" resource. Said use is restricted by international treaties to which the US is a signatory. The difference here is that the courts have upheld government restrictions on broadcast spectrum because it's a scarce resource. In the special case of encryption on ham bands, no one's ever even challenged the restriction AFAIK. As Duncan Frissell has preached here many times, bandwidth is no longer as scarce, so I think a constitutional challenge to an encryption ban would probably be workable. -Paul From 102774.1273 at compuserve.com Sat Mar 16 09:58:01 1996 From: 102774.1273 at compuserve.com (Media Distribution) Date: Sun, 17 Mar 1996 01:58:01 +0800 Subject: Web Page Links Message-ID: <960316173225_102774.1273_GHU80-3@CompuServe.COM> CYPHERPUNKS: What is your main home page address? I found you at http://ibd.ar.com/lists/comp/cypherpunks/199508081922.MAA20209 at netcom5.netcom.com .html We would like to speak to you about providing a link to your web page from our Media Distribution web page and possibly a link back to our web page as well. The products we are currently promoting cover topics found on your web page. We are trying to get information to the public as fast as possible which I think is a common goal you have as well. Please visit our web page at http://www.ibb.com/media.html We are going to leave this page as a text only page and will be adding another web page (on another server) in 30 days with frames, video clips, audio clips, images and in multiple languages. We can be reached at INTERNET:102774.1273 at compuserve.com or at media at injersey.com The following is our current list of hot links we are adding to our page: Clinton Expose Web by David Sussman http://www.4bypass.com/4by_expose.html (this address may change) Jeremiah Films Educational and Religious Market Videos, Television Programs and Books http://www.empirenet.com/~jeremiah/ Media Bypass - "The Uncensored National News" http://www.4bypass.com Conspiracy Nation - John Lawrence Fishers "Corruption in America" page dedicated to exposing corruption in America wherever it may be found. http://www.europa.com/~johnlf Zenger News Service R - maintains a global database of business and civic entities and key personalities which support individual liberty and other traditional American values. ZNS distributes topical background news and investigative reports electronically and by mail, and publishes a monthly leadership-oriented newsletter, "Principia" . http://www.zns.com The Death Of Vince Foster web page is a compilation of the work of Christopher Ruddy, a journalist whose work appears in the Pittsburgh Tribune-Review. The site contains roughly 50 articles dealing with Foster, Whitewater and the Clinton White House which are maintained by Adam Music, Online Editor. http://tribune-review.com/trib/ruddy/ War Room America's only FM, rock 'n roll, kick ass, conservative, morning show; where liberal music collides head on with conservatism and looses! It's "Truth" at the speed of light! Jim Quinn Live On The Internet [Real Audio] http://www.warroom.com/sound_archive/real_audio/real_audio.html Drudge Report from Hollywood, California USA by Matt Drudge http://www.lainet.com/~drudge Accuracy in Media http://take.aim.org/aim.html Accuracy in Academia http://take.aim.org BeachBum's Page More than you wanted to know about the scandals of the First Felons, Bill and Hilllary Clinton, especially as relates to the death of Vince Foster. It'll keep you awake at night! http://users.aol.com/beachbt/index.html The Other Side Conservative opinion on the net by author Mark E. Howerter http://www.cris.com/~dhathaw/otherside/ The Rancho Runnamukka This webpage for PIXELODEON, owned by Michael & Claire Rivero, covers not only their work in music and film, but their interests in archaeology and politics as well. http://www.accessone.com/~rivero Dave Feustel's Web Page This web page deals with the question "Just How Corrupt IS our federal Government?". http://www.mixi.net/~feustel/ Extremist Home Page Do YOU qualify as an Extremist? The Politically Correct, modern definition is a person who exhibits one or more of the following qualities: *Has an explicit philosophical base. *Has a concise, inflexible moral code. *Has an ethical standard which is not relative or situational. *Believes in a Creator God. *Believes that life, liberty and property are sacred. *Is willing to stand up for these principles and beliefs. - The purpose of this page is to provide some pointers to extremists who want to gather their own information, directly from the sources, rather than accept some non-extremist's interpretation of reality. The battle for the mind and spirit of We the People rages on. The weapons that we face are Propaganda, Misinformation, Rhetoric and Censorship. Protect yourself. Ask questions. Question answers. Do your own homework and come to your own conclusions. Then, act on those conclusions! By Pete Celano. http://WWW.Alliance.Net/~celano19/ Free Speech Newspaper A current collection by top writers and researchers of exposes on government, corporate and institutional coverup and fraud. Exposing serious media abuses. Free Speech Forum (HyperMail), A Web Site Newsgroup on above topics. http://www.FreeSpeechNews.com/callme/ Dwights World "Home of great Republicans" Americans for Conservative Action. http://utiweb.com/~lincoln LIN MEDIA DISTRIBUTION From nobody at REPLAY.COM Sat Mar 16 10:09:59 1996 From: nobody at REPLAY.COM (Anonymous) Date: Sun, 17 Mar 1996 02:09:59 +0800 Subject: Yeo, Pea-brained Imbecile Message-ID: <199603161748.SAA07515@utopia.hacktic.nl> The Economist, 16 March 1996, pp. 42-43. Asia and the Internet: Not too modern, please Hunched quietly over their terminals around the world, the mouse-clicking, keyboard-tapping denizens of the Internet have created quite a noise in Asia. The worldwide computer network is still young in the region, but already cyberspace resounds to the crashing of broken taboos, and collisions with the powers that be. In discussion groups on the Internet, you will find views never aired in the domestic media; about Malaysia, a call for the emigration of ethnic Chinese; about Indonesia, passionate pleas for East Timorese independence; about Thailand, jibes at the monarchy, which are a crime. On the World Wide Web, the fast-growing multimedia part of the network, everyone from Confucius to the Penthouse pet of the month seems to have a "home page". All of this confronts many Asian governments with an old dilemma in a new form. All want to be "modern". But many reject the notion that modernity encompasses the sort of political pluralism seen in the west. On the Internet modernity and pluralism go hand in hand. Hence the recent flurry of efforts by governments in the region to exert control over the Internet and overturn what they see as the American colonisation of cyberspace. The effort is complicated by the undoubted commercial potential ofthe Internet, and its future as a business tool. Most countries would prefer to do without the smut and the anti-government invective, but none wants to risk being left out. Fidel Ramos, president ofthe Philippines,whose press is freer than others in Asia, has his own home page, but so does the military junta that runs Myanmar's media like an Orwellian Ministry of Truth. The dilemma is most acute for Singapore. More than any other country in the region, it prides itself on being ahead of the technological game. Indeed, its economic success relies on a state-of-the-art infrastructure. By the end of the century the government hopes to have created an "intelligent island", with at least 95% of homes cabled for services like the Internet and interactive television. Already, the government has a big presence on the World Wide WebHt even provides links to a Board for Online Graffiti ("the only place in Singapore where graffiti are legal"). You can make your choice of virtual lavatory wall on which to scribble a message. More seriously, the World Chinese Business Network hopes to harness the Internet to the legendary "guanxi" or connections that drive overseas Chinese business. George Yeo, Singapore's information minister, is fluent in cyberbabble. "we will need a URL [universal resource locator] that is easy to remember," he told a meeting of his colleagues from the Association of South-East Asian Nations (ASEAN) on March 7th. "we should also encourage hyperlinks to each other's web pages." But Singapore is also among the staunchest critics of unfettered individualism, and of western attempts to foist its political standards on Asia. Because its content remains dominated by westerners, the Internet can be seen as part of such an attempt. Every fanatic liberal and foulmouthed crank can air his heresies and obscenities. So Mr Yeo also warned his ASEAN colleagues that "the influx of objectionable materials via the new electronic media, if left unchecked, will undermine our values and traditions." He was speaking the day after Singapore had introduced "anti-pollution measures" to clean up the I nternet in Singapore. The three local "providers", offering access to the I nternet by a domestic telephone call, will be required to filter out offensive material. "Cybercafes" providing computers for customers to use the Internet will have to install filter software such as "Net Nanny" or "Surf Watch". But this is not just an antipornography drive like that seen in many countries. Organisations posting political or religious information on to the World Wide Web will need to register with the broadcasting authority. Technically, Singapore's effort to control the Internet will be complicated. Mr Yeo suggested it was feasible because all international telephone traffic reaches Singapore through one network, operated by Singapore Telecom. So the authorities are able to monitor anything being sent to Internet servers (who distribute material) in Singapore. Singaporeans could still dial abroad and get access to the uncensored Net. But that would be expensive -- prohibitively so for most people, especially if they wanted to download a pin-up, which can be frustratingly time-consuming. Mr Yeo stressed that Singapore did not intend to "stifle discussion". The only obligation on those engaging in political debate was to take a "certain responsibility and accountability" for their views. It was not clear how these requirements would apply to the Singaporean who responded to the speech by calling the minister a "pea-brained imbecile" on an Internet discussion group. Singapore's house-cleaning effort will be watched closely by other governments in the region. Of Singapore's 3m people, 100,000 already have Internet accounts, twice as many as in China (population 1.2 billion). Nevertheless, China has already gone a step further than Singapore, requiring all Internet users as well as providers to register. It too is looking at how to put a cordon sanitaire around the Internet. Like Myanmar and Vietnam, it is particularly concerned about the campaigning activities in cyberspace of exiled dissidents. Vietnam is seeking prevention rather than cure. The state-owned Internet provider, Netnam, does not as yet give subscribers access to the World Wide Web, just to e-mail services. Other ASEAN countries have so far preferred to be seen as Internet-friendly. Malaysia's deputy prime minister, Anwar Ibrahim, recently opened an exhibition about the Internet in Kuala Lumpur with a warning against censorship. "Let us not forget", he said, "that an informed citizenry is also a responsible citizenry." Similarly in Indonesia and Thailand, the Internet is largely unregulated. An Indonesian magazine, Tempo, banned in 1994 for upsetting the government, has just reappeared "on-line", which even the censors admit is perfectly legal. In the much freer intellectual climate of Thailand, the concern has been as much about sex as about politics. An Internet campaign has urged a boycott of Thai goods because of the prevalence of child prostitution in the country. And a photograph has been posted on the Internet purportedly showing a senior politician engaged in sexual congress with another man's wife. As the Internet gathers pace, so too will its impact on the political scene. InJanuary an article in Singapore's obsequiously pro-government Straits Times asked whether Singapore would "change the Internet", or the other way round. "A little of both," it concluded. But as the Internet free-for-all becomes more readily available to the population at large, other, more decorous, media may find it hard to ignore the challenge. The Straits Times itself may be among the first to feel the change. ----- From rah at shipwright.com Sat Mar 16 10:13:03 1996 From: rah at shipwright.com (Robert Hettinga) Date: Sun, 17 Mar 1996 02:13:03 +0800 Subject: Internet Security Worskhop Call for Papers Message-ID: --- begin forwarded text X-Sender: reagle at rpcp.mit.edu Mime-Version: 1.0 Date: Fri, 15 Mar 1996 13:17:08 -0500 To: (Recipient list suppressed) From: "Joseph M. Reagle Jr." Subject: Internet Security Worskhop Call for Papers ------- Forwarded Message From: papers at rpcp.mit.edu (Richard J. Solomon) Date: Fri, 15 Mar 1996 12:17:23 -0500 To: {Recipient List Suppressed} Cc: reagle at rpcp.mit.edu, execdir at fnc.gov Reply-To: papers at rpcp.mit.edu Subject: Internet Security Call for Papers CALL FOR PAPERS INTERNET PRIVACY AND SECURITY WORKSHOP Haystack Observatory, MA May 20-21, 1996 Privacy and Security Working Group Federal Networking Council Research Program on Communications Policy Center for Technology, Policy, and Industrial Development Massachusetts Institute of Technology INVITATION The Privacy and Security Working Group (PSWG) of the Federal Networking Council (FNC) and the Research Program on Communications Policy of the Center for Technology, Policy, and Industrial Development at the Massachusetts Institute of Technology will hold an invitational workshop at the Haystack Observatory outside of Boston, MA, on May 20-21, 1996. This workshop is intended to bring Federal, academic and private sector participants together in collaboration to develop strategies and potential solutions related to Internet privacy and security. Though a principal focus of the workshop will be on the Federal portion of the Internet, the FNC recognizes that the Federal Internet is tightly coupled with the Global Internet, whose security policies, practices, and goals are complementary to those of the Federal Government. To define those practices, procedures and goals, the PSWG has undertaken two major initiatives: - The Federal Internet Security Plan (FISP), which was developed as a scalable, continual improvement process, based on common principles and mechanisms compatible with Internet community values and needs; and - The Collaborations in Internet Security (CIS) project, an effort aimed at testing the strength of agency approaches to security and moving these technologies beyond individual agency networking environments and into both inter-agency and agency-commercial sector communications. The CIS will result in the development of a new and sustainable process for developing, integrating, and deploying security technologies that are interoperable at all levels of the Federal government and within the commercial and academic sectors. These initiatives are intended to highlight the critical interface between Federal and commercial users and developers of Internet services and technologies. OBJECTIVES This workshop will bring together principal players in the Federal and overall Internet community to discuss the problems and challenges of privacy and security on the Internet, and will: - Identify critical issues, requirements, and recommendations related to future Internet privacy and security research and development efforts; - Describe "best practice" approaches to Internet privacy and security; - Develop specific strategies for implementing Internet Security programs involving all sectors of the Internet community; - Extend the Federal Internet Security Plan (FISP) by defining specific implementations; and finally, - Develop specific strategies for the migration of technologies from the individual RFC unit test stage to the integration of a complete functional managed system in the CIS test/demonstration/pilot projects. SUBMISSIONS Abstracts or complete paper drafts related to the topics listed above are welcome. Accepted papers will be a part of the published record of the workshop. All points of view on Federal policies affecting Internet privacy and security are welcome. Please make all electronic submissions in ASCII format. For further information or to submit an abstract or paper contact: Internet Security and Privacy Workshop c/o Joseph Reagle Research Program on Communications Policy Massachusetts Institute of Technology One Amherst St. (E40-218) Cambridge, MA 02139 Voice: (617) 253-4138. Fax: (617) 253-7326 papers at rpcp.mit.edu SCHEDULE and DEADLINES Call for papers - March 14, 1996 Abstracts Due - April 14, 1996 Invitations to Participants - April 20, 1996 Revised/Completed papers due - May 19, 1996 Workshop - May 20-21, 1996 PARTICIPANTS Participation in the workshop is by invitation, based primarily on submitted papers and abstracts. Additional individuals may be invited to ensure that participation reflects a broad cross-section of the Internet community. PROGRAM COMMITTEE Dennis Branstad - Trusted Information Systems (TIS) Rich Pethia - Computer Emergency Response Team (CERT) Jeffrey Schiller - Massachusetts Institute of Technology (MIT) Richard Solomon - Massachusetts Institute of Technology (MIT) Rick Stevens - Department of Energy /Argonne National Labs (DOE) STEERING COMMITTEE Stephen Squires, Defense Advanced Research Projects Agency (FNC/PSWG Co-Chair) Dennis Steinauer, National Institute of Standards and Technology (FNC/PSWG Co-Chair) Tice DeYoung, National Aeronautics and Space Administration (NASA) Phillip Dykstra, Army Research Laboratory (ARL) Mike Green, National Security Agency (NSA) George Seweryniak, Department of Energy (DOE) Walter Wiebe, Federal Networking Council (FNC) ********************* BACKGROUND Federal Internet Security Plan: In September 1995, the PSWG published the draft Federal Internet Security Plan (FISP). The FISP is oriented toward a scalable, continual improvement process, based on common principles and mechanisms compatible with Internet community values and needs. See . The plan addresses Internet security requirements, including interoperability, from the perspective of the goals and objectives outlined in the National Performance Review (NPR), http://www.npr.gov/. The Federal Networking Council developed this framework in conjunction with its Advisory Committee which represents industry, academia, and non-profit sectors. Action Items, from the FISP, to be addressed during the Workshop: Internet Security Policy and Policy Support Activities * Establish overall Internet security policies * Address security in all Federally supported NII pilots * Coordinate Internet community involvement * Establish an ongoing Internet threat database and assessment capability * Identify legal and law enforcement issues Internet Security and Technology Development * Develop an Internet security maturity model * Develop Internet security architecture * Enhance Internet security services and protocols * Develop a "Secure-Out-of-the-Box" endorsement * Enhance application security Internet Security Infrastructure * Establish a set of Internet security interoperability testbeds * Support privacy, authentication, certificate, and security services pilots * Establish Internet security testing and evaluation capabilities * Improve security incident handling capabilities * Develop security self-assessment capabilities * Establish effective secure software and document distribution mechanisms Education and Awareness * Compile Internet user and site profiles * Encourage use of available security technologies * Establish an Internet security information server * Establish an Internet security symposium/workshop series * Establish an Internet security fellowship program Collaborations in Internet Security: With the Federal government's ever-increasing dependency on computers and distributed systems, there is great urgency for it to develop and employ enhanced information system security technologies and practices. At the same time, these Federal technologies must interoperate with those of the broader Internet community (encompassing the private and academic sectors, along with the Federal sector). In recognition of these needs, the Federal Networking Council's Privacy & Security Working Group (FNC/PSWG) has been awarded a National Performance Review (NPR) Innovation Fund grant to compare and validate agency approaches to security. This Collaborations in Internet Security (CIS) project aims to test the strength of these technologies beyond individual agency networking environments, emphasizing the inter-agency and agency-commercial sector communications. The CIS will result in the development of a new and sustainable process for developing, integrating, and deploying security technology that is interoperable at all levels of the Federal Government and within the commercial and academic sectors. The governing principles behind the Security Testbeds include: employment of an open process (with the activities and results open to participation and comment by both public and private sector participants); a focus on multivendor technologies; an emphasis on testing and experimentally deploying security technologies emerging from research and private sectors as well as security technologies currently in use in the commercial environment; and an underlying objective to ensure interoperability among the broad Internet community (federal, private, and academic). Initial tests will include demonstrations of Kerberos v.5, testing of single-use passwords, and digital signatures. For more information, please see (http://www.fnc.gov/cis_page.html) --- end forwarded text ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From cpunk at remail.ecafe.org Sat Mar 16 11:37:53 1996 From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer) Date: Sun, 17 Mar 1996 03:37:53 +0800 Subject: PolicyMaker paper available Message-ID: <199603161912.TAA08618@pangaea.hypereality.co.uk> Mab at Research.Att.Com posted: >A number of people have been asking me about some work I've been doing >(with Joan Feigenbaum and Jack Lacy) on alternatives to traditional >(X.509, PGP, etc.) identity-based certificates. We've just finished >up our paper on the concept, "Decentralized Trust Management", to >appear at the Oakland Security Conference in May. > >A PostScript pre-print is available in > ftp://research.att.com/dist/mab/policymaker.ps I D/Led this file last night & printed it out. I was a little suspicious at first because you'd think if AT&T really wanted people to read (instead of just wanting to say they published it) they'd put it on the web in http and not use obscure printer codes. But after I read it my suspicious nature was confirmed. Behind all the obscure printer codes and fancy language, it is obvious to anyone with half a brain that this is just a move by AT&T to put itself on top of the internet certificate hierarchy where your're locked in to using AT&T software and internet service (just like RSA and Netscape). You have to license AT&T code to use it and you need an AT&T approved policy attribute or something in order to make it work. Ask yourself why they'd publish this otherwise. Hint: youre safer trusting university research than corporate research-marketing. PGP is good enuf for me. >-matt > >[NB: I no longer read the cypherpunks list with any regularity, so >please cc me directly on any comments or discussion. Thanks.] Uh huhhhhhh. Blaze and AT&T are no friends of the cypherpunks and no longer even condesend to pretend as much. Don't even ask me about their motives for supporting the Leahy key escrow bill. From seth at hygnet.com Sat Mar 16 11:44:05 1996 From: seth at hygnet.com (Seth I. Rich) Date: Sun, 17 Mar 1996 03:44:05 +0800 Subject: Web Page Links In-Reply-To: <960316173225_102774.1273_GHU80-3@CompuServe.COM> Message-ID: <199603161926.OAA06910@arkady.hygnet.com> > > CYPHERPUNKS: > > What is your main home page address? I found you at > http://ibd.ar.com/lists/comp/cypherpunks/199508081922.MAA20209 at netcom5.netcom.com > .html > > We would like to speak to you about providing a link to your web page from > our Media Distribution web page and possibly a link back to our web page as > well. The products we are currently promoting cover topics found on your web > page. We are trying to get information to the public as fast as possible which > I think is a common goal you have as well. [conspiracy theory drivel deleted] Hee, this made me laugh a lot lot lot. Seth --------------------------------------------------------------------------- Seth I. Rich - seth at hygnet.com - (610) 859-0100 Systems Administrator / Webmaster, HYGNet My words are my own; please Rabbits on walls, no problem. don't blame my employer! From rah at shipwright.com Sat Mar 16 13:56:36 1996 From: rah at shipwright.com (Robert Hettinga) Date: Sun, 17 Mar 1996 05:56:36 +0800 Subject: DCSB: Implementing Financial Cryptography, The Cybercash Experience Message-ID: -----BEGIN PGP SIGNED MESSAGE----- The Digital Commerce Society of Boston (Formerly The Boston Society for Digital Commerce) Presents Donald E. Eastlake, III Implementing Financial Cryptography, The Cybercash Experience Tuesday, April 2, 1995 12 - 2 PM The Downtown Harvard Club of Boston One Federal Street, Boston, MA Donald Eastlake is a Senior Systems Engineer with CyberCash, Inc., operators of a credit card based secure Internet payment system. He specializes in security and message protocol design and implementation and is also the editor for the IETF Domain Name System Security Working Group. This talk will cover the CyberCash credit card protocol and the lessons learned in its implementation. This meeting of the Digital Commerce Society of Boston will be held on Tuesday, April 2, 1995 from 12pm - 2pm at the Downtown Branch of the Harvard Club of Boston, One Federal Street. The price for lunch is $27.50. This price includes lunch, room rental, and the speaker's lunch. ;-). The Harvard Club *does* have a jacket and tie dress code. We need to receive a company check, or money order, (or if we *really* know you, a personal check) payable to "The Harvard Club of Boston", by Saturday, March 30, or you won't be on the list for lunch. Checks payable to anyone else but The Harvard Club of Boston will have to be sent back. Checks should be sent to Robert Hettinga, 44 Farquhar Street, Boston, Massachusetts, 02131. Again, they *must* be made payable to "The Harvard Club of Boston". If anyone has questions, or has a problem with these arrangements (We've had to work with glacial A/P departments more than once, for instance), please let us know via e-mail, and we'll see if we can work something out. Planned speakers for the following few months are: May Perry Metzger Security Consultant and Cypherpunk June Dan Shutzer FSTC July Pete Loshin Author, "Electronic Commerce" August Duane Hewitt Idea Futures We are actively searching for future speakers. If you are in Boston on the first Tuesday of the month, and you would like to make a presentation to the Society, please send e-mail to the DCSB Program Commmittee, care of Robert Hettinga, rah at shipwright.com . For more information about the Digital Commerce Society of Boston, send "info dcsb" in the body of a message to majordomo at ai.mit.edu . If you want to subscribe to the DCSB e-mail list, send "subscribe dcsb" in the body of a message to majordomo at ai.mit.edu . Looking forward to seeing you there! Cheers, Robert Hettinga Moderator, The Digital Commerce Society of Boston -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUszPvgyLN8bw6ZVAQHvAQP/XLySwqdqfNb33UjXc5GKOmXsRywGgM60 vlvmzjhHKyLyQhDtp1wgtJqlaTPd5Dkch/r4FU73cuPjrcbV5g3mOxFAmxebSrq3 O2iGN6TxXUrI+abvny0X+atl3htK2VHDZr+gHMfqX/NRU4mFEEuUyStF3zJQ1lyq J9RYE9LUhJQ= =zGoQ -----END PGP SIGNATURE----- ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From tcmay at got.net Sat Mar 16 15:32:30 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 17 Mar 1996 07:32:30 +0800 Subject: Tim's friend's mildly retarded son Message-ID: At 6:44 PM 3/15/96, Blanc Weber wrote: >>The point is that it is not right to prevent, stifle, suffocate, the >>liberty to use one's own resources, to act at one's own discretion and >>make one's own choices in regard of one's own particular circumstance, >>to make independently the judgements necessary to determine the truth >>or falsehood of a statement, or the efficacy of a drug - i.e., it is >>not right to have to "give it up" to the State, allowing no one else to >>engage in the mental exercise and follow-through. >> >> .. >>Blanc >>I hope I'm not the only one here who thinks so. How could you be? Since I was the one who cited the example, I clearly am opposed to the current monopoly on judgment the FDA enjoys. As to Asgaard and his claim that the FDA is to be trusted, he is welcome to trust them. I don't think they are _dishonest_, merely in thrall (*) to special interests, drug companies, and, above all, to bureaucratic stodginess. (* Asgaard should be happy that I am using a word derived from Old Norse, "thrall," as in "enthralling." A thrall was a slave in Icelandic and Old Norse.) His speculation that my friend's mildly retarded son is not helped is unknowable to him. In fact, the nootropic in question, Piracetam, is sold in Europe (and Mexico, as I noted), and elsewhere, for the treatment of Alzheimer's, dementia, and to alleviate mild retardation. My friend thinks it gives his son an improvement from, say, an IQ of 70 to perhaps an IQ of 75. Apparently this is an important difference, so much so that when his supply of Piracetam (nicely packaged from Glaxo Pharmaceuticals of England) ran out, and the FDA had tightened shipping rules and he was unable to order it through the mail from his usual Canadian source, he felt the strong need to drive to Tijuana to buy his son a significant supply. (A few years ago I also bought some nootropics in TJ. I felt no effect. My friend thinks the effect is greater at the impaired-end of the spectrum, which actually fits with the prescribed-usage patterns noted above.) Whether my friend is deluding himself or not, it is not for men with guns to tell him he may not buy something to consume. The "drug laws" are nothing more than "dietary laws," and have virtually nothing to do with public or personal safety. If safety was the issue, then the drug ethanol, which kills at least 40,000 Americans a year would be outlawed while marijuana and narcotics, which kill far fewer (even when police raids, overdoses, and illegality-related crimes are included) would not be the focus of drug laws. Tobacco, which kills an estimated 400,000 a year is the winner. (The statistics I saw a few years ago were easily memorizable: tobacco: 400,000, alchohol: 40,000, drugs: 4,000.) Don't think I am advocating illegalization of booze or cigarettes. Free people are free to consume what they choose. (The issue of driving while impaired, or operating heavy machinery, or posting to the CP list while impaired, is a separable issue. We don't illegalize alchohol, we illegalize drunk driving. And my drug-using acquaintances are drastically less likely to be "DUI" with marijuana or LSD than drinkers are with alcohol.) We are not free when someone tells us which foods and herbs are legal to eat, and which are not. (I'll spare the usual stuff about how the Founders smoke a pipe of cannabis now and then, how "canvas" comes from the Dutch word for this herb, how special interests got hemp and "reefer" outlawed, and how the effects fell mainly on the poor and inner-city folks.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From perry at piermont.com Sat Mar 16 16:14:30 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 17 Mar 1996 08:14:30 +0800 Subject: PolicyMaker paper available In-Reply-To: <199603161912.TAA08618@pangaea.hypereality.co.uk> Message-ID: <199603162353.SAA15330@jekyll.piermont.com> ECafe Anonymous Remailer writes: [Crap] > I D/Led this file last night & printed it out. I was a little suspicious > at first because you'd think if AT&T really wanted people to read (instead > of just wanting to say they published it) they'd put it on the web in http > and not use obscure printer codes. Huh? Postscript an "obscure printer code"? > Behind all the obscure printer codes and fancy language, it is obvious to > anyone with half a brain that this is just a move by AT&T to put itself > on top of the internet certificate hierarchy where your're locked in > to using AT&T software and internet service (just like RSA and Netscape). > You have to license AT&T code to use it and you need an AT&T approved > policy attribute or something in order to make it work. You are on drugs, whomever you are. Matt and company have done some very interesting work here on certificate policies. The work is unpatented and involves no proprietary AT&T technology. In short, you are both an stupid and paranoid. You probably didn't understand what you were reading. If you had a milligram of self respect, you'd come out from behind that anonymous remailer. Of course, I expect that you know that your words are embarassing rather than something to be proud of. The paper in question is seminal. I strongly urge people who don't drool when they open their mouths to read it. Perry From stewarts at ix.netcom.com Sat Mar 16 18:42:40 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 17 Mar 1996 10:42:40 +0800 Subject: Java bignum package Message-ID: <199603160809.AAA01000@ix14.ix.netcom.com> At 06:08 PM 3/15/96 -0800, Hal Finney wrote: >My implementation is purely in Java, so it is much slower than one which >uses native methods, although I don't think native methods can be sent >across the net automatically like applets, so until they are widely >distributed a pure-Java implementation may have some advantages. Does Java have a run-time way to do #if_exists library_X foo = library_X.method_a(bar, baz) #else foo = library_Y.method_a(bar, baz) #endif or equivalent? This would let you distribute a slow pure-java library that's compatible to a native-mode library and use whichever you need. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From stewarts at ix.netcom.com Sat Mar 16 18:42:56 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 17 Mar 1996 10:42:56 +0800 Subject: CD-reading for random keys Message-ID: <199603160809.AAA01012@ix14.ix.netcom.com> At 11:56 AM 3/14/96 GMT, bruce at omega.co.nz wrote: >The "entropy" or randomness of audio data is LOW. That's why audio compresses >so well. However, the idea of keeping a one-time key on CD-ROM is good. Actually, the idea's not real good - CDROMs are easy to keep around, last a long time, and are generally not eraseable - this encourages using them as a More Than One Time Pad, which is a really bad idea..... Tape is better - it's easy to write garbage over it as you go along, it doesn't have that feel of permanence about it, and it's easy to use for something else besides selling as Musique Concre'te or Rainforest Ocean Background Harmonies. If you're going to use audio as a source, even FM radio hiss (using one of those new radio-in-your-PC cards), compress it first, then feed it to some encryption algorithm or shove it through MD5 to lose any remaining patterns if you can. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From stewarts at ix.netcom.com Sat Mar 16 18:45:23 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 17 Mar 1996 10:45:23 +0800 Subject: Tim's friend's mildly retarded son Message-ID: <199603160809.AAA01009@ix14.ix.netcom.com> At 08:16 PM 3/15/96 -0800, Blanc or somebody she was replying to wrote: >> .... Tobacco, which kills an estimated 400,000 a year is the >> winner. (The statistics I saw a few years ago were easily memorizable: >> tobacco: 400,000, alchohol: 40,000, drugs: 4,000.) 99% of US drug deaths are from legal drugs. Alcohol's more like 100,000, as of 1990 figures, about 20% of US drug deaths; this is just disease-related deaths, excluding drunk driving. Tobacco was about 370K or 390K, roughly 75%. Prescription drugs were about 20,000, including suicides, and I don't know if this included prescription opiates like morphine and codeine. Caffeine, my personal favorite, is 5000-10000, though it's much harder to estimate how much it really contributes to heart attack deaths. Cocaine was about 2500, heroin 2000, PCP 700, the rest lower, total about 1%. Marijuana was its usual 0 deaths. As Tim says, it's far from crypto - but one of the main excuses for money-laundering laws is to track down pharmaceutical wholesalers' profits. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From eggplant at inlink.com Sat Mar 16 18:45:35 1996 From: eggplant at inlink.com (eggplant) Date: Sun, 17 Mar 1996 10:45:35 +0800 Subject: Jump Start ecash With IPhone Message-ID: >>(deleted) > >Granted. Of course it is quite a jump to claim that a software program is a >"Long Distance Carrier." If I run Winsock on my machine and a Winsock >application like Iphone, if anyone is the LD carrier, *I* am because I am >digitizing my voice and doing the first part of the switching necessary to >send the packets on their way. Maybe the FCC should bust *me* for >practicing telecommunications without a license. It would make for an >interesting case. > >DCF So is telecommunications defined as voice transmision? Couldn't Cu-Seeme be defined as telecommunications also? Or how about the transmission of digital data in general since that's one place where telecom companies are investing. -- "... In Germany they first came for the Communists and I didn't speak up because I wasn't a Communist. Then they came for the Jews, and I didn't speak up because I wasn't a Jew. Then they came for the trade unionists, and I didn't speak up because I wasn't a trade unionist. Then they came for Catholics, and I didn't speak up because I was a Protestant. Then they came for me-and by that time no one was left to speak up..." Pastor Martin Niemoller ++++++++++++ ************************************** * Matthew Murphy ------------ eggplant at inlink.com * ---------- * http://www.inlink.com/~eggplant * The Web page is under construciton at this time though.. * Please don't mind the mess.... * ************************************** ++++++++++++ finger eggplant at inlink.com for my PGP key. From stewarts at ix.netcom.com Sat Mar 16 18:45:43 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 17 Mar 1996 10:45:43 +0800 Subject: Release of PGPdomo version 0.2 Message-ID: <199603160809.AAA01022@ix14.ix.netcom.com> We've recently discussed PGP-enhanced majordomo, and just by coincidence, there's a new version. >Return-Path: >Date: Fri, 15 Mar 1996 14:29:07 -0500 >From: phollins at hawww.ha.osd.mil >To: majordomo-workers at greatcircle.com, pgpdomo-announce at hawww.ha.osd.mil, > pgpdomo-users at hawww.ha.osd.mil >Subject: Release of PGPdomo version 0.2 >Cc: >Sender: owner-pgpdomo-announce at hawww.ha.osd.mil > >-----BEGIN PGP SIGNED MESSAGE----- > > >PGPdomo version 0.2 is now available as Public Domain freeware at: > > ftp://hawww.ha.osd.mil/pgpdomo/pgpdomo.tar.Z > ftp://hawww.ha.osd.mil/pgpdomo/pgpdomo.tar.Z.md5 > ftp://hawww.ha.osd.mil/pgpdomo/README > >PGPdomo is an integration of PGP and Majordomo 1.93 allowing you >to manage encrypted mailing lists from any UNIX platform. > >PGPdomo contains perl source replacement programs (and config files) >for Majordomo 1.93. You must have PGP and Majordomo 1.93 functional >before installing PGPdomo. > >Version 0.2 adds new commands, more logging, tweaks, and bug fixes. > >Comments and suggestions welcome! > >Patrick Hollins >phollins at hawww.ha.osd.mil > >-----BEGIN PGP SIGNATURE----- >Version: 2.6.2 > >iQCVAwUBMUm9uWYiTeh15gbBAQHysAP/W6rvXRTd437ISOoo/piCsn2gESceSA92 >jiVarMl6XqhRAvf1mpqsQiTa3uywqbuEpyu0EmnZ/cUIYbgpwMi/RCO7AqUFmb7I >hL6RDt9X1fhg4BGS/NiHJ1tG9GHWR1zlzj+KHaK1oPT4YGdNnBgwGQUZdmAmRYp+ >nCoDJdZZ6jk= >=QAay >-----END PGP SIGNATURE----- > > #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From winn at Infowar.Com Sat Mar 16 20:20:01 1996 From: winn at Infowar.Com (winn at Infowar.Com) Date: Sun, 17 Mar 1996 12:20:01 +0800 Subject: InfoWarCon V 1996: Call For Papers Message-ID: <199603170401.XAA18462@mailhost.IntNet.net> P L E A S E D I S T R I B U T E W I D E L Y C A L L F O R P A P E R S InfoWarCon 5, 1996 Fifth International Information Warfare Conference "Dominating the Battlefields of Business and War" September 5-6, 1996 Washington, DC Sponsored by: Winn Schwartau, Interpact, Inc. National Computer Security Association Robert Steele, Open Source Solutions, Inc. Information Warfare represents a global challenge that faces all late-industrial and information age nation states. It also represents the easiest and cheapest way for less developed nation-states and religious or political movements to anonymously and grievously attack major nations and international corporations. This Fifth International Conference on Information Warfare is an unclassified, open source conference, and will examine US and global perspectives on all three classes of Information Warfare: Class One: Personal Privacy: In Cyberspace You Are Guilty Until Proven Innocent Class Two: Industrial and Economic Spying and Warfare Class Three: Global Conflict, Terrorism and the Military The three planned tracks will be: * Financial/Civilian Information Warfare (Class I and Class II) * Military and Terrorist Information Warfare (Class III) * Offensive and Defensive Technologies for Business and Government (Classes I, II and III) We are seeking forward thinking papers, demonstrations and interactive concepts for presentation to an audience of 1000+, representing civilian and military from more than 20 countries, all branches of the US government and the top US corporations. The papers should offer new perspectives, attitudes, studies, and technologies that can be used for the advancement of the field. You are free to submit on any subject matter, including, but not limited to: - Battlefield Dominance - Industrial Espionage: cases, policies and defense. - Military perspectives on "Information in Warfare" - Policy Quagmires - Policy Resolutions - Personal Privacy in the global marketplace - Denial of Service techniques and technologies for the private sector and the military - Terrorism and Counter-terrorism - Defending Against the Internet: new techniques and methods - Threats to Global Electronic Commerce and Solutions - Anonymous International Banking - The convergence of the commercial and military in the Post Cold War World - InfoWar Technologies - Case Studies - Your Thoughts and Ideas Please submit your 1-2 page concept white papers no later than May 5, 1996. The evaluation committee will let you know the results by May 15, at which point we will need your complete submission no later than July 15, 1996. Send you papers to: Betty at Infowar.Com For sponsorship opportunities and registration information at InfoWarCon V 1996, please contact: National Computer Security Association 1.800.488.4595 pgates at ncsa.com or infowar96 at ncsa.com Peace Winn Winn Schwartau - Interpact, Inc. Information Warfare and InfoSec V: 813.393.6600 / F: 813.393.6361 Winn at InfoWar.Com From corey at hedgehog.mcom.com Sun Mar 17 00:44:24 1996 From: corey at hedgehog.mcom.com (Corey Bridges) Date: Sun, 17 Mar 1996 16:44:24 +0800 Subject: Cypherpunks reference in Netscape book Message-ID: <2.2.32.19960315083753.009c3b84@pdmail2.mcom.com> I'm writing the "Encryption and SSL" chapter for the Netscape products, and I'm finishing it up with a "Further reading" section that lists crypto-related books, web sites, and newsgroups. I was thinking of including a reference to this mailing list. Any strong opinions either way? As I see it, the downside is a possible increase in confused people (specifically on the mailing list--not in general from my writing) and a decrease in the ever-controversial signal-to-noise ratio. The upside is that new people might come to the list and be enlightened further on the reasonableness of privacy. And speaking pragmatically, I can't imagine that too many people would take the time to: 1. read the docs 2. join the mailing list 3. post ill-considered messages (As a side note, if anyone ever has any feedback about security coverage in Netscape documentation, send it my way.) Corey Bridges Netscape Security Documentation http://home.netscape.com/people/corey 415-528-2978 From jimbell at pacifier.com Sun Mar 17 01:15:03 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 17 Mar 1996 17:15:03 +0800 Subject: Beat Remote Monitor Snooping? Message-ID: At 12:18 AM 3/16/96 GMT, John Lull wrote: >On Thu, 14 Mar 1996 21:54:10 +0100, Gary Howland wrote: > >> NTSC (TV video) modulation is done by phase modulation of the 3.579545 MHz >> subcarrier. > >This is not correct. I'd suggest you go back and re-read your NTSC >references. If that's not correct, what is? And it's been years since I read NTSC; I don't even know if I now have ready access to the information. Merely saying that it's wrong isn't particularly informative, especially if you choose to copy it to the list. Jim Bell jimbell at pacifier.com From unicorn at schloss.li Sun Mar 17 01:29:28 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 17 Mar 1996 17:29:28 +0800 Subject: InfoWarCon V 1996: Call For Papers In-Reply-To: Message-ID: On Sat, 16 Mar 1996, jim bell wrote: > At 11:01 PM 3/16/96 -0500, winn at Infowar.Com wrote: > > C A L L F O R P A P E R S > > > > InfoWarCon 5, 1996 > > Fifth International Information Warfare Conference > > "Dominating the Battlefields of Business and War" > > September 5-6, 1996 > > Washington, DC > > I'm wondering if I should bother re-writing my "Assassination Politics" > essay into the form of a paper and submitting it to these people. While it > might nominally be considered right down their alley, from a subject > standpoint, even a cursory look at the location (Washington, DC) and the > invited people (large companies and military) suggest that my ideas would be > just about as welcome as a yarmulke at a Nazi Party convention. It didn't take an analysis of the sponsor or even the forum to determine this. > > I'm not aware of the agenda (hidden or otherwise) of the sponsors, so I don't know whether I should even bother. Many people aren't particularly appreciative of being "one-upped" (not to mention made obsolete) so it's not clear that they'd give me the time of day. Any ideas as to their receptiveness? I think you should keep your day job. As to "one-upping" the key figures in the field. Good luck. Hey, you asked. > Jim Bell > jimbell at pacifier.com > > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From mab at research.att.com Sun Mar 17 01:51:20 1996 From: mab at research.att.com (Matt Blaze) Date: Sun, 17 Mar 1996 17:51:20 +0800 Subject: new release (v.1.3.3) of CFS encrypting filesystem Message-ID: <199603170931.EAA02014@nsa.tempo.att.com> Source code for the latest version (release 1.3.3) of CFS, the Cryptographic File System, is now available upon request for research and experimental use in the US and Canada. This version works under most BSD-derived Unix systems and should now run without modification under most current Linux releases as well. CFS pushes encryption services into the Unix(tm) file system. It supports secure storage at the system level through a standard Unix file system interface to encrypted files. Users associate a cryptographic key with the directories they wish to protect. Files in these directories (as well as their pathname components) are transparently encrypted and decrypted with the specified key without further user intervention; cleartext is never stored on a disk or sent to a remote file server. CFS employs a novel combination of DES stream and codebook cipher modes to provide high security with good performance on a modern workstation. CFS can use any available file system for its underlying storage without modification, including remote file servers such as NFS. System management functions, such as file backup, work in a normal manner and without knowledge of the key. CFS runs under SunOS and several other BSD-derived systems with NFS. It is implemented entirely at user level, as a local NFS server running on the client machine's "loopback" interface. It consists of about 5000 lines of code and supporting documentation. You must have "root" access to install CFS. CFS was first mentioned at the work-in-progress session at the Winter '93 USENIX Conference and was more fully detailed in: Matt Blaze. "A Cryptographic File System for Unix", Proc. 1st ACM Conference on Computer and Communications Security, Fairfax, VA, November 1993. (PostScript available by anonymous ftp from research.att.com in the file dist/mab/cfs.ps.) and in Matt Blaze. "Key Management in an Encrypting File System", Proc. Summer '94 USENIX Tech. Conference, Boston, MA, June 1994. (PostScript available by anonymous ftp from research.att.com in the file dist/mab/cfskey.ps.) Version 1.3 of CFS also includes ESM, the Encrypting Session Manager. ESM provides shell-to-shell encrypted sessions across insecure links and requires no OS or network support. It is useful for typing cfs passphrases when logged in over the network. ESM needs RSAREF 2.0 to compile and is tested only on SunOS and BSDI. ESM is the first released part of a suite of session encryption tools that are described in Matt Blaze and Steve Bellovin. "Session-layer Encryption." Proc. 1995 USENIX Security Workshop, Salt Lake City, June 1995. (PostScript is available from ftp://research.att.com/dist/mab/sesscrypt.ps) The new version of CFS differs from the version described in the papers in a few ways: * The DES-based encryption scheme has been strengthened, and now provides greater security but with the online latency of only single-DES. * Support for the smartcard-based key management system is not included and a few of the tools are not included. * An impoved key management scheme now allows chaning the passphrase associated with a directory. * The performance has been improved. * The security of the system against certain non-cryptanalytic attacks has been improved somewhat. * User-contributed ports to a number of additional platforms. * Hooks for adding new ciphers. * 3-DES, MacGuffin, and SAFER-SK128 encryption options. * Timeout options allow automatic detach of encrypted directories after a set time or period of inactivity. CFS is distributed as a research prototype; it is COMPLETELY UNSUPPORTED software. No warranty of any kind is provided. We will not be responsible if the system deletes all your files and emails the cleartext directly to the NSA or your mother. Also, we do not have the resources to port the software to other platforms, although you are welcome to do this yourself. The software was developed under SunOS and BSDI, and there are also unsupported user-contributed ports available for AIX, HP/UX, Irix, Linux, Solaris and Ultrix. We really can't promise to provide any technical support at all, beyond the source code itself. We also maintain a mailing list for CFS users and developers; subscription information is included with the source code. Because of export restrictions on cryptographic software, we are only able to make the software available within the US and Canada to US and Canadian citizens and permanent residents. Unfortunately, we cannot make it available for general anonymous ftp or other uncontrolled access, nor can we allow others to do so. Sorry. Legal stuff from the README file: * Copyright (c) 1992, 1993, 1994, 1995 by AT&T. * Permission to use, copy, and modify this software without fee * is hereby granted, provided that this entire notice is included in * all copies of any software which is or includes a copy or * modification of this software and in all copies of the supporting * documentation for such software. * * This software is subject to United States export controls. * * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED * WARRANTY. IN PARTICULAR, NEITHER THE AUTHORS NOR AT&T MAKE ANY * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE MERCHANTABILITY * OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR PURPOSE. If you would like a copy of the CFS source code, please read to the end of this message and then send email to: cfs at research.att.com DO NOT REPLY DIRECTLY TO THIS MESSAGE. You must include a statement that you are in the US or Canada, are a citizen or legal permanent resident of the US or Canada, and have read and understand the license conditions stated above. Be sure to include an email address in a US- or Canada-registered domain. The code will be sent to you via email in a "shar" shell archive (a little over 300K bytes long). From merriman at arn.net Sun Mar 17 04:41:00 1996 From: merriman at arn.net (David K. Merriman) Date: Sun, 17 Mar 1996 20:41:00 +0800 Subject: Win95 Remailer beta Message-ID: <2.2.32.19960317002833.00678054@arn.net> -----BEGIN PGP SIGNED MESSAGE----- I've finally managed to get my hack at a Win95-based remailer done. I've settled on RemailerBot for a name, an this will be version .9b(eta). It isn't pretty, and there isn't a whole lot of functionality to it yet (remailing, reorder, automagically kills subject lines, handles both anon-to and request-remailing-to). But at least it's *something*; I'll start adding to it ASAP. I'll have the (_heavily_ commented) source (written in VB4 Pro, heh) available on my web page in a day or two (probably need to figure on Monday :-). Anyone wants it before then, email me and I'll zip it up and email it to you (state your preference for MIME or uuencoding). Many thanks to the kind folks who sent 'anonymous mail' to me via my webmaster identity so that I'd have some 'real' remailer messages to play with. Brief description of it is that it reads what Seattle Labs software (purveyors of SLMail95) assures me is a 'standard unix' .mbx file, separates it into component messages, processes them, and dumps the results into an outbox directory. It deletes (not wipes [yet]) any intermediate files. Wiping isn't a big priority (I think) because of Win95's System Agent which can run a defrag utility periodically. My feature priorities are PGP first, followed by latency, then the rest. If there's anyone out there that can read VB source _and_ knows what a .mbx file really looks like, I'd appreciate having a cross-check on my parsing. Right now, it's SLMail-specific, and I'd like to be able to make sure it can handle a little more variety. Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUtALsVrTvyYOzAZAQF9+gP+NBtz30BYmPhFBo2P6hPp5yD7nc2bP4ot 5J+HN8K6no3ESguAw2vyhjgY64xIFpD3OUsQsSyz67d7p2nuplKPdTCAKsywE3TF xRcAnb62HH2XOb3QrlnVP17xUqyp8QNlu+fX4WWYqMCoxiyc0KEaFaC+7R7apAuA KfPD7voioDI= =lhjn -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From dmandl at panix.com Sun Mar 17 04:56:33 1996 From: dmandl at panix.com (David Mandl) Date: Sun, 17 Mar 1996 20:56:33 +0800 Subject: PolicyMaker paper available Message-ID: At 2:12 PM 3/16/96, ECafe Anonymous Remailer wrote: >Mab at Research.Att.Com posted: >>A number of people have been asking me about some work I've been doing >> >>A PostScript pre-print is available in ^^^^^^^^^^ >> ftp://research.att.com/dist/mab/policymaker.ps > >I D/Led this file last night & printed it out. I was a little suspicious >at first because you'd think if AT&T really wanted people to read (instead >of just wanting to say they published it) they'd put it on the web in http >and not use obscure printer codes. ^^^^^^^^^^^^^^^^^^^^^ Yeah, not only that, but you need one of them fancy modem contraptions to get it. --Dave. -- Dave Mandl dmandl at panix.com http://www.wfmu.org/~davem From winn at Infowar.Com Sun Mar 17 07:17:11 1996 From: winn at Infowar.Com (winn at Infowar.Com) Date: Sun, 17 Mar 1996 23:17:11 +0800 Subject: InfoWarCon V 1996: Call For Papers In-Reply-To: Message-ID: <199603171507.KAA02986@mailhost.IntNet.net> Welcome! I can't tell which of the two authors of ths following conversation is the more paranoid, but clearly at least 1 1/2 of them are totally wrong with their assumptions about 'agenda' and 'receptiveness' and 'one-upped.' It's so obscure, I don't know whether to take it seriously or not. BUT - if you are serious about submitting, to an international audience, I suggest that you first: - Read "Information Warfare: Chaos on the Electronic Superhighway" - Get the Proceedings from InfoWarCon III, 1995 from 1.800.488.4595 and then make informed opinions and decisions. We openly ebncourgae and welcome controversial subjects; that's why InfoWarCon's are so successful Fromthe sounds of it, no one else would have you. Make it intersting, cogent, contributory to the field, and meaningful. We will then take you seriously. Thyanks for your thoughts! Winn On Sun, 17 Mar 1996, Black Unicorn wrote: >On Sat, 16 Mar 1996, jim bell wrote: > >> At 11:01 PM 3/16/96 -0500, winn at Infowar.Com wrote: >> > C A L L F O R P A P E R S >> > >> > InfoWarCon 5, 1996 >> > Fifth International Information Warfare Conference >> > "Dominating the Battlefields of Business and War" >> > September 5-6, 1996 >> > Washington, DC >> >> I'm wondering if I should bother re-writing my "Assassination Politics" >> essay into the form of a paper and submitting it to these people. While it >> might nominally be considered right down their alley, from a subject >> standpoint, even a cursory look at the location (Washington, DC) and the >> invited people (large companies and military) suggest that my ideas would be >> just about as welcome as a yarmulke at a Nazi Party convention. > >It didn't take an analysis of the sponsor or even the forum to determine >this. > >> >> I'm not aware of the agenda (hidden or otherwise) of the sponsors, so >I don't know whether I should even bother. Many people aren't >particularly appreciative of being "one-upped" (not to mention made >obsolete) so it's not clear that they'd give me the time of day. Any >ideas as to their receptiveness? > >I think you should keep your day job. As to "one-upping" the key figures >in the field. Good luck. > >Hey, you asked. > >> Jim Bell >> jimbell at pacifier.com >> >> > >--- >My prefered and soon to be permanent e-mail address: unicorn at schloss.li >"In fact, had Bancroft not existed, potestas scientiae in usu est >Franklin might have had to invent him." in nihilum nil posse reverti >00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information > > > Peace Winn Winn Schwartau - Interpact, Inc. Information Warfare and InfoSec V: 813.393.6600 / F: 813.393.6361 Winn at InfoWar.Com From jimbell at pacifier.com Sun Mar 17 08:57:06 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 18 Mar 1996 00:57:06 +0800 Subject: InfoWarCon V 1996: Call For Papers Message-ID: At 11:01 PM 3/16/96 -0500, winn at Infowar.Com wrote: > C A L L F O R P A P E R S > > InfoWarCon 5, 1996 > Fifth International Information Warfare Conference > "Dominating the Battlefields of Business and War" > September 5-6, 1996 > Washington, DC >Sponsored by: > Winn Schwartau, Interpact, Inc. > National Computer Security Association > Robert Steele, Open Source Solutions, Inc. > >Information Warfare represents a global challenge that faces all late-industrial >and information age nation states. It also represents the easiest and cheapest >way for less developed nation-states and religious or political movements to >anonymously and grievously attack major nations and international corporations. > >This Fifth International Conference on Information Warfare is an unclassified, >open source conference, and will examine US and global perspectives on all three >classes of Information Warfare: I'm wondering if I should bother re-writing my "Assassination Politics" essay into the form of a paper and submitting it to these people. While it might nominally be considered right down their alley, from a subject standpoint, even a cursory look at the location (Washington, DC) and the invited people (large companies and military) suggest that my ideas would be just about as welcome as a yarmulke at a Nazi Party convention. I'm not aware of the agenda (hidden or otherwise) of the sponsors, so I don't know whether I should even bother. Many people aren't particularly appreciative of being "one-upped" (not to mention made obsolete) so it's not clear that they'd give me the time of day. Any ideas as to their receptiveness? Jim Bell jimbell at pacifier.com From jimbell at pacifier.com Sun Mar 17 09:56:45 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 18 Mar 1996 01:56:45 +0800 Subject: InfoWarCon V 1996: Call For Papers Message-ID: At 10:10 AM 3/17/96 -0500, winn at Infowar.Com wrote: >PLEASE! >It sounds fascinating. Submit. I will NOT SUBMIT! NEVER! Oh, you meant my essay? Sorry! Here it is, parts 1-6. Parts 7-8, and 9-10 in the next message: Assassination Politics by Jim Bell, jimbell at pacifier.com Part 1 [rest deleted for CP] From WlkngOwl at unix.asb.com Sun Mar 17 10:17:20 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Mon, 18 Mar 1996 02:17:20 +0800 Subject: FYI - Article in Sun. 3/18 LI Newsday Message-ID: <199603171814.NAA29008@unix.asb.com> There's an article in Sunday's (March 18) Long Island Newsday called "When is online out of line" with the subtitle "Should we censor the internet?". Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From merriman at arn.net Sun Mar 17 12:03:52 1996 From: merriman at arn.net (David K. Merriman) Date: Mon, 18 Mar 1996 04:03:52 +0800 Subject: Win95 Remailer Message-ID: <2.2.32.19960317073711.00676ff8@arn.net> -----BEGIN PGP SIGNED MESSAGE----- I neglected to mention in my previous message that the source will also come with an executable. Dave -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUukpsVrTvyYOzAZAQF7bQP+NtuSDNKUnNk3P7l11rnHCmouZrclhbT3 o2ayOhYiOnpAkV4UQJLm/SN4KT5OL9tZdy8uc5dI+jzywVkPUlP79HSbfj9SNvgF AcjaDWvwjB4b0+iNam+avl/uMSR4xGRmCKi42pJZIN0klEvAvT6OadBYsPFat19W 1RiwthHvN9Y= =yLK+ -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From declan+ at CMU.EDU Sun Mar 17 12:46:14 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Mon, 18 Mar 1996 04:46:14 +0800 Subject: Judge blocks French ISPs from connecting to revisionist sites Message-ID: >From the attached message by Valerie Sedallian, it looks like a French judge approved the injunction. This will allow the French Jewish Students Association to prevent a number of ISPs (including CompuServe and IBM Global Network) from allowing connections to any revisionist web sites. In France, revisionism is a criminal offense. Related messages are in these archived threads: http://fight-censorship.dementia.org/fight-censorship/dl?num=1801 http://fight-censorship.dementia.org/fight-censorship/dl?thread=French+Jewish+s tudents+sue+ISPs+for+revisionist+materials&after=1817 Instructions on how to subscribe to fight-censorship-announce for updates: http://fight-censorship.dementia.org/top/ A web site with some info on Germany's failed net.blocking attempts: http://www.gsia.cmu.edu/andrew/ml3e/www/Not_By_Me_Not_My_Views/ France's failed book banning attempt is at: http://www.cs.cmu.edu/~declan/le-secret/ Info on other international net-censorship attempts is at: http://www.cs.cmu.edu/~declan/zambia/ -Declan ---------- Forwarded message ---------- Date: Sun, 17 Mar 1996 20:29:05 +0100 From: Sedallian =?iso-8859-1?Q?Val=E9rie?= To: Declan McCullagh Subject: French Jewish students sue ISPs for revisionist materials? Declan, Here is a note about the hearing that i have written for my newsletter and translated . english version has not reviewed yet so please excuse english mistakes.you can forward this message . FRANCE : 15 March 1996 A French Jewish Students Association ( Union des Etudiants Juifs de France - UEJF) has issued a writ against 9 French Internet Providers on the grounds that ISP allow their client to access to negationists services or messages infringing French criminal law. The plaintiff asked that the jugde gave the defendants an injonction under penalties to prevent their clients to connect to messages and services that patently infringe a french law that provides that revisionism is a criminal offense (loi Gayssot). The law provides that whose who will have contested publicly the existence of one or some crimes against humanity as they are defined under article 6 of statutes of the international military court attached to London agreement of 8 august 1945 and that have been committed either by an organisation declared criminal by application of article 9 of the said statute , or by a person recognised as guilty of such crimes by a french or international jurisdiction will be punished up to an emprisonnment of one year or/and a fine of 300 000FF Defendants have explained that they were providers of access, not of content, the the plaintiff 's demand would amount to make an a priori, systematic, in real time control on all serviecs and messages exchanged, which would be impossible to implement. They underlined the discriminatory character of the proceedings as not all French IP had been sued and the unspecified nature of the demand , messages and services considered unlawfull not being precised. International law issues and the fact that negationnists messages come from persons located in the USA where they are protected by the 1st amendment of the american constitution have also been discussed. Internet providers have reminded that they were neither administrators or managers of the Internet, which is a network build by users themselves. Sentenced is scheduled April 12th 1996. From drose at AZStarNet.com Sun Mar 17 13:49:55 1996 From: drose at AZStarNet.com (drose at AZStarNet.com) Date: Mon, 18 Mar 1996 05:49:55 +0800 Subject: Censorship Message-ID: <199603172135.OAA20358@web.azstarnet.com> FYI, just saw the following scheduled (at least here in Tucson) on PBS for Friday night, 3/23: _Firing Line_ debate Resolved: The Government Has the Right to Regulate the Internet "A current communications controversy fuels the proposed resolution in the latest installment of William F. Buckley Jr.'s recurring series, in which participants debate whether the Internet should be federally regulated. Among those arguing for it with Buckley are Arianna Huffington and Reid Hoffman; those against it include Susan Estrich and John Perry Barlow." From markm at voicenet.com Sun Mar 17 14:01:00 1996 From: markm at voicenet.com (Mark M.) Date: Mon, 18 Mar 1996 06:01:00 +0800 Subject: Backup of Encrypted Partition In-Reply-To: <827090597.2529.0@bclimser.demon.co.uk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sun, 17 Mar 1996, Sanwar Ali wrote: > Does anyone know how to backup a "SecureDrive" partition onto tape > quickly and easily. > > HPACK is really slow. > > PKZIP and then PGP is slow. > > RAWDISK, seems to be quite complex (perhaps I am just stupid!), and I > am terrified of making some sort of terrible mistake. I don't think that you can avoid the speed problem. The SecureDrive TSR has to decrypt the data on the disk and this can be a slow procedure when dealing with 100 megabytes. You could speed up the backup procedure by turning off compression. I know that pkzip has this option, but I'm not sure about any of the other programs you mention. - --Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMUyIGbZc+sv5siulAQGUSwP/TveptXcLvr/J8Ehxzi/NhcY02omdM9WF kbOMSqPKkGfPDUNmCnCQWoOsSMhjOWH5dqpW3+QC59+R1YQDRILGdPMttfpvuXDB UCRmP9BkYsG/knhrfnztw0eoUKV3TgMLGMC1tETGJ1PG4tWcaFj70wYDnffo5ckI vHpP1ggyJc8= =ECX1 -----END PGP SIGNATURE----- From merriman at arn.net Sun Mar 17 14:22:26 1996 From: merriman at arn.net (David K. Merriman) Date: Mon, 18 Mar 1996 06:22:26 +0800 Subject: RemailerBot available from homepage Message-ID: <2.2.32.19960317100524.0069ec4c@arn.net> -----BEGIN PGP SIGNED MESSAGE----- I've gotten RemailerBot up on my home page. Source, executable, and (very sparse) documentation available as a 20+K zip file. http://www.shellback.com/personal/merriman/index.htm Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUvHksVrTvyYOzAZAQG5ywQAoYhjUDZ3Hexc8HoFW7C3zKkrFnXyx5nd iGAYQy9BcKh25fTz8pFmezEKPnAH2v58+OY/5I86F9ZgKDTpLiRXn/TrG97X3cGh DxVgrgar+yDsdhJ9RKlT6s7PmDf6H8f2nvblRBDqKbcc1Mj57l9RNNH3/fBjGlXg SPvIwfr/SaY= =+9G4 -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From mch at squirrel.com Sun Mar 17 14:43:09 1996 From: mch at squirrel.com (Mark C. Henderson) Date: Mon, 18 Mar 1996 06:43:09 +0800 Subject: Backup of Encrypted Partition Message-ID: <199603172221.OAA14725@squirrel.com> On Mar 17, 18:38, Sanwar Ali wrote: } Subject: Backup of Encrypted Partition } Hi } } Apologies if this is too much of a beginner's Q. } } Does anyone know how to backup a "SecureDrive" partition onto tape } quickly and easily. } } HPACK is really slow. } } PKZIP and then PGP is slow. } } RAWDISK, seems to be quite complex (perhaps I am just stupid!), and I } am terrified of making some sort of terrible mistake. } } I have about 100MB in the partition. I have a pretty out of date } computer which is a 386 33MHz running Windows. Ease of backup is one of the strengths of CFS which is a cryptographic filesystem for various flavours of UNIX and Linux. With CFS the encrypted files live in the ordinary UNIX filesystem (their names are also encrypted), so one can backup encrypted data without decrypting to make things intelligible and then encrypting to secure the tape. Backups take no more time than backups of ordinary unencrypted files and don't require any special tools (ufsdump, GNU tar, GNU cpio work fine). You backup files individually, which means you can also restore them individually, i.e. without restoring a whole partition. Of course, this doesn't solve your problem, because you are running Windows. But CFS might be incentive to also run a more feature-rich operating system on your PC. You don't need to give up DOS/Windows to also run Linux, FreeBSD, Solaris, Unixware, etc. -- Mark Henderson -- markh at wimsey.bc.ca, mch at squirrel.com, henderso at netcom.com ViaCrypt PGP Key Fingerprint: 21 F6 AF 2B 6A 8A 0B E1 A1 2A 2A 06 4A D5 92 46 unstrip for Solaris, Wimsey crypto archive, TECO, computer security links, change-sun-hostid, Sun NVRAM/hostid FAQ - http://www.squirrel.com/squirrel From llurch at networking.stanford.edu Sun Mar 17 14:48:59 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 18 Mar 1996 06:48:59 +0800 Subject: Judge blocks French ISPs from connecting to revisionist sites In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Those silly French people. And this right after the German Minister of Justice is quoted in Der Spiegel admitting that such blocking is foolish and counterproductive. OTOH, the Attorney General of Ontario threw out all charges against Ernst Zundel last Friday. Zundel's Holocaust-denial files are available from pathcom.com, cts.com, aol.com, compuserve.com, netcom.com, c2.org, stormfront.org, mit.edu, and cmu.edu (most of the Zundel-friendly sites require payment and a password). A student at pitt.edu has publicly and repeatedly offered to mirror Zundel's files as well, but he won't let her, because she's Jewish. None of the mirror sites are blocked by the French action, and of course all email and anonymous proxy routes are unfettered. Declan's list of links tells only one side of the story, with numerous factual errors that have been pointed out publicly and repeatedly. I refer you to last months' posts to comp.org.eff.talk by rich at c2.org. See also articles in the Western Jewish Bulletin by Hilary Ostrov and others, which support the right of Holocaust-deniers to speak freely. Those articles are available at: http://haven.uniserve.com/~hostrov/jwb/ http://haven.uniserve.com/~hostrov/mcvay.html http://haven.uniserve.com/~hostrov/denial.html There are dozens of articles, many of them by Holocaust survivors and the children of survivors and victims supporting the right of Holocaust-deniers to lie and organize freely on shamash.nysernet.org, www.eff.org, nizkor.almanac.bc.ca, and www.skeptic.com. The articles on the Skeptic Society and EFF sites have some interesting comments on the "Revisionists'" callous disregard for the truth in both substantive and "anti-censorship" matters. See: http://www.almanac.bc.ca/cgi-bin/ftp.pl?orgs/american/skeptic.magazine You will find not one article supporting the censorship of Nazis in alt.revisionism or alt.fan.ernst-zundel. For over a year, the regular posters have been trying to get the "Revisionist" leaders to participate in a public discussion on Usenet, but they have refused. Mendacious secret societies are secret not because they are oppressed, but because whenever they show their face in public, they are laughed at. http://www.users.cts.com/crash/m/metzger/White_Aryan_Resistance_Info/Race_%26_Reason.html - -rich Institute for Revisionist Revisionism http://www.c2.org/~rich/Press/Swedish/ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUyQ8Y3DXUbM57SdAQGaHAP/Q3LvW0XFnYl53xLcqmfLsbFbAmuFm7aM 5XTp3vGlVWyt2oRZpk2aP+emN70+kRaxcETDi8d9qIFZrsW+U9pbMajE7828VBB9 Muh5cS+1N0HoUnvTDx5Qu6fOXp+bhz+7zIGokCbgSlcf32fEqEv3yaJY7NzUGRrA ezgFaCK+DrM= =26m3 -----END PGP SIGNATURE----- From bglassle at kaiwan.com Sun Mar 17 15:25:45 1996 From: bglassle at kaiwan.com (Bob Glassley) Date: Mon, 18 Mar 1996 07:25:45 +0800 Subject: M$ CryptoAPI Question Message-ID: <314bb878.2839245@kaiwan.kaiwan.com> -----BEGIN PGP SIGNED MESSAGE----- With the current releases of the NT 4.0 betas, I would assume some of you have had the chance to look at the API more closely. I am getting ready to hack my first crypto enabled app and wondered if this was worth using or if Crypto C++ is the way to go. I would think that if their implementation is solid, and some of the *real* crypto gods write stronger CSP's than the M$ RSA Base CSP, this would be a good approach to get more enabled apps accepted for regular usage. Any thoughts? - --Bob -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUyb5e2vJ3dNshwFAQHN5wP7BN74aW2XhJnzfPnPyZUkg9N6asp+hCeN Mw6B6Q7iPd3le0nd8wDLJI6zj9lJ0oOP8ViwI0tDLYbG/H3dpQrA8cgUlOioVaAF L1ZruRvKn87gE0ZJHjIsnEeszxO+wAvnzPYPB2yTRM3LzQ1oIadjhj8FXnNxoVPN hZ+RJSF+qpI= =jEww -----END PGP SIGNATURE----- From dlv at bwalk.dm.com Sun Mar 17 16:11:07 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Mon, 18 Mar 1996 08:11:07 +0800 Subject: M$ CryptoAPI Question In-Reply-To: <314bb878.2839245@kaiwan.kaiwan.com> Message-ID: <5ckykD30w165w@bwalk.dm.com> bglassle at kaiwan.com (Bob Glassley) writes: > With the current releases of the NT 4.0 betas, I would assume some of > you have had the chance to look at the API more closely. I am getting > ready to hack my first crypto enabled app and wondered if this was > worth using or if Crypto C++ is the way to go. > > I would think that if their implementation is solid, and some of the > *real* crypto gods write stronger CSP's than the M$ RSA Base CSP, this > would be a good approach to get more enabled apps accepted for regular > usage. I wonder if it's worth it to crack their approval mechanism so we can add our own crypto subsystems without asking Microsoft's approval. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From jis at mit.edu Sun Mar 17 16:12:13 1996 From: jis at mit.edu (Jeffrey I. Schiller) Date: Mon, 18 Mar 1996 08:12:13 +0800 Subject: MIT PGP Distribution Site Upgraded Message-ID: <9603172338.AA24444@big-screw> (A copy of this message has also been posted to the following newsgroups: sci.crypt, alt.security.pgp) -----BEGIN PGP SIGNED MESSAGE----- New Software being used to distribute PGP via the World Wide Web from MIT. Since last night (Saturday) we have been running new Web Server software at http://web.mit.edu/network/pgp.html (the MIT PGP Homepage). This software is specially coded to deal with the complications of running an export controlled Web distribution site. The primary visible (to you) feature of this new software is that the bureaucracy necessary to get into the distribution site has been automated. When our old software believed your host was not in the U.S. or Canada because it was unable to "reverse resolve" your host's name you were out of luck. With this new software you will be given a chance to enter your e-mail address. We will then verify your e-mail address in real time and send you a special password which will allow you access to the distribution site, even if we couldn't let you in previously (this whole process happens automatically and doesn't wait for me to manually do anything!!!). IF YOU PREVIOUSLY SENT ME MAIL ASKING THAT I ADD YOUR SITE (particularly if I haven't responded, which is likely given the large number of requests I receive a day) YOU SHOULD TRY OUR WEB SITE NOW. Note: This software is still a little green and may be down from time to time while I install new versions (or if it crashes hard while I am sleeping or in meetings). There are known problems mostly dealing with older browsers which do "interesting" things. If you cannot get past the PGP access form page, keep trying (after a day or so). I will be monitoring the debugging logs and fixing things as I notice problems. AOL users cannot yet get through (I am working on this tonight, but I don't know if I'll figure out what is going on before I have to call it a night). Please do *not* send me e-mail yet reporting problems (the debugging logs will tell me a lot) unless you believe the problem you are seeing is particularly "interesting." Once the code is more stable I will send another message indicating that I think things are stable, *then* you can complain to me when things don't work because I will be removing the debugging code after it is stable. Also Note: We are only using this new software for PGP at the moment *NOT* PGPfone. However our plan is to convert the PGPfone distribution site to this new software as well. Btw. Phil informs me that the next PGPfone beta test, for both the Macintosh and (finally) Windows '95 should be ready any day. Some of you have heard this story before... but maybe this time... When this next release of PGPfone is made available, the new distribution system will be in effect. Technical details (for those who care, the rest of you can skip this): The new distribution system is a stand alone program which you talk to after "posting" the PGP access form. This program is a complete Web server in and of itself. It runs in one process, multiplexing up to 50 connections simultaneously (this makes it fast because it doesn't have to fork processes, something UNIX isn't particularly good about). It is written in C++ (compiled under G++) and is currently hosted on a SGI Indy workstations (175Mhz processor with 100 Megabytes of RAM), though it may move to a different server soon. And yes, I will be making it publicly available after I have it better debugged. -Jeff -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMUyiJMUtR20Nv5BtAQGPrAQAq2z7Nz3/XlWqjcRwSq8aFRiiqLI04oEp w1T9OZk3Ie7cTgfebyA69yGLNXPo4oFfea9Y6fw56eOMP2F/+gaCEajXhCwrMIjQ zSp8jF0QzTihZv0QYod2t4wIlOw7jNiAUIRdIBELI2OS12J0TRwOxb4eogHvI6Jh Q08S107/X1c= =GaW0 -----END PGP SIGNATURE----- From adam at lighthouse.homeport.org Sun Mar 17 16:12:18 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Mon, 18 Mar 1996 08:12:18 +0800 Subject: M$ CryptoAPI Question In-Reply-To: <314bb878.2839245@kaiwan.kaiwan.com> Message-ID: <199603172343.SAA26113@homeport.org> Bob Glassley wrote: | With the current releases of the NT 4.0 betas, I would assume some of | you have had the chance to look at the API more closely. I am getting | ready to hack my first crypto enabled app and wondered if this was | worth using or if Crypto C++ is the way to go. MS's crypto API is only available on MS platforms (AFAIK.) If you want to be able to run cross platform, I'd reccomend something that works on other platforms. Crypto++ is probably preferable to MS's API for that reason. For other options, I maintain a table of crypto libraries at www.homeport.org/~adam/crypto/ Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From sanwar at bclimser.demon.co.uk Sun Mar 17 16:43:33 1996 From: sanwar at bclimser.demon.co.uk (Sanwar Ali) Date: Mon, 18 Mar 1996 08:43:33 +0800 Subject: Backup of Encrypted Partition Message-ID: <827090597.2529.0@bclimser.demon.co.uk> Hi Apologies if this is too much of a beginner's Q. Does anyone know how to backup a "SecureDrive" partition onto tape quickly and easily. HPACK is really slow. PKZIP and then PGP is slow. RAWDISK, seems to be quite complex (perhaps I am just stupid!), and I am terrified of making some sort of terrible mistake. I have about 100MB in the partition. I have a pretty out of date computer which is a 386 33MHz running Windows. Any ideas and all the best. -- Sanwar Ali Managing Partner BCL Immigration Services 40 South Audley Street Mayfair London, W1Y 5DH UK Telephone: +44 171 495 3999 or +44 171 495 8662 Fax: +44 171 495 3991 e-mail: sanwar at bclimser.demon.co.uk, sanwar at pobox.com For public key: finger sanwar at pobox.com From llurch at networking.stanford.edu Sun Mar 17 16:51:01 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 18 Mar 1996 08:51:01 +0800 Subject: Judge blocks French ISPs from connecting to revisionist sites In-Reply-To: Message-ID: In other news, Holocaust Revisionist mgiwer at combase.com (Matt Giwer) has been *openly bragging* about getting a political opponent kicked off of a conservative Texas ISP. The main difference between the French and Texas cases being that the information on Rack Jite's web pages was true, and the information on the Holocaust Revisionist sites is not. I guess that's not important, though, since by definition, Political Correctness only targets the right. -rich From spyking at mne.net Sun Mar 17 16:52:34 1996 From: spyking at mne.net (SpyKing) Date: Mon, 18 Mar 1996 08:52:34 +0800 Subject: Sample Codex Newsletter Message-ID: <9603172340.AA02237@mne.com> The Codex Surveillance & Privacy Newsletter - Sample Issue Excerpts Published monthly - Subscription Rate $95.00 Foreign Subscriptions: $135.00 The Codex is a hardcopy newsletter delivered by first class US mail. Send Check or MO to: Codex Publishing 286 Spring Street New York, NY 10013 Tel: 212-989-9898 Fax: 212-337-0934 Every day we see or hear in the news, stories about electronic surveillance, wiretapping, corporate espionage, computer hacking, etc. Ever wonder how it's done? The Codex is a monthly newsletter published by Codex Publishing of New York City. It was created by professionals in the field of electronic surveillance, countermeasures, security, investigations and competitor intelligence and will teach you all the inside "Tricks of the Trade". Prior issues of the Codex have featured articles on: How to TAP a telephone...How to BUG a room...How to intercept a CELLULAR telephone conversation... How to intercept a digital PAGER...How to HACK a web site...How to DECODE telephone numbers off a tape recording...How to LISTEN into your home or office when you're away on vacation...How to SEE into your home or office when you're away on business...How to build a RED BOX for free phone calls...How to DETECT an eavesdropping device planted in your home or office...How to ACQUIRE personal & confidential information on anyone... Future issues of the Codex will feature "How To" articles on: Spying, Industrial Espionage, Competitor Intelligence, Emerging Technologies, Privacy and How to get it, Computer Hacking, Telephone Phreaking, Cons & Schemes, Insider tips on the Internet, Self Defense, Big Brother, Encryption, Surveillance Devices, Privacy Equipment, Intelligence Gathering Equipment and Sources of Confidential Information One time reprint and excerpt rights automatically granted provided our name and address is given. Enclosed is an abbreviated sample. LETTER FROM THE EDITOR Happy New Year to everyone and we sincerely hope 1996 brings you all good fortune and everything you hope for. Be careful, you just might get it... In response to the overwhelming requests for advertising rates and information we have decided to accept limited advertising in 1996 and will begin to accept advertising immediately. Advertising will be limited to a full page at the nominal rate of $150.00 per issue with volume discounts of course. We will travel shortly to New Zealand to attend 'The Gathering Conference" on information and communications security and will report our findings in great detail in an upcoming issue of the Codex. "The Gathering" promises to be an exciting and information bonanza with several of the top people in the world attending and speaking on a variety of subjects of interest to us all. We urge you to adise us if you have a security, computer or communications function planned, as we will make every attempt to give the event coverage. If we don't know about it...there's not much we can report. We've got a wealth of info for you this month with a very interesting topic on Web Site hacking. Seems the old rule applies, "Anything man can invent, man can defeat." How long before this window is closed? Don't forget. ..If there is a topic you would like to see covered, please let us know and we'll do everything we can to get it done for you. Enjoy this issue...we had fun doing it. SpyKing **************************************************************************** ****** **************************************************************************** ****** Nowhere to run...Nowhere to hide... The vulnerability of CRT's, CPU's and peripherals to TEMPEST monitoring in the real world. Copyright 1996, All Rights Reserved By Frank Jones CEO Technical Assistance Group 286 Spring Street New York, New York 10013 USA Tel: 212-989-9898 Fax: 212-337-0934 E-Mail: spyking at thecodex.com URL: http://www.thecodex.com George Orwell wrote the classic "1984" in 1949. He depicted a world in which the government controlled it's citizens and a world devoid of privacy. Many of the things Orwell wrote almost fifty years ago have come to pass. Surveillance technology has progressed to the point that is possible to identify individuals walking city streets from satellites in orbit. Telephone, fax and e-mail communications can routinely be monitored. Personal information files are kept on citizens from cradle to grave. There is nowhere to run...nowhere to hide... The advent of the personal computer has revolutionized the way we do business, keep records, communicate and entertain ourselves. Computers have taken the place of typewriters, telephones, fax and telex machines. The Internet has opened up a new world of high speed and inexpensive communications. How secure and private is it? There are many encryption programs and hardware devices available for security purposes but what about the computer terminal itself? How safe is it? What are it's vulnerabilities? Hackers have been known to cause mischief from time to time...Is it possible for an adversary to snoop on your private data? Can Big Brother? Suppose it was possible to aim a device or an antenna at your apartment or home from across the street or down the block. Suppose you were working on a confidential business project on your PC. Suppose that device down the block could read what you were typing and viewing on the CRT? Feeling uncomfortable? Suppose that device could monitor everything you do on your computer by collecting electromagnetic radiation emitted from your computer's CRT, CPU and/or peripheral equipment, reconstruct those emissions into coherent receivable signals and store them for later review? Feeling faint? Good. The technology exists...and it has for some time.... You don't have to worry about a "middle of the night" break-in by some clandestine government black-bag team to plant a bug. They never have to enter your home or office. Seedy looking private investigators or the information warrior won't be found tampering with your telephone lines in the basement either...it's not necessary...all they have to do is point an antenna...safely, from a distance away...and collect your private data... This surveillance technique has become known as TEMPEST monitoring. TEMPEST stands for Transient Electromagnetic Pulse Standard. It is the standard by which the government measures electromagnetic computer emissions and details what is safe (allowed to leak) from monitoring. The standards are detailed in NACSIM 5100A, a document which has been classified by the National Security Agency. Devices which conform to this standard are called TEMPEST certified. In 1985, a Dutch scientist Wim van Eck published a paper which was written about in the prestigious "Computers & Security" journal, "Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?" Vol 4 (4) pp 269-286. The paper caused a panic in certain government circles and was immediately classified as is just about all TEMPEST information. Wim van Eck's work proved that Video Display Units (CRT's) emitted electromagnetic radiation similar to radio waves and that they could be intercepted, reconstructed and viewed from a remote location. This of course compromises security of data being worked on and viewed by the computer's user. Over the years TEMPEST monitoring has also been called van Eck monitoring or van Eck eavesdropping. In 1990, Professor Erhard Moller of Acchen University in Germany published a paper, "Protective Measures Against Compromising Electromagnetic Radiation Emitted by Video Display Terminals". Moller's paper which updated in detail van Ecks's work also caused a furor. The government's policy of TEMPEST secrecy has created a double edged sword. By classifying TEMPEST standards, they inhibit private citizens and industry by failing to provide the means of adequately shielding PC's and/or computer facilities. There is an old saying, "You can't drive a nail without the hammer". If concerned personnel don't know the minimum standards for protection...how can they shield and protect? Shielding does exist which can prevent individuals and companies from being victims to TEMPEST monitoring. But without knowing the amount of shielding necessary... Perhaps this is the way the government wants it... My work has focused on constructing a countermeasures device to collect and reconstruct electromagnetic emissions from CRT's, CPU's and peripherals to diagnose emission levels and give security personnel a hands-on tool with which they can safeguard their computer data. In testing my countermeasures device I concentrated on interception and reconstruction of the three types of emitted electromagnetic radiation written about in van Eck and Moller's work. 1. Electromagnetic radiation emitted from CRT's - similar to radio waves 2. Shell waves on the surface of connections and cables 3. Compromising radiation conducted through the power line I found my greatest success (distance & quality) was in the collection of emitted radiation from the CRT although we were equally successful in our other experiments. In our opinion the greatest danger of TEMPEST monitoring comes from off premises and we decided early on to concentrate in this area. A workable countermeasures tool would give security personnel a handle on distance from which compromising electromagnetic radiation could be collected. Hopefully full countermeasures would then be implemented. This also is a double edged sword. The device I built albeit a countermeasures tool...can be used as an offensive TEMPEST monitoring device. My concerns however are that if such a device is not made available to the private sector...then the private sector is at the mercy of the information warrior using TEMPEST technology to gain an unfair advantage. TEMPEST MONITORING...HOW IT WORKS TEMPEST monitoring is passive. It cannot be detected. The computer emits compromising radiation which can be reconstructed from a remote location. There is no need to ever come near the target. No reason ever to go back to change a faulty bug like the Watergate burglars...It can be performed from an office or a vehicle with no chance of discovery. The premise is very simple. All electronic devices emit some low level electromagnetic radiation. Whenever an electric current changes in voltage level it generates electromagnetic pulses that radiate invisible radio waves. Similar to the ripples caused by dropping a small rock into a quite pool of water. These electromagnetic radio waves can carry a great distance. Computer monitors like televisions contain an electron gun in the back of the picture tube which transmits a beam of electrons (electric current). When the electrons strike the screen they cause the pixels to fluoresce. This beam scans across the screen from top to bottom very rapidly in a repetitive manner, line by line, flashing on and off, making the screen light and dark, creating the viewed image. These changes in the high voltage system of the monitor, generate the incoherent signal that TEMPEST monitoring equipment receive, reconstruct and view. We have found that most monitors emit signals in the 20 to 250 Mhz range although harmonics are fairly strong and can be intercepted. Radiated harmonics of the video signal bear a remarkable resemblance to broadcast TV signals although various forms of sync must be restored. Associated unshielded cabling can act as an antenna and increase interception range. Emissions can be conducted down power cables and supplies. Computers attached to unshielded telephone lines are easy prey as the telephone line acts as an excellent antenna. Printers and their cables are not immune either. The average computer setup in the home or office could be compared to a base station transmitting it's signals all over the neighborhood. Put quite simply, it is easy for someone with basic electronics knowledge to eavesdrop on you, while you are using a computer. They might not be able to steal everything from the hard disk but they can view anything you do....see anything you see... HOW IT'S DONE...THE COMPONENTS A good commercial wide band radio receiver preferably designed for surveillance (requires a little modification) with spectrum display. Sensitivity and selectivity are paramount. Not all receivers will do the job adequately Horizontal and vertical sync generator. Commercially available and will require some modification. Video Monitor with Shielded cables Active Directional Antenna (phased antenna array) with shielded cables. Think radio telescope. Video tape recording equipment. For capture and later review. WHAT WE WERE ABLE TO CAPTURE... Bench testing of the unit was quite successful in and around the office. Several computers were targeted and interception of the data was simple after injecting and restoring vertical and horizontal sync. We had no problem viewing computer screens on adjacent floors in the building (we were sometimes hindered by noise) and were able to differentiate (to my surprise) between different computers in a large office. We aimed our device out the window across the street at an adjacent office building and were able to view CRT screens without too much difficulty. I should mention here that during the field tests NO DATA WAS STORED FROM TARGET COMPUTERS. We were not on an eavesdropping mission. We simply were interested in testing OUR equipment not spying on others. Field testing of the unit was quite different and required continuing manipulation of the equipment. From a vehicle in a suburban area we were able to view active televisions inside homes ( the cable/pay-per-view people could have a field day) and what programs residents were watching. When we came across homes with active computers we were able to view CRTs. Average range was approximately 300 yards. We continued to test the device in a suburb of New York City with startling results. We were able to view CRT screens at ATM machines, banks, the local state lottery machine in a neighborhood candy store, a doctor's office, the local high school, the fire department, the local police department doing a DMV license plate check, a branch office of a securities trader making a stock trade and the local gas station tallying up his days receipts. We didn't expect that any of our "targets" would be TEMPEST certified and we were correct. BIGGER FISH IN A BIGGER POND We took our DataScan device, as we named it, to New York City. The Big Apple. We were interested in testing the integrity of various computer facilities and also wanted to see how our device would operate in an urban environment. Let me start off by saying New York is in a lot of trouble. We started at Battery Park (the southern tip of Manhattan Island) and headed north to Wall Street. The US Customs building leaks information as well as the Federal Reserve. Wall Street itself was a wealth of information for anyone interested. With hundreds of securities and brokerage companies located within a few blocks of each other, all an information warrior need do is rent an office with a view and aim his antenna. We were able to view CRT's in MANY executive offices. The World Trade Center was fertile. It afforded open parking areas nearby with millions of glass windows to snoop...we were most successful snooping the lower floors from the street. We borrowed a friends office at mid-tower in the south building and were able to view CRT's in the north building easily. We headed east towards the New York Post newspaper offices and read the latest news off their monitors (which was printed the next day). We headed north towards City Hall and NYPD Police Headquarters. Guess what? They're not TEMPEST certified either...Neither is the United Nations, any of the midtown banks, Con Edison (the power company) on First Avenue, New York Telephone on 42nd Street or Trump Tower! Citicorp's computer center in the SkyRink building on West 33rd Street was a wealth of information also... We found that with the proper frequency tuning, antenna manipulation, reintroduction of sync and vehicle location , we could monitor just about anyone, anywhere, anytime. There is no doubt in my mind that TEMPEST eavesdropping is here to stay and something that must be dealt with by computer and security professionals. Passwords, files, proprietary data and records are all vulnerable to the information warrior using TEMPEST monitoring equipment in a non TEMPEST certified world. POTENTIAL USERS OF TEMPEST MONITORING Big Brother: Yes, that's right. He does bug businesses. Sometimes with a court order and sometimes without one. It's unclear under present American law whether or not a court order would to needed to collect TEMPEST information. You never know when Big Brother's on a witchhunt. Maybe he suspects you of being a tax cheat, of insider trading, leftist sympathies, etc. Remember Watergate? Now, the FBI wants to be able to tap EVERY telephone, fax and data line in America at the turn of a switch and they want US to pay for it...Using TEMPEST technology they need never enter or come near your home or business. Foreign Intelligence Services: In the last days of the Bush Administration, the mission of the CIA was partially changed to spy on foreign businesses and steal trade secrets in response to the every growing surveillance of American industry by foreign competitors and foreign intelligence services. The Japanese are the worst. Most of the Japanese students living and attending school the USA are economic trade spies. The French intelligence service regularly bugged ALL the first class seats on AIR FRANCE flights to eavesdrop on traveling foreign businessmen. EVERY foreign service in the world is involved in corporate espionage to gain an economic advantage for their own companies. Do you have a foreign competitor? Then the chances are good that a foreign intelligence agency will spy on you. TEMPEST technology is becoming the medium of choice . The Activist: Dedicated, yet misguided activists may wish to further their own cause by releasing your private disclosures to the media. Every company circulates confidential memos that would be embarrassing if released to the public. TEMPEST technology makes corporate snooping simple. The Dissident: Dissidents want to damage more than your company's reputation. They may use TEMPEST technology as a means of compromising your internal security, valuable products and equipment, and even executive travel plans in order to commit crimes against your person, family or property! Financial Operators Unethical financiers can benefit greatly from prior knowledge of a company's financial dealings. TEMPEST attacks can be mounted quickly and from a distance with virtually no chance of discovery. Competitors: Competitors may seek to gain information on product development, marketing strategies or critical vulnerabilities. Imagine the consequences of a concerted TEMPEST attack on Wall Street. How much are you going to offer for that stock next week? You need to buy how many shares for control? Unions: Unscrupulous union negotiators may use TEMPEST technology to gain knowledge of a company's bargaining strategies and vulnerabilities. Is your company is having labor problems? Is your company is involved in any type of litigation or lawsuit with a union? Does your company have layoffs pending? Employees: One of your company's employees might use TEMPEST technology on another to further his own career and to discredit his adversary. It would be a simple matter for an adversary to plant a mole in your company who could position TEMPEST monitoring equipment in the right direction even though they might not be allowed to enter a specific restricted area... The Information Warrior: Brokers may profit from selling your company's secrets to the highest bidder, or maybe even to anyone who wants to know! Does your company have stock that is traded publicly? Or will be soon? With TEMPEST technology there is nowhere to run...nowhere to hide...Keep in mind that anybody with money, power, influence, or sensitive information is at serious risk. FINDINGS AND RECOMMENDATIONS Using simple off-the-shelf components with minor modifications we were able to monitor computer CRTs "at-will" in suburban and urban environments. We did not recreate the wheel. The TEMPEST monitoring premise is simple and anyone with a basic knowledge of electronics could construct such a device and use it with impunity. Our DataScan device differs from earlier models because of the unique signal amplification and directional antenna array used which we believe enhances the collection process greatly. It appears from our research that most individuals and companies do not use TEMPEST certified equipment and most have never even heard of TEMPEST. I believe the media should be made aware of the problem in hope that publicity about potential TEMPEST attacks will force the government to release the information necessary to allow private citizens and industry the means to properly secure their proprietary data. **************************************************************************** ******* **************************************************************************** ****** HACKING CELLULAR PHONES It turns out that there are several Japanese handheld transceivers (HT's) availible in the US for use by ham radio hobbyists that have hidden features allowing them to operate in the 800MHz band used by cellular telephones. Using an FSK decoder chip and a personal computer running an assembly language program to record and decypher the ID beeps at the beginning of cellular calls, a "phone book" of celular ID's can be compiled. A simple FSK oscillator controlled by the PC can then be used to dial out using the Handheld Transceiver and the captured ID codes. A low tech analysis could be done by taping the beeps and playing them back at slow speed into an oscilloscope. An edited tape may even be adequate for retransmission; no decyphering required. Several radio stores in New York sell the HT's and have given advice in the past about how to access the hidden out-of-band tuning features in the ROMS of the Japanese HT's. It's possible now to listen in to cellular phone conversations without building any special hardware. In fact if you have a good antenna, or live near a cellular repeater tower, you can pick up celluar calls using a UHF TV with a sliding tuner by tuning in "channels" between 72 and 83 on the UHF dial. Beside the obvious benefits of unlimited, untraceable, national mobile voice communication, there are other uses for cellular hacking. For instance: most people using cellular phones are pretty upscale. It is possible to scan for ID codes of the telephones of major corporations and their executives and get insider stock trading information. Simply by logging the called and calling parties you will be able to compile a database mapping out the executive level command & communication structure. If this is linked to a Vox operated tape deck you will know precisely what is going on and be able to note any unusual activity, such as calls between the executives of corporations that are in a takeover or leveraged buy out relationship. It is even likely that you will occasionally intercept calls between investors and their stock brokers, or calls discussing plans for new contracts. This data is most safely used for insider trading of your own; there will be no way that the Securities and Exchange Commission can establish a link between you and the insiders. A more risky proposition would be to offer any intelligence gathered to competitors for a price as industrial espionage. Then there are the anarchy & disruption angles for cybernetic guerrilla action at the corporate economic & financial level. Leaking info to the press can kill a deal or move stock prices prematurely. Intelligence gathered via cellular hacking can also be used to plan operations against corporate mainframes by providing names and keywords, or indicating vital information to be searched for. Listening to the phone calls of candidates and their campaign staff is also a field rich in possibilities. :) + **************************************************************************** ******* **************************************************************************** ******* WEB SITE HACKING A friend of mine showed me a nasty little "trick" over the weekend. He went to a Web Search server (http://www.altavista.digital.com/) and did a search on the following keywords - root: 0:0 sync: bin: daemon: You get the idea. He copied out several encrypted root passwords from password files, launched CrackerJack and a 1/2 MB word file and had a root password in under 30 minutes. All without accessing the site's server, just the index on a web search server! Well, the first thing I did was check my site and it's ok. The second thing I did was check my ISP for my home account, and it's okay. But by trying various combinations of common accounts on web searches, dozens of passwd files were found. It seems that a large number of locations who use httpd and ftpd on the same server often copy the regular passwd file to ftp/etc or ftp-users/etc for ftp user access. A few sites have left the root password in the file, and many contain user accounts' passwords. The problems I see here are as follows: 1. You can get the passwd file in some cases by simply pointing your URL to http://target.com/ftp/etc/passwd or http://target.com/ftp-users/etc/passwd. Not good. Anon ftp can't get it but a web browser can. Many passwd files are shadowed but you can see some legit account names. Yes, I realize that this may be a dummy file but hey, not always the case. 2. Some sites do not have the passwd file world readable, but the entire passwd file stills exists indexed on the web search server. I don't know about you, but I don't think I'd want my passwd file indexed and searchable on a world accessible web server. + **************************************************************************** ****** **************************************************************************** ****** MONITORING 900Mhz SPREAD SPECTUM Whats the current thinking on the security level of 900Mhz digital spread sectrum cordless phones? Clearly it's not a basic scanner job but how much more equipment is needed to monitor one ? The easiest way to do this is to simply buy a similar phone which has all the required signal processing hardware for that particular type of spread spectrum and modify it to receive promiscuously and not transmit while doing so, As far as I know, essentially no cordless phones use any kind of actual secure encryption of the digital bit stream, so all you have to do is ensure that your shadow phone is primed with the correct spreading sequence or hopping sequence and is tuned to the right center frequency. Typically choices for these are very limited (maybe 20 channels) and modifying the micro firmware in a phone or base unit to search all possiblities is realistic, especially with the help of an external PC as controller. The digital 900 mhz phones all use different proprietary modulation schemes, but many of them simply transmit a FSK or BPSK RF carrier digitally modulated by the output bitstream of a codec chip (CVSD or regular u-law PCM) on one of several randomly selected channels, perhaps slowly hopping from channel to channel in a fixed sequence. Even the phones that use direct sequence spreading are effectively just transmitting a fast BPSK signal modulated at the chip rate. Receivers and signal processing boxes capable of dealing with this kind of digital modulation are a standard commodity item in the spook world (made by Condor Systems and Watkins Johnson and the like) and even sometimes show up on the high tech surplus market (and are collected by some of us who collect high tech spook hardware as a hobby) they are however very expensive compared with simply modifying a couple of real phones to do the job. The digital modulation and "spread spectrum" features of 900 mhz phones are primarily intended to allow them to share the 902-928 mhz band with all the other users (other phones, truck tracking systems short range wireless video cameras and video distribution, various industrial users, wireless LANs of several types, ham radio operators, and several other types of unlicensed uncoordinated devices radiating up has plagued the older 46/49 mhz FM type. The FCC in fact requiressome level of spectrum spreading for this purpose but leaves the actual choice up to the implementor rather than establishing a standard method. Obviously only a secure form of encryption with randomly chosen and wide enough keys would really make intercepting a digital cordless phone difficult for someone determined to do so, especially if they were targeting one particular phone. I believe almost all of the manufacturers have chickened out in the face of NSA and ITAR and not even implemented toy encryption with random keys - they are simply assuming that Joe Sixpack or his 14 year old son won't be able to pick them up on a commercially available scanner and that the federal law banning sale of scanners capable of intercepting digital transmissions and converting them to analog listenable audio will keep the scanner companies from marketing such and keep customers from complaining about nosey neighbors listening to their calls. But don't assume that if someone really has some serious reason, you can be certain that expensive ($5-$20K) DSP based systems capable of intercepting several common types are already for sale to the usual suspects. And finally one should not forget that unless one has an ISDN line, intercepting calls on regular analog subscriber loops (normal telephone lines) by virtually undetectable simple alligator clip class wiretaps or bugs is something that any bright 12 year old can pull off (and many do before they grow up) - so if you have something to hide you shouldn't trust the phone at all. + **************************************************************************** ******** **************************************************************************** ******** COMPUTER SECURITY FOR PRIVATE PEOPLE Why should you worry about security? The answer lies in the fact that information has become an extremely marketable commodity.This commodity can be stolen from you without your knowledge, causing sometimes devastating harm to your business and personal life. Sensitive information needs guarding. Implementing an computer security program first requires you to determine what data is truly sensitive. The rule of thumb should be that any data, improperly released, that could cause a loss equivalent to ten percent of your annual net profit or mental hardship should be classified as sensitive. METHODS OF ATTACK Computer-based systems include all machine-readable files and auxiliary items such as magnetic backup tapes, floppy disks, printer paper carbons, and printer ribbons. Common methods of attack include unauthorized copying of files, hacking (unauthorized access to your system), between-the-lines entry (using a logged in terminal while the user is away), and hard disk surveillance (using a utility program to search for sensitive files on your Hard drive). Wire taps or other methods used to intrude on your phone lines or view your monitor. Imagine that you are holding an unlabeled floppy disk in your hand. Can you tell by eye what the disk contains? No, you need a computer to do that. How much information can a 720K disk hold? Even a disk of that small capacity holds more data than a regular size novel. High density disks (1.2 MB) hold almost twice that amount. When you give the DOS "Del a: *.*" command for this disk, all of the files are completely erased from the disk right? Wrong! Any good utility program such as the Norton Utilities or Lotus' Magellan can find those files and undelete them. s copying files from a hard disk to a floppy a time consuming and complex process? No, even with relatively large files, it is a fairly simple and quick procedure. Using a program like Magellan, one would be able to pick, choose, and sort files to copy very easily. >From the preceeding questions, the following about floppy disks is evident: 1. Unless they are scanned by a computer, you cannot tell what files are on them. External labels may be incorrect or misleading. Classification labels can be removed. 2. Their data storage density is such that hundreds of sensitive files could be walking out your door on a few microfloppies in someone's shirt pocket. 3. Floppies can retain sensitive files even when they look erased. 4. Floppies are easy to copy. It is easy to copy files from hard disks to floppies. None of this requires any extensive computer knowledge. Since floppy disks and the new 8mm magnetic tape backups for PC's have extreme portability, rigid measures have to be taken to protect them and to prevent unauthorized copying of your hard drive onto these media.The following would help: a. While it is fine to keep your programs on hard disk, the sensitive data files that they generate would be written to floppy disks. These disks could be backed up with another disk. The originals should be locked up onsite. The backups should be securely stored offsite. b. Make sure sensitive magnetic media have both an external label and an internal electronic label designating their classification (the DOS LABEL command can do this). c. Use the DOS ATTRIBUTE command on sensitive files to set an electronic switch so that the files cannot be accidentally erase. Attributing sensitive files on a disk also acts as a deterrent to someone grabbing a classified disk, changing the external label, then doing a global DELETE on the disk so they can remove it from the site under the guise of it being empty. Later they would UNDELETE the files using a file utility. d. Employ password security on sensitive files. Wordperfect 5.1 (and higher) has the ability to place minimal password protection on files. While the password (lockword) protection for Wordperfect is far from foolproof, it, combined with the other security measures suggested, provides a fairly decent perimeter of security. There are software packages available for PC's that can encrypt entire files. e. Have a consistent backup procedure for all of your files. Backup sensitive files onto disks designated and labled for that purpose. f. Do not leave disks with sensitive files on them unattended or unsecured. In large offices, require that authorized users of classified disks sign the media in and out through a designated librarian. g. Before sending a magnetic disk to someone, scan it with a file utility program to ensure it has no deleted, but recoverable, sensitive files. If it does, reformat the disk, and then write the non-sensitive files to the disk. h. Before trashing magnetic media, cut them up into little pieces. For damaged disks containing highly sensitive files, you may wish to use a degausser on the disk first. By not keeping sensitive files on your hard disk, you go a long way toward computer security. However, you should also consider the importance of not leaving a secure place (such as a locked drawer in their desk). At the end of the day, all classified media must be returned to the central library to be locked up. Also, auxiliary items such as spent carbons, printer ribbons, printouts, and damaged magnetic media should be securely stored until disposed of. Sensitive computer printouts should be shredded and intermixed with non-sensitive shredded documents prior to disposal. OTHER COMPUTER DEFENSES You may decide to use integrated software security packages such as Norton Disklock. These among other packages, offer hard disk lockdown, file lockword protection, temporary keyboard lockdown, and some security audit trails. The best defense though is not to put all your eggs in one basket. One can install security software on their computer and still keep sensitive files on securely locked away floppies. In fact, it might behoove you to place "decoy" sensitive files behind your security software defense. Decoy files look like they contain valuable, sensitive information, but in reality, behind their technical appearance, they have no useful secrets. These types of files can be "trapped" with information which, if it becomes public, would be harmless, but would tell you of a penetration or compromise. This method can be called the "False Fortress" defense. A TSCM (or Technical Surveillance Countermeasures) expert should be consulted if there is a possibility of some wanting your data so badly that they would resort to illegal taping or otherwise tampering with your phone lines or remotely viewing your monitor (yes it can be done). POINTS TO REMEMBER 1. When the terms "lock" or "locked up" are used for storage areas, we mean locks or safes that can withstand a physical attack of at least one to two hours of duration. 2. Do not make it easy for an information thief by placing signs in your office on where sensitive materials are stored. 3. Keep access to sensitive information by your coworkers and associates on a need-to-know basis. SUMMARY Your computer security will be good only if you use a comprehensive plan. Each defense must be adequate. It does little good if the password to a sensitive file is your first name. Learn to think like an information thief, and you will have less chance of being victimized by one. If you think that there is no possibility of anyone attempting to use covert methods to steal information from you...think again! In today's high-tech world, secrets are increasingly at a premium. + **************************************************************************** ********* **************************************************************************** ********* THE USE OF VOICE MAILBOXES BY TELEPHONE PHREAKERS For the past few years the use of voice mailbox systems in the USA has been increasing. Voice mailbox systems must be divided into two different types: Toll-free voice mailbox systems used by many types of companies, and voice mailbox systems from companies providing party lines, dating lines and other, mostly expensive, services. Normally a phreaker will primarily select the toll-free voice mailbox system. If no toll-free voice mailbox is available he probably has the knowledge and the technical capability to call a voice mailbox of a service provider in an illegal toll-free way. The problem, however, is not which voice mailbox system he will call, but how he will use it. To understand how to misuse a voice mailbox system, the basic system use must be understood. A voice mailbox is like a house. When you enter the house your host welcomes you. The host in this case is a voice menu explaining all the functions of the system. To choose one of these functions you just have to press the corresponding button of the key-pad. Having made a selection you will leave the entrance and enter a "room". Each room is dedicated to a special topic. Topics can be live discussions with as many people as are in the room, public message areas, private message areas, playing a game, etc. A large voice mailbox system can have more than 100 different "rooms". If the number is not toll free, the phreaker uses techniques to call the voice mailbox system free of charge anyway. If the voice mailbox is interesting, easy to hack and fits his needs, the phreaker has a lot of uses for such a system. It has been evidenced by court trials that phreakers use voice mailbox systems as their "headquarters", to meet, to discuss, to have conferences with up to 20 persons participating at the same time, to leave messages to other phreakers or to deposit and share knowledge. They waste system resources without paying for it. It is also interesting to see how the phreakers used system resources. As mentioned above, a voice mailbox is like a house, a house with easy-to-pick or no locks in the doors. The business of the service provider requires the voice mailbox to be easy to use without big security installations. The voice mailbox must be an open house for everybody, and that makes it easy for the phreaker. First a phreaker will look for hidden functions in the voice mailbox. Hidden functions are normally used to reprogram the voice mailbox from a remote location. Commonly, hidden functions are available to increase the security level of certain rooms and for creating new rooms with new possibilities and features. With knowledge of the hidden functions of a system, the phreaker can create new rooms for meetings with other phreakers, and he is able to raise the security level of such rooms so that only insiders can gain access. Increasing the security level means assigning an access code to a room. Without knowledge of the access code the room cannot be entered. Thus, he is able to create a voice mailbox inside the voice mailbox for a closed user group, "Entrance for phreakers only". This voice mailbox for phreakers can be used to post calling card numbers, private messages for other phreakers, the newest access codes for other voice mailbox systems, the newest tricks on how to cheat the telephone system, etc. All owners of voice mailbox systems can do is to watch the traffic inside his system and look for changes such new rooms suddenly appearing. From a pratical point of view it is very difficult to increase the security of a voice mailbox without causing problems for paying users. In case of misuse it is necessary to co-operate with. a security expert and the local authorities to limit financial losses. + **************************************************************************** ******** **************************************************************************** ******** COUNTERFEITING MONEY This information is provided for informational purposes only to familiarize security and law enforcement personnel with one method of counterfeiting money. Before reading this article, it would be a very good idea to get a book on photo offset printing, for this is the method used in counterfeiting US currency. If you are familiar with this method of printing, counterfeiting should be a simple task. Genuine currency is made by a process called "gravure", which involves etching a metal block. Since etching a metal block is impossible to do by hand, photo offset printing comes into the process. Photo offset printing starts by making negatives of the currency with a camera, and putting the negatives on a piece of masking material (usually orange in color). The stripped negatives, commonly called "flats", are then exposed to a lithographic plate with an arc light plate maker. The burned plates are then developed with the proper developing chemical. One at a time, these plates are wrapped around the plate cylinder of the press. The press to use should be an 11 by 14 offset, such as the AB Dick 360. Make 2 negatives of the portrait side of the bill, and 1 of the back side. After developing them and letting them dry, take them to a light table. Using opaque on one of the portrait sides, touch out all the green, which is the seal and the serial numbers. The back side does not require any retouching, because it is all one color. Now, make sure all of the negatives are registered (lined up correctly) on the flats. By the way, every time you need another serial number, shoot 1 negative of the portrait side, cut out the serial number, and remove the old serial number from the flat replacing it with the new one. Now you have all 3 flats, and each represents a different color: black, and 2 shades of green (the two shades of green are created by mixing inks). Now you are ready to burn the plates. Take a lithographic plate and etch three marks on it. These marks must be 2 and 9/16 inches apart, starting on one of the short edges. Do the same thing to 2 more plates. Then, take 1 of the flats and place it on the plate, exactly lining the short edge up with the edge of the plate. Burn it, move it up to the next mark, and cover up the exposed area you have already burned. Burn that, and do the same thing 2 more times, moving the flat up one more mark. Do the same process with the other 2 flats (each on a separate plate). Develop all three plates. You should now have 4 images on each plate with an equal space between each bill. The paper you will need will not match exactly, but it will do for most situations. The paper to use should have a 25% rag content. By the way, Disaperf computer paper (invisible perforation) does the job well. Take the paper and load it into the press. Be sure to set the air, buckle, and paper thickness right. Start with the black plate (the plate without the serial numbers). Wrap it around the cylinder and load black ink in. Make sure you run more than you need because there will be a lot of rejects. Then, while that is printing, mix the inks for the serial numbers and the back side. You will need to add some white and maybe yellow to the serial number ink. You also need to add black to the back side. Experiment until you get it right. Now, clean the press and print the other side. You will now have a bill with no green seal or serial numbers. Print a few with one serial number, make another and repeat. Keep doing this until you have as many different numbers as you want. Then cut the bills to the exact size with a paper cutter. You should have printed a large amount of money by now, but there is still one problem; the paper is pure white. To dye it, mix the following in a pan: cups of hot water, 4 tea bags, and about 16 to 20 drops of green food coloring (experiment with this). Dip one of the bills in and compare it to a genuine US bill. Make the necessary adjustments, and dye all the bills. Also, it is a good idea to make them look used. For example, wrinkle them, rub coffee grinds on them, etc. As before mentioned, unless you are familiar with photo offset printing, most of the information in this article will be fairly hard to understand. Along with getting a book on photo offset printing, try to see the movie "To Live and Die in LA". It is about a counterfeiter, and the producer does a pretty good job of showing how to counterfeit. A goodbook on the subject is "The Poor Man's James Bond". If all of this seems too complicated to you, there is one other method available for counterfeiting: The Canon color laser copier. The Canon can replicate ANYTHING in vibrant color, including US currency. But, once again, the main problem in counterfeiting is the paper used. This data is provided for informational purposes only. Counterfieting is illegal and you will be arrested if caught. + **************************************************************************** ******** **************************************************************************** ******** HOME BREW HERF DEVICE We coined HERF (High Energy Radio Frequency) as a generic term to mean a device that can interfere with a computer or communication's system operation. Simply, since a computer is electronic in nature, it both emits low level radiation and is susceptible to external interference. For example, when your cell phone goes haywire on a bridge or in a tunnel, it is caused by interference. In this case the interference in passive. The metallic structures 'suck-up' and disperse the transmissions and you get nada. Or, in the days of roof antennas, a pigeon would cause TV reception to falter just as a lightening storm could make the screen go blank for a few seconds. (With cable it's a few hours.) A computer is just as susceptible to interference, except that more power is required to cause a system failure or 'crash'. It is no surprise that surge protectors are designed to keep power linespikes from affecting a computer . . . a so called natural phenomenon. Not man made . . . just part of the power grid. We have all learned that certain integrated circuits, (IC's or chips) will self-destruct if we touch them after walking on a carpet on a dry day. The discharge of static electricity is large enough to break down the silicon barrier on the chips and Voila! No more chip . . . no more working computer. It should be no surprise then that a non-natural, or man made electrical discharge would have similar results. And they do. The object, on the part of certain in the military, is to create an arsenal of non-lethal weaponry. And they are doing it. The concept of particle beam weapons as part of Star Wars (SDI) relied upon focussed high energy beams that would destroy their electronic targets. Ground based systems have been tested at the regular weapons places like Los Alamos et al with varying degrees of success. Remember, the military requirements are generally an order of magnitude more rigid, so from their standpoint, the technology isn't there yet. For example, one mission goal would be: create a system that can force an cooperative pilot to make landing. Drug running is a good example. By targeting the avionics and communications of the target aircraft, the policing airplane would successively disable systems until the plane either landed or . . . well it is a big ocean. But conventional explosives would be unnecessary and the pilot would have been an unfortunate victim of a 'plane that ran out of gas.' HERF weapons can be operated over a wide range of frequency with a corresponding set of pros, cons and functional tradeoffs: distance, dispersion, penetration, reflection . . . all pretty basic stuff for a first year engineering student. Some businesses located on sightlines near airports have experienced periodic computer malfunction . . . with no apparent source or readily observable villain. But, it turns out that the high power radar systems have been responsible in many cases. The high frequency (above 1GHz) radar signals penetrate most structures, are focussed and can crash a computer network in a split second. Having unexplained system crashes? Look for outside influence. There are ways to identify certain power sources. Until recently I thought that HERF guns or their brethren HPM (High Power Microwave) devices were a military and laboratory reality, and in the future they would migrate into the hands of the 'bad guys'. I was wrong. It's pretty obvious that the hobbyist with a few dollars can purchase a surplus radar system from the U.S. Government for pennies on the dollar. Make a few modifications and BINGO, you got yourself a pretty potent electronic weapon. But it was not so obvious that HERF guns had already evolved to street technology - where the home brew hobbyist can put one together from spare parts. We made one. The device was ostensibly built as an electronics project for giggles. If you build up a large electric high voltage field, the air around the point of electrical build up can ionize and actually glow. The familiar experiments with Van De Graaf generators and Tesla coils create long spiky lightening-bolt shaped electrical discharges that are most impressive. But another phenomenon of sustained high voltage fields is known as St. Elmo's Fire which World War II fighter pilots and North Atlantic seamen report as balls of lightening that can dance or follow a plane or a ship. Last year, some friends and I were trying to come up with a unique window decoration for Christmas. We put nails around the window frame, attached the right wires,added a few more gizmos and waited for St. Elmo's Fire to provide a ghostly glow in the darkness. But, in our experimentation with the device, we found that if we discharged the voltage field in a short We also found that the discharges could cause computers up to a couple of hundred yards away to also feel the effects of my St. Elmo's toy. Admittedly curious, we played with the circuits and wanted to see just how much of an effect my home-brew efforts could have. We contacted friends in Australia and asked to listen to certain frequencies on their short wave radio. It turned out that every time the device was quickly discharged, sufficient energy was released in a short period of time to be 'heard' 14,000 miles away. Our HERF gun is astonishingly simple. Mounted on a piece of wood about 12" square sits the power transformer, rectifier and storage capacitors. (This is also known as a power supply.) A heavy gauge (4 or 6) wire runs from the plywood circuits to a long tube with a 1/2" thick metal bar on the end. Inside the tube is another circuit, this one purloined from a confidential source. This circuit is generically known as Jacob's Ladder or a high voltage multiplier. It takes the input voltage from the power supply (of a couple thousand volts for example) and brings it to perhaps millions of volts. Or, lower voltage and higher current. Ohm's law applies. A one microsecond pulse of 2.5 Megawatts is emitted every time it is fully charged. That's the equivalent of 100 amps at 25,000 volts, or 10 amps at 250,000 volts. The circuit performance can be enhanced very easily I believe. Just put a tuned coil as the output load and a resonance will increase the power in a focussed range by a factor of 10. Twenty five Megawatt pulses are trivial. The dispersion pattern is uncontrolled to say the least. Omnidirectional is an understatement. When we designed it we were not interested in focussed damage . . . but the resultant local computer outages were a source of entertainment. For us. Frequency and directionality are inversely proportional and with a little engineering, a more usable system is on the horizon. All for the price of a few parts from Radio Shack and Ed's Electrical Junk Store. The principle behind HERF guns is simplicity itself and they have arrived a lot sooner than any of us. + There's a LOT MORE in every issue of the Codex. Subscribe today. Don't miss an issue... Check out our WEB SITE - The Codex Privacy Page URL: http://www.thecodex.com The Codex Surveillance & Privacy Newsletter DataScan - Diagnostic TEMPEST Evaluation System Design and Fabrication of Specialized Systems Technical Surveillance CounterMeasures (TSCM) Forensic Audio Restoration & Audio Tape Enhancement -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.7.1 mQCNAzDgc7MAAAEEAK1gzGapvWKn287T8QPYphpIzF6+uHAyf/shVPbrGD/f5v8i sgMOSC5x05w9xyijpzx2ua5i4eXXzjiq257y7oJy60TEFWRHYqGJtZRpqlh9DKjD 0EA5dVitmEgKNot3rmcF9amBxUP2RwIq2nzHfgiLGB3obqeKYp0MXw7qZrH7AAUR tB5TcHlLaW5nIDxzcHlraW5nQG5vdmFsaW5rLmNvbT4==UBv6 -----END PGP PUBLIC KEY BLOCK----- From llurch at networking.stanford.edu Mon Mar 18 00:30:19 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Mon, 18 Mar 1996 16:30:19 +0800 Subject: M$ CryptoAPI Question In-Reply-To: <199603180605.WAA22290@dns1.noc.best.net> Message-ID: On Sun, 17 Mar 1996 jamesd at echeque.com wrote: > At 06:27 PM 3/17/96 EST, Dr. Dimitri Vulis wrote: > > I wonder if it's worth it to crack their approval mechanism so we can > > add our own crypto subsystems without asking Microsoft's approval. [...] > Wait until Microsoft makes some oppressive decisions, > or is compelled to make some oppressive decisions.] > > I do not expect that any cracking will be needed. Microsoft > will approve a freeware module for use in America, and then, > alas alas, someone will leak it. If the only goal is to allow international strong crypto using the CryptoAPI, then I agree with the above. However, exploring the CryptoAPI internals now, while there is still a possibility that they can be changed, is a productive undertaking to the extent that it exposes holes. If the good guys can find a way to plug an unapproved international strong-crypto module into the CryptoAPI, then the bad guys can find a way plug in a no-crypto virus or trojan horse. -rich at c2.org http://www.c2.org/hackmsoft/ and other cool stuff From asgaard at sos.sll.se Mon Mar 18 02:46:24 1996 From: asgaard at sos.sll.se (Asgaard) Date: Mon, 18 Mar 1996 18:46:24 +0800 Subject: The all.net controversy continues In-Reply-To: Message-ID: On Fri, 15 Mar 1996, Mark Aldrich wrote: > If all.net's policy is really "nobody's allowed to telnet in," they why > don't they just shutdown the damn telnetd, and be done with it? Or, if > they want only "authorized" personnel, why not add sufficient crypto to > secure the channel? Yes, it's a mystery. Especially since the sysadmin, Dr. F. Cohen, repeatedly assured this list, half a year ago, that his sites were the only impenetrable ones in the internet universe, so he should only have to sit laughing at these attacks. Asgaard From anon-remailer at utopia.hacktic.nl Mon Mar 18 02:47:53 1996 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Mon, 18 Mar 1996 18:47:53 +0800 Subject: Backup of Encrypted Partition In-Reply-To: <199603172221.OAA14725@squirrel.com> Message-ID: <199603180230.DAA14930@utopia.hacktic.nl> Mark C. Henderson (mch at squirrel.com) wrote: : On Mar 17, 18:38, Sanwar Ali wrote: : } Subject: Backup of Encrypted Partition : } Hi : } : } Apologies if this is too much of a beginner's Q. : } : } Does anyone know how to backup a "SecureDrive" partition onto tape : } quickly and easily. : } : } HPACK is really slow. : } : } PKZIP and then PGP is slow. : } : } RAWDISK, seems to be quite complex (perhaps I am just stupid!), and I : } am terrified of making some sort of terrible mistake. : } : } I have about 100MB in the partition. I have a pretty out of date : } computer which is a 386 33MHz running Windows. : : : Ease of backup is one of the strengths of CFS which is a cryptographic : filesystem for various flavours of UNIX and Linux. If you have Linux installed, you can backup your dos securedrive partition by doing cat /dev/hda2 >/dev/ftape ^^^^ (or whatever your securedrive partition is) No decrypting necessary. If the partition is only 100MB then it ought to fit on a standard qic-80 tape. From frissell at panix.com Mon Mar 18 03:35:40 1996 From: frissell at panix.com (Duncan Frissell) Date: Mon, 18 Mar 1996 19:35:40 +0800 Subject: Would the FTC crack down on snake oil someday? Message-ID: <2.2.32.19960318111412.00d6ec40@panix.com> At 11:45 PM 3/17/96 +0000, Deranged Mutant wrote: >FTC TARGETS INTERNET FRAUD >The Federal Trade Commission is conducting a "wholesale crackdown" on >perpetrators of allegedly deceptive marketing schemes that are advertised in >Internet news groups or on the World Wide Web. Charges were filed against >nine individuals or companies accused of misleading the public Nine down and 100,000 to go. DCF From nobody at REPLAY.COM Mon Mar 18 04:26:05 1996 From: nobody at REPLAY.COM (Anonymous) Date: Mon, 18 Mar 1996 20:26:05 +0800 Subject: Judge blocks French ISPs from connecting to revisionist sites Message-ID: <199603181207.NAA11001@utopia.hacktic.nl> So that y'all can see what the fuss is about, try the following sites : Institute for Holocaust Revisionism Committee for Open Debate On the Holocaust Theres a wealth of eye opening information there, not only about the holocaust, but about freedom of speech, censorship, civil librerties, hate groups, nazi hunters etc. etc. The sites are noticeably empty of "hate speech," and are in no way "denying the holocaust," but are simply adopting a scientific approach to documenting the events of the holocaust, seperating fact from fiction. I was surprised - the authors of these sites come across as very sane and open-minded, not the foaming at the mouth bigoted types that others lead us to believe. Anyone who seriously calls him(her)self open-minded should give these sites a go - they certainly got me thinking. The recent actions of the French and German governments make me feel like I'm living in the middle ages. I am truly disgusted at the actions of such close minded people who have obviously not looked at the sites involved. Anon. (due to the emotional nature of this subject.) From sinclai at ecf.toronto.edu Mon Mar 18 05:59:33 1996 From: sinclai at ecf.toronto.edu (SINCLAIR DOUGLAS N) Date: Mon, 18 Mar 1996 21:59:33 +0800 Subject: reputation capital transaction Message-ID: <96Mar18.083034edt.10023@cannon.ecf.toronto.edu> -----BEGIN PGP SIGNED MESSAGE----- In anticipation of the upcoming Computers, Freedom and Privacy conference, I'd like to transfer some reputation capital between accounts. Doug Sinclair == The Cunning Artificers I ported RC4 to the HP48 calculator. A bignum package capable of RSA and Diffie-Hellman is coming soon. Doug's key: - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCNAy93adEAAAEEAPHAXq0g2lFnn1kE4trrPWCjhiCzxNkjake4W4mspvOCGjd0 MUREgYJm3DVcTn5Ue0FdhSHOVoMoS+jdRV8W6wB/hGUUqyqleKkNSv1/yOAPCzHn Iq74GCRniy0WdO5zlDi56LxH5ruteWl6soPt1n3EeJKRldux7DouNsrtqO6VAAUR tB1Eb3VnIFNpbmNsYWlyIDxkaWVtb3NAaW8ub3JnPokAlQMFEDFNZAjhTVXsPaAX /QEBzZED/icJDAo1cjVp0eRqpelcAurXFqlkcfbvyg76KDHsxsiKthLyzF9UwErE xDxMyG/4rhojiJUoVaIq3MgJ9ZwtpXwkLS0kqXZySPSLsWMXjpzy36tOZ2XcdVFv kVVUy3I0M2nYfO8vT4vZV53VC8vqAKTjuQCt/vhcDrYTZdX0BLLY =t2MG - -----END PGP PUBLIC KEY BLOCK----- The Cunning Artificers key: - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCNAzEAEf4AAAEEAMONoLHj5CwKvaM6ch9GOcUjgoVS5sjXa4TzD2ohhtHFYR9l QzNj0vNASBQKE/Mk9Flqg+dtitS7S7B0qZQ+mQmMT73yniun596jt1NCJ5sLBKrM jDvYK3wGbycVX43RBiR3iwJZGq5blfWqNRE7kFdTxgu+bCdtLOFNVew9oBf9AAUR tBZUaGUgQ3VubmluZyBBcnRpZmljZXJz =pf3Y - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMU1k8uFNVew9oBf9AQG/JQP+K0hNzQew5MBOc1TGea+gkvBrTy+O801j 0yb4OrmAfuEQg6TalE7+jKGPoB/y9Ln2eusaZ+JCneBs7oVdvPSlzm/qNOjYXB7m jSxjkp20lzhxU5UBSAWWePbYsvoCe78BFS51OXEZdTuvGnbcKyh8l1DbvEKEML0i rNzbhRCuMDE= =HOSH -----END PGP SIGNATURE----- From abc at gateway.com Mon Mar 18 06:11:19 1996 From: abc at gateway.com (Alan B. Clegg) Date: Mon, 18 Mar 1996 22:11:19 +0800 Subject: While browsing the IRS ("Electronic Certification") Message-ID: While poking around at www.ustreas.gov, I found the following: http://www.ustreas.gov/treasury/bureaus/sba/electro.html The first paragraph reads: --SNIP-- The Financial Management Service is implementing an Electronic Certification System to permit fast, secure, and accurate transmission and certification of payment data. The system has been approved by the General Accounting Office for satisfying the signature certification requirements of 31 U.S.C. 3325 and 3528. --SNIP-- Would anyone like to comment on what is being used to provide signatures? Reading on down a bit, we get to this: --SNIP-- It uses a microcomputer to generate voucher schedules, electronically certify the vouchers, and transmit them via a dial-up telephone line to a mainframe host computer at the servicing Regional Financial Center. The electronic certification process provides positive identification of the certifying officer who authorizes the voucher for payment and ensures the authenticity of the transmitted data. It also detects any deliberate or inadvertent manipulation, modification, and loss of data between the time the voucher is certified in the Federal Program Agency microcomputer and the time it is verified at the servicing Regional Financial Center host computer. --SNIP-- Comments? -abc \ Alan B. Clegg Just because I can \ Internet Staff does not mean I will. \ gateway.com, inc. \ From WlkngOwl at unix.asb.com Mon Mar 18 06:22:01 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Mon, 18 Mar 1996 22:22:01 +0800 Subject: Would the FTC crack down on snake oil someday? Message-ID: <199603180455.XAA12434@unix.asb.com> Enclosed is an excerpt from Edupage. Snake-oil crypto popped into my mind.... I wonder if the FTC (Federal Trade Commission... agency *meant* to crack down on consumer fraud, for non-US readers here) would ever get into act here. Does the FTC have a home page? (Guess I'll do a search...) ------- Forwarded Message Follows ------- ***************************************************************** Edupage, 17 March 1996. Edupage, a summary of news items on information technology, is provided three times each week as a service by Educom, a Washington, D.C.-based consortium of leading colleges and universities seeking to transform education through the use of information technology. ***************************************************************** TOP STORIES FTC Targets Internet Fraud [..] FTC TARGETS INTERNET FRAUD The Federal Trade Commission is conducting a "wholesale crackdown" on perpetrators of allegedly deceptive marketing schemes that are advertised in Internet news groups or on the World Wide Web. Charges were filed against nine individuals or companies accused of misleading the public, and agency officials say this is only the beginning: "The Internet opens a world of opportunities for consumers. Unfortunately, it also presents opportunities for scam artists. We intend to monitor the Internet rigorously and act decisively when we see deceptive and misleading marketing," says the director of the FTC's Bureau of Consumer Protection. (Investor's Business Daily 15 Mar 96 A4) [..] Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From jya at pipeline.com Mon Mar 18 06:39:35 1996 From: jya at pipeline.com (John Young) Date: Mon, 18 Mar 1996 22:39:35 +0800 Subject: DEC_lan Message-ID: <199603181356.IAA09520@pipe1.nyc.pipeline.com> NYT of 3-18-96 has front page story on Internet copyright issues, featuring copywebbing terrorist Declan. DEC_lan From asgaard at sos.sll.se Mon Mar 18 07:10:29 1996 From: asgaard at sos.sll.se (Asgaard) Date: Mon, 18 Mar 1996 23:10:29 +0800 Subject: Tim's friend's mildly retarded son In-Reply-To: Message-ID: On Fri, 15 Mar 1996, Timothy C. May wrote: > As to Asgaard and his claim that the FDA is to be trusted, he is welcome to > trust them. I don't think they are _dishonest_, merely in thrall (*) to > special interests, drug companies, and, above all, to bureaucratic > stodginess. I could write an answer to this (about that I only said to trust FDA until there exists an alternative web of trust and reputations in the pharmaceutical business; that truly diseased people are not in the mood for researching the competence of a 'doctor' or 'healer' but are happy that entering a clinic guarantees that the guy examining them is a physician authorized by a non-profit entity of long-standing integrity and not a comlete quack; that the physicians, who are bombarded with manipulated information from the multinational drug companies would be at a great loss without independent trustable second opinions; and about how it would take quite some time to build up an alternative, private structure without bureaucratic stodginess - and even about the hypothesis that basic medical care might be counted together with justice and national defence as best paid for by involuntary taxes in the best compromise for total anarcho-capitalism that we might see in our lifetimes) but I won't :-) because of the off-topicness of the topic. > (* Asgaard should be happy that I am using a word derived from Old Norse, > "thrall," as in "enthralling." A thrall was a slave in Icelandic and Old > Norse.) The substantive 'tral' (with double dots over the a) and even more the verb 'trala' are used in current Swedish. I commend your versatile and exact use of the American-English language. Your posts are always a pleasure to read (and learn from, for a reader with another native tounge). > His speculation that my friend's mildly retarded son is not helped is > unknowable to him. In fact, the nootropic in question, Piracetam, is sold > in Europe (and Mexico, as I noted), and elsewhere, for the treatment of > Alzheimer's, dementia, and to alleviate mild retardation. My friend thinks For a good (in my opinion) review on nootropics, see: http://www.damicon.fi/sd/nsa-sd-article.html (courtesy of Alta Vista) For comparison, Sweden has around 2,000+ prescription drugs. Germany has 20,000+. This doesn't mean that Germans are healthier. > Whether my friend is deluding himself or not, it is not for men with guns > to tell him he may not buy something to consume. The "drug laws" are > nothing more than "dietary laws," and have virtually nothing to do with > public or personal safety. If safety was the issue, then the drug ethanol, > which kills at least 40,000 Americans a year would be outlawed while That's another issue. One problem is that the overall mortality is 100%, in the end. The long-term side effects of alcohol and tobacco are not that bad compared to many potent pharmaceuticals that FDA approves of, for cautious use in diseased persons, after risk/benefit analysis (morphin, cytostatics, immuno-suppressives). The political question, if a (healthy) individual has the right to use (recreational) drugs of his choice, really isn't centered around safety. Even if there was a completely harmless opioid, central stimulant or psychedelic drug available, strong forces would act against legalization out of moral or religious convictions ('God created man to suffer, so we shall suffer'). > winner. (The statistics I saw a few years ago were easily memorizable: > tobacco: 400,000, alchohol: 40,000, drugs: 4,000.) These figures would look a bit different if 200,OOO,OOO Americans regularly used crack or heroin. > We are not free when someone tells us which foods and herbs are legal to > eat, and which are not. I generally agree. But I have a slight problem with the concept of Death Pills (f ex cyankalium) sold in any store, under various brand names, for better profits: Instant Nirvana, God's Face, Bye Bye Bella, Moon's Reincarnation. In these days of designer drugs, the consumer would have a lot to gain if FDA (or a private entity with a similar reputation) approved new recreational drugs before they entered the market, avoiding tragedies like the Parkinson epidemic (in California, wasn't it?) caused by MTPT. Asgaard From jamesd at echeque.com Mon Mar 18 11:21:10 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Tue, 19 Mar 1996 03:21:10 +0800 Subject: Judge blocks French ISPs from connecting to revisionist sites Message-ID: <199603181555.HAA23928@dns2.noc.best.net> At 01:07 PM 3/18/96 +0100, Anonymous wrote: > I was surprised - the authors of these [revisionist] sites come across > as very sane and open-minded, not the foaming at the mouth bigoted > types that others lead us to believe. > > Anyone who seriously calls him(her)self open-minded should give these > sites a go - they certainly got me thinking. The pernicious effects of censorship: When you actually meet monsters, and see that they do not have horns and a tail, you falsely imagine that they are not monsters. You will read: "So and so went to site of the alleged extermination centers, and he saw X, Y, and Z, and this shows there are holes in the extermination story. Simple lie. Whenever I write about Cuba, leftists write: "I went to Cuba, and I saw such and such so and so". Well I went to Cuba, and I know that they lie barefaced, therefore I assume the same is true of the flatly conflicting tales concerning the holocaust. Those who defend totalitarianism, regardless of the brand name of totalitarianism, simply lie. It is as uncomplicated as that. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From geeman at best.com Mon Mar 18 12:17:49 1996 From: geeman at best.com (geeman at best.com) Date: Tue, 19 Mar 1996 04:17:49 +0800 Subject: M$ CryptoAPI Question Message-ID: <199603181624.IAA24559@dns2.noc.best.net> At 12:02 AM 3/18/96 -0800, you wrote: > >If the good guys can find a way to plug an unapproved international >strong-crypto module into the CryptoAPI, then the bad guys can find a way >plug in a no-crypto virus or trojan horse. > You want to prove: (A) IF you CAN plug in an unapproved module THEN you CAN plug in a trojan/virus. That doesn't mean, however, that: (B) IF you can't plug in an unapproved module THEN you can't plug in a trojan/virus. The subversion mechanisms would just not use the standard API. So what have you really proved if you can prove (A)? >-rich at c2.org > http://www.c2.org/hackmsoft/ and other cool stuff > > From frissell at panix.com Mon Mar 18 21:58:47 1996 From: frissell at panix.com (Duncan Frissell) Date: Tue, 19 Mar 1996 13:58:47 +0800 Subject: Free Flight Message-ID: <2.2.32.19960318185538.0073ff30@panix.com> The latest Wired and last week's news reports covered the FAA decision to sloooowly move from the current Positive Control ATC system to one called Free Flight in which aircraft pick there own routes and separation is maintained by GPS, computers, and telecommunications. Collision avoidance telecoms as opposed to collision avoidance radar. Every plane knows where it is in 4 dimensions (don't forget time) and knows its performance capabilities. They communicate with each other and the ground to keep away from each other. The question is why? Why abandon a central command and control system with defined airways and checkpoints, orders and acknowledgements? Is this some sinister triumph by free market ideology creeping into the ATC system as it did into New Zealand's Labour Government of the 1980s or even into the Chinese Commies brains? Not quite. It is simple. The system was breaking down already even before the 40-50% traffic growth projected over the next few years. Even if the FAA weren't totally incompetent as a computer buyer, a centralized system suffers from real congestion problems as growth occurs. Trying to cram more traffic down fixed routes is a real problem. Likewise finding enough commanders to seize and hold the high points of the ATCS. The change has been proposed because the system would collapse without it. Freedom is their only chance. Note the same effect in the future as trade, travel, data flows, etc. double and redouble. At some point on the growth curve, free flight becomes the only possibility. DCF "What *was* Vince Foster doing on November 22, 1963"? From Majordomo at toad.com Tue Mar 19 01:21:57 1996 From: Majordomo at toad.com (Majordomo at toad.com) Date: Tue, 19 Mar 1996 17:21:57 +0800 Subject: Your Majordomo request results Message-ID: <9603190920.AA22092@toad.com> -- Your request of Majordomo was: >>>> subscribe cypherpunks **** Address already subscribed to cypherpunks Your request of Majordomo was: >>>> end END OF COMMANDS From hallam at w3.org Tue Mar 19 06:03:13 1996 From: hallam at w3.org (Phillip M. Hallam-Baker) Date: Tue, 19 Mar 1996 22:03:13 +0800 Subject: Judge blocks French ISPs from connecting to revisionist sites Message-ID: <199603181651.LAA26358@bb.hks.net> -----BEGIN PGP SIGNED MESSAGE----- [Various holocaust revisionist crap deleted] Don't worry, it will very soon become impossible to block access to anything on the Web. I have a long record of opposing the holocaust revisionists. I have never attempted to prevent them putting their views forward. It is better to expose them and their lies. Winston Smith, Faust and co disappeared after we proved that they were the creations of one Dan Gannon. Attempting to cut off access and the conceit that the truth needs to be legislated merely plays into the facists hands. Any attempt to cut of service can be circumvented simply by connecting to a cache. Hensa in the UK (www.hensa.co.uk ?) run a very large one. There are also many caches run by US universities although for obvious reasons it is preferable for the French to go through a European one. And please, no more anonymous posts trying to persuade us that there is anything worth reading at these hate sites. The literary style is familiar enough that nobody should be fooled. Phill - --- [This message has been signed by an auto-signing service. A valid signature means only that it has been received at the address corresponding to the signature and forwarded.] -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Gratis auto-signing service iQBFAwUBMU2UhSoZzwIn1bdtAQFuqAGAxBfCOiZ1LKPIXLdE7OAJnabXlv1rxShW bW7DwF16+4rjLdm9ZahdS/X0NAMS1Oum =ySHM -----END PGP SIGNATURE----- From m5 at tivoli.com Tue Mar 19 06:20:28 1996 From: m5 at tivoli.com (Mike McNally) Date: Tue, 19 Mar 1996 22:20:28 +0800 Subject: IPG - newest release of the ABC Encryption Algorithms (fwd) In-Reply-To: Message-ID: <314EBE25.7655@tivoli.com> IPG Sales wrote: > Obviously, you meet our requirements for the release of the IPG ABC > Encryption algorithms. We need no further information from you. though we > would appreciate your telephone num and snail mail address. On the other hand, the "algorithm" as presented is so hopelessly obfuscated by the strange terminology and loose descriptions used to present it that there's no way I (or anybody else) could seriously evaluate it. Either publish an algorithm in some accepted format (a real C program, or even Knuth notation) or cut back your expectations for public analysis. ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * * suffering is optional From roy at sendai.cybrspc.mn.org Tue Mar 19 06:26:00 1996 From: roy at sendai.cybrspc.mn.org (Roy M. Silvernail) Date: Tue, 19 Mar 1996 22:26:00 +0800 Subject: The return of the IPG Unbreakable System In-Reply-To: Message-ID: <960319.065439.9K0.rnr.w165w@sendai.cybrspc.mn.org> -----BEGIN PGP SIGNED MESSAGE----- In list.cypherpunks, ipgsales at cyberstation.net writes: > Ladies and Gentlemen - > > For the last three plus weeks, some of the members of the C'Punks list > have had the IPG algorithms in their possesion. > > None, to date have suggested that the system is unbreakable - to the > contrary a few have stated that they believe it is unbreakable, but do > not want to go on the record yet. > > I invite those that have copies of the system to acknowledge that fact > and to state their opinions, if any. Since a copy of the IPG system has apparently arrived unsolicited in my mailbox this morning ("apparently" because I haven't unpacked or inspected the MIME message; "unsolicited" because I did not request it), I believe it's disclaimer time. I have entered into no agreements to inspect, test or validate the IPG software suite. In the absence of a valid contract for my services, I shall not inspect, test or offer opinions regarding the security of this product. IPG Sales is specificly enjoined from using my nym in any reference to validation of their product. Further, IPG is cautioned against using "cypherpunks" as a validation reference, as my subscription to this mailing list could then be construed as contributing to the claim of validation. This action is intended to guard against claims of the form "roy at sendai.cybrspc.mn.org has been unable to break our system", among others. Note to IPG: I review all contract offers. Feel free to contact me for terms, but be advised that I'm somewhat expensive. Note to c'punks: apologies for burning listwidth, but this looks like the proper Publication of Record for this notice. - -- Roy M. Silvernail [ ] roy at cybrspc.mn.org "Governments find it notoriously difficult to work with people that they cannot shoot." -- James A. Donald -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMU60chvikii9febJAQFSGgQAsDheQdfO1i4GMFLAwsjdpjkeLjLVHcP8 ZcIvAN4lp6LyqEVSxlzWurubz+Cj3qHaUB/dI6P+QNjj4zylmD3i1m1rfRxEHz4J Nq21+uhmS1dsKhXOXcQ+pGpmygYOPMaRDD8kWsAt4XADDrqnOdRDLP14YyueiHwK pjoZl70XeF8= =8/sf -----END PGP SIGNATURE----- From diarioam at ronet.com.br Tue Mar 19 07:32:52 1996 From: diarioam at ronet.com.br (Leonardo Machado) Date: Tue, 19 Mar 1996 23:32:52 +0800 Subject: DESCRIBE Message-ID: <2F6BBFDA.5DF7@ronet.com.br> undescribe cypherpunks at toad.com cyber at ronet.com.br From quester at eskimo.com Tue Mar 19 07:35:20 1996 From: quester at eskimo.com (Charles Bell) Date: Tue, 19 Mar 1996 23:35:20 +0800 Subject: monsters et al In-Reply-To: <199603181555.HAA23928@dns2.noc.best.net> Message-ID: On Mon, 18 Mar 1996 jamesd at echeque.com wrote: > > The pernicious effects of censorship: When you actually meet monsters, > and see that they do not have horns and a tail, you falsely imagine > that they are not monsters. > Very good point. > > Those who defend totalitarianism, regardless of the brand name of > totalitarianism, simply lie. It is as uncomplicated as that. Not very good point. Monsters come in many hues and `totalitarianism' is rarely total. Simplicity is in the mind of the beholder. Charles Bell From jya at pipeline.com Tue Mar 19 07:36:39 1996 From: jya at pipeline.com (John Young) Date: Tue, 19 Mar 1996 23:36:39 +0800 Subject: 16B_uys Message-ID: <199603181816.NAA18604@pipe3.nyc.pipeline.com> 3-18-96. TWP: "FBI, CIA Try to Set Turf Rules as Bureau Branches Out." The growing FBI overseas contingent is establishing liaison relationships with foreign police and intelligence groups that already have relationships with CIA personnel. The FBI agents abroad also try to develop their own clandestine informants, sometimes recruiting individuals who work for the CIA or have been fired by it. At a gathering Feb. 3-4 in Davos, Switzerland, FBI Director Freeh met with six presidents, seven prime ministers and three foreign ministers. 16B_uys From dlv at bwalk.dm.com Tue Mar 19 07:36:44 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Tue, 19 Mar 1996 23:36:44 +0800 Subject: Judge blocks French ISPs from connecting to revisionist sites In-Reply-To: <199603181651.LAA26358@bb.hks.net> Message-ID: "Phillip M. Hallam-Baker" writes: > I have never attempted to prevent them putting their > views forward. It is better to expose them and their lies. Winston > Smith, Faust and co disappeared after we proved that they were the > creations of one Dan Gannon. Attempting to cut off access and the > conceit that the truth needs to be legislated merely plays into the > facists hands. First, this has no crypto relevance -- please take this thread elsewhere. Second, there were well-documented and partially successful attempts to pull Gannon's plug. Third, plug-pulling is fascism. Now go away. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From adam at lighthouse.homeport.org Tue Mar 19 07:38:09 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Tue, 19 Mar 1996 23:38:09 +0800 Subject: The return of the IPG Unbreakable System In-Reply-To: <960319.065439.9K0.rnr.w165w@sendai.cybrspc.mn.org> Message-ID: <199603191525.KAA05569@homeport.org> -----BEGIN PGP SIGNED MESSAGE----- Roy M. Silvernail wrote: | In list.cypherpunks, ipgsales at cyberstation.net writes: | Since a copy of the IPG system has apparently arrived unsolicited in my | mailbox this morning ("apparently" because I haven't unpacked or | inspected the MIME message; "unsolicited" because I did not request it), | I believe it's disclaimer time. | | I have entered into no agreements to inspect, test or validate the IPG | software suite. In the absence of a valid contract for my services, I | shall not inspect, test or offer opinions regarding the security of this | product. IPG Sales is specificly enjoined from using my nym in any | reference to validation of their product. Further, IPG is cautioned | against using "cypherpunks" as a validation reference, as my | subscription to this mailing list could then be construed as | contributing to the claim of validation. This action is intended to | guard against claims of the form "roy at sendai.cybrspc.mn.org has been | unable to break our system", among others. | | Note to IPG: I review all contract offers. Feel free to contact me for | terms, but be advised that I'm somewhat expensive. | | Note to c'punks: apologies for burning listwidth, but this looks like | the proper Publication of Record for this notice. I'd like to add my name to Roy's letter. I also received an unsoliceted (1700 line) copy of an algorithim. I do intend to review it. I strongly caution IPG against using my name in their advertising. Adam - -- "It is seldom that liberty of any kind is lost all at once." -Hume -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCSAwUBMU7R6N5XP6PQNGpRAQEp+APlHLT35qjhK5buecy5srQg3kQFJ8vce1QR 25GDw5rqK21nT5g8QWKTq0gcWk9EFyFPqKzC8kfPn2BOQ/u7RI3kRHTCGvlOzy0C X0fqqKgwXVeuYfShZGUmfz6Xeuiia208KJ6ZBkQkaK6o7J9ZKyZEoDob9k75B1ww HBmVJxc= =lg/D -----END PGP SIGNATURE----- From markm at voicenet.com Tue Mar 19 07:38:57 1996 From: markm at voicenet.com (Mark M.) Date: Tue, 19 Mar 1996 23:38:57 +0800 Subject: Would the FTC crack down on snake oil someday? In-Reply-To: <199603180455.XAA12434@unix.asb.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sun, 17 Mar 1996, Deranged Mutant wrote: > Enclosed is an excerpt from Edupage. Snake-oil crypto popped into my > mind.... I wonder if the FTC (Federal Trade Commission... agency > *meant* to crack down on consumer fraud, for non-US readers here) > would ever get into act here. > > Does the FTC have a home page? (Guess I'll do a search...) http://www.ftc.gov . - --Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMU3YuLZc+sv5siulAQFtOAP/TiodS2MtG1Zz6L5aCq2xVU34/xaSOB6H t/xcfxOyfUdWOmxAwUMYZiSsZqS1jVNvcrnNIqdL2cXMhGME5KpOqnOnCe9lg5JB kQ9cJnZVLnq904nF9ZrS1bI+dhiKblYJf92y3q7A+gD4PS89MF2UCRBPJ4MD9rlF rlfw4nID9ns= =kwhB -----END PGP SIGNATURE----- From bglassle at kaiwan.com Tue Mar 19 07:46:33 1996 From: bglassle at kaiwan.com (Bob Glassley) Date: Tue, 19 Mar 1996 23:46:33 +0800 Subject: M$ CryptoAPI Question In-Reply-To: Message-ID: <314db317.500238751@kaiwan.kaiwan.com> -----BEGIN PGP SIGNED MESSAGE----- On Mon, 18 Mar 1996 00:02:16 -0800 (PST), Rich Graves wrote: >On Sun, 17 Mar 1996 jamesd at echeque.com wrote: > >> At 06:27 PM 3/17/96 EST, Dr. Dimitri Vulis wrote: >> > I wonder if it's worth it to crack their approval mechanism so we can >> > add our own crypto subsystems without asking Microsoft's approval. >[...] >> Wait until Microsoft makes some oppressive decisions, >> or is compelled to make some oppressive decisions.] >> >> I do not expect that any cracking will be needed. Microsoft >> will approve a freeware module for use in America, and then, >> alas alas, someone will leak it. > >If the only goal is to allow international strong crypto using the >CryptoAPI, then I agree with the above. However, exploring the CryptoAPI >internals now, while there is still a possibility that they can be >changed, is a productive undertaking to the extent that it exposes holes. Exploration of the internals are critical for any crypto implementation. Unfortunately, this is beyond the scope of my skills, and requires me to rely upon the talents of you guys, ( Thanks! :) Of some relevance: (not intended to branch off topic) I work at a large corporation who has a strong relationship with MS. We had a MS Internet Architecture guru in here trying to sell us on an NT Internet server solution as opposed to Sun which we use now. We expressed our concerns about the security of NT versus Unix in regards to hackability, to which he responded. (paraprhased) NT is more secure than Unix since NT is newer, few people know anthing about it, where Unix has known, documented holes in security. (Albeit plugged ones. ed.) With this *security through obscurity* outlook, I think exploration is definatley in order. >If the good guys can find a way to plug an unapproved international >strong-crypto module into the CryptoAPI, then the bad guys can find a way >plug in a no-crypto virus or trojan horse. Now that's a scary thought! I need to look further into how they implement authentication of CSPs. > >-rich at c2.org > http://www.c2.org/hackmsoft/ and other cool stuff > - --Bob -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMU2b4O2vJ3dNshwFAQGfKwP+KJWP8m+dtJd+gc71PZ67ABTbZZUw7MOi BX24B89CQ67eldprcbXdnmxDDnLX25bBDee3EWEy5HTuJD1V9psXBU7VqkaEWnPE MhBGT2puaZIpGZUq222VdMrdToRsclM4wen6rnoYo8f/PsWWZR2BANCQu20BG0ZR fgQW2bcIsdM= =wihe -----END PGP SIGNATURE----- From jimbell at pacifier.com Tue Mar 19 07:49:29 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 19 Mar 1996 23:49:29 +0800 Subject: InfoWarCon V 1996: Call For Papers Message-ID: At 09:29 AM 3/18/96 -0500, Mark Aldrich wrote: >I personally know Winn and several of the folks from NCSA. You're stuff >would be a FANTASTIC contribution, and I'm certain that it would be a >popular session. Yes, some of these folks are a bit "establishment," but >they go to these things looking for new ideas, new perspectives, etc. Well, I've forwarded the essay as is. If they really insist, I'd cut it down to a 1-2 page summary, but I suspect that if it catches their attention they won't mind reading the extra material. >You sound like a guy who can hold his own in a debate, so I imagine >you'll have no problems dealing with this crowd. They may "challenge" >your views, but you're not going to get attacked or anything. You're probably right, but some of the more perceptive ones may shit bricks when they discover what the stakes really are. The REALLY perceptive ones will know that it doesn't make any difference, whether or not they like the idea or me, it's on the way. >Don't read too much into this. Last year, we had Eric Bloodaxe (Chris G) >there, a host of, uh, shall we say "fringe" elements, and I think Eric >Hughes was there (?Eric? Sarah and I *think* we saw you there?), as well. >As far as an "agenda" other than the published one, I think you're probably >being overly concerned. It's actually a fun con and you'd be surprised >the number of people willing to actively listen to anyone they even think >might remotely be a "hacker." > >If you show up trying to "one up" folks, however, you may not get what you >want. It's more of a cooperative, interactive forum; Not a competition. It's not that I'm trying to "one up" them; it might happen automatically. Let me give you a real-life example: I first published the essay on FIDOnet, as well as list called "Digitaliberty," run by Bill Frezza. Frezza's list paradigm was to develop a way to enable the net to stay free in an unfree world; my idea had the prospect of not only making/keeping the net free, but also dragging the rest of the world into freedom whether it liked it or not. (As well as eliminating war, governments, and a few other minor details.) A few weeks after I started publicizing AP, the list went down for a few days and when it eventually returned, I was not among the subscribers and Frezza studiously ignored my inquiries. As you can well imagine, Frezza's original idea was good, it was merely too limited and was overtaken by progress. It would have been easier for him if he had opposed the fundamental concept of net freedom, or believed my position to be impractical or technically flawed. As it was, there was nothing he could do. Jim Bell jimbell at pacifier.com From frissell at panix.com Tue Mar 19 07:54:54 1996 From: frissell at panix.com (Duncan Frissell) Date: Tue, 19 Mar 1996 23:54:54 +0800 Subject: "Physical Reality IV" Message-ID: <2.2.32.19960318212013.0073ce80@panix.com> Bad Boys, Bad Boys Whatcha gonna do? Whatcha gonna do when they come for you? Bad Boys, Bad Boys repeat endlessly. We did 4) two weeks ago. Here are some more points. 5) The Bad Boys must know where you are. The general problem that Bad Boys face when policing cyberspace (and indeed the whole modern marketplace) is that it is a "target poor" environment. As we saw in the last piece, the basic tactical reality is the force ratio that can be applied to a territory. How many bodies can you deploy per unit of land to control it. Even before you consider the size of the enemy force, you have to consider the size of the territory. This same calculus applies equally to civilian law enforcement. Another basic tactical problem is what von Clausewitz in "On War" called the "fog of war." This is the very great problem of knowing exactly where your opponent is and what he is doing. Note how computers can expand the "space" to be controlled. Even before the Internet became big, the problem can be seen in this excerpt from Sterling's "Hacker Crackdown" (http://www.usfca.edu/crackdown/crack_6.html) "About twenty-five boards vanished into police custody in May 1990. As we have seen, there are an estimated 30,000 boards in America today. If we assume that one board in a hundred is up to no good with codes and cards (which rather flatters the honesty of the board-using community), then that would leave 2,975 outlaw boards untouched by Sundevil. Sundevil seized about one tenth of one percent of all computer bulletin boards in America. Seen objectively, this is something less than a comprehensive assault." Today, 30,000 web sites are created each month or so. Just logging them is hard much less ruling them. The fact is that cyberspace is so vast, that it is very hard to make much of a dent in it. Policing territory is hard enough when you can see most of it. Any city cop or soldier doing house-to-house fighting can tell you that crowded cities are harder to police than open territory. Cyberspace has the topography of madness. Much of it is invisible and it grows changes and deforms with the speed of the thoughts of the millions of its "residents." And it has a doubling rate much faster than the doubling rate of "policing hours" available to the would-be authorities. Aside from sheer size and crazy topography, cyberspace can be very hard to penetrate. We on this list are well aware of the tools of obfuscation: cryptography, false identities, remailers, proxies, etc. An even bigger factor are the features of our world that we as sophisticated users don't even think about. The strange nature of the place is hard for outsiders to grasp. The "locals" always have the strategic advantage of familiarity with a territory. The speed of technological change is also problem as is the speed of "movement" within the system. Even if the opposition had the troopies to patrol the vast new territories there are these frustrating "magical" qualities of cyberspace. You block one WWW site and its content in "teleported" within minutes to another site half a world away. You require your local ISPs to interpose a "Surfwatch" interface between your captive citizenry and the free world and some of those captives don the "invisible cape" of a proxy server to get at the content they want. Then there's the "force field" of crypto to block your investigations. None of these "magical" technologies are perfect they can be defeated (sometimes) but defeating them takes resources. And so far, the Bad Boys haven't been winning too many in cyberspace. DCF From peponmc at fe3.rust.net Tue Mar 19 07:57:55 1996 From: peponmc at fe3.rust.net (Michael Peponis) Date: Tue, 19 Mar 1996 23:57:55 +0800 Subject: Yeo, Pea-brained Imbecile Message-ID: <199603190216.VAA15546@Fe3.rust.net> The Economist, 16 March 1996, pp. 42-43. Asia and the Internet: Not too modern, please Here is my two cents on the whole subject of countries wanting to recieve the technical and economic benifits of the internet, but reject groups they have moral or ethical problems with. Like myself, there are a number of subscribers on this list that maintain sites, archives, or have public domain software. Given the plethera of reports like this, I will start maintaining a list of country that will not be given access to my site, no FTP, no HTTP, no nothing, on top of that, I will hard code into all the new versions of my network aware programs to check for a domain subfix, if it is on of the black list, the software will not function. Thus until policies I find offencive are not changed, everything I create will not be acceptable or functional within those regions. I am only one person, but if this practice becomes common place, those countries will find that their access is limited to their own limited world view, and can only obtain goods and services that they create themselves. They want isolation, let them enjoy the full benifits of that decision. One thing I would like to see happen rather quickly is to eliminate thier access to usenet, or other areas of common knowledge. It seems they want the benifits of the technical expertise of the western "morally defuct" experts, but not the opinions of those ares. Well it's an all or nothing deal. Filtering works both ways, they filter out the political and sex groups on their end, we filter out the technical information on ours, I hope they enjoy what is left, which is not much. Regards, Michael Peponis PGP Key Avalible from MIT Key Server From blane at aa.net Tue Mar 19 09:30:01 1996 From: blane at aa.net (Brian C. Lane) Date: Wed, 20 Mar 1996 01:30:01 +0800 Subject: entropy masking (was Re: Multiple spinners as sources of entropy?) In-Reply-To: <960313234757_350663563@emout09.mail.aol.com> Message-ID: <314ed684.1241017@mail.aa.net> On Wed, 13 Mar 1996 23:47:58 -0500, you wrote: >In DOS, the keyboard, mouse, and disk drives run on interrupts, not timers. > If you use a timer as a spinner, such as the Windows GetCurrentTime() >function, (I MSec. resolution) and check its value each time a key is pressed [...] I'd also recommend using mouse clicks. I think that most windows users (going from personal experience) spend much more time clicking through messages than typingon the keyboard. A combination of several events should provide 'even better' randomness. Brian ------- -------------------- ------- Embedded Systems Programmer, EET Student, Interactive Fiction author (RSN!) ============== 11 99 3D DB 63 4D 0B 22 15 DC 5A 12 71 DE EE 36 ============ From pgf at srl01.cacs.usl.edu Tue Mar 19 09:50:09 1996 From: pgf at srl01.cacs.usl.edu (Phil G. Fraering) Date: Wed, 20 Mar 1996 01:50:09 +0800 Subject: nootropic drugs, etc... Message-ID: <199603191603.AA18735@srl03.cacs.usl.edu> Path: hks.net!news-mail-gateway!owner-cypherpunks From: asgaard at sos.sll.se (Asgaard) The reason FDA has not approved this drug is most probably because it does not make mildly retarded boys less retarded. But of course, ... Well, it wasn't until the past year that the FDA approved depakote for things like bipolar disorder. It can be prescribed for seizures. Psychiatrists have been prescribing it to their manic-depressive patients for the past ten years to help with their "seizures" when the patients have been unable to tolerate the lithium to treat their "seizures." (Depakote is usually used as an anticonvulsant.) I suspect the FDA hasn't ever approved _anything_ as a nootropic. And I guess the nootropic in question isn't useful for something else. Depakote has been known safe and successful for about ten years for the treatment of bipolar disorder. It's been approved for that for the last year. If the FDA had been more zealous, they would have probably forced many people into nine years or so of the progression of bipolar disorder _or_ lithium toxicity. on snake oil. It becomes more difficult to uphold a pure market philosophy when it comes to poisonous snake oil or, as is often the case with potent drugs, effective oil but which will kill you from side effects after a delay. FDA has a very good reputation of not 'recommending' drugs with (delayed) adverse effects outweighing the beneficial ones. Why not let the patients research the drugs themselves? They'll find out more than their doctors will ever tell them. [...] Until this happens, trust FDA. Have you ever stopped and wondered just how many drugs out there cause birth defects, and asked yourself why thalidomide is illegal and other drugs are legal? Asgaard Phil From maldrich at grctechs.va.grci.com Tue Mar 19 09:52:27 1996 From: maldrich at grctechs.va.grci.com (Mark Aldrich) Date: Wed, 20 Mar 1996 01:52:27 +0800 Subject: While browsing the IRS ("Electronic Certification") In-Reply-To: Message-ID: On Mon, 18 Mar 1996, Alan B. Clegg wrote: They've been working on this for awhile. The problem is that the certification setup does not scale well. They've been looking at having the USPS maintain the certificates, but I have heard that it's been tossed back and forth between them and GSA and neither of them wants to do it. IRT the actual crypto being used in the solution, they are using the Digitial Signature Standard (FIPS PUB 186) with message digests being created via the Secure Hash Algorithm (FIP PUB 180). Unless you're using the FIPS stuff, you'd be hard pressed to get GAO or OMB to approve it. > --SNIP-- > The Financial Management Service is implementing an Electronic > Certification System to permit fast, secure, and accurate transmission and > certification of payment data. The system has been approved by the General > Accounting Office for satisfying the signature certification requirements > of 31 U.S.C. 3325 and 3528. > --SNIP-- > > Would anyone like to comment on what is being used to provide > signatures? > ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From enquirer at alpha.c2.org Tue Mar 19 09:53:10 1996 From: enquirer at alpha.c2.org (enquirer at alpha.c2.org) Date: Wed, 20 Mar 1996 01:53:10 +0800 Subject: Cypherpunk Enquirer Message-ID: <199603190254.SAA03087@eternity.c2.org> THE CYPHERPUNK ENQUIRER "Encyphering minds want to know." The recent opening of One Time Pad season was a resounding success, with previously unknown competitors Internet.Security.Guaranteed throwing out the first troll. Unfortunately, the annual cypherpunk contest may have to be renamed as it has been discovered that the phrase "One Time Pad" has been trademarked by the Kotex division of Johnson & Johnson. A second entrant, Stonewall-Drawbridge, was disqualified when it was found that the so-called "Infinite Venegere Key (IVK)" is the same one used by the New York Times for its popular Sunday Cypher series. Dr. Fred Cohen, noted virus expert and President of Info-Sec, recently announced the discovery of a new Internet security threat, the telnet bomb. First discovered when Dr. Cohen found, to his surprise, that people were actually trying to access the information that Info-Sec was posting on the Internet, this insidious attack seems to only go after sites that are getting down on their knees and begging for it by announcing to the world that people are actually trying to access our site and if you don't stop, we're going to tell the CERT and the FBI on you. Info-Sec quickly announced its solution, a $20,000 "Air Wall" (tm) turnkey computer with it's serial ports and ISA and PCI bus slots filled with crazy glue. Tim May's IQ dropped ten points today after the noted cypherpunk and retired Intel engineer was stopped at the Mexican border by Customs agents, who seized and confiscated over two hundred grams of an "unspecified pharmaceutical substance". Mr. May was released on his own recognizance when presented with an Alta Vista list of over two hundred aliases he has used to post to various Internet newsgroups and mailing lists and admitting, "Yup, that's me!". Eric Blossom has announced that CPLite is NOT out of business, but the S/N ratio has been so low for the past month that no posts made it through the CPLite filtering system. Not a single subscriber has requested a refund, claiming, en masse, "Hey, that's what we pay him for!". Asgaard's popular web site, a revisionist view of Viking history, has relocated to c2.org after being shut down by his original ISP due to complaints from the French government, which has declared as illegal Asgaard's claim that the Viking raiders were not actually early terrorists, but merely law-abiding tourists who didn't take any shit from rude French waiters. Surfwatch today reinstated access to AOL after the Wall Street Journal explained that their claim that AOL was "getting into bed with Bill Gates" was standard business school terminology and did not refer to consensual sexual activities. Neither party has responded to requests to clarify who was pitching and who was catching. Jim Bell died this week when a homemade "nuclear detonator" exploded in his hands. The detonator was immediately awarded the over ten thousand dollars bet on Mr. Bell in the Blacknet "Dead Pool" when the committee decided that the detonator had correctly predicted Mr. Bell's time and place of death, and that the prediction of "death by radiation poisoning" was "close enough for cypherpunk work." Nathaniel Borenstein was arrested on sexual harassment charges today after several female employees of First Virtual reported that he had been wandering around the offices for the past two months sniffing their keyboards. Next time in the Enquirer - the photos that DIDN'T get posted at www.c2.org/party/masquerade! How far did Lucky Green get his hands up Peter Pan's costume? What was Sandy Sandfort REALLY doing with that gun, or was he just happy to see her? What WAS that strange religious icon under "Father" Eric Blossom's robe? Did Dan Farmer REALLY design the rec room? Encyphering minds want to know! From ipgsales at cyberstation.net Tue Mar 19 09:57:45 1996 From: ipgsales at cyberstation.net (IPG Sales) Date: Wed, 20 Mar 1996 01:57:45 +0800 Subject: The return of the IPG Unbreakable System In-Reply-To: <199602200306.WAA11013@toxicwaste.media.mit.edu> Message-ID: Ladies and Gentlemen - For the last three plus weeks, some of the members of the C'Punks list have had the IPG algorithms in their possesion. None, to date have suggested that the system is unbreakable - to the contrary a few have stated that they believe it is unbreakable, but do not want to go on the record yet. I invite those that have copies of the system to acknowledge that fact and to state their opinions, if any. Some of these people have been helpful, and we have adopted some of their suggestions. For example, we are now call the encryption method, the ABC encryption method, because in the opinion of one person, it is so simple, straightforward and appropos as you will see. However, we want to expedite things. Accordingly, as of this date, we are now prepared to release the complete set of algorithms to any member of the C'punks mailing list who can establish that they are: 1. A citizen of the United States 2. Or a Citizen of Canada. We are willing to prove incontrovertibly, to your satisfaction, that the IPG ABC Encryption system is at once as secure, in the real sense, as a true OTP, or a pure 3064 bit prime number pair RSA system, and absolutely the fastest system possible, excepting possibly very short messages because of setup time. That is a lot of Chutzpah, but we are prepared to back it up, as you will see. We are prepared now, to send you a set of materials that can postively establish both of those assertions for yourself, beyond any doubt whatsoever. No ifs, no ands, no buts, no maybes, no anything. Period. Our agenda is very simple. 1. To prove beyond any doubt whatsoever that the system is absolutely unbreakable, and the fastest unbreakable system possible. 2. After that is agreed to, to prove beyond any doubt that the system is extremely simple and by far the easiest to use and operate. 3. That combined with RSA, or without RSA for that matter, the key distribution system is as secure and simple as any method available, including the public-private key method. No human ever gets involved, it is all fully automatic and uncorruptable. 4. That the key generation will be made to conform to your requirements - either by licensing the process to you, or by having an oversight group such as one of the Big Six, to provide continuous monitoring of the process to insure that no copies are kept and no one has access to the process. We can resolve any question you have in this regard. 5. That an interchange system will be implemented that provides the same degree of absolute guarantee of privacy, yet the two parties do not even have each others key. Yes it can be done, guaranteed. A few of you already know how, because they have the written copies of our materials. Temporarily however, we will only address point one. We will address the other four points after point one has been settled It will not take most of you weeks, or even days to establish that the IPG system is absolutely unbreakable, and that no system can possibly be faster. Most of you will be able to do it in a day, or even in a few hours, it is that simple. I suspect the reason that the few who have the materials are not ready to committ themselves is because they cannot believe their eyes and mind - it cannot be possible - something must be wrong. It is not though. What they see and what their minds are telling them is true. It is absolutely unbreakable and no digital system could possibly be faster. In all fairness though, we have only provided them with the materials necessary for them to conduct there own tests within the last 48 hours, so testing may still be under way. It is much faster than RD5, IDEA, DES or anything else available in the software version and with hardware implementation it can be made orders of magnitude faster, 1000s of times faster than those mentioned, or any Feistel type system or or any other system, of which we are aware. It is ideally suited to hardware implementation, with multilevels of parallelism, simple and practicable. We will send you a complete set of materials necessary for you to evaluate and test the system this date subject to the following. 1. You provide us with a telephone number that we can call you tonight to verify that you have an American or Canadian citizen, with a phone in one of those two countries. 2. That you provide us with an American or Canadian snail-mail address - we will send six of you, selected at random, registered copies of the materials provided to you, with some more detail, mainly relating to hardware implementation, though that is discussed in the Internet version. 3. That you agree to abide by ITAR, as well as by applicable copyrights and patents. That with respect to ITAR, that you will not provide a copy of the materials to anyone but you may tell them that IPG is making the materials available. Be forewarned again, we will not respond to any attacks made based upon any opinions, suppositions, hypotheses, guesses, thoughts, or anything else other than the facts. Nor will we respond to any of the same sort of things related to Key Distribution or the like other than to reiterate that we will license the manufacture of keys for the system. If you are an engineer, you will be amazed by how simple hardware implementation is, serial, simple one dimensional parallelism, and two level parrallelism, unbelievably so. We intend to license the manufacture of chips. So there my C'punk list friends. You threw down the gaunlet and challenged us. We accepted your challenge. Now, we are throwing down the gauntlet. To reiterate, we assert: 1. That IPG's ABC Encryption system it is absolutely proveably unbreakable, even to the point of quickly being self evidently so to most of you with any signficant mathematical background. 2. That is the fastest possible method of producing an unbreakable PRNG stream to be XORed with plain text - 3. That it is unbelieveably simple to implement and use, as simple as one of your associates said, as ABC. Some of you have spoken your piece without one iota of facts. We want all of you on the list to see the facts for yourself, It will make believers of you. Especially, we want those that jumped into the swimming pool, the fray, without anything other than dogma or opinions to see what the real facts are and how wrong they were. I close with three quotes: 1. The person who never alters their opinion is like standing water, and breeds reptiles of the mind. William Blake. "The Marriage of Heaven and Hell." 2. It is the uncompromisingness with which dogma is held that the danger lies. Samuel Butler - "The Way of All Flesh," 3. If we value knowledge, we must be free to follow wherever that search may lead us. The free mind is no barking dog, to be tethered on a ten-foot chain. Adlai Stevenson. Paraenthetically, IPG will not be tethered to a one pico meter chain that a few of you insist on trying to do. We urge you to take up this challenge. It is going to have far reaching implications for your clients and for your companies. It is the wave of the future, as you will quickly discover. From edgar at Garg.Campbell.CA.US Tue Mar 19 10:04:16 1996 From: edgar at Garg.Campbell.CA.US (Edgar Swank) Date: Wed, 20 Mar 1996 02:04:16 +0800 Subject: Request for reference info + Possible job offer Message-ID: -----BEGIN PGP SIGNED MESSAGE----- I would like people to send me (pointers to) reference information on how to write WinSock-compliant client software. Also tools required, hopefully free/shareware ones. The particular application of interest is a "web-crawler" which can log certain information in web pages it finds. If such reference information is not available or forthcoming, but there are people reading this who nevertheless know how to write such software, they are invited to contact me about contracting to write such an application for a negotiable payment. Please respond by Email, as I only subscribe to a digest of the Cypherpunks list. Edgar W. Swank -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMU4jnN4nNf3ah8DHAQEdwgP/RaYtSbT9RCA2MtR3++r6U7Sj9HAYKFZp GKunKKgDaE+/7mb08ixOq4/rtZ0THqwb9GyrYhoebKPKX3HeHIv4y4JbrG06zIMg YZQg7ex2YSZXBu2xcjuXDaVsLIdhpfBaJsuJ8RKODIFtElvXJkMpIaJFVAXg9P7K r8/2os1uMfs= =PgH7 -----END PGP SIGNATURE----- -- edgar at Garg.Campbell.CA.US (Edgar Swank) The Land of Garg BBS -- +1 408 378-5108 From ac at hawk.twinds.com Tue Mar 19 10:05:18 1996 From: ac at hawk.twinds.com (Arley Carter) Date: Wed, 20 Mar 1996 02:05:18 +0800 Subject: The return of the IPG Unbreakable System In-Reply-To: Message-ID: On Mon, 18 Mar 1996, IPG Sales wrote: > > Ladies and Gentlemen - > > For the last three plus weeks, some of the members of the C'Punks list > have had the IPG algorithms in their possesion. > > None, to date have suggested that the system is unbreakable - to the > contrary a few have stated that they believe it is unbreakable, but do > not want to go on the record yet. > [Lots of Stuff Snipped] If an IPG fell in a forest and nobody heard it, would it make a sound ? Arley Carter Tradewinds Technologies, Inc. email: ac at hawk.twinds.com www: http://www.twinds.com "Trust me. This is a secure product. I'm from ." From joelm at eskimo.com Tue Mar 19 11:17:10 1996 From: joelm at eskimo.com (Joel McNamara) Date: Wed, 20 Mar 1996 03:17:10 +0800 Subject: Commercial crypto in Zurich Message-ID: <199603181434.GAA02128@mail.eskimo.com> Just got back from doing some consulting in Europe. In the Zurich airport, there was a large illuminated sign (near the business class lounges) that proclaimed: Reliable cipher systems for absolute telecom protection TST 7790 Secure telephone, sat phone, ISDN TST 5573 F/U Fax ciphering TST 5573C Data ciphering with 10 EXP 80 Key TST 4045 HF SSB krypto modem TST 8010 Spread spectrum transceiver TST TeleSecurity Timmann Timman Gmbh Lutzing, Germany Full color photos of all of the above products were displayed. No technical details on the cryptosystems being used, but quite refreshing, considering the current state of things in the good old US of A... From maldrich at grctechs.va.grci.com Tue Mar 19 11:22:41 1996 From: maldrich at grctechs.va.grci.com (Mark Aldrich) Date: Wed, 20 Mar 1996 03:22:41 +0800 Subject: InfoWarCon V 1996: Call For Papers In-Reply-To: Message-ID: On Sun, 17 Mar 1996, Black Unicorn wrote: > > > C A L L F O R P A P E R S > > > > > > InfoWarCon 5, 1996 > > > Fifth International Information Warfare Conference > > > "Dominating the Battlefields of Business and War" > > > September 5-6, 1996 > > > Washington, DC > > > > I'm wondering if I should bother re-writing my "Assassination Politics" > > essay into the form of a paper and submitting it to these people. While it > > might nominally be considered right down their alley, from a subject > > standpoint, even a cursory look at the location (Washington, DC) and the > > invited people (large companies and military) suggest that my ideas would be > > just about as welcome as a yarmulke at a Nazi Party convention. > I personally know Winn and several of the folks from NCSA. You're stuff would be a FANTASTIC contribution, and I'm certain that it would be a popular session. Yes, some of these folks are a bit "establishment," but they go to these things looking for new ideas, new perspectives, etc. You sound like a guy who can hold his own in a debate, so I imagine you'll have no problems dealing with this crowd. They may "challenge" your views, but you're not going to get attacked or anything. BTW, I'm not one of the reviewers or organizers.... > > I'm not aware of the agenda (hidden or otherwise) of the sponsors, so > I don't know whether I should even bother. Many people aren't > particularly appreciative of being "one-upped" (not to mention made > obsolete) so it's not clear that they'd give me the time of day. Any > ideas as to their receptiveness? Don't read too much into this. Last year, we had Eric Bloodaxe (Chris G) there, a host of, uh, shall we say "fringe" elements, and I think Eric Hughes was there (?Eric? Sarah and I *think* we saw you there?), as well. As far as an "agenda" other than the published one, I think you're probably being overly concerned. It's actually a fun con and you'd be surprised the number of people willing to actively listen to anyone they even think might remotely be a "hacker." If you show up trying to "one up" folks, however, you may not get what you want. It's more of a cooperative, interactive forum; Not a competition. ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From jamesd at echeque.com Tue Mar 19 12:43:25 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Wed, 20 Mar 1996 04:43:25 +0800 Subject: M$ CryptoAPI Question Message-ID: <199603180605.WAA22290@dns1.noc.best.net> At 06:27 PM 3/17/96 EST, Dr. Dimitri Vulis wrote: > I wonder if it's worth it to crack their approval mechanism so we can > add our own crypto subsystems without asking Microsoft's approval. Wait. Wait for some apps to come out that use Microsofts crypto. Wait until Microsoft makes some oppressive decisions, or is compelled to make some oppressive decisions.] I do not expect that any cracking will be needed. Microsoft will approve a freeware module for use in America, and then, alas alas, someone will leak it. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jamesd at echeque.com Tue Mar 19 12:49:06 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Wed, 20 Mar 1996 04:49:06 +0800 Subject: Judge blocks French ISPs from connecting to revisionist sites Message-ID: <199603180605.WAA22293@dns1.noc.best.net> At 04:30 PM 3/17/96 -0800, Rich Graves wrote: > In other news, Holocaust Revisionist mgiwer at combase.com (Matt Giwer) has > been *openly bragging* about getting a political opponent kicked off of a > conservative Texas ISP. The main difference between the French and Texas > cases being that the information on Rack Jite's web pages was true, and > the information on the Holocaust Revisionist sites is not. I guess that's > not important, though, since by definition, Political Correctness only > targets the right. Jack Rite was kicked off for gross and repeated violations of netiquette, not for his political views. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From sameer at atropos.c2.org Tue Mar 19 13:01:25 1996 From: sameer at atropos.c2.org (sameer at atropos.c2.org) Date: Wed, 20 Mar 1996 05:01:25 +0800 Subject: Judge blocks French ISPs from connecting to revisionist sites In-Reply-To: Message-ID: <199603180447.UAA25170@atropos.c2.org> Said political opponent is now being serviced by an ISP that will not kick him off because of threats from revisionists. > In other news, Holocaust Revisionist mgiwer at combase.com (Matt Giwer) has > been *openly bragging* about getting a political opponent kicked off of a > conservative Texas ISP. The main difference between the French and Texas > cases being that the information on Rack Jite's web pages was true, and > the information on the Holocaust Revisionist sites is not. I guess that's > not important, though, since by definition, Political Correctness only > targets the right. > > -rich > -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From grafolog at netcom.com Tue Mar 19 14:14:27 1996 From: grafolog at netcom.com (Jonathon Blake) Date: Wed, 20 Mar 1996 06:14:27 +0800 Subject: nootropic drugs, etc... In-Reply-To: <199603191603.AA18735@srl03.cacs.usl.edu> Message-ID: On Tue, 19 Mar 1996, Phil G. Fraering wrote: > Have you ever stopped and wondered just how many drugs out there cause > birth defects, and asked yourself why thalidomide is illegal and other > drugs are legal? Notes in passing that thalidomise is still a perscription drug in the United States, and very useful for what it treats. xan jonathon grafolog at netcom.com From geeman at best.com Tue Mar 19 14:16:40 1996 From: geeman at best.com (geeman at best.com) Date: Wed, 20 Mar 1996 06:16:40 +0800 Subject: The return of the IPG Unbreakable System Message-ID: <199603191714.JAA09610@dns2.noc.best.net> >| I have entered into no agreements to inspect, test or validate the IPG >| software suite. In the absence of a valid contract for my services, I >| shall not inspect, test or offer opinions regarding the security of this >| product. IPG Sales is specificly enjoined from using my nym in any >| reference to validation of their product. Further, IPG is cautioned >| against using "cypherpunks" as a validation reference, as my >| subscription to this mailing list could then be construed as >| contributing to the claim of validation. This action is intended to >| guard against claims of the form "roy at sendai.cybrspc.mn.org has been >| unable to break our system", among others. >| >| Note to IPG: I review all contract offers. Feel free to contact me for >| terms, but be advised that I'm somewhat expensive. >| >| Note to c'punks: apologies for burning listwidth, but this looks like >| the proper Publication of Record for this notice. > > I'd like to add my name to Roy's letter. I also received an >unsoliceted (1700 line) copy of an algorithim. I do intend to review >it. I strongly caution IPG against using my name in their >advertising. > >Adam > > For my part, I invited them to submit their information to me; however, I have to jump on the wagon here and also state publicly that this implies no obligation on my part, nor my permission to use any information about me in their advertising or other material. Thank you. geeman at best.com > From perry at piermont.com Tue Mar 19 15:45:39 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 20 Mar 1996 07:45:39 +0800 Subject: The return of the IPG Unbreakable System In-Reply-To: Message-ID: <199603191618.LAA25608@jekyll.piermont.com> IPG Sales writes: > For the last three plus weeks, some of the members of the C'Punks list > have had the IPG algorithms in their possesion. You again? Go away. Our snakes are very well oiled already. .pm From Majordomo at toad.com Tue Mar 19 16:39:52 1996 From: Majordomo at toad.com (Majordomo at toad.com) Date: Wed, 20 Mar 1996 08:39:52 +0800 Subject: Your Majordomo request results Message-ID: <9603180708.AA18907@toad.com> -- Your request of Majordomo was: >>>> subscribe cypherpunks **** Address already subscribed to cypherpunks Your request of Majordomo was: >>>> end END OF COMMANDS From liberty at gate.net Tue Mar 19 16:50:54 1996 From: liberty at gate.net (Jim Ray) Date: Wed, 20 Mar 1996 08:50:54 +0800 Subject: The return of the IPG Unbreakable System Message-ID: <199603191924.OAA25750@osceola.gate.net> -----BEGIN PGP SIGNED MESSAGE----- No copy of this program has arrived in my mailbox, which is a good thing. I am no cryptography expert. Even _I_, however, see massive problems in letting _others_ generate my crypto-keys for me. If this egomaniac gets the respected experts on this list to review his software at no cost, & if the experts actually say, "he's right, it's unbreakable," the system will still have this weakness. This is even worse than the "Power One Time Pad" snakeoil. Am I missing something? JMR Regards, Jim Ray "The era of big government is over." -- Bill Clinton "Prepare for the era of _HUGE_ government." -- Jim Ray _______________________________________________________________________ PGP key Fingerprint 51 5D A2 C3 92 2C 56 BE 53 2D 9C A1 B3 50 C9 C8 Public Key id. # E9BD6D35 -- http://www.shopmiami.com/prs/jimray _______________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Freedom isn't Freeh. iQCVAwUBMU8JKW1lp8bpvW01AQFK2gQAlxTZlfC9Dwx6nbbliSMxYqMp9Uvf9y0r ntFZfobQQ4OZsX0cNGDYIvwWMDztV+07d/seEqqEnGVvk8yFqcKPuFIo/WyFqxEc TqDzCp/i1XtndHDrfJb4hZDgizJKHXXrHO2dfuTecxS9uTgFvT3bUuTOfJme2hOx DNZz/Sm5rfs= =SaSo -----END PGP SIGNATURE----- From starcon at centrum.is Tue Mar 19 16:55:15 1996 From: starcon at centrum.is (StarCon) Date: Wed, 20 Mar 1996 08:55:15 +0800 Subject: No Subject Message-ID: <199603182044.UAA05465@xanadu.centrum.is> unsubscirbe From m5 at tivoli.com Tue Mar 19 17:27:35 1996 From: m5 at tivoli.com (Mike McNally) Date: Wed, 20 Mar 1996 09:27:35 +0800 Subject: IPG - newest release of the ABC Encryption Algorithms (fwd) In-Reply-To: <2.2.32.19960319175044.00c7bab8@mail.software.net> Message-ID: <314F0DB1.61FE@tivoli.com> John Pettitt wrote: > /* the arrays b,c are filled in from tables of smallish primes supplied > by IPG using 'random' numbers supplied by IPG to select the primes (and the > order of same). since all the values are > 8 bits I've assumed a,b,c = int. > a[] is filled with 13568 + an 8 bit 'random' number. (13568 = 0x3500 which > gets ANDed with the seed value) > */ One tangerine-flavord Starburst to the first cypherpunk who can give a rough estimate for the results of the sub-expression: (random() & 0xff) & 0x3500 ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * * suffering is optional From llurch at networking.stanford.edu Tue Mar 19 17:37:32 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 20 Mar 1996 09:37:32 +0800 Subject: Judge blocks French ISPs from connecting to revisionist sites In-Reply-To: <199603180605.WAA22293@dns1.noc.best.net> Message-ID: On Sun, 17 Mar 1996 jamesd at echeque.com wrote: > At 04:30 PM 3/17/96 -0800, Rich Graves wrote: > > In other news, Holocaust Revisionist mgiwer at combase.com (Matt Giwer) has > > been *openly bragging* about getting a political opponent kicked off of a > > conservative Texas ISP. The main difference between the French and Texas > > cases being that the information on Rack Jite's web pages was true, and > > the information on the Holocaust Revisionist sites is not. I guess that's > > not important, though, since by definition, Political Correctness only > > targets the right. > > Jack Rite was kicked off for gross and repeated violations of > netiquette, not for his political views. That's a new one. Giwer is bragging that he got him kicked off for either a) copyright violations (two GIFs of Giwer, taken from Giwer's web site) or b) libel (no details given, and difficult to prove because truth is an ironclad defense against a libel suit). The Volant Turnpike system administrators said the problem was that a few instances of the word "FUCK" violated the Communications Decency Act. I've seen their mail. Their reasons for deleting the files after all naughty words and "copyright violations" were deleted were not stated. I'd be curious to know how a web site can pose "netiquette" problems. Jack Rite never sent or received email or news from turnpike.net; he only used their web-hosting services. Anyway, I don't know much about this case, and the guy is a little kooky, agreed, but far less kooky than Giwer. We're all friends here. It just pisses me off to see Giwer claiming to represent the "libertarian" position, and occasionally being taken seriously by people I otherwise respect, when he's really just a racist kook. -rich From vinnie at webstuff.apple.com Tue Mar 19 17:51:23 1996 From: vinnie at webstuff.apple.com (vinnie moscaritolo) Date: Wed, 20 Mar 1996 09:51:23 +0800 Subject: Mac Crypto Conference Message-ID: hey all; I am interested in putting together a Macintosh crypto conference for folks who do or want to write crypto on the mac. I was thinking about a one or two day thing..real tech stuff. (not so much the users), but I am flexable. I plan to hold it here at apple, cupertino. (so as to make it real cheep) If you have any ideas on what you would like to see there, either drop me an email, at or if you think it is worthy of a public discussion reply at cypherpunks. ------------- Vinnie Moscaritolo Apple DTS Sniper "One Shot..One Kill" http://webstuff.apple.com/~vinnie/ Fingerprint = 4F A3 29 81 50 E4 04 F2 78 25 01 87 6E A2 14 6A -------------- From vinnie at webstuff.apple.com Tue Mar 19 17:58:57 1996 From: vinnie at webstuff.apple.com (vinnie moscaritolo) Date: Wed, 20 Mar 1996 09:58:57 +0800 Subject: Mac Crypto Conference Message-ID: hey all; I setup a mac-crypto mailing list at majordomo at thumper.vmeng.com the ususal: to: majordomo at thumper.vmeng.com subscribe mac-crypto will get you on board. I't purpose is to discuss the specifics of macintosh based cryptography, save the politics for cyhperpunks. my first topic of discussion is the idea of a mac crypto conference, here at apple, cupertino. I wsa thinking of a one day afair, a few sessions, mostly tech, open to the developer public. ------------- Vinnie Moscaritolo Apple DTS Sniper "One Shot..One Kill" http://webstuff.apple.com/~vinnie/ Fingerprint = 4F A3 29 81 50 E4 04 F2 78 25 01 87 6E A2 14 6A -------------- From rich at c2.org Tue Mar 19 17:59:16 1996 From: rich at c2.org (Rich Graves) Date: Wed, 20 Mar 1996 09:59:16 +0800 Subject: Judge blocks French ISPs from connecting to revisionist sites Message-ID: <199603182021.MAA08461@Networking.Stanford.EDU> At 01:07 PM 3/18/96 +0100, Anonymous wrote: > >So that y'all can see what the fuss is about, try the following sites : A far better site that is not being censored is: http://members.aol.com/ironfrog/ubootwaffe/brown.html > Institute for Holocaust Revisionism > This site is not blocked. Greg Raven is a serious Neo-Nazi wacko who took over the IHR by force. The police were called in to break up the fight, and the Nazis spent some time suing each other for control. See the Willis Carto/IHR FAQ for alt.revisionism. > Committee for Open Debate On the Holocaust > This site is not blocked. The "censorship" page is full of events that never happened. Brian acknowledges that the errors I pointed out are errors, but complains that he "doesn't have time" to go back and correct them. He has had time, though, to add more events that never happened. See the URL below [sic]. See also http://www.stormfront.org/, which has widely been reported to have been "censored." It's not. That front page is just Don Black's idea of a joke. See http://www.stormfront.org/stormfront/, http://www2.stormfront.org/default.htm, and http://www3.stormfront.org/. The Nazis are quite well-connected. IHR uses AOL because they *want* to be censored so that they can play victim, and get more support from the otherwise reasonable people here. Even Steve Case knows this, which is why, uncharacteristically, he isn't booting them off. -rich http://www.c2.org/~rich/Press/Swedish/ From jlasser at rwd.goucher.edu Tue Mar 19 17:59:51 1996 From: jlasser at rwd.goucher.edu (Bruce Zambini) Date: Wed, 20 Mar 1996 09:59:51 +0800 Subject: FORTUNE666 - AOL postings blamed for Iomega stock troubles (fwd) Message-ID: An interesting question of reputations, plus a kneejerk reaction against anonymity... "It must be true; I read it on AOL..." Jon ---------- Jon Lasser (410)494-3072 - Obscenity is a crutch for jlasser at rwd.goucher.edu inarticulate motherfuckers. http://www.goucher.edu/~jlasser/ Finger for PGP key (1024/EC001E4D) - Fuck the CDA. ---------- Forwarded message ---------- Date: Sun, 17 Mar 96 23:42:34 From: FringeWare Daily Subject: FORTUNE666 - AOL postings blamed for Iomega stock troubles Sent from: sentry at utxvms.cc.utexas.edu () This may be of interest to lovers and haters of chaos, alike- >From Edupage: IOMEGA STOCK VOLATILITY BLAMED ON AOL POSTINGS Iomega, maker of high-capacity removable disk drives, is the focus of controversy on America Online's Motley Fool bulletin board. Company officials have complained to the SEC that postings on Motley Fool and other BBSs have contained false information and may be contributing to the volatility of its stock. Online exposure has "raised the visibility of some stocks as well as the interest in those stocks," says an outside spokesman for Iomega. "At the same time, we're very concerned about how online services can be used to attempt to drive stock prices higher or lower through misinformation." Postings about Iomega escalated to flaming and physical threats last month, causing Motley Fool to pull some of the more offensive ones, but critics of online BBSs note Iomega's problems are a result of the practice of using "screen names" and the lack of verification of information that's posted. "You don't know if the person is a Ph.D. or in Sing Sing," says one critic. (Wall Street Journal 15 Mar 96 A5C) From Y.Adamopoulos at noc.ntua.gr Tue Mar 19 18:14:55 1996 From: Y.Adamopoulos at noc.ntua.gr (Yiorgos Adamopoulos) Date: Wed, 20 Mar 1996 10:14:55 +0800 Subject: Request for reference info + Possible job offer In-Reply-To: Message-ID: <199603191636.SAA15939@noc.ntua.gr> > I would like people to send me (pointers to) reference information on > how to write WinSock-compliant client software. Also tools required, have a look at http://www.sockets.com and at the book it says. -- Yiorgos Adamopoulos adamo at noc.ntua.gr National Technical University of Athens, NOC From munro at ci.com.au Tue Mar 19 19:34:26 1996 From: munro at ci.com.au (Munro Saunders) Date: Wed, 20 Mar 1996 11:34:26 +0800 Subject: IPG - newest release of the ABC Encryption Algorithms (fwd) In-Reply-To: <2.2.32.19960319175044.00c7bab8@mail.software.net> Message-ID: <199603192306.KAA02258@mippet.ci.com.au> > >IPG Sales wrote: > >> Obviously, you meet our requirements for the release of the IPG ABC ... > At 08:01 AM 3/19/96 -0600, Mike McNally wrote in reply: > >On the other hand, the "algorithm" as presented is so hopelessly > >obfuscated by the strange terminology and loose descriptions used ... John Pettitt presents us with C code possibily matching the algorithm (see the end of this email). I imagine that John Pettitt may have written: > I do not endorse the above code or algorithm and make no comment on it's > strength or otherwise. Well I spent 30 seconds on it. Do we get to start with known plain text? This is the usual assumption these days. It so hopeless I imagine more experienced cryptographers won't even bother replying. DON'T USE THIS CODE. It has a long cycle: (the product of all the c[i]) * 64 It can be broken into 64 parts and each part attacked separately. Each part is the outputs with offset i modulo 64. Part i has a cycle of c[i]. (Its irrelevant that the b[i] are prime, helps if they are coprime to c[i].) There is no feedback between parts. Each part looks like a LCM PRNG to me. The cryptanalysis of these was done decades ago by Knuth. From memory the key can be deduced in a known plain text attack with knownledge of about the same amount of plain text as there is unknown key (initial state). (under 1K bytes). Even without known plain text I suspect it would not survive past the maximum c[i] (given some redundancy in the input). I imagine that John Pettitt may have written: > Here is my take on a C version of their code - note that a[] b[] c[] and the > initial d are filled in from the 'one time pad'. The size of a,b,c is not > specified it could be 8 16 or 32 bits from the text ... However the initial > values of a,b & c are set using 8 bits of the 'random' key. > > int a[64] /* Random & 0x3500 */ > int b[64] /* Randomly selected primes */ > int c[64] /* randomly selected primes*/ > char d; /* random start value */ > int i; > > /* the arrays b,c are filled in from tables of smallish primes supplied > by IPG using 'random' numbers supplied by IPG to select the primes (and the > order of same). since all the values are > 8 bits I've assumed a,b,c = int. > a[] is filled with 13568 + an 8 bit 'random' number. (13568 = 0x3500 which > gets ANDed with the seed value) > */ > > while(1) > { > for(i=0; i<64;i++) > { > a[i] = (a[i] + b[i]) % c[i]; > d = (d+a[i]) & 0xFF; > /* output d as next byte in stream */ > /* XOR with plaintext */ > } > } -- Munro Saunders Often seen at Gracelands, but ... P.O. Box 192, munro at ci.com.au I am not an official spokesperson ERSKINEVILLE 2043 61 2 564 6368 for Elvis, IBM, M$ or Corinthian. AUSTRALIA From declan+ at CMU.EDU Wed Mar 20 12:34:45 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Wed, 20 Mar 96 12:34:45 PST Subject: The Leahy Crypto Bill is Rancid Sausage In-Reply-To: <199603190315.TAA05777@eff.org> Message-ID: Excerpted from a message to fight-censorship. For the full thread, check out: http://fight-censorship.dementia.org/fight-censorship/dl?thread =The+Leahy+Crypto+Bill+is+Rancid+Sausage&after=1795&type=short (On one line, of course.) -Declan ---------- Forwarded message begins here ---------- From: Stanton McCandlish Message-Id: <199603190315.TAA05777 at eff.org> To: declan+ at CMU.EDU (Declan B. McCullagh) Date: Mon, 18 Mar 1996 19:15:09 -0800 (PST) Cc: fight-censorship+ at andrew.cmu.edu, junger at pdj2-ra.F-REMOTE.CWRU.Edu, tcmay at got.net [...] As our statement on the bill made clear, *EFF does not support the Leahy bill*, nor do we endorse it, like it, find it useful or any other synonym. We're happy to see the issues raise again, a la Cantwell, but we specifically recommended simple and complete deregulation. As our co-founder John Gilmore points out, the Leahy bill as written pre-supposes Congressional authority to legislate in this are, and Executive authority to regulate under that legislation. These are notions that we, and Phil Karn, are challenging in court with Constitutional tests we are throwing at the ITAR export regs. [...] From perry at piermont.com Wed Mar 20 12:36:56 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 20 Mar 96 12:36:56 PST Subject: [NOISE] Re: Dorothy Denning attacks Leahy's crypto bill In-Reply-To: Message-ID: <199603202035.PAA01839@jekyll.piermont.com> Alan Bostick writes: > Declan McCullagh wrote: > > > I may have to adjust my position on Leahy's bill. Any legislation that > > Dorothy Denning attacks so virulently must be worth passing. > > That could be exactly what They want you to think! Oh, God. This is really a bit too much, don't you think? I mean, its obvious that, whatever its flaws, passage of the Leahy bill would be very bad for the export control droids. Has it occurred to you that the whole thing might not be a conspiracy and that the flaws in the bill might just be that -- flaws? Perry From Kevin.L.Prigge-2 at tc.umn.edu Wed Mar 20 12:41:21 1996 From: Kevin.L.Prigge-2 at tc.umn.edu (Kevin L Prigge) Date: Wed, 20 Mar 96 12:41:21 PST Subject: Keep the pressure! Cryptographers Against Cryptography EXPOSED! In-Reply-To: <199603201016.CAA09094@jobe.shell.portal.com> Message-ID: <31506d203ab7002@noc.tc.umn.edu> anonymous-remailer at shell.portal.com said: > > We can be fortunate that their number is small. At least the ones > we know about. Only three more since the last report. But even > one is too many. Well, you can add me to the list. Although there are a couple of problems with the Leahy bill, it still seems to me to be a step in the right direction. > > These people have alot to answer for. Ask them who they work for > and who signs there checks. Ask them why they lie. Ask them why > they are afraid of your right to privacy. (of course we know why) > Show them HOW WE FEEL. Let them serve as examples too others if > they are too cowardly to serve as beacons for truth. I'll answer up front. I work for the University of Minnesota. I don't get a check, I have direct deposit. If you saw how much it is, you'll *know* that I don't speak for them. I haven't lied for a couple of minutes now, and certainly not about my support for the Leahy bill. I'm not afraid of any right to privacy, in fact I insist on it and support it whenever possible. I don't know how you feel, and I wish you wouldn't show me, as I am afraid that you feel squishy and slightly damp. That might cause me to lose my appetite. > > THE LIST OF SHAME: > B. Schneier: bs208 at newton.cam.ac.uk, schneier at counterpane.com > M. Blaze: mab at crypto.com, mab at research.att.com > J. Bizdos: jim at rsa.com > S. Safaddar: shabbir at vtw.org > D. Weinstein: djw at vplus.com > P.. Peterson: padgett at hobbes.orl.mmc.com > B. Stewart: stewarts at ix.netcom.com > B. Unicorn: unicorn at schloss.li > P. Karn: karn at unix.ka9q.ampr.org > D. McCullagh: declan at well.com > > BOYCOTT APPLIED CRYPTOGRAPHY, AT&T, VTW, and RSA!!!! Don't forget grapes! > > THE LEAHY BILL IS 100% PART OF THE PLAN TO KILL FREE CRYPTO. > YOU DON'T NEED EXPERTS TO THINK FOR YOU! REMEMBER RICO AND WORLD GOVERNMENT! I can't remember breakfast, now what was that about RICO and World Government? Did I take over the world again and forget to clean up after myself? Sorry. -- Kevin L. Prigge | "You can always spot a well informed man - University of Minnesota | his views are the same as yours." email: klp at tc.umn.edu | - Ilka Chase PGP Key Fingerprint = FC E5 EE E7 8B 2E E9 D5 DA 1C 5D 6B 98 52 F6 24 From mech at eff.org Wed Mar 20 12:41:39 1996 From: mech at eff.org (Stanton McCandlish) Date: Wed, 20 Mar 96 12:41:39 PST Subject: The Leahy Crypto Bill is Rancid Sausage In-Reply-To: Message-ID: <199603202036.MAA26254@eff.org> Declan B. McCullagh typed: > > Excerpted from a message to fight-censorship. For the full thread, check out: > > http://fight-censorship.dementia.org/fight-censorship/dl?thread > =The+Leahy+Crypto+Bill+is+Rancid+Sausage&after=1795&type=short > > (On one line, of course.) > > -Declan > > > ---------- Forwarded message begins here ---------- > > From: Stanton McCandlish > Message-Id: <199603190315.TAA05777 at eff.org> > To: declan+ at CMU.EDU (Declan B. McCullagh) > Date: Mon, 18 Mar 1996 19:15:09 -0800 (PST) > Cc: fight-censorship+ at andrew.cmu.edu, junger at pdj2-ra.F-REMOTE.CWRU.Edu, > tcmay at got.net > > > [...] > > As our statement on the bill made clear, *EFF does not support the Leahy > bill*, nor do we endorse it, like it, find it useful or any other synonym. > We're happy to see the issues raise again, a la Cantwell, but we raised > specifically recommended simple and complete deregulation. As our > co-founder John Gilmore points out, the Leahy bill as written > pre-supposes Congressional authority to legislate in this are, and area > Executive authority to regulate under that legislation. These are notions > that we, and Phil Karn, are challenging in court with Constitutional > tests we are throwing at the ITAR export regs. > > [...] > > -- Stanton McCandlish
mech at eff.org

Electronic Frontier Foundation

Online Activist From mccoy at communities.com Wed Mar 20 12:51:26 1996 From: mccoy at communities.com (Jim McCoy) Date: Wed, 20 Mar 96 12:51:26 PST Subject: If you can't take the heat... (Was Re: Keep the pressure!) Message-ID: At 12:05 PM 3/20/96, Perry E. Metzger is rumored to have typed: > anonymous-remailer at shell.portal.com writes: > > Some people have wondered why I am anonymous and attack me. > > I am not ashamed of my views. > > Well, then you should be. > > > I write this thread anonymous as a form of protest. > > Why is it a form of protest? If you aren't ashamed, post it under your > name. What amuses me most about this series of rantings by whomever, other than the paranoid and baseless claims made by the anonymous poster, is the number of people who have been complaining about the author doing so anonymously through a remailer. The irony of such a situation is too rich to pass up. It seems that cypherpunks can dish it out when other newsgroups and mailing lists suffer such problems ("well, the remailers do nothing that telneting to port 25 cannot do..." or "internet identity is such a fiction anyway, get used to it" seem to be common responses), but when the cypherpunks lists is the victim of unpleasant anonymous messages we fall back to the tired refrain of "if you have nothing to hide why are you posting anonymously." How sad. So, why the hypocrisy here? If you don't want to be bothered by these messages there is a simple solution, use a mail agent that can filter out remailer postings and trash them. Of course this would also kill interesting messages from others who use remailers, but that's the price we pay for having remailers that do not support anonymous identity upon which reputation can be built. Oh yeah, I forgot...cypherpunks write code (snicker). So why not stop bitching and write a bit of code that provides for useful anonymous reputations and/or fix the glaringly obvious problems with current remailers. jim, who is sorry that he is not the one posting such trolls to the list just to make the puppets dance... From llurch at networking.stanford.edu Wed Mar 20 12:54:15 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 20 Mar 96 12:54:15 PST Subject: ANNOUNCE: Donut: Web Basic Interpreter. (fwd) Message-ID: I just received this as the moderator for comp.os.ms-windows.announce. Would that be "Donut" as in "big hole"? -rich ---------- Forwarded message ---------- Date: Wed, 20 Mar 1996 19:56:54 +0000 (GMT) From: Michael Burford To: comp-os-ms-windows-announce at cs.washington.edu Newgroups: comp.os.ms-windows.announce Subject: ANNOUNCE: Donut: Web Basic Interpreter. ----------------------------------------------------------------------------- Richland, WA. March 20, 1996. Battelle Memorial Institute today released Donut (1.00 Alpha 1), a Visual Basic form Interpreter for the Web. Donut is a program that allows a Visual Basic form file to be transmitted over the internet and viewed on a user's computer as a form. This form will then interact with the user and their web browser to send or request information just like a normal Visual Basic program. Donut does not require any Visual Basic files or DLLs in order to work. This will allow creation of web forms that give the author more control over exactly what the form will look like, allows interaction between the Donut applet and the user's browser, and allows processing of form information on the user's computer instead of on the server. And it allows you to use existing expertise with the very popular and common Visual Basic programming language to do so. Currently Donut is available for the Microsoft Windows operating system (Windows 3.x, Windows 95 or NT). It works with any Windows web browser that supports the standard interprocess (DDE) communication for web browsers. It has been tested and works with Netscape Navigator, Microsoft Internet Explorer, and several variations of Mosaic. Donut should be able to run most simple Visual Basic programs with few if any modifications. (Unlike VBScript where you must now cut and paste the source code into a HTML page.) Donut is available without charge to end users. For more information or to obtain Donut and development information: http://apc.pnl.gov:2080/donut/ Microsoft, Windows and Visual Basic are trademarks of Microsoft Corporation. All other trademarks are the property of their respective owners. ----------------------------------------------------------------------------- From bshantz at nwlink.com Wed Mar 20 13:10:40 1996 From: bshantz at nwlink.com (Brad Shantz) Date: Wed, 20 Mar 96 13:10:40 PST Subject: A MODEST PROPOSAL Message-ID: <199603202114.NAA25699@montana.nwlink.com> Sandy SandFort wrote: > A CYPHERPUNK CALL TO ARMS!!! > > (Did I get the style right?) C'punks, if you feels as I do, > please take a few moments to sign up for the LIST OF SHAME? > Let's show Bill, Bruce, Matt and all the others what most > Cypherpunks really think about them and Mr/Ms Anonymous. This effectively gets the right point across, but might turn Cypherpunks into a USENET newsgroup mass posting of "me too" sentiments. As I agree with Sandy on every point, I reluctantly choose to start.... "Please add me to your list of shame, Mr. Anonymous." Brad Shantz From tcmay at got.net Wed Mar 20 13:12:35 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 20 Mar 96 13:12:35 PST Subject: IPG and "Free Samples" Message-ID: At 7:42 PM 3/20/96, Michael Froomkin wrote: >correct me if I'm wrong, but don't the federal direct mail marketing laws >say that any unsolicited merchandise sent to a person becomes their >property, regardless of any disclaimers to the contrary included in the >package? The _physical_ item, e.g., a box of soap or a free copy of "Newsweek," but presumably not the _intellectual property_, e.g, the contents of "Newsweek." (Just because I get free samples of magazines does not mean I now can do with the contents whatever I wish, such as post them on the Net; copyright law is presumably involved.) This may be more analogous to what IDG has done. Disclaimers: IANAL, I am not defending IDG or their "broken in less than one day" tub of snake oil, nor am I defending copyright and direct mail marketing laws. And I might be wrong about the intellectual property issue, though I doubt it. Copyright laws are such that rights are not waived even if free samples are given out, and so forth. IDG can hardly claim their algorithm has trade secret status when they've distributed it to many people. Which leaves them with only trying to enforce copyright protections, a la the Church of Scientology. Maybe IDG will now seek to collect the only bucks they'll ever get by suing various Cypherpunks who are distributing their so-called system? Helena Kobrin can become their lawyer. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From bshantz at nwlink.com Wed Mar 20 13:15:54 1996 From: bshantz at nwlink.com (Brad Shantz) Date: Wed, 20 Mar 96 13:15:54 PST Subject: NT's C2 rating Message-ID: <199603202119.NAA26183@montana.nwlink.com> I have been working for some time on a project that involves doing proactive file authorization/authentication under Windows NT. In the process, I've been working on an extension to the Kernel layer of the operating system because we need to be able to catch read/writes to the disk. (All perfectly legal according to the DDK, just ot documented worth a damn.) All of this is designed to work directly with the functionality given to us by the NT-Security layer. Basically, I'm now questioning the C2 rating of Windows NT. The entire security layer is modular to the Kernel. As a modular driver, it can be removed, rewritten, and replaced. So, what makes it secure? What gives it the C2 Rating? How would one go about getting a C2 rating? Brad From peponmc at fe3.rust.net Wed Mar 20 13:22:53 1996 From: peponmc at fe3.rust.net (Michael Peponis) Date: Wed, 20 Mar 96 13:22:53 PST Subject: What's wrong with this picture?? Message-ID: <199603202122.QAA19225@Fe3.rust.net> ---------------------------------------------------------------------------- From: To: anonymous-remailer at shell.portal.com Copies to: cypherpunks at toad.com --------------------------------------------------------------------------- Look above, note the "To:" Field, hmmmm, the offending l party mailed a responce to an anon remailer. I have noticed a couple people do this latley. Please people - THINK, you have just proved beond a shadow of a doubt that you are crypto illiterate. The message is not sent back to the origional sender, it is either qued in the remailer's In basket, till the remailer administrator cleans it out, or it is trashed upon reciept since it does not have the required Request-Remailing-To: format. *sigh*, I will spare the offending parties the well deserved "Come back when you get a clue" flame. Regards, Michael Peponis PGP Key Avalible from MIT Key Server From jrochkin at cs.oberlin.edu Wed Mar 20 13:27:41 1996 From: jrochkin at cs.oberlin.edu (Jonathan Rochkind) Date: Wed, 20 Mar 96 13:27:41 PST Subject: The return of the IPG Unbreakable System (fwd) Message-ID: At 1:24 AM 03/20/96, IPG Sales wrote: >Perhaps a battle has been lost, maybe even probably? But the war is not >over, not by a long shot - with minor modifications this system is >absolutely secure as events will prove. However, be assured that we >will not sell our product to anyone until that can be definitively >established. We greatly appreciate the contribution of some of those on You used to claim "our system is absolutely safe, we're sure of it, but we can't tell you the algorithm cause it's secret." People said that was stupid, so you finally agreed to show people the algorithm (apparently sending it to them unsolicited, and then expecting them to be bound to some sort of non-disclosure agreement? You might want to hire a lawyer to familiarize you with how trade secrets work legally, cause they don't work like you think they work). The people you showed the algorithm to pointed out flaws in it. Now you say "Yeah, okay so there were flaws, but we'll fix them and then it will be perfect, except you can't see the code or algorithm cause it's secret." Sounds like we're back where we started, eh? No one was willing to trust the algorithm before without it being reviewed publically. No one will be willing to trust it now either, _especially_ after the previous concerns that the algorithm wasn't secure were _confirmed_. The cypherpunks list doesn't have to provide free cryptanalysis to you. I doubt anyone will want to waste their time looking at future iterations of your algorithm, if you deign to show it to them. The fact that people on the cypherpunks list don't want to waste their time doing free cryptanalysis for you doesn't mean that your code is secure, or endorsed by anyone. It means that even those who may have thought it possible that your algorithm was secure after all have given up on that thought, or at least decided that it's unlikely enough not to be worth much further consideration, at least until you start behaving reasonably. From declan at eff.org Wed Mar 20 13:37:17 1996 From: declan at eff.org (Declan McCullagh) Date: Wed, 20 Mar 96 13:37:17 PST Subject: CDA court challenge begins tomorrow Message-ID: Read on for more information on the details of the court challenge. I'm very happy to know that Donna Hoffman and Howard Rheingold will be testifying. They and other ACLU/CIEC witnesses and plaintiffs have been deposed by the DoJ over the last two weeks in Washington, DC. During the weeks separating the two sets of hearing dates, we will be deposing witnesses that the DoJ plans to call. I would expect those witnesses to dispute, among other things, the effectiveness of filtering software and other forms of indecency-blocking. -Declan // declan at eff.org // I do not represent the EFF // declan at well.com // March 20, 1996 _________________________________________________________________ News from the ACLU National Headquarters ACLU V. RENO: Background Briefing Three-Judge Panel to Hear ACLU Testimony in Landmark Challenge to Internet Censorship Law PHILADELPHIA, PA--Beginning tomorrow, a three-judge panel in federal district court in Philadelphia will hear testimony in the consolidated cases of ACLU et al v. Reno and American Library Association et al v. Reno, the landmark challenge to censorship provisions of the Telecommunications Law of 1996. Free speech in cyberspace is at stake as the first major legal challenge to censorship on the Internet gets underway. The case began when the ACLU filed a motion for a temporary restraining order against indecency provisions of the Telecommunications Bill immediately after it was signed into law by President Clinton on February 8. The suit challenges provisions of the law that criminalize making available to minors "indecent" or "patently offensive" speech. Acting on behalf of 20 individuals and organizations that provide information via the Internet -- including itself -- the ACLU said it was moving quickly because it feared that the telecommunications legislation would have an immediate impact on the Internet. Following this action, a second legal challenge was filed on February 26 by a coalition of more than 20 corporate and trade organizations known as the Citizens Internet Empowerment Coalition (CIEC). The CIEC suit, organized by the American Library Association, America Online and the Center for Democracy and Technology, was formally consolidated with ACLU v. Reno. The CIEC lawsuit, which addresses essentially the same issues as the ACLU challenge, further illustrates the broad spectrum of individuals and organizations that would be affected by the censorship provisions, and strengthens the case for a finding that the law is unconstitutional. The Court Case According to procedures laid out by the judges, direct testimony in ACLU v. Reno is to be submitted via affidavit. During the three days of testimony allowed, which will take place over March 21 and 22 and April 1, lawyers for the Department of Justice will cross-examine coalition witnesses, after which lawyers for the ACLU and ALA coalitions will have an opportunity to redirect, i.e., question their witnesses in response to the government's cross-examination. In preparation for the case, lawyers for the Department of Justice have been deposing all the ACLU and CIEC witnesses it may choose to cross-examine. So far, government lawyers have declined to cross- examine only two witnesses: Christine Soto and Hunter Allen, teenagers whose affidavits attest to the importance of uncensored access to the Internet by minors. The government is scheduled to present its witnesses for cross- examination on April 11 and 12, 1996. A fourth day of testimony has been scheduled for April 26, to allow the ACLU and ALA coalitions to present witnesses rebutting the government's testimony. Following these six days of trial, the judges will issue a ruling. Depending on the outcome, either side may seek an appeal to the U.S. Supreme Court. The Witnesses Thursday, March 21: --Scott O. Bradner, senior technical consultant, Information Technology Services, Harvard University (ALA) --Ann W. Duvall, president, SurfWatch Inc. (ALA) --Patricia Nell Warren, author and publisher, WildCat Press (ACLU) Friday, March 22 --Donna Hoffman, associate professor of management, Owen Graduate School of Management, Vanderbilt University (ACLU) --William Stayton, psychologist and Baptist minister (ACLU) --Robert B. Cronenberger, director, Carnegie Library of Pittsburgh Professor (ALA) --Kiyoshi Kuromiya, director, Critical Path AIDS Project (ACLU) Monday, April 1 --Howard Rheingold, author and cyberspace expert --Barry Steinhardt, associate director, ACLU --Stephen Donaldson, Stop Prisoner Rape (*Note: schedule is subject to change) Chronology February 7 -- At a news conference in Washington, D.C., the ACLU announces plans to seek a temporary restraining order against indecency provisions of the Telecommunications Bill immediately after it is signed into law by President Clinton on February 8. --The ACLU announces the launch of its new "Freedom Network" World Wide Web site, , with a home page declaring, "Keep Cyberspace Free." Over 200,000 hits are recorded in the first 48 hours of the launch. February 8 --The ACLU files its legal challenge in federal district court in Philadelphia before Judge Ronald L. Buckwalter. -- In the first court action over the constitutionality of the Communications Decency Act , Judge Buckwalter directs the government to refrain from prosecuting for so-called indecent or patently offensive material online until the motion for a TRO is decided. -- The judge instructs the government to file a reply brief to the ACLU's request for a TRO within one week. --Government lawyers conceded that the abortion speech restrictions of the CDA are unconstitutional. February 15 -- Judge Buckwalter grants a temporary restraining order on the indecency provisions of the Communications Decency Act, and denies the TRO motions on prosecution for "patently offensive material" and on the "Comstock Law" abortion speech provisions of the CDA. --A three-judge panel is convened to hear the case: Chief Judge Dolores K. Sloviter, Judge Stuart Dalzell, and Judge Ronald L. Buckwalter. February 21 --More than 5,000 visitors to the ACLU website use the "instant action" feature to e-mail or fax Attorney General Janet Reno, urging her not to prosecute under the new law. February 23 -- ACLU announces that government lawyers have agreed not to initiate investigations or prosecute Internet "indecency" until three-judge court rules on the case. --Hearing dates set for the case; the ACLU will present its evidence on March 21 and 22, with April 1 reserved. The government's dates are April 11 and 12, 1996. The total trial is scheduled to last five days. February 26 --More than 20 corporate and trade organizations, known as the Citizens Internet Empowerment Coalition (CIEC), initiate a second legal challenge to the Communications Decency Act. February 27 --The CIEC suit, organized by the American Library Association, America Online and the Center for Democracy and Technology, is formally consolidated with ACLU v. Reno. March 21 --Trial opens at 9:30 a.m. in the ceremonial courtroom in federal district court in Philadelphia. ### Contact: Emily Whitfield, (212) 944-9800 ext.426 _________________________________________________________________ Media Relations Office 132 W 43rd Street, NYC 10036 (212) 944-9800 ext. 414 From llurch at networking.stanford.edu Wed Mar 20 13:39:49 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 20 Mar 96 13:39:49 PST Subject: If you can't take the heat... (Was Re: Keep the pressure!) In-Reply-To: Message-ID: On Wed, 20 Mar 1996, Jim McCoy wrote: > What amuses me most about this series of rantings by whomever, other > than the paranoid and baseless claims made by the anonymous poster, > is the number of people who have been complaining about the author doing > so anonymously through a remailer. The irony of such a situation is > too rich to pass up. > > It seems that cypherpunks can dish it out when other newsgroups and > mailing lists suffer such problems ("well, the remailers do nothing > that telneting to port 25 cannot do..." or "internet identity is such > a fiction anyway, get used to it" seem to be common responses), but > when the cypherpunks lists is the victim of unpleasant anonymous messages > we fall back to the tired refrain of "if you have nothing to hide why > are you posting anonymously." How sad. > > So, why the hypocrisy here? I don't see this as hypocrisy. Hypocrisy would be trying to track the guy down, or turning off the remailer, or filtering anonymous rants at toad.com. I think it's completely legitimate, and healthy, to question why people go anonymous while supporting their right to do so. Sometimes anonymity is necessary, sometimes it's just for fun, sometimes its cowardice, sometimes it's deception. Your point about "stop whining and write code for anonymous reputations" is misplaced. Such code ALREADY EXISTS. There are lots of nyms out there with PGP keys. If you're already PGP-encrypting your message to send it to an anonymous remailer securely, it's really no more trouble to sign it with the key for Alice D'Anonymous. If you don't feel secure using PGP (and "the real Alice" did have some -- some -- valid points), then use a magic number or serialize your messages. It worked for the Unabomber. -rich From jf_avon at citenet.net Wed Mar 20 13:44:23 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Wed, 20 Mar 96 13:44:23 PST Subject: If I were the NSA... Message-ID: <9603202144.AB02917@cti02.citenet.net> If I were the NSA, I would start threads such as the one on the IPG system. They are very valuable to them in assessing and mapping the cryptanalysis capabilities of the CPunks lurkers and regulars members. Just a thought... JFA Public Key at http://w3.citenet.net/users/jf_avon Jean-Francois Avon 2048 bits key ID:C58ADD0D 1996/03/01 fingerprint=52 96 45 E8 20 5A 8A 5E F8 7C C8 6F AE FE F8 91 From declan+ at CMU.EDU Wed Mar 20 13:58:33 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Wed, 20 Mar 96 13:58:33 PST Subject: [NOISE] Re: Dorothy Denning attacks Leahy's crypto bill In-Reply-To: Message-ID: Since someone other than Jim Bell and THE LIST OF SHAME author thought I was being serious, I thought it wise to respond. The notion that a measure of criticism from a known enemy, Dorothy Denning, corrects the many problems with Leahy's legislation is absurd. As a case in point, remember that Rush Limbaugh, Catharine MacKinnon, and the radical religious right group American Family Association criticized the CDA. That does not make the CDA worth passing. (Of course Rush likes dirtysexycybertalk so he can pick up chicks online, and the AFA wanted not less, but _more_ liability for ISPs, but I trust my point is clear.) Speaking of the CDA, I'll be in Philadelphia tomorrow and Friday for the hearing. Any other cypherpunks planning to attend? -Declan Excerpts from internet.cypherpunks: 20-Mar-96 [NOISE] Re: Dorothy Denning.. by Alan Bostick at netcom.com > In article , > Declan McCullagh wrote: > > > I may have to adjust my position on Leahy's bill. Any legislation that > > Dorothy Denning attacks so virulently must be worth passing. > > That could be exactly what They want you to think! > > If They wanted us to overlook the actual flaws and trapdoors in Leahy's > bill, what better way than to have our knees jerk in support by arranging > for Denning's opposition? From raph at CS.Berkeley.EDU Tue Mar 19 22:09:55 1996 From: raph at CS.Berkeley.EDU (Raph Levien) Date: Wed, 20 Mar 1996 14:09:55 +0800 Subject: List of reliable remailers Message-ID: <199603181450.GAA09196@kiwi.cs.berkeley.edu> I operate a remailer pinging service which collects detailed information about remailer features and reliability. To use it, just finger remailer-list at kiwi.cs.berkeley.edu There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at: http://www.cs.berkeley.edu/~raph/remailer-list.html This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail. For more information, see: http://www.c2.org/~raph/premail.html For the PGP public keys of the remailers, finger pgpkeys at kiwi.cs.berkeley.edu This is the current info: REMAILER LIST This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu. $remailer{"extropia"} = " cpunk pgp special"; $remailer{"portal"} = " cpunk pgp hash"; $remailer{"alumni"} = " cpunk pgp hash"; $remailer{"bsu-cs"} = " cpunk hash ksub"; $remailer{"c2"} = " eric pgp hash reord"; $remailer{"penet"} = " penet post"; $remailer{"hacktic"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"flame"} = " cpunk mix pgp. hash latent cut post reord"; $remailer{"rahul"} = " cpunk pgp hash filter"; $remailer{"mix"} = " cpunk mix pgp hash latent cut ek ksub reord ?"; $remailer{"ford"} = " cpunk pgp hash ksub ek"; $remailer{"vishnu"} = " cpunk mix pgp hash latent cut ek ksub reord"; $remailer{"robo"} = " cpunk hash mix"; $remailer{"replay"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"spook"} = " cpunk mix pgp hash latent cut ek reord"; $remailer{"rmadillo"} = " mix cpunk pgp hash latent cut ek"; $remailer{"ecafe"} = " cpunk mix"; $remailer{"wmono"} = " cpunk mix pgp. hash latent cut"; $remailer{"shinobi"} = " cpunk mix hash latent cut ek reord"; $remailer{"amnesia"} = " cpunk mix pgp hash latent cut ksub"; $remailer{"gondolin"} = " cpunk mix pgp hash latent cut ek reord"; $remailer{"tjava"} = " cpunk mix pgp hash latent cut"; $remailer{"pamphlet"} = " cpunk pgp hash latent cut ?"; $remailer{'alpha'} = ' alpha pgp'; $remailer{'gondonym'} = ' alpha pgp'; $remailer{'nymrod'} = ' alpha pgp'; $remailer{"lead"} = " cpunk pgp hash latent cut ek"; $remailer{"treehole"} = " cpunk pgp hash latent cut ek"; $remailer{"nemesis"} = " cpunk pgp hash latent cut"; $remailer{"exon"} = " cpunk pgp hash latent cut ek"; $remailer{"vegas"} = " cpunk pgp hash latent cut"; $remailer{"haystack"} = " cpunk pgp hash latent cut ek"; $remailer{"ncognito"} = " mix cpunk latent"; catalyst at netcom.com is _not_ a remailer. lmccarth at ducie.cs.umass.edu is _not_ a remailer. usura at replay.com is _not_ a remailer. Groups of remailers sharing a machine or operator: (c2 robo alpha) (gondolin gondonym) (flame hacktic replay) (alumni portal) (vishnu spook wmono nymrod) Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too. Note: The remailer list now includes information for the alpha nymserver. Last update: Mon 18 Mar 96 6:46:10 PST remailer email address history latency uptime ----------------------------------------------------------------------- ecafe cpunk at remail.ecafe.org ##-++####### 3:40 100.00% alpha alias at alpha.c2.org ++++++++++++ 50:30 99.99% exon remailer at remailer.nl.com *-*++--++*** 18:54 99.99% portal hfinney at shell.portal.com ##-**#*#-**# 11:12 99.99% haystack haystack at holy.cow.net +#-+-**##**# 6:30 99.99% pamphlet pamphlet at idiom.com --+-------++ 5:49:56 99.98% nymrod nymrod at nym.alias.net **-++*****+* 8:47 99.98% flame remailer at flame.alias.net -----------+ 4:03:33 99.97% hacktic remailer at utopia.hacktic.nl **-++******* 13:46 99.97% replay remailer at replay.com **-++***+*** 10:42 99.97% mix mixmaster at remail.obscura.com . - *--...+- 21:59:57 99.97% c2 remail at c2.org -+*++++-++++ 44:35 99.96% tjava remailer at tjava.com ###++####### 1:08 99.96% vishnu mixmaster at vishnu.alias.net **--+*+*--++ 53:01 99.94% nemesis remailer at meaning.com -+-+ **+**** 36:11 99.86% gondolin mix at remail.gondolin.org .__.-----.- 9:38:20 99.66% gondonym alias at nym.gondolin.org .__.-----.. 9:42:41 99.63% extropia remail at extropia.wimsey.com .-.-+-+---- 11:49:50 99.57% shinobi remailer at shinobi.alias.net **#++##-+#++ 6:52 99.53% lead mix at zifi.genetics.utah.edu ++ ++ +*+++ 35:26 99.39% vegas remailer at vegas.gateway.com ** +-- * *** 15:07 99.36% alumni hal at alumni.caltech.edu ** ++# *-+## 1:34:05 98.76% amnesia amnesia at chardos.connix.com +--- 2:30:51 97.82% treehole remailer at mockingbird.alias.net ---- -++-+ 2:50:06 96.47% penet anon at anon.penet.fi _-._.. _.. 38:20:41 95.24% spook remailer at spook.alias.net **-+-**- + 46:36 93.05% ncognito ncognito at gate.net ##* 1:21 87.38% History key * # response in less than 5 minutes. * * response in less than 1 hour. * + response in less than 4 hours. * - response in less than 24 hours. * . response in more than 1 day. * _ response came back too late (more than 2 days). cpunk A major class of remailers. Supports Request-Remailing-To: field. eric A variant of the cpunk style. Uses Anon-Send-To: instead. penet The third class of remailers (at least for right now). Uses X-Anon-To: in the header. pgp Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID. hash Supports ## pasting, so anything can be put into the headers of outgoing messages. ksub Remailer always kills subject header, even in non-pgp mode. nsub Remailer always preserves subject header, even in pgp mode. latent Supports Matt Ghio's Latent-Time: option. cut Supports Matt Ghio's Cutmarks: option. post Post to Usenet using Post-To: or Anon-Post-To: header. ek Encrypt responses in reply blocks using Encrypt-Key: header. special Accepts only pgp encrypted messages. mix Can accept messages in Mixmaster format. reord Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself. mon Remailer has been known to monitor contents of private email. filter Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering. Raph Levien From gjeffers at ns.htc.net Tue Mar 19 22:18:00 1996 From: gjeffers at ns.htc.net (Gary Lee Jeffers) Date: Wed, 20 Mar 1996 14:18:00 +0800 Subject: No Subject Message-ID: <9603190813.AA31206@ns.htc.net> >From STRATEGIC INVESTMENT March 20, 1996 Strategic Investment 1217 St. Paul St. Baltimore, MD 21202 It is published monthly for US$159 per year for U.S. residents (C$190 for Canadian residents and US$200 for other non-U.S. residents). behind the lines - by Jack Wheeler Is the IRS a paper tiger? One definition of a pioneer is a guy with an arrow in his back. So notice the above headline is a question, not an assertion. But it is nonetheless a question being asked by a lot of folks these days, from Bill Archer, Chairman of House Ways & Means, to a number of smart tax attorneys. The federal tax code has mutated into this gigantically in- comprehensible Rube Goldberg monstrosity that day by day gets closer to collapsing under its own weight. Couple that with the fact that the IRS computer system is about to go belly up. The IRS originally computerized itself AD HOC, with the regional centers getting various platforms and software that can't communicate with each other very well. The agency has now spent over $8 billion on the TSM project to re-computerize, which an independent review recently concluded is a colossal failure. As the IRS teeters on the brink, a fellow named Eddie Kahn has stepped forward and may be about to push the whole creaking mess over the edge. He hasn't got an arrow in his back yet, so he might just succeed. Dis- dainful of "tax protests" such as 5th Amendment or legal tender arguments that quickly get their advocates behind bars, Eddie looked into the stru- ture of federal law. When Congress passes a law, codified as a statute, it then delegates to a regulatory agency the authority to issue the im- plementing regulations specifiying to whom and under what circumstances the statute applies. These regulations must, by law, be published in the Federal Register. Lacking these implementing regulations, the law cannot be applied and has no force. Well, it turns out that the implementing re- gulations for IRS' enforcement statutes-things like the requirement to file a tax return and the authority to place a lien-cannot be found in the Federal Register. When queried on this, the General Counsel for the Office of the Federal Register, Michael White, replied in writing, "Our records indicate that the Internal Revenue Service has not incorporated by reference in the Federal Register a requirement to make an income tax return." This is starting to get interesting, isn't it? And yes, I see that big smile on your face. If Eddie is right, the IRS has no assessment autho- rity, no collection athority to enforce a lien or seize property, no au- thority to pursue criminal penalties for failure to file a return or make a false/fraudulent return. I am not at all suggesting you be a pioneer. But if you should have any difficulty with the lovable folks at the IRS, you might consider making an appointment to see them in person at their nearest office, and tell them face to face that you need to see a copy of the implementing regs published in the Federal Register that show they have the authority to require you to do what they want. Not one of the close to a thousand people who, following Eddie's advice, have done so received a copy-and not one has been further harassed. Better to let these folks drop out of the system quietly than risk a negative decision in court, which would be for them an ultimate catastrophe. You can get more info from Eddie at: 1-800-419-7512. --------------------------------------------------------------------- PUSH EM BACK! PUSH EM BACK! WWWAAAYYY BBBAAACCCK! BBBEEEAAATTTT STATE! Gary Jeffers P.S. This reminds me of something else that I read a few months ago. There is a book with the title The Law that Never Was - the 16th Amendment (this was the title or close) that had a similar affect on the IRS. I believe it was the SPOTLIGHT that said that when the then Commissioner of the IRS found that the book was published, he gave gave instructions that people citing the book in arguments with the IRS be left alone. The 16th Amendment created the IRS.  From mixmaster at vishnu.alias.net Tue Mar 19 22:52:54 1996 From: mixmaster at vishnu.alias.net (Mr. Boffo) Date: Wed, 20 Mar 1996 14:52:54 +0800 Subject: No Subject Message-ID: <199603200345.VAA00644@vishnu.alias.net> ipgsales at cyberstation.net wrote: >Those of you who have had all of the materials will understand the >foregoing. With the information provided heretofore, you can determine >the effect on the other two systems. Also, those people will know my >expressed fear of a premature announcement, such as that which has >now been made, would have. This was the reason, that I resisted >so strongly the release of the materials to the C'punks list >though a few of you recommended that I do so. Perhaps we should have >released everything? Who knows. However, in any case, that is water >over the dam and IPG must go on from here. It is only another of the many >mistakes that we will undoubtedly make along the way. > >Having said that though, we must go back to our prior >evaluation method, a strict confidential mode. However, I believe that we >have added several very good additional people who can help to analyze >the system. English translation: We didn't want to release our algorithm because we were afraid somebody might find a weakness. Sure enough, somebody did. So I guess we're going to keep it a secret after all. Hey, kids, security through obscurity just doesn't work. From WlkngOwl at unix.asb.com Tue Mar 19 22:57:18 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Wed, 20 Mar 1996 14:57:18 +0800 Subject: Would the FTC crack down on snake oil someday? Message-ID: <199603200412.XAA11193@unix.asb.com> On 19 Mar 96 at 19:10, Bill Stewart wrote: > Sure, they'll be happy to, if we really want. The NSA will advise them > on what's good crypto, and what's snake-oil. Certainly any system that > didn't provide for back-up key access doesn't rate...... > > No, I didn't think you wanted that either.... Maybe the NSA will advise them, maybe not... since there is a conflict of interest (not unusual in regulatory circumstances, though). Then again, it would be awkward if the NSA hypothetically said product A is crap and product B is secure but non-NSA people said differently, esp. if the NSA wouldn't let product A be exported. They're a governmental organization, with all the flaws of any organization/bureaucracy, let alone the government. So yes, I've pondered them asking the NSA for advice... but keep in mind it puts the NSA in a double-bind, because they aren't the only experts, and because they'll look bad if they contradict themselves. They (FTC) might go by something different, though. If a company claims their product uses an "unbreakable cipher" when there are cracking programs (commercial or free) available, then obviously its false advertising. Indeed anything that advertises itself as "unbreakable" is a lie. There's also other consumer groups that are non-governmental, like Consumer Reports, PIRGs, and even various state and county consumer advoctates who won't tow the federal line (look at bovine growth hormone for one example... hm, maybe a bad parallel.) Part of it is a public learning curve. After a while more people (though not enough to eliminate snake oil's market) will recognize "PGP", "RSA", 'IDEA", "3DES" and other strong algorithms. (Ascom Tech could do themselves a nice turn by pushing for products with "IDEA Inside" type of messages...) Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From sinclai at ecf.toronto.edu Wed Mar 20 15:46:56 1996 From: sinclai at ecf.toronto.edu (SINCLAIR DOUGLAS N) Date: Wed, 20 Mar 96 15:46:56 PST Subject: Spare CFP '96 student reservation Message-ID: <96Mar20.184624edt.11077@cannon.ecf.toronto.edu> A friend of mine registered as a student for the CFP '96 conference next week, but is unable to go. Registration is transferable, so he can send another student in his place. If anyone is interested, please mail him (not me) at tew2 at cornell.edu. From vznuri at netcom.com Wed Mar 20 15:51:10 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Wed, 20 Mar 96 15:51:10 PST Subject: Mr Emmett Page, Asst. Sect. Defense, CCCI In-Reply-To: <960319215351_100022.3167_EHV88-1@CompuServe.COM> Message-ID: <199603202350.PAA24534@netcom16.netcom.com> Tim Fulbright <100022.3167 at compuserve.com> >I think you or someone here recently remarked the U.S.Government has the only >_real_ capability to wage world terrorism on the internet, and after I read >Frank Sowa's feb. Boardwatch article I'm beginning to wonder. I suppose >quoting the article at length will be at least as good as some of the other >traffic around here... just in case anybody missed it, Sowa reviewed 35 federal >reports, and quotes Page saying "As a result, we've had no choice but to create >an offensive capability in cyberspace. I can't discuss it ... However, you'd >feel good and feel safe and secure if you knew about it" (yeah, really) >Further, Sowa reports the Natl Defense U is forming an elite Information Corps, >'a F0rce whose scope is to fight the battles of "Information Warfare from the >Pentagon war room to the home PCs" according to DOD' (p90-92).... And further, >RAND corp is using an "all out cyberwar simulator at their research center in >Santa Monica" and... oh well, the whole article is just crammed with stuff! >Yikes! I would sure like to know what people think about it. thanks. there seems to be a lot of hyperventilating in the military arena about "information warfare" lately. I find it rather strange and incomprehensible. there are two chief areas that this frenzy seems to be in response to: 1. propaganda/espionage areas. 2. hacking. (i.e. breaking in, crashing, etc.) as for (1), I don't know what the fuss is about. what it suggests to me is that there are branches of government that take "psyops" (psychological operations) extremely seriously and are very intent on setting up camp in cyberspace & the internet, and have probably already done so. it is as if they are deathly terrified of the ability of individuals to communicate not only with other individuals but other masses through web pages and email. I find it quite frightening how many people in our government have the mindset that "free communication can be a very dangerous thing." personally I think an application for government should reject anyone that hasn't memorized the entire bill of rights.. but the recent Strassman & Marlow paper on remailers, which addressed (1), seemed a bit incomprehensible and bordered on unintelligible. they talked as if remailers are like weapons that can be fired on an enemy. (huh???) either they are deep into psyop or spook psychology, or they just don't "get it" that remailers are pretty harmless. I tend to believe it is a little of both. (2) is definitely something to take very seriously. if you want to learn about how/why infiltrating computers is incredibly appealing to many in the government, check out info on "danny casolaro" and Inslaw PROMIS software. the behind-the-scenes theme to a lot of this is that our massive cold war apparatus is bored and listless now that the Soviet bogeyman is gone and they are just moving into new territories to continue to suck up billions of dollars. but its awfully hard to read the various scrambled entrails that have been emerging such as the Leahy bill, Strassman & Marlow paper, etc. in relation to info warfare-- I tend to think some of it is just evidence that there are some amazingly addled people in our government. BTW I like "boardwatch" mag, read it regularly, and highly recommend it to anyone as one of the better & more quality cyberspace mags. try www.boardwatch.com. From vznuri at netcom.com Wed Mar 20 16:03:17 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Wed, 20 Mar 96 16:03:17 PST Subject: Microsoft's "answer" to Java In-Reply-To: <2.2.32.19960319222247.008b833c@mail.teleport.com> Message-ID: <199603210003.QAA25408@netcom16.netcom.com> AO on MS response to Java: >As a web developer, I have some problems with this scheme. Giving Microsoft >access to virtually every OLE control on the Web does not make me more >secure. Sounds like a way to rip off ideas from the rest of the development >world. If someone has a control that might compete with a Microsoft >product, it could be shelved and/or delayed for "further security testing". > >Java has a decentralized mechanism for security. No one group controls what >is a "certified" control and what is not. You write the code and compile it >and that is that. Furthermore, you are not stuck with Microsoft approved >platforms. (I wonder if there will ever be a version of Explorer for the Mac.) > >I expect the Microsoft plan to garner a bit of resistance from the Web >development community over this one... I think this is a very good example of why nobody should bemoan Java. when it was first introduced I heard a lot of grouching and sniping at this really outstanding software (that was admittedly overhyped). but look what we could have gotten as the first potential standard: the above system. MS was apparently caught completely off guard with Java. they had not a clue about what it was about, why it was important, and scrambled to deal with it. they have apparently only reluctantly licensed it as a temporary ploy. the above motions suggest they ultimately want to control this standard. all the MS responses to Java outside of licensing it appear to me to be pathetically missing the point. they don't seem to understand why Java is so important, namely its decentralized security model you refer to. you cannot create this by adding a few function calls on top of an already insecure language like Visual Basic. it has to be done incredibly carefully from the ground up as it was done with Java. I don't think people realize how carefully this language was constructed, it was developed extremely delicately in a way unlike many other languages. this is a real breakthrough in software that theoretically creates a "secure" programming environment, something that has been sought for decades and is now being delivered to the desktop due to some very hard work and visionary effort. I noticed that Denning, in her Leahy protest letter, referred to glowingly of this MS "endorsement" scheme. I have a very bad suspicion that MS is like a dog that rolls over whenever the NSA comes to visit them and tell them how to write their software (apparently this happens routinely). anyway, I totally agree with you that their centralized scheme is really horrible, and its inferiority and headaches are likely to be spotted and yowled about by many developers as you write. there is no probably no need to fear MS's schemes at the moment. as long as they have an inferior standard its not going to gain much attention or use and Java already has a very intense momentum going. just because MS does something in some area is not necessarily reason to take them seriously. they have had situations where they come out with stuff that never turns into anything and silently evaporates like all companies have. (far less than others, but nonetheless) one thing I just don't really understand about MS is their seeming drive to conquer every market. it seems that whenever a new software market emerges they feel they have to invade it and dominate it like pirates. this has a lot to do with the psychology of Bill Gates. the idea that "gosh, somebody else has already done that really well, and it would be awfully tought to beat them, let's not bother with that" seems to be lost in that environment completely. instead, it is, "oh no!! they are beating us!! we have to make a better widget or we'll all die!!" -- a good example of competition taken to extremely unhealthy extremes imho. I suspect like others that MS' glory days are receding and in fact all extremely large companies may undergo major shifts once our economy fully shifts into the information age. From 100022.3167 at compuserve.com Wed Mar 20 00:20:08 1996 From: 100022.3167 at compuserve.com (Tim Fulbright) Date: Wed, 20 Mar 1996 16:20:08 +0800 Subject: Mr Emmett Page, Asst. Sect. Defense, CCCI Message-ID: <960319215351_100022.3167_EHV88-1@CompuServe.COM> I think you or someone here recently remarked the U.S.Government has the only _real_ capability to wage world terrorism on the internet, and after I read Frank Sowa's feb. Boardwatch article I'm beginning to wonder. I suppose quoting the article at length will be at least as good as some of the other traffic around here... just in case anybody missed it, Sowa reviewed 35 federal reports, and quotes Page saying "As a result, we've had no choice but to create an offensive capability in cyberspace. I can't discuss it ... However, you'd feel good and feel safe and secure if you knew about it" (yeah, really) Further, Sowa reports the Natl Defense U is forming an elite Information Corps, 'a F0rce whose scope is to fight the battles of "Information Warfare from the Pentagon war room to the home PCs" according to DOD' (p90-92).... And further, RAND corp is using an "all out cyberwar simulator at their research center in Santa Monica" and... oh well, the whole article is just crammed with stuff! Yikes! I would sure like to know what people think about it. thanks. From cmca at alpha.c2.org Wed Mar 20 00:20:45 1996 From: cmca at alpha.c2.org (Chris McAuliffe) Date: Wed, 20 Mar 1996 16:20:45 +0800 Subject: IPG - newest release of the ABC Encryption Algorithms (fwd) In-Reply-To: <314F0DB1.61FE@tivoli.com> Message-ID: <199603200542.VAA01082@eternity.c2.org> -----BEGIN PGP SIGNED MESSAGE----- [To: Mike McNally ] [cc: cypherpunks at toad.com] [Subject: Re: IPG - newest release of the ABC Encryption Algorithms (fwd) ] [In-reply-to: Your message of Tue, 19 Mar 96 13:40:33 CST.] <314F0DB1.61FE at tivoli.com> Mike McNally Scribed: >John Pettitt wrote: >> /* the arrays b,c are filled in from tables of smallish primes supplied >> by IPG using 'random' numbers supplied by IPG to select the primes (and the >> order of same). since all the values are > 8 bits I've assumed a,b,c = int . >> a[] is filled with 13568 + an 8 bit 'random' number. (13568 = 0x3500 which >> gets ANDed with the seed value) >> */ >One tangerine-flavord Starburst to the first cypherpunk who can give >a rough estimate for the results of the sub-expression: > (random() & 0xff) & 0x3500 Well, actually, it depends on whether the bytes are treated as signed or unsigned, and we don't know for sure that IPG wanted them treated as unsigned. This means IPG either: a) can't write portable code, or b) really are as stupid as we are giving them credit for. (I'm miffed at being left out of the game... sniff...) Chris Chris McAuliffe (No, not that one.) -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMU86OoHskC9sh/+lAQExRQQAs97CBv/HdJwqarKVIZeVOr49xqLjeqbT RHaaFb1otqh0iH0twRcyqXoaDfTeSyZZZK/pPCWHqiWmPME8NoVzQY9hW86GxKKO 8bxfDjKL6VH2By08fpGxNqBVLUuqNX19rNpreZtcDTxU5ttD8Rz9vA/654opjPDt 2UToOsmNMcw= =t1pT -----END PGP SIGNATURE----- From m5 at tivoli.com Wed Mar 20 00:21:48 1996 From: m5 at tivoli.com (Mike McNally) Date: Wed, 20 Mar 1996 16:21:48 +0800 Subject: The return of the IPG Unbreakable System In-Reply-To: <199603191525.KAA05569@homeport.org> Message-ID: <314EE23B.36E3@tivoli.com> Adam Shostack wrote: > | Since a copy of the IPG system has apparently arrived unsolicited in my > | mailbox this morning... Me too. > I'd like to add my name to Roy's letter. Oh, uhh, yea; me too. (I've already sent in a comment concerning the bizarre process of ANDing 8-bit numbers with 0x3500, but that should be taken as nothing other than a casual result of my reading the mail; I've made no commitments or entered into any sort of contractual agreement.) > I strongly caution IPG against using my name in their > advertising. I am sure that a company with as much Internet savvy as IPG realizes the degree to which using inappropriate attributions like that could backfire, given the propensity of some netizens to defend their reputations through every technological and legal means at their disposal. ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * * suffering is optional From jpp at software.net Wed Mar 20 00:26:26 1996 From: jpp at software.net (John Pettitt) Date: Wed, 20 Mar 1996 16:26:26 +0800 Subject: IPG - newest release of the ABC Encryption Algorithms (fwd) Message-ID: <2.2.32.19960319175044.00c7bab8@mail.software.net> >IPG Sales wrote: >> Obviously, you meet our requirements for the release of the IPG ABC >> Encryption algorithms. We need no further information from you. though we >> would appreciate your telephone num and snail mail address. > At 08:01 AM 3/19/96 -0600, Mike McNally wrote in reply: >On the other hand, the "algorithm" as presented is so hopelessly >obfuscated by the strange terminology and loose descriptions used >to present it that there's no way I (or anybody else) could seriously >evaluate it. Either publish an algorithm in some accepted format >(a real C program, or even Knuth notation) or cut back your expectations >for public analysis. > IMPORTANT: I have nothing to do with IPG and I don't endorse their stuff, I got the same mail and produced the code below to help me figure out what they are doing. John Here is my take on a C version of their code - note that a[] b[] c[] and the initial d are filled in from the 'one time pad'. The size of a,b,c is not specified it could be 8 16 or 32 bits from the text ... However the initial values of a,b & c are set using 8 bits of the 'random' key. int a[64] /* Random & 0x3500 */ int b[64] /* Randomly selected primes */ int c[64] /* randomly selected primes*/ char d; /* random start value */ int i; /* the arrays b,c are filled in from tables of smallish primes supplied by IPG using 'random' numbers supplied by IPG to select the primes (and the order of same). since all the values are > 8 bits I've assumed a,b,c = int. a[] is filled with 13568 + an 8 bit 'random' number. (13568 = 0x3500 which gets ANDed with the seed value) */ while(1) { for(i=0; i<64;i++) { a[i] = (a[i] + b[i]) % c[i]; d = (d+a[i]) & 0xFF; /* output d as next byte in stream */ /* XOR with plaintext */ } } I would not trust it without spending more time than I have right now to look at it. It arrived with the following text: >The algorithms detailed below are copyrighted 1995 and 1996 by Internet >Privacy Guaranteed, Seymour, TX. All rights are reserved. You may not >provide them to any other party, or parties, by any means or >any media, without the expressed written permission of Internet Privacy >Guaranteed. I have not agreed to this, further I strongly suggest IPG add studying trade secret and copyright law to their todo list. I do not endorse the above code or algorithm and make no comment on it's strength or otherwise. From cmca at alpha.c2.org Wed Mar 20 00:42:29 1996 From: cmca at alpha.c2.org (Chris McAuliffe) Date: Wed, 20 Mar 1996 16:42:29 +0800 Subject: The return of the IPG Unbreakable System (fwd) In-Reply-To: Message-ID: <199603200621.WAA04585@eternity.c2.org> -----BEGIN PGP SIGNED MESSAGE----- [To: IPG Sales ] [Cc: cypherpunks at toad.com] [Subject: Re: The return of the IPG Unbreakable System (fwd) ] [In-reply-to: Your message of Tue, 19 Mar 96 19:24:42 CST.] IPG sales ranted: >Note: There was one error in the description, that is 13568 ANDed to the >8 bit random seed to get starting A values, it is not a C word AND but >the assembly langauge sequnce of moving successive AL values into AX, >where AH is fixed at 35, thus the effect is the same as an add, >(or a byte AND of the random charcter to a zero AL) - the result is >a number in the range of 13,568 to 13,823. Your world-beater algorithm is coded in 286 assembler??? Give up now. Your reputation capital has gone through 0 and is now negative, and I don't think the Universe can tolerate this situation. >Accordingly, this will be the last letter posted to the entire >cypherpunks list for the time being. If any reader posts something to the >entire Cypherpunks list, do not expect any response to from IPG, there >will be none. Yayyyy!!! Chris McAuliffe (No, not that one.) -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMU99ZoHskC9sh/+lAQFa7wQAt2s9yOknvE9nBk3agFlXJYGyTV2ZpZuf gxrOb35ZV03xZPhHWvqPPv3pFgDTC0O3FBW7IULrIcTpJzZ/ULNcOwpQMEhaRjVo JZ8dud3GUPKU3ses92pBK0MIA2ydDeayXGMXrlFAX3ebF+32VekYZzJzaOFz8KfY aX9bvGoQYqE= =tQdN -----END PGP SIGNATURE----- From unicorn at schloss.li Wed Mar 20 01:19:28 1996 From: unicorn at schloss.li (dirsec) Date: Wed, 20 Mar 1996 17:19:28 +0800 Subject: The return of the IPG Unbreakable System In-Reply-To: Message-ID: On Mon, 18 Mar 1996, IPG Sales wrote: > > Ladies and Gentlemen - > > For the last three plus weeks, some of the members of the C'Punks list > have had the IPG algorithms in their possesion. [...] Spelling and related errors: 14 Double Negatives: 8 Instances of forms of the word; simple: 10 unbreakable: 7 fast: 7 belief: 5 --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From merriman at arn.net Wed Mar 20 01:49:30 1996 From: merriman at arn.net (David K. Merriman) Date: Wed, 20 Mar 1996 17:49:30 +0800 Subject: The return of the IPG Unbreakable System (fwd) Message-ID: <2.2.32.19960319194333.00692c04@arn.net> -----BEGIN PGP SIGNED MESSAGE----- At 07:24 PM 03/19/96 -0600, you wrote: ... ... >Accordingly, this will be the last letter posted to the entire >cypherpunks list for the time being. If any reader posts something to the >entire Cypherpunks list, do not expect any response to from IPG, there >will be none. Thank you, thank you, thank you! (see? there *is* a God!) Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMU7xkcVrTvyYOzAZAQGCSAQAj3wI2g4R6W8/iEhRaYn1y3SwfhS5g2UT 0BpdsUqNbJXA3Qbj4OlrT2SSWp7Glm4uymlJVM1AjXo36Jjo3XTZilMeTaVed5DW idH8gfV/Wp6DJIPv3RqwtYysBur1pXgqmsEIEovIHhY7uP5yhW7JJL2NrZ/Dht4T 3DvZ/On3cdk= =+acg -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From jimbell at pacifier.com Wed Mar 20 02:23:49 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 20 Mar 1996 18:23:49 +0800 Subject: Dorothy Denning attacks Leahy's crypto bill Message-ID: At 09:45 PM 3/19/96 -0800, Declan McCullagh wrote: >I may have to adjust my position on Leahy's bill. Any legislation that >Dorothy Denning attacks so virulently must be worth passing. That position would be a serious mistake. Denning knows that she is a negative barometer: Her position will be looked on with contempt by most of us. That, ironically, makes her "useful" to the government should they want to sneak one past us. I think we've already established that this bill sucks, although it could become good with major repairs. Problem is, nothing that Denning wants to do to the bill constitutes an improvement, except not passing it in the first place! ----------------------------------------------------------------- > >Date: Tue, 19 Mar 96 14:53:35 EST >From: denning at cs.cosc.georgetown.edu (Dorothy Denning) >To: farber at central.cis.upenn.edu > March 14, 1996 > >The Honorable Patrick Leahy >United States Senate >Russell Building, Room 433 >1st and C Streets, NE >Washington, DC 20510 > >Dear Senator Leahy: > >As author, scholar, lecturer, researcher, and consultant to the >government and industry in cryptography and information security, I am >concerned that S.1587, the "Encrypted Communications Privacy Act of >1996," is not in balance with society's needs. By removing practically >all export controls on encryption, the bill will make it far easier for >criminals, terrorists, and foreign adversaries to obtain and use >encryption that is impenetrable by our government. "Far easier"? That's an odd statement, because the export of encryption is easy with or without restrictive laws. How much trouble is a "criminal or terrorist" going to risk by violating a few measly export laws? Besides, Denning hasn't established that encryption will be any better inside the country than without; this means that export controls will have no effect even in the most optimistic scenario. >The likely effect >will be to erode the ability of our law enforcement and intelligence >agencies to carry out their missions. Since when is this news? Freedom costs. But it also pays. > This is not consistent with your >own findings in the bill which recognize the need for a "national >encryption policy that advances the development of the national and >global information infrastructure, and preserves Americans' right to >privacy and the Nation's public safety and national security." > >I am concerned that the proposed legislation responds only to a loud >cry for assistance and is not the reasoned and practiced position of >our multinational corporations. Of what significance is the "practised position of our multinational corporations"? They'd sell us out if it preserved THEIR rights. I'm more concerned with the rights of the individual. > At the International Cryptography >Institute, which I chaired in September 1994 and 1995, our discussions >did not find that this unrestricted distribution of encryption >technology was required to satisfy business objectives. Notice that we've already established that this bill in no way produces an "unrestriction distribution of encryption technology." Wish it did, but it doesn't. [much Denning-crap deleted] >The Commerce/NSA study did acknowledge that the existence of foreign >products claiming strong encryption could have a negative effect on >U.S. competitiveness. However, by allowing encryption services to be >sold separately from the applications software that uses them, CAPIs >will make it extremely unlikely that general-purpose software will be >substantially effected by export controls. That's odd. Most people around here seem to be of the opposite opinion: CAPI's seem to be used by the government to justify controls even on software that has no encryption capability. Even security-specific >products, which are a growing industry, can use CAPIs to separate out >the encryption component from the main product (e.g., firewall). >Moreover, if keys can be held in other countries under appropriate >bilateral agreements as noted earlier, export controls need not >substantially impact encryption products. Notice that she seems to be making policy for the government, yet again. > >Export controls are often blamed for the lack of security in our public >infrastructure. The Commerce/NSA study found "little evidence that >U.S. export controls have had a negative effect on the availability of >products in the U.S. marketplace," although they "may have hindered >incorporation of strong encryption algorithms in some domestic >mass-market, general-purpose products." There are many factors which >have played an even larger role in the general lack of security we find >on the Internet: the high cost and low demand for security, the >difficulty of designing systems that are secure, pressure to bring new >products to market before their security implications are understood, >the willingness of users to take risks in favor of acquiring new tools >and services, and lack of a public key infrastructure to support >encryption on a national and international basis. Many systems are so >riddled with security holes that any would-be attacker can gain access >to the system itself, and from there access to plaintext data and >keys. Malicious code can be injected into a victim's system through >electronic mail, documents, images, and web browsers; once there, it >can transmit sensitive data back to its owner. Keyboard sniffers can >capture a user's keystrokes before they are ever encrypted. Thus, >while export controls have played a part in the slow integration of >strong encryption into software and systems, they are not responsible >for most of the security vulnerabilities we see today. Moreover, most >of these vulnerabilities are remedied with non-cryptographic controls >(e.g., process confinement, trusted systems engineering, biometrics, >and location-based authentication) or with cryptographic techniques for >authentication, data integrity, and non-repudiation, which are exempt >from State Department export controls. I do not mean to suggest that >encryption is not important. In fact, it is essential to protect >against certain threats. However, it must be kept in perspective. The >use of encryption for confidentiality protection is but one small, >albeit important, piece of an information security program. > >The provisions is S.1587 regarding trusted key holders could have the >benefit of increasing public trust in key holders. However, I have >some concern that the current provisions may be overly restrictive. >Thus far, we have practically no experience with the operation of third >party key holders and the circumstances under which they will be called >upon to provide keys or decryption assistance. It will be extremely >important that the provisions allow enough flexibility to accommodate >legitimate use of the data recovery services of key holders for >criminal investigations, civil litigation, and intelligence >operations. The liability risks to key holders should not be onerous. >The definition of key holder and exact wording in the bill may also >need some refinement in order to accommodate existing and proposed >methods of trusted third party encryption. > >Encryption policy is a difficult and often emotional issue. It's only emotional because of malicious and counter-productive efforts by government, and government suck-ups like Denning. It is >important that Congress work closely with the Administration, industry, >and other interested parties to develop the best legislative strategy >for promoting information security on the national and global >information infrastructure without diminishing the ability of our law >enforcement and intelligence agencies to protect the public safety and >national security. Export liberalization should proceed cautiously, >tied to key escrow or other methods that accommodate the needs of the >government as well as those of users and industry. The >Administration's plans to liberalize export controls on software key >escrow is a good next step. As trust and confidence in key escrow >grows, the export of virtually unlimited strength encryption systems >may be possible. Because export controls are our only lever for >controlling the spread of encryption, they should be used to their full >advantage. Decisions to liberalize these controls must be fully >informed by classified national security information as well as by >economic analysis and market studies. > >Law enforcement agencies are encountering encryption with ever greater >frequency. Excellent! It means they're being held back! > Within a few years, the successful execution of practically >all court-ordered intercepts and searches and seizures is likely to >depend on their ability to decrypt communications and stored >information. If the encryption cannot be broken, it could be >impossible to successfully investigate or prosecute those cases. Bullshit! [more Denning-shit deleted] >I will be pleased to meet with you and the committee for comment and >questioning, or to assist in any way I can with the development of a >balanced approach to encryption legislation. > >Yours respectfully, > >Dr. Dorothy E. Denning >Professor of Computer Sciences >Georgetown University >denning at cs.georgetown.edu >http://www.cosc.georgetown.edu/~denning I refuse to be used by Denning. If we make the mistake of supporting this bill merely because she claims to oppose it, we would merely be falling into her (and the government's) trap. From blake at bcdev.com Wed Mar 20 02:48:41 1996 From: blake at bcdev.com (Blake Coverett) Date: Wed, 20 Mar 1996 18:48:41 +0800 Subject: Microsoft's "answer" to Java Message-ID: <01BB160E.8178A020@gate.bcdev.com> -----BEGIN PGP SIGNED MESSAGE----- Commenting on a quote from a magazine about MS's new code-download/wintrust stuff Alan Olsen wrote: >As a web developer, I have some problems with this scheme. Giving Microsoft >access to virtually every OLE control on the Web does not make me more >secure. Sounds like a way to rip off ideas from the rest of the development >world. If someone has a control that might compete with a Microsoft >product, it could be shelved and/or delayed for "further security testing". I think you've been badly misled on this one. I've just been through all of the related specs from the MS INetSDK. While they are still incomplete in places, they look pretty workable to me. In particular the certainly don't suggest that MS would be involved in signing anything. To quote from the beta docs: The present tools therefore allow any user of this development release to authorize themselves as a "Software Publisher" for test purposes and to sign their code, allowing for extensive testing of the tools and code used but not actually providing a secure infrastructure. In future releases, the tools will require software publishers to obtain certificates from companies whose function is to verify the identity of the publishers, providing end-users with a high level of assurance about the authenticity and origin of code that they receive. >Java has a decentralized mechanism for security. No one group controls what >is a "certified" control and what is not. You write the code and compile it >and that is that. Furthermore, you are not stuck with Microsoft approved >platforms. (I wonder if there will ever be a version of Explorer for the Mac.) The current version (2.0) is already available on the Mac and the 3.0 alpha versions appear to be about equally buggy on both the Win32 and Mac platforms. (I haven't, on the other hand, heard any news of Unix versions. Perhaps Bristol and/or Mainsoft will cover that port.) ================ Here's my quick overview of the specifications in question for those interested. Microsoft is providing the following components: - - A generic trust management called (ever originally) WinTrust. WinTrust provides an API to ask whether a given subject is trusted to perform a specific action. The API is extensible in that multiple 'Trust Providers' can be installed and each can define the types of subjects and actions they manage. The docs define the role of a 'Trust Administrator' who can configure the rules used by the trust provider services be neglect the give the details. - - An implementation of a trust provider called the 'Windows Software Publishing Trust Provider' This provider supports subjects which are executable images and the action of 'being published software'. The decision to trust is based on a PKCS #7 embedded within the executable containing a signed digest from the author and a chain of X.507 certs back to some configurable set of CAs. If the executable is not verified the user is prompted with the offer to approve it manually. - - A set of developer tools for creating your certificate and signing executables. Note that the beta includes a hard-coded root CA key and all certs must trace back to it. The existing library for munging executable images has also been enhanced to support adding, removing, enumerating and retrieving certs from an image as well as reading the stream that should be included in digest calculations. - - A single function solution for browsers and other applications to download, verify, install, and create a class factory for an OLE object given an URL. In the web case the HTML tag is used to embed an OLE object in a page. The browser tries to create it based on the CLSID attribute (which contains a DCE-ish uuid.) If it fails it calls CoGetClassObjectFromURL() passing in the URL from the CODE attribute of the same tag. This function does all the magic including the WinTrust call from above. (Apparently there will also be support for an 'Internet Search Path' if the CODE attribute isn't specified.) Then of course there is the MS CryptoAPI but that's a discussion for another day. - -Blake (who hasn't worked for Microsoft for years now) -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv iQCVAwUBMU/Dirmr67p11D8rAQGHnQP/YI+EjCIcpBF3HQznruVBUkGsZls1ZVTf SRvPJN7n+HrtvQ4WFSyAawsPnhRH183GTrtWAy+yhmmuzA6/Br/+rNJ/q0jSIlZw w+RUsni9H9a7NsO1Y9xPQq//SHODYC0K+1vB6tU8XE56lZf9F0IZ4iP4El4PUWxD 7kXMboN1Nf0= =5eH2 -----END PGP SIGNATURE----- From karn at unix.ka9q.ampr.org Wed Mar 20 03:14:33 1996 From: karn at unix.ka9q.ampr.org (Phil Karn) Date: Wed, 20 Mar 1996 19:14:33 +0800 Subject: NSA denies our 3DES license application Message-ID: <199603190720.XAA00297@unix.ka9q.ampr.org> Last month, Qualcomm filed with the State Department an application to export my IP Security (ESP) code for KA9Q NOS to Singapore. Our stated purpose was to encrypt an Internet "tunnel" between Qualcomm's US facilities and our office in Singapore, which is staffed by two US citizens. We stated that the software would be used solely for this purpose and would not be transferred to anyone else. Our application indicated that the software in question supported both single and triple DES. On March 11, the Office of Defense Trade Controls returned our application stamped "RETURNED WITHOUT ACTION". The following form was attached: United States Department of State Bureau of Political-Military Affairs Office of Defense Trade Controls Washington, DC 20520-0602 MAR 11 1996 [stamped] IN REPLY REFER TO DTC CASE - 664149 The enclosed application has been voided and is being RETURNED WITHOUT ACTION for the reasons indicated below: _X_1. Submit a new application including all required background and documentation. Do not return the enclosed application. [25 other unchecked items omitted. These referred mainly to administrative problems like "you used the wrong form", "you didn't file enough copies of the supporting technical data", etc. _X_27. Please submit another license [sic] once your software has been modified so that it no longer contains triple DES. Please specify object code only on your license application. [signed] Darlene Staniszewski Licensing Officer (703) 875-5677 [end of form] So there you have it. NSA makes good on its threat to ANSI X9 that triple DES would not be exportable. This was a case where keeping strong crypto out of the hands of terrorists and unfriendly governments was clearly not at issue. It dealt strictly with the ability of a US corporation to defend its international operations against against industrial espionage. Or, perhaps more to the point, espionage by the NSA. Certainly seems like a good argument in favor of the Leahy bill to me. One mildly interesting thing about this form letter response is that item 27 appeared to be part of the standard form -- it wasn't typed into an "other" field of an existing form. Perhaps they added it to the word processing file for this one occasion. Or perhaps they deny triple DES exports so regularly that they now have a standard form item to deal with it. Phil Karn From jamesd at echeque.com Wed Mar 20 03:17:07 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Wed, 20 Mar 1996 19:17:07 +0800 Subject: monsters et al Message-ID: <199603190758.XAA16388@mail1.best.com> On Mon, 18 Mar 1996 jamesd at echeque.com wrote: > > Those who defend totalitarianism, regardless of the brand name of > > totalitarianism, simply lie. It is as uncomplicated as that. At 02:21 PM 3/18/96 -0800, Charles Bell wrote: > Not very good point. > > Monsters come in many hues and `totalitarianism' is rarely total. > Simplicity is in the mind of the beholder. George Bernard Shaw, leader of the Fabian socialists, visited the Soviet Union during Stalin's artificial famine and said "Where do you see any food shortage", gesturing around. He was sitting in a restaurant reserved exclusively for foreigners at the time, and there was indeed excellent and abundant food in the restaurant. Monsters, plain enough. Very simple. The complications only exist in the clouded minds of those who employ doublethink. Shaw also visited the Gulag, as did many famous English leftists: Here is his report on it: "Whereas in Britain a man enters prison a human being, and leaves prison a criminal type, in Russia he entered prison a criminal type and would come out an ordinary man but for the difficulty of inducing him to come out at all. As far as I could make out they could all stay as long as they liked. " >From which I reasonably conclude that if people like him gained power, they would murder everybody like me. I have heard many very similar tales from folk on Usenet concerning Cuba and the like. In addition to eradicating everyone like me, they would also eradicate their dupes, their useful fools, such as H.G. Wells, who wrote of Stalin: "[...] never met a man more candid, fair and honest, [...] no one is afraid of him and everybody trusts him. " Since they did not give H.G. Wells a tour of the Gulag, I guess they suspected that he might not have approved. Such a suspicion would doubtless have proved fatal had his pals amongst the Fabian socialists gained power. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jf_avon at citenet.net Wed Mar 20 03:21:22 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Wed, 20 Mar 1996 19:21:22 +0800 Subject: Free Flight Message-ID: <9603190721.AA11512@cti02.citenet.net> >The latest Wired and last week's news reports covered the FAA decision to >sloooowly move from the current Positive Control ATC system to one called >Free Flight in which aircraft pick there own routes and separation is >maintained by GPS, computers, and telecommunications. It's about time! JFA Public Key at http://w3.citenet.net/users/jf_avon Jean-Francois Avon 2048 bits key ID:C58ADD0D 1996/03/01 fingerprint=52 96 45 E8 20 5A 8A 5E F8 7C C8 6F AE FE F8 91 From merriman at arn.net Wed Mar 20 03:25:12 1996 From: merriman at arn.net (David K. Merriman) Date: Wed, 20 Mar 1996 19:25:12 +0800 Subject: DESCRIBE Message-ID: <2.2.32.19960318193329.00691228@arn.net> At 09:23 PM 03/18/95 -0800, you wrote: >undescribe cypherpunks at toad.com cyber at ronet.com.br > Well, we're not organized, for starters..... Dave Merriman------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From cmca at alpha.c2.org Wed Mar 20 03:34:17 1996 From: cmca at alpha.c2.org (Chris McAuliffe) Date: Wed, 20 Mar 1996 19:34:17 +0800 Subject: The return of the IPG Unbreakable System (fwd) In-Reply-To: <199603200620.WAA04433@eternity.c2.org> Message-ID: <199603200934.BAA11847@eternity.c2.org> -----BEGIN PGP SIGNED MESSAGE----- [To: cypherpunks at toad.com] [Subject: Re: The return of the IPG Unbreakable System (fwd) ] [In-reply-to: Your message of Tue, 19 Mar 96 22:20:07 PST.] <199603200620.WAA04433 at eternity.c2.org> >-----BEGIN PGP SIGNED MESSAGE----- I wrote once, I mean that I only once wrote: >[To: IPG Sales ] >[the rest deleted] Something at c2 must have burped. I definitely only sent it once. Anyway, sorry about that. I wonder if the same thing will happen to this? Chris McAuliffe (No, not that one.) -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMU/Ko4HskC9sh/+lAQGK+wP/UR7eANspnegDEW5Bfht3cERUXt4XeTIR LWN4Nv/6VoDaGPwLUDYL1BfHMIjO2tBnxP97UjnKP41c5uaqYEFc+z0LAx10G0WS GiwnuMzJH+437tZHapE7RjJjlVqUEZi9PFhyawoPaJty90yJ1ZNzP38wjMWVTwY3 w7uLmZ8f5bs= =VmM+ -----END PGP SIGNATURE----- From merriman at arn.net Wed Mar 20 03:50:52 1996 From: merriman at arn.net (David K. Merriman) Date: Wed, 20 Mar 1996 19:50:52 +0800 Subject: Win95 Remailer update Message-ID: <2.2.32.19960318113410.00679d98@arn.net> -----BEGIN PGP SIGNED MESSAGE----- I've generated a full installation package for RemailerBot, so that it now includes all required .DLLs, .OCXs, et al. Also includes the source code. It replaces the remailer.zip available through my web page. Simply unzip it to the directory of your choice, and run the setup132.exe file. Alternatively, you can use the MS expand utility to uncompress selective files. "We apologize for the inconvenience" Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMU0tz8VrTvyYOzAZAQGS7QQArcKCBJKrzv9X/qZTaGGoPb1/46LKCKfe hehMiGlc50llJ/J5EqH86CPsGhX2W3DgUE+G/IPG+hD7HLCMrc06dDcO5XkO1Y+9 FNhCkmeA/XhoiDF61cjZ8IWO5oZx0iKsHFBhd4WhkirVRyGREXnveQA0txZmH1JA shzfa1XwqHo= =3gkt -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From declan+ at CMU.EDU Wed Mar 20 03:53:13 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Wed, 20 Mar 1996 19:53:13 +0800 Subject: DEC_lan In-Reply-To: <199603181356.IAA09520@pipe1.nyc.pipeline.com> Message-ID: Excerpts from internet.cypherpunks: 18-Mar-96 DEC_lan by John Young at pipeline.com > NYT of 3-18-96 has front page story on Internet copyright > issues, featuring copywebbing terrorist Declan. Thanks -- I wasn't sure if the story ever was going to run, since Doreen interviewed me for it a month ago. In other news, a dozen volunteer net.translators are just about done with the English version of _Le Grand Secret_. I expect it'll appear on my web site when complete. -Declan From prz at acm.org Wed Mar 20 03:57:14 1996 From: prz at acm.org (Philip Zimmermann) Date: Wed, 20 Mar 1996 19:57:14 +0800 Subject: PGP and Human Rights Message-ID: <199603181901.TAA04161@maalox> Recently, I received the following letters by email from Central Europe. The letters provides food for thought in our public debates over the role of cryptography in the relationship between a government and its people. With the sender's permission, I am releasing the letters to the public, with the sender's name deleted, and some minor typos corrected. This material may be reposted, unmodified, to any other Usenet newsgroups that may be interested. -Philip Zimmermann Date: Sat, 09 Mar 1996 19:33:00 +0000 (GMT) >From: [name and email address deleted] Subject: Thanks from Central Europe To: Philip Zimmermann Dear Phil, This is a short note to say a very big thank you for all your work with PGP. We are part of a network of not-for-profit agencies, working among other things for human rights in the Balkans. Our various offices have been raided by various police forces looking for evidence of spying or subversive activities. Our mail has been regularly tampered with and our office in Romania has a constant wiretap. Last year in Zagreb, the security police raided our office and confiscated our computers in the hope of retrieving information about the identity of people who had complained about their activites. In every instance PGP has allowed us to communicate and protect our files from any attempt to gain access to our material as we PKZIP all our files and then use PGP's conventional encryption facility to protect all sensitive files. Without PGP we would not be able to function and protect our client group. Thanks to PGP I can sleep at night knowing that no amount of prying will compromise our clients. I have even had 13 days in prison for not revealing our PGP pass phrases, but it was a very small price to pay for protecting our clients. I have always meant to write and thank you, and now I am finally doing it. PGP has a value beyond all words and my personal gratitude to you is immense. Your work protects the innocent and the weak, and as such promotes peace and justice, quite frankly you deserve the biggest medal that can be found. Please be encouraged that PGP is a considerable benefit people in need, and your work is appreciated. Could you please tell us where in Europe we can find someone who can tell us more about using PGP and upgrades etc. If you can't tell us these details because of the export restriction thing, can you point us at someone who could tell us something without compromising you. Many thanks. --- [ I sent him a response and asked him if I could disclose his inspiring letter to the press, and also possibly use it in our ongoing legislative debates regarding cryptography if the opportunity arises to make arguments in front of a Congressional committee. I also asked him to supply some real examples of how PGP is used to protect human rights. He wrote back that I can use his letters if I delete his organization's name "to protect the innocent". Then he sent me the following letter. --PRZ ] Date: Mon, 18 Mar 1996 15:32:00 +0000 (GMT) >From: [name and email address deleted] Subject: More News from [Central Europe] To: Philip Zimmermann Dear Phil, I have been thinking of specific events that might be of use to your Congressional presentation. I am concerned that our brushes with Governments might be double-edged in that Congress might not like the idea of Human Rights groups avoiding Police investigation, even if such investigations violated Human Rights. However we have one case where you could highlight the value of PGP to "Good" citizens, we were working with a young woman who was being pursued by Islamic extremists. She was an ethnic Muslim from Albania who had converted to Christianity and as a result had been attacked, raped and threatened persistently with further attack. We were helping to protect her from further attack by hiding her in Hungary, and eventually we helped her travel to Holland, while in Holland she sought asylum, which was granted after the Dutch Government acknowledged that she was directly threatened with rape, harrassment and even death should her whereabouts be known to her persecutors. Two weeks before she was granted asylum, two armed men raided our office in Hungary looking for her, they tried to bring up files on our computers but were prevented from accessing her files by PGP. They took copies of the files that they believed related to her, so any simple password or ordinary encryption would eventually have been overcome. They were prepared to take the whole computer if necessary so the only real line of defence was PGP. Thanks to PGP her whereabouts and her life were protected. This incident and the young woman's circumstances are well documented. We have also had other incidents where PGP protected files and so protected innocent people. If the US confirms the dubious precedent of denying privacy in a cavalier fashion by trying to deny people PGP , it will be used as a standard by which others will then engineer the outlawing of any privacy. Partial privacy is no privacy. Our privacy should not be by the grace and favour of any Government. Mediums that ensured privacy in the past have been compromised by advances in technology, so it is only fair that they should be replaced by other secure methods of protecting our thoughts and ideas, as well as information. I wish you well with your hearing. Yours most sincerely [name deleted] --- [end of quoted material] ------------------------------------------------------------------ From anonymous-remailer at shell.portal.com Wed Mar 20 04:05:02 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Wed, 20 Mar 1996 20:05:02 +0800 Subject: Keep the pressure! Cryptographers Against Cryptography EXPOSED! Message-ID: <199603201013.CAA08914@jobe.shell.portal.com> Some people have wondered why I am anonymous and attack me. I am not ashamed of my views. I write this thread anonymous as a form of protest. The 10 PEOPLE on the LIST OF SHAME have their shields. The whole government will come to their aid in helping them spread their lie and is behind them. I have an acount and post regularly under my real name. I am not ashamed of my views. I am proud of them. I write this anonyously as a form of protest because they have there shield and we have our remailers. I WANT TO KEEP IT THAT WAY! THEY MUST NOT BE ALOWED TO TAKE OUR SHIELD AWAY. BOYCOTT THE SELLOUTS AND DO WHAT YOU HAVE TO DO From gnu at toad.com Wed Mar 20 04:10:10 1996 From: gnu at toad.com (John Gilmore) Date: Wed, 20 Mar 1996 20:10:10 +0800 Subject: First encrypted online backup service? Message-ID: <9603201027.AA18962@toad.com> Actually it looks like they're set up for modem access, but I presume that if there's any serious demand they'd do it over the Internet. Of course, Would You Trust Your Backups To This Man? If the random key generated for it was later found to be not random enough, or if any of a dozen other bugs or breakthroughs make the encryption penetrable, would you want to have transmitted every bit of data in your computer, to a site you don't know very well, and to all interested eavesdroppers? Using proprietary and unverified software? Or even using free software? Maybe some reliable cypherpunk should run such a service. Examine what comes through and gets written on tape. Superencipher it yourself before writing it on tape, and keep your own keys securely; maybe with a secret sharing scheme, and a tree of keys that requires going offline to other backup tapes to recover the key for a particular backup tape. And as you look at your customers' data, remember Robert Morris's #1 piece of advice to cryptanalysts: "Look for plaintext". It shows up in the darnedest places where it shouldn't. A c'punk backup service would warn you if you tried to push plaintext into it. Though it'd store it for you regardless: the customer might care a lot more about being able to retain a copy of their data than they care about whether anyone else could see it. I hope they find a market and some workable solutions to these issues. It'd be nice to have automatic backups of my data kept securely in a few spots around the globe for some reasonable price. John Gilmore Forwarded-by: Stanton McCandlish From: Alan Brown Newsgroups: comp.org.eff.news Subject: Protect your computer data with remote tape backup. Date: 13 Mar 1996 01:37:12 GMT Organization: National Computer Company Message-ID: <4i58s8$r65 at news.usaor.net> X-Mailer: Mozilla 1.1 (Windows; U; 16bit) Content-Transfer-Encoding: quoted-printable FACT In the Next 3 Months Another 30 Million Computers Will Crash and Lose Data ***************** This Year Alone Over $1 Billion Worth Of Computers Will Be Stolen ********** Each Month 10 Million In-House Accidents, Operator Error, Viruses & Equipment Failure Will Cause Loss Of Data ***************** With National Computer & Data Back-up Company=92s technology we can safel= y,=20 confidentially and automatically encrypt your data, download to our=20 server and store in our offsite water and fireproof vaults. Our proprietary software is loaded on your computer and at a time that=20 you select, normally after business hours, your computer will=20 automatically call our server, compress and encrypt your files and=20 download the days work. We then download your files to tape and store in=20 our vaults in case of future need. Your files are encrypted and only you=20 have the password so noone but you can see your data. It is quick, safe,=20 reliable and you don=92t have the time consuming chore of doing backups.=20 For those outside the 412 area code we have an 800# for you to use to do=20 your backups so you won=92t have a toll charge. Let us help you For As Little As $2.00 Per Day FOR MORE INFO EMAIL US AT abrown at usaor.net OR CALL US TODAY 412-934-0912 From anonymous-remailer at shell.portal.com Wed Mar 20 04:12:41 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Wed, 20 Mar 1996 20:12:41 +0800 Subject: Keep the pressure! Cryptographers Against Cryptography EXPOSED! Message-ID: <199603201016.CAA09094@jobe.shell.portal.com> This is the third in a regular series of postings to expose the lie that has become of the Leahy bill. I am proud to report that the majority of us have the good sense to see this for what it is but a few cypherpunks continue to lie to us and have not recanted. It is too late to toss this up as a mistake in judgement. We tried to educate these people on the error of their ways but they persist in spreading the lie that the Leahy bill is good for us. We tried to give them the benefit of the dout, but isn't it funny that when presented with the facts NOT ONE OF THESE ""SCIENTISTS"" has admited to his CLEAR MISTAKE. No, they continue spreading the same lie lie lie that the LEAHEY BILL WILL SOMEHOW HELP US. THEY MUST BE STOPPED. We can be fortunate that their number is small. At least the ones we know about. Only three more since the last report. But even one is too many. These people have alot to answer for. Ask them who they work for and who signs there checks. Ask them why they lie. Ask them why they are afraid of your right to privacy. (of course we know why) Show them HOW WE FEEL. Let them serve as examples too others if they are too cowardly to serve as beacons for truth. THE LIST OF SHAME: B. Schneier: bs208 at newton.cam.ac.uk, schneier at counterpane.com M. Blaze: mab at crypto.com, mab at research.att.com J. Bizdos: jim at rsa.com S. Safaddar: shabbir at vtw.org D. Weinstein: djw at vplus.com P.. Peterson: padgett at hobbes.orl.mmc.com B. Stewart: stewarts at ix.netcom.com B. Unicorn: unicorn at schloss.li P. Karn: karn at unix.ka9q.ampr.org D. McCullagh: declan at well.com BOYCOTT APPLIED CRYPTOGRAPHY, AT&T, VTW, and RSA!!!! THE LEAHY BILL IS 100% PART OF THE PLAN TO KILL FREE CRYPTO. YOU DON'T NEED EXPERTS TO THINK FOR YOU! REMEMBER RICO AND WORLD GOVERNMENT! From unicorn at schloss.li Wed Mar 20 04:45:23 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 20 Mar 1996 20:45:23 +0800 Subject: Keep the pressure! Cryptographers Against Cryptography EXPOSED! (fwd) Message-ID: On Wed, 20 Mar 1996 anonymous-remailer at shell.portal.com wrote: > These people have alot to answer for. Ask them who they work for > and who signs there checks. Ask them why they lie. Ask them why > they are afraid of your right to privacy. (of course we know why) > Show them HOW WE FEEL. Let them serve as examples too others if > they are too cowardly to serve as beacons for truth. > > THE LIST OF SHAME: > B. Schneier: bs208 at newton.cam.ac.uk, schneier at counterpane.com > M. Blaze: mab at crypto.com, mab at research.att.com > J. Bizdos: jim at rsa.com > S. Safaddar: shabbir at vtw.org > D. Weinstein: djw at vplus.com > P.. Peterson: padgett at hobbes.orl.mmc.com > B. Stewart: stewarts at ix.netcom.com > B. Unicorn: unicorn at schloss.li WOO HOO! Took long enough. > P. Karn: karn at unix.ka9q.ampr.org > D. McCullagh: declan at well.com > These people have alot to answer for. Ask them who they work for The Executive Office on National Security in the Department of Justice. Fred Baron is my boss. > and who signs there checks. All DOJ paychecks are government paychecks. Duh. > Ask them why they lie. Because we know we can kill crypto for good if only we can keep you fools disorganized for a few more months. Just... a... few... more.... > Ask them why they are afraid of your right to privacy. How the hell am I going to get my paycheck if we can't tax you? --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From nobody at REPLAY.COM Wed Mar 20 09:38:13 1996 From: nobody at REPLAY.COM (Anonymous) Date: Thu, 21 Mar 1996 01:38:13 +0800 Subject: No Subject Message-ID: <199603182057.VAA11926@utopia.hacktic.nl> -----BEGIN PGP SIGNED MESSAGE----- This came from Dave^H^H^H^HAnonymous in the context of that highly entertaining rec.music.white-power hullabaloo. What he was thinking cross-posting to alt.politics.white-power, I can't imagine. The References: and Reply-To: headers are hilarious. - -L. Detweiler alias Rich Graves FUCKING STATIST http://www.c2.org/~rich/ From: nobody at REPLAY.COM (Anonymous) Newsgroups: news.groups,alt.politics.white-power,alt.2600 Subject: L. Detweilers's Back!!! New nym: rich at c2.org (Rich Graves) Date: 16 Mar 1996 15:29:18 +0100 Sender: replay at utopia.hacktic.nl Message-ID: <4iej7u$r6 at utopia.hacktic.nl> References: lying asshole Reply-To: L. Detweiler NNTP-Posting-Host: utopia.hacktic.nl Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 194 XComm: Replay may or may not approve of the content of this posting XComm: Report misuse of this automated service to Xref: nntp.Stanford.EDU alt.2600:179080 news.groups:126480 Give it up, "L" We've got the glass on you -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMU3MjI3DXUbM57SdAQFBKwP9HCsustLeJGLqTzt9WCh2DM9/znj+Xl0E aaidu28dpuhxdju/6phZ0uEHHXC/fUomH/dY5AXu3IaW68N6nLAXAl1TwJvd/dAh JIjmchQpDptmH2039pFn0I/xTKO0nqqK/tMNYHC3v9HTwRxlR2nGUxh/vAUAKObf tWbITC1fNPY= =5/VC -----END PGP SIGNATURE----- From JR at ns.cnb.uam.es Wed Mar 20 09:39:06 1996 From: JR at ns.cnb.uam.es (JR at ns.cnb.uam.es) Date: Thu, 21 Mar 1996 01:39:06 +0800 Subject: Keep the pressure! Cryptographers Against Cryptography EXPOSED! Message-ID: <960320180034.2040307c@ROCK.CNB.UAM.ES> >Some people have wondered why I am anonymous and attack me. >I am not ashamed of my views. I write this thread anonymous >as a form of protest. > >The 10 PEOPLE on the LIST OF SHAME have their shields. The whole >government will come to their aid in helping them spread their >lie and is behind them. > Have you considered visiting your GP or a psychiatrist? No, seriously, that paranoia of yours may get worst and now it may still be time to cure it. You better go now before it gets worst and you end killing a President or something similar. Or at least, use your scarce brains to think a bit (not much needed) to realize that even if these people were of such conspiratorial taste they do have the same right to express their opinions and wants as you do. >I have an acount and post regularly under my real name. I am not >ashamed of my views. I am proud of them. > Oh, I see, that's why you keep using an anonymous remailer. >I write this anonyously as a form of protest because they have >there shield and we have our remailers. I WANT TO KEEP IT THAT WAY! >THEY MUST NOT BE ALOWED TO TAKE OUR SHIELD AWAY. > ^^^� YOUR and who else? Aren't you generalizing a bit? And BTW denying others any right to express themselves? Aren't you stablishing as "me/us" vs. "THEM" where you mistify that "THEM"? Shouldn't you consider if you're not going too far and really need medical assistance? >BOYCOTT THE SELLOUTS >AND >DO WHAT YOU HAVE TO DO > Boyz, do you consider the above concerns too. Before attempting to follow advice of a possibly paranoid, ill, mental patient, consider seriously if you are not really hurting yourselves. The latest thing a cypherpunk should do is enjoin conspiratorial dementia and begin pursuing the very people that is actually supporting cryptography, developing the crypto field and fighting for crypto rights. As he says, "do what you have to": ponder seriously the problem and don't let anyone tell you what to do. Least of all "anonymous" fundamentalists. jr From Robb at SpeakOut.org Wed Mar 20 09:39:20 1996 From: Robb at SpeakOut.org (Robb Hill) Date: Thu, 21 Mar 1996 01:39:20 +0800 Subject: No Subject Message-ID: Does anyone know of a Visual Basic/Quick Basic implementation of the Unix Crypt(3) function used to hash passwords. I have not found any crypto source code in VB. Your help in this search is greatly appreciated. If you would like E-Mail me direcly , Robb at Speakout.org. Many Thanks, Robb Hill From cpunk at remail.ecafe.org Wed Mar 20 11:09:14 1996 From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer) Date: Thu, 21 Mar 1996 03:09:14 +0800 Subject: IPG message Message-ID: <199603200258.CAA11403@pangaea.hypereality.co.uk> could some kind person that got IPGs' many time pad thing post it somewhere so people that never got a copy can see it???????? thanks. From jpp at software.net Wed Mar 20 11:14:56 1996 From: jpp at software.net (John Pettitt) Date: Thu, 21 Mar 1996 03:14:56 +0800 Subject: IPG message Message-ID: <2.2.32.19960320161456.012102e0@mail.software.net> At 02:58 AM 3/20/96 GMT, ECafe Anonymous Remailer wrote: >could some kind person that got IPGs' many time pad thing post it >somewhere so people that never got a copy can see it???????? > > > >thanks. > > > > > > > IPG wrote: Obviously, you meet our requirementsfor the release of the IPG ABC Encryption algorithms. We need no further information from you. though we would appreciate your telephone num and snail mail address. The algorithms detailed below are copyrighted 1995 and 1996 by Internet Privacy Guaranteed, Seymour, TX. All rights are reserved. You may not provide them to any other party, or parties, by any means or any media, without the expressed written permission of Internet Privacy Guaranteed. What is specially claimed as copyrighted and or patentable are: 1. The use of the word Ultima for the system, because it is impossible to have a either a more secure system - it is impossible to break the Ultima system, other equally difficult to break systems may exist, or may be formulated in the future, for example a true OTP, and in those cases, they may "theoretically" be more difficult to break than the IPG Ultima System, for example a true OTP. However, that would exist only in theory, because in those eventiualities, none of the systems would be breakable. Furthermore as to speed, Ultima, or simple variations, XOR, OR, or AND, instead of the Add or Subtract, is the fastest possible algorithm which will produce an unbreakable encryption system, without having a single OTP byte for each byte of plain text to be encrypted, as in an OTP. However, with the IPG system, we can obtain the same speed, or theoretically faster speeds than a pure OTP, with some very simple parrallelism - and that begs how you get humoungous OTPs to use, both in terms of generating them and getting them into a stream to be XORed against the plain text. That FACT, that the IPG algorithms are the fastest possible encryption system which will become evident when you examine the algorithms in detail. Thus it is impossible to produce a better system, in terms of either security or speed, thus we call our system Ultima, the ultimate. 2. The use of the term ABC Encryption algorithm that at once describes the basics of the system and its simplicity as will quickly become evident. 3. The use of a hardware generated OTP, which serves as a purely random seed, for the system to be described. 4. The use of a table of prime numbers, any number of which is greater than 3, from which random selections are made to be used in the algorithms to be described. The prime numbers for the system described have been selected for a specific hardware, namely the IBM PC clone, market. With other 16 bit, 32 bit, or 64 bit hardware, other prime numbers could be used to provide immediate results just as in the system to be described. The use of larger numbers, the use of larger adders, or logic gating systems, is self evident in the copyrights/patents. 5. The use of a random 8 bit seed for the dynamic vaiable that links the sets of equations into one system. This variable, D, for dynamic is the real key that distinguishes our system from any other system - excepting hardware implemented systems that use extremely large numbers, and or possible partitions, that encompass possible meaningful message lengths. Such systems, are self evident extensions of the simple IPG system. 6. The use of partitions within one OTP, pure random seed, PRNG stream - either by using parts of the random seeds, or more likely by using fixed intervals within the PRNG stream, for example, arbitrarily say every 100 gigabytes, or 100 terabytes for that matter. Using this technique, one random seed can be used for any abritrary period of time, one message, 10 messages, one day, one week, one year, one century, one millenium or whatever. The use of multiple Ds, in linear partitions, that is within one otp every terabyte fior example, is a self evident extension of the IPG system. 7. The use of a simple serial hardware implementation of the IPG system is self evident, and produces impressive speeds, mutiple megabyte per second, dependent of course on hardware speeds. 8. The use of a very simple single level of parallelism in hardware implementation, where the ABCs are computed in parrallel, and the D is passed along, is a simple self evident extension of the system and will allow a throughput of over 100 megabytes per second, on state of the sart hardware. 9. The use of a three dimensional parallel system, where the PRG stream is chopped up into several partitions, say every terabyte, and then each module proceeds as in paragraph 8, just above, is a simple extension of the basic IPG system, a would enable a system to operate at any conceivable line speed. 10. The changing of the number of equations, modules, prime number values, length of prime numbers, or length of random sample, probe values, or the other algorithmic values does not change the basic algorithm. It is the same algorithm with different values. With the previously detailed claims relating to the copyrightable and patentable features of the IPG algorithm system, IPG prersents the the Ultima Algorithms. - the ABC Encryption system. Given: 1. A 1792 BIT OTP, RANDOM SEED, generated from a hardware source. 2. A Table of 319 Prime Numbers in the range of 6,667 to 11,997, out of the 580+ available, the 384 selected for dynamic variance, the table is called BPRIMES. 3. A Table of 319 prime numbers in the range of 14,007 to 19,997, out of the 800+ available, the 384 selected for dynamic variance, the table is called CPRIMES The 1792 bits of OTP, Random Seed, are allocated as follows. 1. 512 bits for the 64 probes, for 64 C vales 2. 512 bits for the 64 probes, for 64 B values 3. 512 bits for the 64 starting A values 4. 8 bits for the initial ID value. Those 1544 bits are the actual random seed used for generating the PRNG stream, if you insist on calling it that. In addition, there are 248 bits used as follows. 5. 128 bits for the offset, partition, if applicable into the PRNG stream. Actually they are used to encrypt the actual underlying value of the partition, if any - note - in this case the mode is actually a true OTP, the first time only ot really does not help to know the offset unless you know the OTP, Random Seed. 6. 72 bits for uniquely identifying the OTP being used. 7. 48 bits as spares temporarily - can be used as different D values for partitions. If more As, Bs, Cs, are needed the random seed, OTP, can be expanded as necessary. Unlike RSA, there is no practical limit - I am actually sending you 1792 BYTE Random seeds, so that you can test other variations if you like, or use each of them, there are 32 of them in all, as 8 random seeds for the 1792 bit algorithm. 8 bit random starting A values are sufficient because we are only talking about the effect on the low order 8 bits in our PRNG stream. We actually AND these values with the constant 13,568 to give us a start that will intially have a dynamic effect on the A, B, and C values, that is the smallest possible B+13568, exceeds that largest possible C value. This selection process of course makes the A, B and C values random, 8 bits, as well as the initial ID value - the random range of each set is 2 to 32 but as you will see they are interlimked with the Dynamic variable, D. The procedure is as follows: 1. Using the 64 bytes for B selection, we select 64 Bs, B1,..,B64, as follows. B1=BPRIMES(SB1) WHERE SB1 is the first byte of the Random Number Seed, thus B1 is one of the BPRIMES, BPRIMES(0),..BPRIMES(255) then BPRIMES(SB1)=BPRIMES(256) then B2=BPRIMES(SB2) AS BEFORE EXCEPT Byte 2 of the OTP, Random Seed, is used. then BRPIMES(SB2)=BPRIMES(257) and so forth through 64 Thus you have 64 constants, B1,..,B64, each of which is an unique prime number. This of course, is the same as a lottery selection, except there is no denominator and the section pool does not shrink. Thus you have 1 in 2 to the 512 possibilities of a repeat, or guessing the selections. 2. The same procedure is used for selecting 64 C values, C1 through C64. 3. The 64 starting A byte values, from the random seed, are ANDed to 13,568 to give the 64 starting A values, random, at least 8 bit random. 4. 8 Bits are used for the starting D value Thus the B and Cs are constants - the As and D changes Then quite simply, you have 64 equation sets as follows. A1=(A1+B1) MOD C1 (Move, Add, Compare, Conditional Subtract) D=(D+A1) AND 255 (Really just use DL in assembly language) + A2=(A2+B2) MOD C2 D=(D+A2) AND 255 .............. + A63=(A63+B63) MOD C63 D=(D+A63) AND 255 + A64=(A64+B64) MOD C64 D=(D+A64) AND 255 the XOR operation against the plain text may vary. In our case, we accumulate a pair of DLs in CX, and then XOR it against a wor, two bytes of plain text. Thus we have one XOR for each set of two equations above, 32 XORs for the 64 equations. We string A1 type 8 sets of those 64 equations together, essentially duplicates of each other except for the XOR operation, which are constants, as opposed to indexed variables. Thus we do a disk sector at a time, with only the A values and D being variables. With double buffering, you can see that it cooks, to say the very least. Obviously by definition, there can be no repeat before the product of the C values, that is (C1*C2*C3,..,*C63*C64), and that does not take into account the starting A values and the starting D value. The average C value is slightly over 14 bits. Accordingly, no repeat is possible before 2 to the 864th power,minimum, or 2 to the 896th power average, 10 to the 267th power minimum, which will handle anything that can possibly occur, ever, ever, ever. If every atom in the universe was a Googol of Cray T3E's and they had been computing since the big bang, the possibilities they would have tried so far would be less than 1 part in 1 Googol. And that does not take into account the other 2 to the 1543+ possibilities. There is absolutely no way to prove that any message of any possible length is or is not possible, without trying all of the 1 to the 470th power possibilities, which of course is impossible. As John von Neumann once said to Dr. Bloome (Dottie), in my presence - it in a similar but totally unrelated case, it is not enough to say that it some theoretical message may not be theoretically possible, you must prove that at least one specific message is not possible. Of course, like JvN's case, that is not possible in the case of the IPG system. Continuing along that line, we in recognize that because we are working with a 1544 bit key, over 2 to 1543, but someewhat less than 2 to the 1544, that we only have approximately 10 to the 478th possibilities, that is 2 to the 1543+. Thus with a 125,000 byte message, we do not have 2 to 1,000,000th possible keys, but only 2 to the 1544 possible PRNG streams. Having said that, and fully recognizing that as incontrovertible, we invite you to test a long PRNG generated stream by the method, using a truly random seed of 1544 bits. You will find over both short and long sample sizes that the "effect" is indistinguishable from an OTP of the same length. To facilitate this, we are including herewith: I combined all these files listed below under BSD UNIX with the zip program so you shouldn't have any problems extracting them. If you do, please get back in touch with us and we can re-send the file under a different format, PKZIP. Note: The zipped files are considerably larger than the original because they are random unzippable data files. I promise you that with these, you can write the program to generate the PRNG streams in somewhat less than two hours. I am referring to the 64 sets of the equations set out above: This approach will also demonstrate how incredibly fast the system is and also how incredibly secure it is. Therefore, please find attached in the zipped file BINARY.ZIP consisting of: 1. BPRIMES.DAT - 384 prime numbers used for randomly selecting the B1,..,B64 values in what we are now calling the 1792 bit system - I am including 384 instead of 319 in case you want to try variations.. 2. CPRIMES.DAT - 384 prime numbers used for randomly selecting the C1,..,C64 values in the 1792 bit system - again 384 in case yopu want to try variations. 3. 32 - 1792 BYTE Hardware generated OTPs, specifically OTP.001,..,OTP.032. - any of these may be used in the 1792 BIT system, or the 5600 BIT system, or the 12288 BIT system. Further, any of the 32, can be used for other possible system configurations. The L1792 BYTE OTPs, can also be broken down into 8 - 1792 BIT OTPs. With these variables, you will not have any problem doing any kind of test that you may desire. As a prelude, consider, if you will, the 1st 64 bytes of the PRNG stream. 1. Byte 1 D is random A1=(A1+B1) MOD C1: is where A1 is random, 8 bit, and B1 and C1 are randomly selected from a table of primes and become a constant for that OTP, random seed. THE resultant A1 is some indeterminate number between 0 and C1-1. A1 MOD 256 is therefore likewise some random number between 0 and 255. There are 16,677,216 possible variations, and only 1 is the actual. ID=(ID+A1) AND 255. ID is random and A1 is pseudo random with 16,677,216 possible variations. Accordingly: by definition the new TD is random. Now therefore: if D was used for only this equation, there would only be 2 to the 32nd possible, 8 ID - 8 A1 - 8 B1 & 8 C1 possible variations and what you would have would be a system partioned into 64 didfferent subsystems. However, that is obviously not the case, D is passed from one equation set to the next, so there is no repeat possible until at the very least ID short of the entire C1*C2,..*C63*C64 cycles. 2. Byte 2, The process is the same and the resultant ID is random. The process is the same for all the other 62 bytes. Accordingly, how is it possible to determine the first 512 bits of the PRNG stream? That is 10 to the 158th power possibilities. Obviously they cannot all be tried - and any of the possible 2 to the 512th power of underlying clear text is possible. As stated, the reultant system is absolutely unbreakable - no ifs, no ands, no buts, no maybes, no anything. Also, as you can clearly demonstrate for yourself, there is no more robust system, with respect to speed, possible. It is truly Ultima, the ultimate system, as you will find out for yourself. Enough, I assume. After you have satisfied yourself that the ABC Encryption system is absolutely unbreakable and the fastest system possible. We will proceed to the demonstrate that the Key distribution is no problem and as stated, we are willing to license the process as desired by users. I invite your response, Thanks so much, Ralph, John Pettitt, jpp at software.net VP Engineering, CyberSource Corporation, 415 473 3065 "Technology is a way of organizing the universe so that man doesn't have to experience it." - Max Frisch PGP Key available at: http://www-swiss.ai.mit.edu/htbin/pks-extract-key.pl?op=get&search=0xB7AA3705 From WlkngOwl at unix.asb.com Wed Mar 20 11:34:19 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Thu, 21 Mar 1996 03:34:19 +0800 Subject: FTC's privacy list (was "Welcome to privacy") Message-ID: <199603200137.UAA06964@unix.asb.com> I subscribed to the FTC (Federal Trade Comission) Privacy list. I'll lurk a bit [discipline indeed] and see who and what's there. Could be interesting. --Rob ------- Forwarded Message Follows ------- Welcome to the privacy mailing list! [..] Here's the general information for the list you've subscribed to, in case you don't already have it: ABOUT THE PRIVACY MAILING LIST Welcome to the Federal Trade Commission's Bureau of Consumer Protection Privacy Principles mailing list. The Bureau has established this list as a forum for discussing the privacy principles that should be applicable to consumers' use of the Global Information Infrastructure. The Bureau seeks commentary and resource materials from consumers, industry, privacy advocates and others who are concerned about questions such as the following: What information is routinely gathered online now, and what is industry doing with this information? How will the nature of the information gathered or the uses to which it is put change in the next few years? What control should consumers have over personal and transactional information? How should consumers be able to exercise that control? What expectations do consumers have regarding the use of information about them? What are the respective obligations of online service providers, content providers, and consumers themselves to address these privacy concerns? Should certain uses of information be off limits without the consumer's explicit consent? Under what circumstances should consumers have the ability to access and correct information about them? Additional related topics for discussion are welcome. The dialogue that takes place in response to these questions will be invaluable to the Bureau. It will facilitate the creation of a set of voluntary principles governing the use of consumer information in transactions in cyberspace. To post messages to this list, simply address your mail to: privacy at ftc.gov [..] Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From cpunk at remail.ecafe.org Wed Mar 20 11:34:30 1996 From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer) Date: Thu, 21 Mar 1996 03:34:30 +0800 Subject: IPG cracked with known plaintext Message-ID: <199603191732.RAA17262@pangaea.hypereality.co.uk> This information is preliminary and is based on an attempt to understand the IPG algorithm information. That description is not clear in some areas, however, hence this analysis is tentative at this time. First let us describe the IPG system in more conventional C: a[0] to a[63] are initialized to random 8-bit values. (The description is unclear and almost makes it sound like they are initialized to a random 8-bit value anded with 0x3500, which would of course be zero. The attack below will assume that this bizarre step is not done, but will still apply even if it is.) b[0] to b[63] are initialized to random primes selected from some pool. c[0] to c[63] are also initialized to random primes selected from a different pool. d is initialized to a random 8 bit value. The algorithm is: for ( ; ; ) { for (i=0; i<63; i++) { a[i] = (a[i] + b[i]) % c[i]; d = (d + a[i]) & 255; *data++ ^= d; /* xor with data */ } } Note first that with a known plaintext attack, the value of d can be calculated for each iteration, simply by xor'ing the plaintext and ciphertext. So we can easily recover a series of d values under this assumption. Known plaintext is a plausible cryptographic assumption in many contexts. Note second that we can assume that b[i] is less than c[i]. It appears from the description that this will be true, although it is a little unclear. If b[i] is greater than c[i] then simply do b[i] = b[i] % c[i] before beginning the loop. This will produce the same results since (a + (b mod c)) mod c is equal to (a + b) mod c. Note third that when a[i] and b[i], both less than c[i], are added mod c[i], the result will be equal to one of two things: a[i]+b[i], or a[i]+b[i]-c[i]. The reason is that the sum a[i]+b[i] must be less than 2*c[i] so the "mod" operation will be at most a single subtraction of c[i]. In general, half the time it will be necessary to subtract c[i], and half the time it will not. Now, as mentioned above, with known plaintext we can deduce the series of d values. Since each d differs from its predecessor by adding a[i], this allows us to calculate the low 8 bits of a[i] simply by taking the difference between successive d's. Every 64 bytes, i repeats. We know the low byte of a[i] from the previous iteration, and we know it for this iteration. Half of the time (on average) a[i] will change simply by adding b[i], in which case the low 8 bits will change by exactly the low 8 bits of b[i]. So if we take the difference between a[i] values spaced 64 bytes apart, half of the time these values will be a constant which is equal to the low byte of b[i]. The other half the time, the low 8 bits will change by adding b[i] and subtracting c[i]. So the low 8 bits of (b[i]-c[i]) is the other possible constant value which will be seen when you take the difference of a[i] every 64 bytes. So with a few multiples of 64 bytes of known plaintext, you will quickly find all the possible b[i] and b[i]-c[i] low bytes. By itself this should significantly narrow down the possibilities for b[i] and c[i], in many cases to a single prime. Even without this the algorithm can now be run forward or backward with only two possible known changes to a[i] at each step, and the entire message can be easily deduced. So this algorithm is easily broken with known plaintext. From perry at piermont.com Wed Mar 20 12:03:43 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 21 Mar 1996 04:03:43 +0800 Subject: Keep the pressure! Cryptographers Against Cryptography EXPOSED! In-Reply-To: <199603201013.CAA08914@jobe.shell.portal.com> Message-ID: <199603201705.MAA01423@jekyll.piermont.com> anonymous-remailer at shell.portal.com writes: > Some people have wondered why I am anonymous and attack me. > I am not ashamed of my views. Well, then you should be. > I write this thread anonymous as a form of protest. Why is it a form of protest? If you aren't ashamed, post it under your name. > The 10 PEOPLE on the LIST OF SHAME have their shields. Why am I not on the LIST OF CAPITALIZED, oh, pardon, LIST OF SHAME. I feel excluded. > I have an acount and post regularly under my real name. I am not > ashamed of my views. I am proud of them. If you aren't ashamed of posting this, post it under your own name. > I write this anonyously as a form of protest because they have > there shield What shield? > I WANT TO KEEP IT THAT WAY! THEY MUST NOT BE ALOWED TO TAKE OUR SHIELD AWAY. I was unaware that anyone on your list was in favor of eliminating remailers. .pm From perry at piermont.com Wed Mar 20 12:39:15 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 21 Mar 1996 04:39:15 +0800 Subject: Keep the pressure! Cryptographers Against Cryptography EXPOSED! In-Reply-To: <199603201016.CAA09094@jobe.shell.portal.com> Message-ID: <199603201726.MAA01438@jekyll.piermont.com> anonymous-remailer at shell.portal.com writes: > THEY MUST BE STOPPED. Yup, really evil folks. Lets go over some of the people on your list. > THE LIST OF SHAME: > B. Schneier: bs208 at newton.cam.ac.uk, schneier at counterpane.com Bruce Schneier, cryptographic privacy advocate, cryptographer, publisher of "Applied Cryptography", the book that signaled the end of the NSA's ability to keep information on how to build cryptosystems out of the hands of most people. A smart 14 year old, armed with a C compiler and Applied Cryptography, cannot be prevented from writing good cryptographic software. Is this the NSA enemies list, by chance? > M. Blaze: mab at crypto.com, mab at research.att.com Matt Blaze, cryptographer, privacy advocate, anti-authoritarian. The guy who showed that Tessera/Fortezza cards were flawed and embarassed the NSA in public with it. Regularly releases strong cryptographic tools to the public. Participated strongly with me and others in early efforts to build software only "voice crypto" systems. Tirelessly criticizes control on cryptographic software. Is your list of "enemies" supplied by the NSA? > J. Bizdos: jim at rsa.com Well, I'm not going to defend Jim. Besides, he can take care of himself. However, although he isn't necessarily a friend of cypherpunks, he's no friend of control of cryptography by the government, which would put him out of business. > S. Safaddar: shabbir at vtw.org Shabbir: creator of voters telecom watch; privacy advocate, tireless opponent of the CDA, free speech restrictions, network regulation, and any other attempt at stopping freedom on the net. Shabbir is not a guy you would call an advocate of authoritarianism. > B. Stewart: stewarts at ix.netcom.com Bill Stewart: "Hippie Anarchist"; he and his wife, Laura, are about the most anti-government folks I think you are likely to find this side of Alpha Centauri. Bill is as libertarian as they come, and unconditionally opposes any attempts at restricting anyone's freedom to live peacefully. The idea that he'd advocate anything that increased the power of government is absurd. One of the nicest people I know. > P. Karn: karn at unix.ka9q.ampr.org Phil Karn: Engineer's Engineer, crypto-hacker, privacy advocate. Phil is suing the government right now to get the right to export cryptographic software freely -- he has gone through a lot of trouble to try to prove you have a constitutional right to distribute cryptographic software and to prove that if you can ship it in print you can ship it on disk. Phil ceaselessly advocates the use of strong cryptography by everyone, and is one of the people who built the predecessor of the current IETF IPsec standard. Phil worked very hard on creating the Photuris key exchange protocol, which takes care to make sure that all parties remain anonymous to eavesdroppers. Phil has released large amounts of strong cryptographic code to the public, including the fastest implementation of DES ever seen in software. After an NSA flack spoke about his nightmare of every $80 digital phone on earth having unbreakable crypto in it, Phil quipped something like "well, folks, now we know our design goal." Phil tirelessly spreads the gospel of PGP. In short, he isn't on anyone's short list of "friends of the NSA". > D. McCullagh: declan at well.com Declan is a tireless advocate of free speech, going so far as to work hard to distribute speech he highly disagrees with if it is being censored. I don't know him personally, but he hardly fits the profile of "Friends of the NSA" or some such. In short, Mr. Anonymous, you couldn't have picked a bigger bunch of "Enemies of the NSA" for your "Friends of the NSA" list if you had been explicitly instructed to pick the biggest opponents of controls on cryptographic software and write them down. My question to you is this: are you just stupid or ornery, or is the NSA paying you for this? Perry Who is disappointed that he didn't make the "LIST OF SHAME", but understands that perhaps he hasn't done enough to oppose controls on cryptography. I'll work harder, and hopefully you will denounce me soon. From jpp at software.net Wed Mar 20 12:44:42 1996 From: jpp at software.net (John Pettitt) Date: Thu, 21 Mar 1996 04:44:42 +0800 Subject: IPG cracked with known plaintext Message-ID: <2.2.32.19960319194316.00ce76e4@mail.software.net> At 05:32 PM 3/19/96 GMT, ECafe Anonymous Remailer wrote: >This information is preliminary and is based on an attempt to >understand the IPG algorithm information. That description is not >clear in some areas, however, hence this analysis is tentative at this >time. > >First let us describe the IPG system in more conventional C: > >a[0] to a[63] are initialized to random 8-bit values. (The >description is unclear and almost makes it sound like they are >initialized to a random 8-bit value anded with 0x3500, which would of >course be zero. The attack below will assume that this bizarre step >is not done, but will still apply even if it is.) > I think they mean ADD not AND but it's still an odd thing to do IMHO. >So this algorithm is easily broken with known plaintext. > > Agreed. Given that most PC apps generate known headers on files and that only a smallish plaintext is needed it's looks rather weak. John Pettitt, jpp at software.net VP Engineering, CyberSource Corporation, 415 473 3065 "Technology is a way of organizing the universe so that man doesn't have to experience it." - Max Frisch PGP Key available at: http://www-swiss.ai.mit.edu/htbin/pks-extract-key.pl?op=get&search=0xB7AA3705 From alano at teleport.com Wed Mar 20 12:47:30 1996 From: alano at teleport.com (Alan Olsen) Date: Thu, 21 Mar 1996 04:47:30 +0800 Subject: Microsoft's "answer" to Java Message-ID: <2.2.32.19960319222247.008b833c@mail.teleport.com> I recieved a copy of "Microsoft Interactive Developer" today in the mail. In it, it has a preview of Microsoft Explorer 3.0. (Flux by David Boling on page 120.) Of interest to Cypherpunks is this paragraph (in the section on OLE support in web browsers): "Since OLE controls could potentially pose a security problem, Microsoft is studying how to create an infrastructure to certify them. The idea is that, once certified, an OLE control would contain an RSA security signature indicating that it has passed muster -- the OLE eqivelent if the Good Housekeeping Seal of Approval! Users of Internet Explorer 3.0 could specify whether or not noncertified OLE controls should be loaded and executed by the browser." As a web developer, I have some problems with this scheme. Giving Microsoft access to virtually every OLE control on the Web does not make me more secure. Sounds like a way to rip off ideas from the rest of the development world. If someone has a control that might compete with a Microsoft product, it could be shelved and/or delayed for "further security testing". Java has a decentralized mechanism for security. No one group controls what is a "certified" control and what is not. You write the code and compile it and that is that. Furthermore, you are not stuck with Microsoft approved platforms. (I wonder if there will ever be a version of Explorer for the Mac.) I expect the Microsoft plan to garner a bit of resistance from the Web development community over this one... I do not expect to see many OLE crypto apps for the web with this plan. --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From admin at dcwill.com Wed Mar 20 12:52:31 1996 From: admin at dcwill.com (Fred) Date: Thu, 21 Mar 1996 04:52:31 +0800 Subject: IPG message In-Reply-To: <2.2.32.19960320161456.012102e0@mail.software.net> Message-ID: <199603201752.JAA05334@python.ee.unr.edu> > IPG wrote: > Obviously, you meet our requirementsfor the release of the IPG ABC > Encryption algorithms. We need no further information from you. though we Obviously, "ABC" stands for "Already Been Cracked". Fred From frogfarm at yakko.cs.wmich.edu Wed Mar 20 13:29:00 1996 From: frogfarm at yakko.cs.wmich.edu (Damaged Justice) Date: Thu, 21 Mar 1996 05:29:00 +0800 Subject: A MODEST PROPOSAL In-Reply-To: Message-ID: <199603201850.NAA08934@yakko.cs.wmich.edu> Sandy Sandfort writes: > > (Did I get the style right?) C'punks, if you feels as I do, > please take a few moments to sign up for the LIST OF SHAME? > Let's show Bill, Bruce, Matt and all the others what most > Cypherpunks really think about them and Mr/Ms Anonymous. What the hell; it can't be any worse than being on Demopublican mailing lists. Sign me an offended customer. -- The word "gaijin" literally means "foreign person". Many Westerners like to think that the Japanese use it in the same way as the Grand Dragon of the Ku Klux Klan uses "nigger", but it ain't really true. They use it when they mean "nigger", but they also sometimes use it to mean "honorable nigger". - Bill Lambert in soc.couples.intercultural From wlkngowl at unix.asb.com Wed Mar 20 13:53:42 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Thu, 21 Mar 1996 05:53:42 +0800 Subject: Would the FTC crack down on snake oil someday? In-Reply-To: Message-ID: <314F5B53.6B07@unix.asb.com> Mark M. wrote: > On Sun, 17 Mar 1996, Deranged Mutant wrote: > > > Enclosed is an excerpt from Edupage. Snake-oil crypto popped into my > > mind.... I wonder if the FTC (Federal Trade Commission... agency > > *meant* to crack down on consumer fraud, for non-US readers here) > > would ever get into act here. > > > > Does the FTC have a home page? (Guess I'll do a search...) > > http://www.ftc.gov . Cool. They now have a privacy mailing list... (Check out http://www.ftc.gov/ftc/privacy.htm) From ses at tipper.oit.unc.edu Wed Mar 20 13:54:01 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Thu, 21 Mar 1996 05:54:01 +0800 Subject: IPG - newest release of the ABC Encryption Algorithms (fwd) In-Reply-To: <2.2.32.19960319175044.00c7bab8@mail.software.net> Message-ID: On Tue, 19 Mar 1996, John Pettitt wrote: my first gut reaction is that there looks like the scheme falls trivially to 64 bytes of known plaintext, but I didn't look at it closely. Simon --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From m5 at tivoli.com Wed Mar 20 13:56:26 1996 From: m5 at tivoli.com (Mike McNally) Date: Thu, 21 Mar 1996 05:56:26 +0800 Subject: IPG cracked with known plaintext In-Reply-To: <2.2.32.19960319194316.00ce76e4@mail.software.net> Message-ID: <314F3855.6BCC@tivoli.com> John Pettitt wrote: > >a[0] to a[63] are initialized to random 8-bit values. (The > >description is unclear and almost makes it sound like they are > >initialized to a random 8-bit value anded with 0x3500, which would of > >course be zero. The attack below will assume that this bizarre step > >is not done, but will still apply even if it is.) > > > > I think they mean ADD not AND but it's still an odd thing to do IMHO. Well, in the description it clearly says AND in two separate places, and the surrounding verbage makes it seem like he really meant AND. ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * * suffering is optional From ipgsales at cyberstation.net Wed Mar 20 13:59:51 1996 From: ipgsales at cyberstation.net (IPG Sales) Date: Thu, 21 Mar 1996 05:59:51 +0800 Subject: The return of the IPG Unbreakable System (fwd) Message-ID: Derek and others, In view of the anonymous remailer's calim to have broken the simple system, which as you and others who have had the system for a period time know, we have had some reservations about. The effect on the 5600 bit system, and the 12288 bit system, are unkown at this time. Our tests indicate that there is not any effect at all on the 12,288 bit system. The 5600 bit system, which is indentical to the system described in our release, except that the D values, are used as an index to one, or two tables of random characters, 512 characters, or 2 - 256 characters, may be effected by a known plain text attack, we do not think so but we are running a battery of tests. The anonymous remailer may be able to confirm or deny that, since that person will presumably receive this letter. The addition is trival, that is the system is identicalin all respects to that set out, which was described accurately by the remailer, except that instead of XORing the D value, the D value is used as an index into a table(s) of random characters, that is the random seed is 5600 bits instead of 1792. That was one reason for providing large random seeds in our release. Our analysis as of 3:00pm CST 3-19-96, indicates that the D values are not recoverable, but we stand to be proven wrong. This system is only fractionally slower, for obvious reasons, than the simple one directly using the D values directly, described previously. Incidentally, for those concerned, it is as you know, the one that the IPG software in your possesion uses. Note: There was one error in the description, that is 13568 ANDed to the 8 bit random seed to get starting A values, it is not a C word AND but the assembly langauge sequnce of moving successive AL values into AX, where AH is fixed at 35, thus the effect is the same as an add, (or a byte AND of the random charcter to a zero AL) - the result is a number in the range of 13,568 to 13,823. Further, with respect to the simple system described in our release, we believe that the trimming procedure, that as some of you know, we used for another purpose - to eliminate the perceived problem of more frequent close pairs, on the average more 0,0's as opposed to 0,255's, defeats the plain text attack, though it may require the jump start as we have described - running the system through a few iterations before commencing the actual encryption. The effect of this, as has been described to some of you, is that some of the D's are not used, that portion of each C value that is not an even multiple of 256, for example 14009 MOD 256 is 185. Thus, those values where A[i] > 13824 are not used to XOR against the plain text - this is easily done in ASM by simply comparing the high order 8 bits, of A[i] with the high order 8 bits of C[i], if they are equal, then the XOR does not take place - thus the 64 interval is not applicable, it is variable depending upon the randomly selected C values. Without having the known 64 interval as a constant, I believe that the system is still solid. As those of you heretofore privy to that information know, that modification to the system system takes about 10% more time, than the system that was "cracked." Maybe, we need to do both this and use the 5600 byte system. We will appreciate any input in this regard. If we must go to the 12288 byte system, the system will be slower. However, as many of you know, it is still extremly fast but not as fast as either of the other two versions. With the 12,288 bit system. Our tests indicate that nothing but random values, can be obtained by either known plain text attack or by pattern recognition methodologies, those of which we are aware, on the 12,288 bit system. Those of you who have had all of the materials will understand the foregoing. With the information provided heretofore, you can determine the effect on the other two systems. Also, those people will know my expressed fear of a premature announcement, such as that which has now been made, would have. This was the reason, that I resisted so strongly the release of the materials to the C'punks list though a few of you recommended that I do so. Perhaps we should have released everything? Who knows. However, in any case, that is water over the dam and IPG must go on from here. It is only another of the many mistakes that we will undoubtedly make along the way. Having said that though, we must go back to our prior evaluation method, a strict confidential mode. However, I believe that we have added several very good additional people who can help to analyze the system. In view of the willful violation of our confidential release, without knowing everything involved, and putting it out on the Internet, please be advised that other than those who have heretofore been evaluating the system, we will make no further releases except on a highly selective basis. The dozens of you who have requested copies of the materials,and have not yet received them, please be patient until we can get back on track. On a selected basis, we will provide then to you, after discussing it with each of you privately. Obviously, this breech occurred from yesterdays posting since no mention was made of the 5600 bit or 12,288 bit random seed systems. Therefore, we intend to be very careful from now on. Accordingly, this will be the last letter posted to the entire cypherpunks list for the time being. If any reader posts something to the entire Cypherpunks list, do not expect any response to from IPG, there will be none. Perhaps a battle has been lost, maybe even probably? But the war is not over, not by a long shot - with minor modifications this system is absolutely secure as events will prove. However, be assured that we will not sell our product to anyone until that can be definitively established. We greatly appreciate the contribution of some of those on the cypherpunks mailing list, including the anonymous remailer, have made. We hope that someway can be found for that person to continue to cooperate with us, since we are herein obviously providing information that can be evaluated. If that person will communicate with us privately, in remailer form, including a PGP public key, we will post our response to the C'Punks list in encrypted form, or suggest an alternate approach. To many of you, you will be hearing from us tomorrow - to the remaining of you, some of whom have objected to our providing you with unsolicited information, which we mistakenly thought that you would want, you will hear from us soon, depending upon the findings made by your C'punk list associates and others. Thanks kindly, Ralph From jya at pipeline.com Wed Mar 20 14:40:06 1996 From: jya at pipeline.com (John Young) Date: Thu, 21 Mar 1996 06:40:06 +0800 Subject: JEK_hyd Message-ID: <199603201914.OAA10636@pipe1.nyc.pipeline.com> 3-20-96. TWP (privatizing the global NatSec frankenstein): "South Africa Weighs Reining In Peddlers of Mercenary Ex-Soldiers." In this once highly militarized society, the transition from white-minority rule produced unemployed commandos and spies suddenly without a cause. So, controversial military and intelligence units are selling their skills to the rest of Africa and beyond. Executive Outcomes, the best known and apparently largest of firms offering overt and covert security services, says the company's services are in great demand. It operates within a murky network of other international companies that specialize in oil drilling, diamond mining and landmine removal. The firm also has been reported to hire former commandos of Britain's SAS and the Selous Scouts of the old white-ruled Rhodesia, as well as military technicians from the former Soviet Union. JEK_hyd From stewarts at ix.netcom.com Wed Mar 20 14:59:53 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 21 Mar 1996 06:59:53 +0800 Subject: Would the FTC crack down on snake oil someday? Message-ID: <199603200310.TAA28716@ix10.ix.netcom.com> At 11:45 PM 3/17/96 +0000, you wrote: >Enclosed is an excerpt from Edupage. Snake-oil crypto popped into my >mind.... I wonder if the FTC (Federal Trade Commission... agency >*meant* to crack down on consumer fraud, for non-US readers here) >would ever get into act here. .... >FTC TARGETS INTERNET FRAUD >The Federal Trade Commission is conducting a "wholesale crackdown" on >perpetrators of allegedly deceptive marketing schemes that are advertised in >Internet news groups or on the World Wide Web. Sure, they'll be happy to, if we really want. The NSA will advise them on what's good crypto, and what's snake-oil. Certainly any system that didn't provide for back-up key access doesn't rate...... No, I didn't think you wanted that either.... #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From owner-cypherpunks at toad.com Wed Mar 20 18:59:32 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Thu, 21 Mar 1996 10:59:32 +0800 Subject: No Subject Message-ID: Sandy SandFort wrote: > A CYPHERPUNK CALL TO ARMS!!! > > (Did I get the style right?) C'punks, if you feels as I do, > please take a few moments to sign up for the LIST OF SHAME? > Let's show Bill, Bruce, Matt and all the others what most > Cypherpunks really think about them and Mr/Ms Anonymous. This effectively gets the right point across, but might turn Cypherpunks into a USENET newsgroup mass posting of "me too" sentiments. As I agree with Sandy on every point, I reluctantly choose to start.... "Please add me to your list of shame, Mr. Anonymous." Brad Shantz From owner-cypherpunks at toad.com Wed Mar 20 19:56:01 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Thu, 21 Mar 1996 11:56:01 +0800 Subject: No Subject Message-ID: If I were the NSA, I would start threads such as the one on the IPG system. They are very valuable to them in assessing and mapping the cryptanalysis capabilities of the CPunks lurkers and regulars members. Just a thought... JFA Public Key at http://w3.citenet.net/users/jf_avon Jean-Francois Avon 2048 bits key ID:C58ADD0D 1996/03/01 fingerprint=52 96 45 E8 20 5A 8A 5E F8 7C C8 6F AE FE F8 91 From llurch at networking.stanford.edu Wed Mar 20 19:58:17 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 21 Mar 1996 11:58:17 +0800 Subject: A MODEST PROPOSAL In-Reply-To: <199603201850.NAA08934@yakko.cs.wmich.edu> Message-ID: I would sign on, but I don't think you want to associate with a crypto- jewish anarchist fucking statist nazi free-speech activist censor asshole l. detweiler tentacle. -rich Liberty is not a means to a higher political end. It is itself the highest political end.-- Lord Acton From owner-cypherpunks at toad.com Wed Mar 20 20:04:25 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Thu, 21 Mar 1996 12:04:25 +0800 Subject: No Subject Message-ID: At 7:42 PM 3/20/96, Michael Froomkin wrote: >correct me if I'm wrong, but don't the federal direct mail marketing laws >say that any unsolicited merchandise sent to a person becomes their >property, regardless of any disclaimers to the contrary included in the >package? The _physical_ item, e.g., a box of soap or a free copy of "Newsweek," but presumably not the _intellectual property_, e.g, the contents of "Newsweek." (Just because I get free samples of magazines does not mean I now can do with the contents whatever I wish, such as post them on the Net; copyright law is presumably involved.) This may be more analogous to what IDG has done. Disclaimers: IANAL, I am not defending IDG or their "broken in less than one day" tub of snake oil, nor am I defending copyright and direct mail marketing laws. And I might be wrong about the intellectual property issue, though I doubt it. Copyright laws are such that rights are not waived even if free samples are given out, and so forth. IDG can hardly claim their algorithm has trade secret status when they've distributed it to many people. Which leaves them with only trying to enforce copyright protections, a la the Church of Scientology. Maybe IDG will now seek to collect the only bucks they'll ever get by suing various Cypherpunks who are distributing their so-called system? Helena Kobrin can become their lawyer. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From abostick at netcom.com Wed Mar 20 20:09:17 1996 From: abostick at netcom.com (Alan Bostick) Date: Thu, 21 Mar 1996 12:09:17 +0800 Subject: [NOISE] Re: Dorothy Denning attacks Leahy's crypto bill In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- In article , Declan McCullagh wrote: > I may have to adjust my position on Leahy's bill. Any legislation that > Dorothy Denning attacks so virulently must be worth passing. That could be exactly what They want you to think! If They wanted us to overlook the actual flaws and trapdoors in Leahy's bill, what better way than to have our knees jerk in support by arranging for Denning's opposition? - -- Alan Bostick | I'm laughing with, not laughing at. mailto:abostick at netcom.com | The question is, laughing with WHAT? news:alt.grelb | James "Kibo" Parry http://www.alumni.caltech.edu/~abostick -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMVBL5uVevBgtmhnpAQG44wL9H9SCJGukqkXYbBT8mbPWp0aJxnJnDeKu OHfbwwxnbcdpEpc7CaE3Gj9E5V9Tz2PV5L0eXK7su5gEa+UcGZ9vD1jL7ySVTnM3 y15gXFb90dOS2chbI4gKYyIEU8+MM41q =7oBJ -----END PGP SIGNATURE----- From owner-cypherpunks at toad.com Wed Mar 20 20:20:39 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Thu, 21 Mar 1996 12:20:39 +0800 Subject: No Subject Message-ID: Since someone other than Jim Bell and THE LIST OF SHAME author thought I was being serious, I thought it wise to respond. The notion that a measure of criticism from a known enemy, Dorothy Denning, corrects the many problems with Leahy's legislation is absurd. As a case in point, remember that Rush Limbaugh, Catharine MacKinnon, and the radical religious right group American Family Association criticized the CDA. That does not make the CDA worth passing. (Of course Rush likes dirtysexycybertalk so he can pick up chicks online, and the AFA wanted not less, but _more_ liability for ISPs, but I trust my point is clear.) Speaking of the CDA, I'll be in Philadelphia tomorrow and Friday for the hearing. Any other cypherpunks planning to attend? -Declan Excerpts from internet.cypherpunks: 20-Mar-96 [NOISE] Re: Dorothy Denning.. by Alan Bostick at netcom.com > In article , > Declan McCullagh wrote: > > > I may have to adjust my position on Leahy's bill. Any legislation that > > Dorothy Denning attacks so virulently must be worth passing. > > That could be exactly what They want you to think! > > If They wanted us to overlook the actual flaws and trapdoors in Leahy's > bill, what better way than to have our knees jerk in support by arranging > for Denning's opposition? From owner-cypherpunks at toad.com Wed Mar 20 20:30:19 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Thu, 21 Mar 1996 12:30:19 +0800 Subject: No Subject Message-ID: On Wed, 20 Mar 1996, Jim McCoy wrote: > What amuses me most about this series of rantings by whomever, other > than the paranoid and baseless claims made by the anonymous poster, > is the number of people who have been complaining about the author doing > so anonymously through a remailer. The irony of such a situation is > too rich to pass up. > > It seems that cypherpunks can dish it out when other newsgroups and > mailing lists suffer such problems ("well, the remailers do nothing > that telneting to port 25 cannot do..." or "internet identity is such > a fiction anyway, get used to it" seem to be common responses), but > when the cypherpunks lists is the victim of unpleasant anonymous messages > we fall back to the tired refrain of "if you have nothing to hide why > are you posting anonymously." How sad. > > So, why the hypocrisy here? I don't see this as hypocrisy. Hypocrisy would be trying to track the guy down, or turning off the remailer, or filtering anonymous rants at toad.com. I think it's completely legitimate, and healthy, to question why people go anonymous while supporting their right to do so. Sometimes anonymity is necessary, sometimes it's just for fun, sometimes its cowardice, sometimes it's deception. Your point about "stop whining and write code for anonymous reputations" is misplaced. Such code ALREADY EXISTS. There are lots of nyms out there with PGP keys. If you're already PGP-encrypting your message to send it to an anonymous remailer securely, it's really no more trouble to sign it with the key for Alice D'Anonymous. If you don't feel secure using PGP (and "the real Alice" did have some -- some -- valid points), then use a magic number or serialize your messages. It worked for the Unabomber. -rich From drose at azstarnet.com Wed Mar 20 22:07:31 1996 From: drose at azstarnet.com (drose at azstarnet.com) Date: Thu, 21 Mar 1996 14:07:31 +0800 Subject: ( NOISE) Keep the pressure! Cryptographers Against Cryptography EXPOSED! Message-ID: <199603210053.RAA07261@web.azstarnet.com> anonymous said: > YOU DON'T NEED EXPERTS TO THINK FOR YOU! REMEMBER RICO AND WORLD GOVERNMENT! Hmmm. I still don't get the "world government" bit, but I finally think that I "REMEMBER RICO". 1930's flick, Edward G. Robinson as a gangster about to be riddled with bullets by the Feds has time for a closing line: "Mother of mercy, could this be the end of RICO?" ==OR== (Please bear with me, I'm not up on all of "Their" conspiritorial methods) Could it refer to the chicken liver and pasta dish known as "Spaghetti a la (EnRICO) Caruso"? I only had this dish once, but I'll remember it for a long, long time. From owner-cypherpunks at toad.com Wed Mar 20 22:16:01 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Thu, 21 Mar 1996 14:16:01 +0800 Subject: No Subject Message-ID: A friend of mine registered as a student for the CFP '96 conference next week, but is unable to go. Registration is transferable, so he can send another student in his place. If anyone is interested, please mail him (not me) at tew2 at cornell.edu. From perry at piermont.com Wed Mar 20 22:35:34 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 21 Mar 1996 14:35:34 +0800 Subject: snake oil refining Message-ID: <199603200745.CAA01136@jekyll.piermont.com> IPG Salesdroid says: > In view of the willful violation of our confidential release, without > knowing everything involved, and putting it out on the Internet, please > be advised that other than those who have heretofore been evaluating the > system, we will make no further releases except on a highly > selective basis. Why? After all, the first lot of information proved to be worthless (in the literal sense of having no economic value, it being a hunk of junk). I can hardly see how you can complain about the result -- I mean, it isn't like your encryption system was worth anything in the first place, so it was hardly lowered in value. I find it amusing how slippery the snake oil you peddle is, however. This morning you claimed that several "cypherpunks" had been sent information on your system and claimed it was "unbreakable". As soon as a couple of cypherpunks note that what they were sent was garbage, you claim, and I quote: > In view of the anonymous remailer's calim to have broken the simple > system, which as you and others who have had the system for a period > time know, we have had some reservations about. Ah, yes. This morning, unbreakable. Tonight "we had some reservations about". Why don't you stop wasting everyone's time? You can probably have a fine career selling penny stocks or something. Perry From sandfort at crl.com Wed Mar 20 22:46:00 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Thu, 21 Mar 1996 14:46:00 +0800 Subject: A MODEST PROPOSAL In-Reply-To: <199603201016.CAA09094@jobe.shell.portal.com> Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Wed, 20 Mar 1996 anonymous-remailer at shell.portal.com wrote: > THE LIST OF SHAME: > B. Schneier: bs208 at newton.cam.ac.uk, schneier at counterpane.com > M. Blaze: mab at crypto.com, mab at research.att.com > J. Bizdos: jim at rsa.com > S. Safaddar: shabbir at vtw.org > D. Weinstein: djw at vplus.com > P.. Peterson: padgett at hobbes.orl.mmc.com > B. Stewart: stewarts at ix.netcom.com > B. Unicorn: unicorn at schloss.li > P. Karn: karn at unix.ka9q.ampr.org > D. McCullagh: declan at well.com > > BOYCOTT APPLIED CRYPTOGRAPHY, AT&T, VTW, and RSA!!!! > > THE LEAHY BILL IS 100% PART OF THE PLAN TO KILL FREE CRYPTO. > YOU DON'T NEED EXPERTS TO THINK FOR YOU! REMEMBER RICO AND WORLD GOVERNMENT! I have to admit I haven't read the Leahy bill in detail. But I do get a little hinky whenever Congress tries to "help" us, so it seems reasonable to look for the worm in every legislative apple--the Leahy bill included. Having said that, I am totally put off by the gradiose and devisive ravings of this commentator. During the Second World War the Nazis required Jews in the occupied countries to wear a yellow star of David to identify themselves. In Denmark, the king so identified himself, and soon so did most of his subjects. In that grand tradition of solidarity with persecuted minorities I request that I be added to anonymous' "LIST OF SHAME." It is MY protest against this utter nonsense. (I have always felt cheated that I was too young and politically naive to make the Nixon Enemies List. I've made it up some since then with a fat FBI file, but it just isn't the same.) A CYPHERPUNK CALL TO ARMS!!! (Did I get the style right?) C'punks, if you feels as I do, please take a few moments to sign up for the LIST OF SHAME? Let's show Bill, Bruce, Matt and all the others what most Cypherpunks really think about them and Mr/Ms Anonymous. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From unicorn at schloss.li Wed Mar 20 22:48:14 1996 From: unicorn at schloss.li (dirsec) Date: Thu, 21 Mar 1996 14:48:14 +0800 Subject: IPG and "Free Samples" In-Reply-To: Message-ID: On Wed, 20 Mar 1996, Timothy C. May wrote: > At 7:42 PM 3/20/96, Michael Froomkin wrote: > >correct me if I'm wrong, but don't the federal direct mail marketing laws > >say that any unsolicited merchandise sent to a person becomes their > >property, regardless of any disclaimers to the contrary included in the > >package? > > The _physical_ item, e.g., a box of soap or a free copy of "Newsweek," but > presumably not the _intellectual property_, e.g, the contents of > "Newsweek." > > (Just because I get free samples of magazines does not mean I now can do > with the contents whatever I wish, such as post them on the Net; copyright > law is presumably involved.) However, there is a case to be made that a basic difference between a magazine, in this example, and source code exists. The magazine itself is the instrumentality. When it's mailed to you, you can give it to whomever you like. The pages and paper are your property, along with the ink. In the case of the code, it is itself the instrumentality. Handing it out for free (unsolicited and without a binding NDA) might render the item itself (the code) public domain. (Or more accurately, the act of so distributing it renders it defacto in the public domain). Especially in the context in which this code was released. I'm not sure it's a compelling argument in and of itself, but in the context of the manner of distribution, and the major goof on the part of IDG in releasing the material generally, I would suspect no one has much to worry about. Asking for a public review of material, and then enforcing "copyrights" when that review releases some of, perhaps even all of the material is rather silly. I'd be surprised if a court paid much attention. Disclaimer: this is an academic, and not a legal opinion. [Mr. May's disclaimer deleted] > --Tim May > > Boycott "Big Brother Inside" software! > We got computers, we're tapping phone lines, we know that that ain't allowed. > ---------:---------:---------:---------:---------:---------:---------:---- > Timothy C. May | Crypto Anarchy: encryption, digital money, > tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero > W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, > Higher Power: 2^756839 - 1 | black markets, collapse of governments. > "National borders aren't even speed bumps on the information superhighway." --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From owner-cypherpunks at toad.com Wed Mar 20 23:05:00 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Thu, 21 Mar 1996 15:05:00 +0800 Subject: No Subject Message-ID: AO on MS response to Java: >As a web developer, I have some problems with this scheme. Giving Microsoft >access to virtually every OLE control on the Web does not make me more >secure. Sounds like a way to rip off ideas from the rest of the development >world. If someone has a control that might compete with a Microsoft >product, it could be shelved and/or delayed for "further security testing". > >Java has a decentralized mechanism for security. No one group controls what >is a "certified" control and what is not. You write the code and compile it >and that is that. Furthermore, you are not stuck with Microsoft approved >platforms. (I wonder if there will ever be a version of Explorer for the Mac.) > >I expect the Microsoft plan to garner a bit of resistance from the Web >development community over this one... I think this is a very good example of why nobody should bemoan Java. when it was first introduced I heard a lot of grouching and sniping at this really outstanding software (that was admittedly overhyped). but look what we could have gotten as the first potential standard: the above system. MS was apparently caught completely off guard with Java. they had not a clue about what it was about, why it was important, and scrambled to deal with it. they have apparently only reluctantly licensed it as a temporary ploy. the above motions suggest they ultimately want to control this standard. all the MS responses to Java outside of licensing it appear to me to be pathetically missing the point. they don't seem to understand why Java is so important, namely its decentralized security model you refer to. you cannot create this by adding a few function calls on top of an already insecure language like Visual Basic. it has to be done incredibly carefully from the ground up as it was done with Java. I don't think people realize how carefully this language was constructed, it was developed extremely delicately in a way unlike many other languages. this is a real breakthrough in software that theoretically creates a "secure" programming environment, something that has been sought for decades and is now being delivered to the desktop due to some very hard work and visionary effort. I noticed that Denning, in her Leahy protest letter, referred to glowingly of this MS "endorsement" scheme. I have a very bad suspicion that MS is like a dog that rolls over whenever the NSA comes to visit them and tell them how to write their software (apparently this happens routinely). anyway, I totally agree with you that their centralized scheme is really horrible, and its inferiority and headaches are likely to be spotted and yowled about by many developers as you write. there is no probably no need to fear MS's schemes at the moment. as long as they have an inferior standard its not going to gain much attention or use and Java already has a very intense momentum going. just because MS does something in some area is not necessarily reason to take them seriously. they have had situations where they come out with stuff that never turns into anything and silently evaporates like all companies have. (far less than others, but nonetheless) one thing I just don't really understand about MS is their seeming drive to conquer every market. it seems that whenever a new software market emerges they feel they have to invade it and dominate it like pirates. this has a lot to do with the psychology of Bill Gates. the idea that "gosh, somebody else has already done that really well, and it would be awfully tought to beat them, let's not bother with that" seems to be lost in that environment completely. instead, it is, "oh no!! they are beating us!! we have to make a better widget or we'll all die!!" -- a good example of competition taken to extremely unhealthy extremes imho. I suspect like others that MS' glory days are receding and in fact all extremely large companies may undergo major shifts once our economy fully shifts into the information age. From owner-cypherpunks at toad.com Wed Mar 20 23:22:22 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Thu, 21 Mar 1996 15:22:22 +0800 Subject: No Subject Message-ID: Brad Shantz wrote: | I have been working for some time on a project that involves doing | proactive file authorization/authentication under Windows NT. In the | process, I've been working on an extension to the Kernel layer of the | operating system because we need to be able to catch read/writes to | the disk. (All perfectly legal according to the DDK, just | ot documented worth a damn.) All of this is designed to work | directly with the functionality given to us by the NT-Security layer. | | Basically, I'm now questioning the C2 rating of Windows NT. The | entire security layer is modular to the Kernel. As a modular | driver, it can be removed, rewritten, and replaced. | | So, what makes it secure? What gives it the C2 Rating? How would | one go about getting a C2 rating? A C2 rating means that they have some audit trail mechanism, and some means of authentication. Basically, you read the Orange book, spend a few million bucks, and get a C2 rating. Ask MS if their rating is valid after you add an ethernet card. (The answer is no. A system is certified for a particular set of hardware & software.) Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From abostick at netcom.com Wed Mar 20 23:48:24 1996 From: abostick at netcom.com (Alan Bostick) Date: Thu, 21 Mar 1996 15:48:24 +0800 Subject: [NOISE] Re: IPG message In-Reply-To: <2.2.32.19960320161456.012102e0@mail.software.net> Message-ID: <+EHUx8m9L43I085yn@netcom.com> -----BEGIN PGP SIGNED MESSAGE----- In article <2.2.32.19960320161456.012102e0 at mail.software.net>, John Pettitt wrote: > IPG wrote: > > The algorithms detailed below are copyrighted 1995 and 1996 by Internet ^^^^^^^^^^ ^^^^^^^^^^^ > Privacy Guaranteed, Seymour, TX. All rights are reserved. These clowns are claiming *copyright* protection for *algorithms*???!! *ROTFLMAO!* Alan "This message encrypted with ROTFL-13" Bostick - -- Alan Bostick | I'm laughing with, not laughing at. mailto:abostick at netcom.com | The question is, laughing with WHAT? news:alt.grelb | James "Kibo" Parry http://www.alumni.caltech.edu/~abostick -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMVByguVevBgtmhnpAQFfGAMAk9cqE8lsHZ73rjXisn0gMcKAheo03fyh zepiu6pfF/wIG5ahuBJB7iw/4KtW7fEDthy5AAtkjj0mZyPzPajyzT/THEnkhla9 eWlN6KNwrsQiM3+xJrhzVu+BxqYbB54x =WYBg -----END PGP SIGNATURE----- From stewarts at ix.netcom.com Thu Mar 21 00:03:49 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 21 Mar 1996 16:03:49 +0800 Subject: POINTCAST - Could it be a Trojan Horse? Message-ID: <199603210305.TAA26171@ix6.ix.netcom.com> The following came from another mailing list. An interesting Cypherpunks opportunity is that it appears to provide a general broadcasting capability, depending on what authentication methods (if any) it's using. Aside from the fun of automatic-upgrade software, it's a great opportunity for a media hack. Maybe it won't be widely supported by April 1, 1996, but it certainly should be by April 1, 1997. (Hmmm - isn't X-Day in 1997?) I assume it either runs UDP or runs http to poll. Bill > There is a new web site http://www.pointcast.com which provides a > program file pcninstl.exe. You download pcninstl.exe and run the > program on your PC from Windows 95 or Windows 3.1 > > PCN is a program that interfaces to the Internet using port 80 and > provides you customizable up-to-the minute downloads of news > headlines, stocks, customizable sports, customizable weather, > customizable financial, Internet access (HTTP only with this release) > and personal (horoscopes and lotteries). You can click on the dynamic > advertisements and go directly to their web page. PCN even turns into > a dynamic screen saver with your specific preference. Periodically, > you are informed that there is an upgraded version, would you like to > down load; automatic upgrades. PointCast Network is currently in > Beta 0.9, is FREE and they say it will continue to be free, support by > advertising commercials. Does this sound too good to be true??? > > Well, Maybe it is too good to be true. This program becomes a proxy > operator for you. Downloading, through your firewall, whatever it > decides should be downloaded, data, new executables, etc. What is to > prevent a hacker (or cracker if you like that term better) from > offering a similar product which captures you PC keystrokes and scans > your hard drive and uploads information, accesses your LAN or PC > functions, or destroys PC files and data. > > Even worse what if a hacker breaks into the PointCast Web site after > it has successfully distributed its product to millions of Internet > users? Are you sure you trust PointCast enough to perform that next > automatic upgrade? > > What about other proxy type programs, such as CompuServe's WinCim? It > appears that any type of user proxy program opens the door that most > of us have closed using firewalls. > > What are you thoughts and comments? Do you have any concerns with > products like this? How do you or your company handle these products? > > Thanks, > Bill Roswell > Occidental Petroleum Corporation > email Bill_Roswell at oxy.com or email Messages_Roswell at oxy.com > > #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From trotterf at huck.marktwain.com Thu Mar 21 01:37:49 1996 From: trotterf at huck.marktwain.com (Frank Trotter) Date: Thu, 21 Mar 1996 17:37:49 +0800 Subject: Announce: c2 and Ecash Message-ID: Mark Twain Bank Announces Fees Waived Access For Community ConneXion The World Premier Site for Ecash ****************************************** Ecash - Its Your Money! Mark Twain Bank is pleased to honor Community ConneXion and its customers by providing a special arrangement for new accounts. "Community ConneXion has been a leader in providing the Internet community with innovative solutions through the C2 site, and in developing solutions such as Stronghold: The Apache-SSL-US for secure web traffic," commented Frank Trotter, Director of the International Markets Division at Mark Twain Bank. "We wish to provide Community ConneXion customers with the best deal available for Ecash in recognition of these efforts." "The pricing we have provided Community ConneXion in this promotion, should allow the average participant to utilize Ecash without any charges," noted Trotter. "In addition, merchants can benefit from the special arrangements made available either directly with Mark Twain Bank, or by utilizing the innovative ecash integrated webserver at Community ConneXion." "Ecash is the only private electronic payment system on the Internet today. As the Internet Privacy Provider, we are happy to support the development and deployment of an infrastructure for private electronic commerce," commented Sameer Parekh, President of Community ConneXion, Inc. Community ConneXion customers who sign up for Ecash from Mark Twain Bank using the automated application scripts located on the Community ConneXion site (at https://www.c2.org/ecash/application/) will receive the following benefits: For Schedule 1 Accounts (Basic Consumer): o Waive the set up fee $11.00 until further notice. o Waive the monthly fee of $1.00 for 1996. o Allow monthly withdrawal of $1,000 from Ecash Mint to WorldCurrency Account without withdrawal fee for 1996. o Allow two (2) movements of money from WorldCurrency Access to Ecash Mint without additional charge for 1996. For Merchant Accounts (Schedule 5-8): o Waive One Half of the Listed Set Up Fee until further notice. o Waive the monthly fee for 1996. For either consumer or merchant accounts, Community ConneXion will verify that you are a C2 customer and securely transmit the application directly to Mark Twain Bank. You remain responsible for sending a signed copy of the application to Mark Twain, sending money for deposit, and obtaining and operating the software as usual. Other Schedule 1 charges that apply from time to time will be retained without alteration. Contacts: ******** Mark Twain Bank Frank O. Trotter, III Senior Vice President Director International Markets Division Mark Twain Banks ftrotter at marktwain.com www.marktwain.com Fax: +1 314 569-4906 Community ConneXion Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 --- Ecash is a trademark of DigiCash bv WorldCurrency is a trademark of Mark Twain Bank From sthjyq at amp.com.au Thu Mar 21 01:43:37 1996 From: sthjyq at amp.com.au (Jeffrey Smith) Date: Thu, 21 Mar 1996 17:43:37 +0800 Subject: NEW SUBSCRIBER Message-ID: <3151E943.5D7@amp.com.au> Hi, In my profession (auditing) I endeavour to keep abreast of the latest vulnerabilities of the systems I audit. I would like to be on mailing lists for Novell, AS/400, NT and UNIX security exposures. From sameer at beer.CSUA.Berkeley.EDU Thu Mar 21 01:56:48 1996 From: sameer at beer.CSUA.Berkeley.EDU (sameer at beer.CSUA.Berkeley.EDU) Date: Thu, 21 Mar 1996 17:56:48 +0800 Subject: See sameer run the talk show circuit. Message-ID: <199603210518.VAA05745@beer.CSUA.Berkeley.EDU> Well not really. I am doing the "Electronic Frontiers Forum" thing by Jon Lebkowsky tomorrow evening though on "Club Wired". see http://www.hotwired.com/club/ -sameer From unicorn at schloss.li Thu Mar 21 02:14:40 1996 From: unicorn at schloss.li (dirsec) Date: Thu, 21 Mar 1996 18:14:40 +0800 Subject: unsubsrcribe In-Reply-To: Message-ID: On Wed, 20 Mar 1996, Timothy C. May wrote: > At 4:00 AM 3/21/96, thrdina at ibm.net wrote: > >How can I unsubsribe from this mailing list? > > > > > >From: THOMAS HRDINA > > Manager - Networks > > Bank of Nova Scotia > > New York Agency > > Well, do you want to "unsubsrcribe" or "unsubsribe"? [...] > (Remind me not to open an account at this "Bank of Nova Scotia.") I'd think a better idea would be to open an account in the amount of US$ 10.00 and wait a few months. You'll probably find a bank error has given you US$ 1000.00 > > --Tim > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From owner-cypherpunks at toad.com Thu Mar 21 02:17:36 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Thu, 21 Mar 1996 18:17:36 +0800 Subject: No Subject Message-ID: I have been working for some time on a project that involves doing proactive file authorization/authentication under Windows NT. In the process, I've been working on an extension to the Kernel layer of the operating system because we need to be able to catch read/writes to the disk. (All perfectly legal according to the DDK, just ot documented worth a damn.) All of this is designed to work directly with the functionality given to us by the NT-Security layer. Basically, I'm now questioning the C2 rating of Windows NT. The entire security layer is modular to the Kernel. As a modular driver, it can be removed, rewritten, and replaced. So, what makes it secure? What gives it the C2 Rating? How would one go about getting a C2 rating? Brad From tcmay at got.net Thu Mar 21 02:18:02 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 21 Mar 1996 18:18:02 +0800 Subject: If you can't take the heat... (Was Re: Keep the pressure!) Message-ID: At 8:54 PM 3/20/96, Jim McCoy wrote: >It seems that cypherpunks can dish it out when other newsgroups and >mailing lists suffer such problems ("well, the remailers do nothing I think that using the language "it seems that cypherpunks..." is too all-inclusive. Not many of us have complained, fortunately, about the anonymous posts, and I know of no votes or other opinion polls. A better wording might be "It seems that some cypherpunks..." Even better, "some members of the list...." There are something like 1000 list subscribers. A handful of vocal folks are critical of uses of anonymity. Not surprising, given our diversity. And since the "traitor list" is so childish, regardless of being written anonymously or not, it is unlikely that many people will jump up and claim to be impressed. Thus, it is unsurprising that the comments that _have_ been heard tend to be about one of the few things that can be immediately recognized: the anonymous (and to some, "cowardly") nature of the charges. And I think the anonymity issue is interesting. In the past, Detweiler railed against the uses of anonymity while himself being the single most prolific user of anonymous insults and the like, so it's an interesting pathology to study. While I personally trash the "traitor list" posts from Mr. Anonymous, I also trash similar rants from non-anonymous persons. >that telneting to port 25 cannot do..." or "internet identity is such >a fiction anyway, get used to it" seem to be common responses), but >when the cypherpunks lists is the victim of unpleasant anonymous messages >we fall back to the tired refrain of "if you have nothing to hide why >are you posting anonymously." How sad. "We" fall back on this tired refrain? Again, only a handful (no more than 5) have denounced this use of anonymity, which leaves hundreds of others who have said nothing of the kind. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From owner-cypherpunks at toad.com Thu Mar 21 02:19:02 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Thu, 21 Mar 1996 18:19:02 +0800 Subject: No Subject Message-ID: anonymous-remailer at shell.portal.com said: > > We can be fortunate that their number is small. At least the ones > we know about. Only three more since the last report. But even > one is too many. Well, you can add me to the list. Although there are a couple of problems with the Leahy bill, it still seems to me to be a step in the right direction. > > These people have alot to answer for. Ask them who they work for > and who signs there checks. Ask them why they lie. Ask them why > they are afraid of your right to privacy. (of course we know why) > Show them HOW WE FEEL. Let them serve as examples too others if > they are too cowardly to serve as beacons for truth. I'll answer up front. I work for the University of Minnesota. I don't get a check, I have direct deposit. If you saw how much it is, you'll *know* that I don't speak for them. I haven't lied for a couple of minutes now, and certainly not about my support for the Leahy bill. I'm not afraid of any right to privacy, in fact I insist on it and support it whenever possible. I don't know how you feel, and I wish you wouldn't show me, as I am afraid that you feel squishy and slightly damp. That might cause me to lose my appetite. > > THE LIST OF SHAME: > B. Schneier: bs208 at newton.cam.ac.uk, schneier at counterpane.com > M. Blaze: mab at crypto.com, mab at research.att.com > J. Bizdos: jim at rsa.com > S. Safaddar: shabbir at vtw.org > D. Weinstein: djw at vplus.com > P.. Peterson: padgett at hobbes.orl.mmc.com > B. Stewart: stewarts at ix.netcom.com > B. Unicorn: unicorn at schloss.li > P. Karn: karn at unix.ka9q.ampr.org > D. McCullagh: declan at well.com > > BOYCOTT APPLIED CRYPTOGRAPHY, AT&T, VTW, and RSA!!!! Don't forget grapes! > > THE LEAHY BILL IS 100% PART OF THE PLAN TO KILL FREE CRYPTO. > YOU DON'T NEED EXPERTS TO THINK FOR YOU! REMEMBER RICO AND WORLD GOVERNMENT! I can't remember breakfast, now what was that about RICO and World Government? Did I take over the world again and forget to clean up after myself? Sorry. -- Kevin L. Prigge | "You can always spot a well informed man - University of Minnesota | his views are the same as yours." email: klp at tc.umn.edu | - Ilka Chase PGP Key Fingerprint = FC E5 EE E7 8B 2E E9 D5 DA 1C 5D 6B 98 52 F6 24 From merriman at arn.net Thu Mar 21 02:25:51 1996 From: merriman at arn.net (David K. Merriman) Date: Thu, 21 Mar 1996 18:25:51 +0800 Subject: MS self-generated X.509 validity? Message-ID: <2.2.32.19960320174659.00687e44@arn.net> -----BEGIN PGP SIGNED MESSAGE----- I've just had a chance to go through the SDK MS is giving away for their ActiveX package. Interestingly, there's a little utility included for generating X.509 certs. The read.me that is included claims that the certs so generated don't have any real validity, as they're not linked to anything in the known universe (paraphrasing :-). My question is, is this an otherwise usable cert? I'll be happy to give anyone interested a copy of the files (shellback.cer and shellback.spc) I generated, if they'd like to examine/validate them. If the certs are, in fact, valid, I'll be glad to make the program available to others for 'testing purposes'. Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMVAn/MVrTvyYOzAZAQERywP+IMBiiAEGkBNI88kuw2WRlYfEOsAD92fl mfNpiJmb0pYTzljE1PVtLNjLtrXkeu71fTYX34rC90aU7zD/nufmZz+Nrp6TR1Ce J39A9C5KR7rkNRxvsjOnpyZ1gEHCsOh6ceGVUZidYa+iEvVs20VrlMleS2nz3t6w 4piJt0Bhwqc= =o+LF -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From owner-cypherpunks at toad.com Thu Mar 21 02:29:00 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Thu, 21 Mar 1996 18:29:00 +0800 Subject: No Subject Message-ID: ---------------------------------------------------------------------------- From: To: anonymous-remailer at shell.portal.com Copies to: cypherpunks at toad.com --------------------------------------------------------------------------- Look above, note the "To:" Field, hmmmm, the offending l party mailed a responce to an anon remailer. I have noticed a couple people do this latley. Please people - THINK, you have just proved beond a shadow of a doubt that you are crypto illiterate. The message is not sent back to the origional sender, it is either qued in the remailer's In basket, till the remailer administrator cleans it out, or it is trashed upon reciept since it does not have the required Request-Remailing-To: format. *sigh*, I will spare the offending parties the well deserved "Come back when you get a clue" flame. Regards, Michael Peponis PGP Key Avalible from MIT Key Server From llurch at networking.stanford.edu Thu Mar 21 02:29:33 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 21 Mar 1996 18:29:33 +0800 Subject: Upside's TAMING THE INTERNET: Special Report Message-ID: [Who says it needs to be tamed?] Page 78 of the April issue: "Stephen Arnold, author of the recent book _Publishing on the Internet: A New Medium for the New Millenium_ [gag], dispels some of the mystery and myth surrounding on-line security, assesses its current state, and looks forward to new technologies." www.upside.com. Interviews with Bill Gates and other "luminaries." -rich From froomkin at law.miami.edu Thu Mar 21 02:31:16 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Thu, 21 Mar 1996 18:31:16 +0800 Subject: IPG message In-Reply-To: <2.2.32.19960320161456.012102e0@mail.software.net> Message-ID: correct me if I'm wrong, but don't the federal direct mail marketing laws say that any unsolicited merchandise sent to a person becomes their property, regardless of any disclaimers to the contrary included in the package? A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here. From WlkngOwl at unix.asb.com Thu Mar 21 02:50:17 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Thu, 21 Mar 1996 18:50:17 +0800 Subject: PC: Using BIOS Wait function as a source of entropy? Message-ID: <199603210649.BAA27694@unix.asb.com> In some older versions of the NOISE.SYS random driver I experimented with calling the BIOS Wait function which uses the CMOS timer to pause, using the "drift" between timing differences. There appears to be some variation here, but I don't have enough documentation (and have yet to hack with the BIOS myself) to figure out what goes on exactly when one calls Int 15h/AH=86h, so I don't know if this is "real" clock drift of if the variation is caused by somehting else unsuitable for an RNG. Still, it seems interesting. Does anyone have decently detailed tech specs for this function? Source is enclosed below for reference. No copyrights on it. ---Rob ----- Attachment begins here ----- {$F-} const timer0 = $40; timercntl = $43; WaitInterval = 977; function SampleTimerWord: Word; assembler; asm mov al, 0c2h out timercntl, al { Latch status and count for timer 0 } in al, timer0 { Get status word } test al, 2 { Remember mode 2 v. mode 3 for later } mov ch, al in al, timer0 { Get count low byte } mov ah, al in al, timer0 { Get count high byte } xchg ah, al jz @GotSample { If mode 2, skip this last bit...} add ch, ch { Top bit of status byte into CF} rcr ax, 1 { Shift data down and accumulate} @GotSample: end; function Sample: Integer; assembler; asm { From Ralph Brown's Interrupt List: --------B-1586------------------------------- INT 15 - BIOS - WAIT (AT,PS) AH = 86h CX:DX = interval in microseconds Return: CF clear if successful (wait interval elapsed) CF set on error or AH=83h wait already in progress AH = status (see #0390) Note: the resolution of the wait period is 977 microseconds on most systems because most BIOSes use the 1/1024 second fast interrupt from the AT real-time clock chip which is available on INT 70 SeeAlso: AH=41h,AH=83h,INT 1A/AX=FF01h,INT 70 } call SampleTimerWord push ax xor cx, cx mov dx, WaitInterval mov ah, 86h int 15h jnc @NoError { does this affect timings much? } xor ax, ax jmp @Abort @NoError: call SampleTimerWord pop bx sub ax, bx @Abort: end; begin { Note: repeated/rapid calls to Sample() crashes the system or causes BOUND interrupts (which triggers the Print Screen function on PCs). } WriteLn(Sample:6); end. Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From owner-cypherpunks at toad.com Thu Mar 21 02:56:53 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Thu, 21 Mar 1996 18:56:53 +0800 Subject: No Subject Message-ID: Read on for more information on the details of the court challenge. I'm very happy to know that Donna Hoffman and Howard Rheingold will be testifying. They and other ACLU/CIEC witnesses and plaintiffs have been deposed by the DoJ over the last two weeks in Washington, DC. During the weeks separating the two sets of hearing dates, we will be deposing witnesses that the DoJ plans to call. I would expect those witnesses to dispute, among other things, the effectiveness of filtering software and other forms of indecency-blocking. -Declan // declan at eff.org // I do not represent the EFF // declan at well.com // March 20, 1996 _________________________________________________________________ News from the ACLU National Headquarters ACLU V. RENO: Background Briefing Three-Judge Panel to Hear ACLU Testimony in Landmark Challenge to Internet Censorship Law PHILADELPHIA, PA--Beginning tomorrow, a three-judge panel in federal district court in Philadelphia will hear testimony in the consolidated cases of ACLU et al v. Reno and American Library Association et al v. Reno, the landmark challenge to censorship provisions of the Telecommunications Law of 1996. Free speech in cyberspace is at stake as the first major legal challenge to censorship on the Internet gets underway. The case began when the ACLU filed a motion for a temporary restraining order against indecency provisions of the Telecommunications Bill immediately after it was signed into law by President Clinton on February 8. The suit challenges provisions of the law that criminalize making available to minors "indecent" or "patently offensive" speech. Acting on behalf of 20 individuals and organizations that provide information via the Internet -- including itself -- the ACLU said it was moving quickly because it feared that the telecommunications legislation would have an immediate impact on the Internet. Following this action, a second legal challenge was filed on February 26 by a coalition of more than 20 corporate and trade organizations known as the Citizens Internet Empowerment Coalition (CIEC). The CIEC suit, organized by the American Library Association, America Online and the Center for Democracy and Technology, was formally consolidated with ACLU v. Reno. The CIEC lawsuit, which addresses essentially the same issues as the ACLU challenge, further illustrates the broad spectrum of individuals and organizations that would be affected by the censorship provisions, and strengthens the case for a finding that the law is unconstitutional. The Court Case According to procedures laid out by the judges, direct testimony in ACLU v. Reno is to be submitted via affidavit. During the three days of testimony allowed, which will take place over March 21 and 22 and April 1, lawyers for the Department of Justice will cross-examine coalition witnesses, after which lawyers for the ACLU and ALA coalitions will have an opportunity to redirect, i.e., question their witnesses in response to the government's cross-examination. In preparation for the case, lawyers for the Department of Justice have been deposing all the ACLU and CIEC witnesses it may choose to cross-examine. So far, government lawyers have declined to cross- examine only two witnesses: Christine Soto and Hunter Allen, teenagers whose affidavits attest to the importance of uncensored access to the Internet by minors. The government is scheduled to present its witnesses for cross- examination on April 11 and 12, 1996. A fourth day of testimony has been scheduled for April 26, to allow the ACLU and ALA coalitions to present witnesses rebutting the government's testimony. Following these six days of trial, the judges will issue a ruling. Depending on the outcome, either side may seek an appeal to the U.S. Supreme Court. The Witnesses Thursday, March 21: --Scott O. Bradner, senior technical consultant, Information Technology Services, Harvard University (ALA) --Ann W. Duvall, president, SurfWatch Inc. (ALA) --Patricia Nell Warren, author and publisher, WildCat Press (ACLU) Friday, March 22 --Donna Hoffman, associate professor of management, Owen Graduate School of Management, Vanderbilt University (ACLU) --William Stayton, psychologist and Baptist minister (ACLU) --Robert B. Cronenberger, director, Carnegie Library of Pittsburgh Professor (ALA) --Kiyoshi Kuromiya, director, Critical Path AIDS Project (ACLU) Monday, April 1 --Howard Rheingold, author and cyberspace expert --Barry Steinhardt, associate director, ACLU --Stephen Donaldson, Stop Prisoner Rape (*Note: schedule is subject to change) Chronology February 7 -- At a news conference in Washington, D.C., the ACLU announces plans to seek a temporary restraining order against indecency provisions of the Telecommunications Bill immediately after it is signed into law by President Clinton on February 8. --The ACLU announces the launch of its new "Freedom Network" World Wide Web site, , with a home page declaring, "Keep Cyberspace Free." Over 200,000 hits are recorded in the first 48 hours of the launch. February 8 --The ACLU files its legal challenge in federal district court in Philadelphia before Judge Ronald L. Buckwalter. -- In the first court action over the constitutionality of the Communications Decency Act , Judge Buckwalter directs the government to refrain from prosecuting for so-called indecent or patently offensive material online until the motion for a TRO is decided. -- The judge instructs the government to file a reply brief to the ACLU's request for a TRO within one week. --Government lawyers conceded that the abortion speech restrictions of the CDA are unconstitutional. February 15 -- Judge Buckwalter grants a temporary restraining order on the indecency provisions of the Communications Decency Act, and denies the TRO motions on prosecution for "patently offensive material" and on the "Comstock Law" abortion speech provisions of the CDA. --A three-judge panel is convened to hear the case: Chief Judge Dolores K. Sloviter, Judge Stuart Dalzell, and Judge Ronald L. Buckwalter. February 21 --More than 5,000 visitors to the ACLU website use the "instant action" feature to e-mail or fax Attorney General Janet Reno, urging her not to prosecute under the new law. February 23 -- ACLU announces that government lawyers have agreed not to initiate investigations or prosecute Internet "indecency" until three-judge court rules on the case. --Hearing dates set for the case; the ACLU will present its evidence on March 21 and 22, with April 1 reserved. The government's dates are April 11 and 12, 1996. The total trial is scheduled to last five days. February 26 --More than 20 corporate and trade organizations, known as the Citizens Internet Empowerment Coalition (CIEC), initiate a second legal challenge to the Communications Decency Act. February 27 --The CIEC suit, organized by the American Library Association, America Online and the Center for Democracy and Technology, is formally consolidated with ACLU v. Reno. March 21 --Trial opens at 9:30 a.m. in the ceremonial courtroom in federal district court in Philadelphia. ### Contact: Emily Whitfield, (212) 944-9800 ext.426 _________________________________________________________________ Media Relations Office 132 W 43rd Street, NYC 10036 (212) 944-9800 ext. 414 From jamesd at echeque.com Thu Mar 21 03:06:47 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Thu, 21 Mar 1996 19:06:47 +0800 Subject: Keep the pressure! Cryptographers Against Cryptography EXPOSED! Message-ID: <199603210625.WAA26249@mail1.best.com> At 02:16 AM 3/20/96 -0800, anonymous-remailer at shell.portal.com wrote: > I am proud to report that > the majority of us have the good sense to see [the Leahy bill] for > what it is but > a few cypherpunks continue to lie to us and have > not recanted. I do not like the Leahy Bill, but it is not so plainly and flagrantly bad that good people cannot have different opinions of it. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From prz at acm.org Thu Mar 21 03:30:31 1996 From: prz at acm.org (Philip Zimmermann) Date: Thu, 21 Mar 1996 19:30:31 +0800 Subject: PGP and Human Rights, continued Message-ID: <199603210715.HAA09123@maalox> A few days ago, I posted a note to the cypherpunks list from a human rights group in Central Europe, regarding their use of PGP. Here is a followup note from the same guy. I have edited it to preserve his and his group's anonymity. This version may be freely circulated. -Philip Zimmermann Date: Tue, 19 Mar 1996 10:35:00 +0000 (GMT) >From: [name and email address deleted] Subject: New Message from Europe To: prz at ACM.ORG I hope our story helps. Here is a little tale of pre-PGP days. In the bad old days before we had PGP and before the revolution in Romania, we used to send couriers to Romania to meet with dissidents and help collate information about their troubles. Organisings such trips was a nightmare because briefing couriers to be able to find people, and then bring out accurate reports was quite difficult. Any document was liable to be confiscated, and any notebook with names and addresses would be taken if found by the Police and every Romanian in the book would be visited by the security Police. Yet sometimes we would be given large files of documents to take to the Human Rights Agencies in the West, and couriers would have to visit several dissidents. As Foreigner's you were required to stay in designated hotels, it was illegal to stay in a private home. You were followed, and meetings with dissidents were a stressful experience for everyone. We eventually started to use handheld psion computers to carry information about travel directions, name and addresses, and to input files etc. No sensitive information was carried in the memory of the psion but in a separate memory cartridge. The cartridge resembled a battery, and the psion looked like a sophisticated calculator, so we relied on the Romanians ignorance of that technology, and on keeping the two items separate when travelling. This worked very well until the late eighties when a courier was arrested at the Romanian\Hungarian border, during the initial search the memory cartridge was overlooked, and as such the courier was able to keep the memory cartridge. Later in the day, he was being walked between two buildings when he had opportunity to throw the memory cartridge into a fast moving river ! All very heady stuff, but everyone back in the office was off the wall for several days until the courier was eventually released and able to confirm the destruction of the memory cartridge. Since PGP, we have been able sleep better at nights. The following story is not for publication as we could easily be identified... [story deleted] ... So as you can see the issue of Privacy here is not about tax evasion or child pornography, but the on-going determination by various groups including parts of the media, and Government Agencies, to know everything and to then to profit by such knowledge financially or by the destruction of those opposed to them. In this part of the world PGP is a common sense idea that protects ordinary people from those who have power that they are prepared to abuse. There is no Constitution, enforced by capable courts in this part of the world able to protect us from such abuses, so we must have the right to protect ourselves from abuse. If the NSC considers PGP a restricted weapon system that can't be legally exported, why can't at least Americans who have the right to bear arms have an ongoing guaranteed right to keep uncompromised encryption\PGP under their pillow at night along with their magnum. If you are allowed fatal force to protect your physical person, why can't you have equally powerful protection for your personal thoughts. Now I am no fan of the Gun Lobby, but if Americans can ensure their right to uncompromised encryption, the rest of us can argue for the same more effectively. Anyway I must get back to work... Do keep in touch sometimes.. Best regards [name deleted] --- From gjeffers at ns.htc.net Thu Mar 21 03:59:27 1996 From: gjeffers at ns.htc.net (Gary Lee Jeffers) Date: Thu, 21 Mar 1996 19:59:27 +0800 Subject: Is the IRS a paper tiger? Message-ID: <9603190816.AA31419@ns.htc.net> >From STRATEGIC INVESTMENT March 20, 1996 Strategic Investment 1217 St. Paul St. Baltimore, MD 21202 It is published monthly for US$159 per year for U.S. residents (C$190 for Canadian residents and US$200 for other non-U.S. residents). behind the lines - by Jack Wheeler Is the IRS a paper tiger? One definition of a pioneer is a guy with an arrow in his back. So notice the above headline is a question, not an assertion. But it is nonetheless a question being asked by a lot of folks these days, from Bill Archer, Chairman of House Ways & Means, to a number of smart tax attorneys. The federal tax code has mutated into this gigantically in- comprehensible Rube Goldberg monstrosity that day by day gets closer to collapsing under its own weight. Couple that with the fact that the IRS computer system is about to go belly up. The IRS originally computerized itself AD HOC, with the regional centers getting various platforms and software that can't communicate with each other very well. The agency has now spent over $8 billion on the TSM project to re-computerize, which an independent review recently concluded is a colossal failure. As the IRS teeters on the brink, a fellow named Eddie Kahn has stepped forward and may be about to push the whole creaking mess over the edge. He hasn't got an arrow in his back yet, so he might just succeed. Dis- dainful of "tax protests" such as 5th Amendment or legal tender arguments that quickly get their advocates behind bars, Eddie looked into the stru- ture of federal law. When Congress passes a law, codified as a statute, it then delegates to a regulatory agency the authority to issue the im- plementing regulations specifiying to whom and under what circumstances the statute applies. These regulations must, by law, be published in the Federal Register. Lacking these implementing regulations, the law cannot be applied and has no force. Well, it turns out that the implementing re- gulations for IRS' enforcement statutes-things like the requirement to file a tax return and the authority to place a lien-cannot be found in the Federal Register. When queried on this, the General Counsel for the Office of the Federal Register, Michael White, replied in writing, "Our records indicate that the Internal Revenue Service has not incorporated by reference in the Federal Register a requirement to make an income tax return." This is starting to get interesting, isn't it? And yes, I see that big smile on your face. If Eddie is right, the IRS has no assessment autho- rity, no collection athority to enforce a lien or seize property, no au- thority to pursue criminal penalties for failure to file a return or make a false/fraudulent return. I am not at all suggesting you be a pioneer. But if you should have any difficulty with the lovable folks at the IRS, you might consider making an appointment to see them in person at their nearest office, and tell them face to face that you need to see a copy of the implementing regs published in the Federal Register that show they have the authority to require you to do what they want. Not one of the close to a thousand people who, following Eddie's advice, have done so received a copy-and not one has been further harassed. Better to let these folks drop out of the system quietly than risk a negative decision in court, which would be for them an ultimate catastrophe. You can get more info from Eddie at: 1-800-419-7512. --------------------------------------------------------------------- PUSH EM BACK! PUSH EM BACK! WWWAAAYYY BBBAAACCCK! BBBEEEAAATTTT STATE! Gary Jeffers P.S. This reminds me of something else that I read a few months ago. There is a book with the title The Law that Never Was - the 16th Amendment (this was the title or close) that had a similar affect on the IRS. I believe it was the SPOTLIGHT that said that when the then Commissioner of the IRS found that the book was published, he gave gave instructions that people citing the book in arguments with the IRS be left alone. The 16th Amendment created the IRS.  From fair at clock.org Thu Mar 21 04:28:01 1996 From: fair at clock.org (Erik E. Fair (Time Keeper)) Date: Thu, 21 Mar 1996 20:28:01 +0800 Subject: Dorothy Denning attacks Leahy's crypto bill Message-ID: I feel a bit stupid right now. I read Leahy's bill from top to bottom shortly after it was submitted, and aside from the provision which separately criminalizes the use of encryption in a the comission of a crime or to obstruct justice, I fail to see the flaws that you see. Could you spend a little time enumerating the flaws in this bill as you see them, with reference to the particular wording in Leahy's bill? thanks for your time & trouble, Erik Fair From unicorn at schloss.li Thu Mar 21 04:55:59 1996 From: unicorn at schloss.li (dirsec) Date: Thu, 21 Mar 1996 20:55:59 +0800 Subject: Leahy Bill: Conspiracy, or Predictable Legislation? In-Reply-To: Message-ID: On Wed, 20 Mar 1996, jim bell wrote: > Likewise, nobody on "our side" has made the fact of their input known, > whether or not that input did any good. The question, therefore, is "Who > knew what and when?" Who was consulted? What were their objections? What > objections weren't satisfied? Since the bill at least superficially > addresses some of our concerns, SOMEBODY must have told Leahy what we want. > Who? Leahy had his own opinions about the issues to begin with. Leahy has taken an interest in all these matters since and before the Clipper hearings. Your fault here is assuming that "we" are the only ones who know anything about the crypto issue. "We" represent only a portion of those in the field who know what they are talking about. John Podesta is a good example. Podesta could care less what anyone on this list has to say, but he was fairly key in designing DigiTel clauses, and was deeply involved in development of Clipper as well. Podesta knows the issues without being on this list at all. Now how exactly it was that you came to the conclusion that someone told Leahy "what we want" (as if there was some meaning to "we" and, accordingly, as if "what we want" could even be defined) is a bit of a mystery to me. Legislators are not the morons you seem to take them for. This is conspiracy buff flaw #1: (There is a huge and silent set of people who think exactly as I do. Because they are not heard, they must be oppressed or made to be silent). Being a member of the cypherpunk list is not a requirement to know the issues. Part of your problem is basic arrogance. Many conspiracy buffs share this flaw. The legislator's staff (who are paid quite handsomly to be in the know, and often hired based on their expertise in the first place) don't really need much help in pinning down the issues. This is why I say that pointing to the legislators and yelling "they must have had help! Someone in here is in cahoots with them!" is the height of arrogance. (Conspiracy buff flaw #2) Further, who cares who contributed to the bill? Hundreds of people with basic roles in creating legislation are forgotten every day. So? > 2. I haven't seen any analysis of this bill other than Peter Junger's, even > and especially from some people and organizations that originally came out > in favor of it. If anything, those people would be expected to be defending > their positions, but they've not backed up that early support with anything > close to a believable position. (Most are silent.) The implication is > that they had no such early analysis done, and came out in favor of the bill > anyway. Worse, they aren't correcting their position based on the more > detailed study that has been done subsequently. I'm lazy. But if someone sends me the bill in full via e-mail, I'll do an analysis for the list. > 3. Because she's a negative barometer, Denning knows that a positive > review by her would be as close as she could do to give the "kiss of death" > to this bill. Her putative opposition is, therefore, far more interesting > to us. If anything, it gives us a marvelous opportunity to ensure the death > of a bad bill. I disagree. If Denning wasn't in on the development of the bill to begin with, then how is it you think she is going to be crowned with some glowing mystical authority when she does or does not complain? Even assuming she was given such authority, negative barometer to who? Denning is well respected in the field by "those who matter," (a subset in which your "WE" seems to be poorly represented) and as such I can't imagine how you think that her approval would in any way be the "kiss of death." This is a combination of conspiracy buff flaws #2 (arrogance: because "we" dislike Denning, everyone else must, or if Denning spurred "us" into action, the bill surely would be dead), and conspiracy buff flaw #3: ("Our" "enemy" is already so demonized, they could never agree with us). > I'm waiting for somebody to explain to me why we can't simply re-write the > Leahy bill, take out all the bad parts and put a number of new protections > in, and send it back to Leahy and condition our support on that edited bill. Ok. Who's "we?" (Flaw #1 all over again) And who says that you can't re-write the bill? Be my guest. You seem to be able to type line after line of dribble. One would think you'd be a good legislator. Certainly for all the credit you give lawmakers, your mastery of the legislative process, your expertise in predicting and observing the Supreme Court, one would wager you're just the person. I'm sure you'll have no trouble passing a basically liberal bill that the FBI will scream bloody murder about through a "law and order" republican congress in the middle of an election year and in the wake of a democratic president's public relations coup in dealing with international terrorism. Sure the republicans will look soft for supporting the bill, but at a time like this, security is unimportant to them, right? And this part I love: "and condition our support on that edited bill." Flaws number 1 and 2 all over again. You think Leahy needs our support? Go ahead, Mr. Bell. Rewrite the bill, send it to Leahy. Let me know what he says. FDR couldn't pass a bill like that today. > If Leahy really thinks he's doing a favor for the pro-encryption people, > he'll support the corrected bill wholeheartedly. If, on the other hand, > it's all just a fraud, there's no hope, and in that case it's better than no > bill be passed than one that contains a few booby-traps that will explode > shortly after the bill is passed. Really I've never understood Leahy's position to be a strongly free-speech one in the first place. While at the Clipper and DigiTel hearings, it was fairly clear to me that both Leahy and Specter were uninterested in the free speech issues, (aside a few needed sound bytes) and rather the stagnation of the technology sector of the U.S. economy through export regulation. (The strength and growth in this sector and the phrase "leader in the world" was mentioned several times). Specter cared less so even about this at the time. Even in a public hearing I recall his concern was lackluster. Recall also that Specter chairs the Select Committee on Intelligence. Hardly a free speecher in any shape, even though many on this list hailed him as an provisional ally after the Clipper hearings. >From this perspective there is no major turn of events or dispositions here. Leahy's bill, what of it I see, addresses his main concern, exports and U.S. technology growth. Specter was never much on our side to begin with. In many ways a lot of the attitudes from those yelling "traitors" here are the height of hypocracy. "The enemy of my enemy is my friend." (of Specter and Leahy) "Once an enemy, always an enemy." (of Denning) The proper course to take would have started with a more accurate assessment of the allies of strong and unescrowed encryption. Counting on Leahy and Specter was a major mistake. Industry has always been the way to go (A little back patting here, I said as much at the D.C. cypherpunks meeting back when in the midst of Clipper, no one listened to me then either). This is the reason I was so enraged with netscape. People listen to large, publically traded companies, most of whom are content to take their licks and move on right now. Netscape was about the only one who could have put a foot in the door and given people a taste of what they were missing. > As far as I can see, time is on our side. Industry will continue to insist > on free export of encryption, and there will be few in Congress to oppose > it. We already have the 1st amendment which SHOULD defend encryption, > unless that protection is implicitly weakened by allowing a precent for the > control of encryption. In other words, we're going to win in a year or so > regardless of this Leahy bill, so we can afford to be hard-nosed with our > support or lack of it. I find your assessment optimistic in the extreme. I believe the concentration should be more in the direction of developing crypto tools that have long "half lives," stealth properties, and generally prepare for the regulation or ban of strong crypto without escrow. I've called for this before, I call for it again. Where are more effective (and multiplatform) Stealth PGP versions? 4096 bit RSA type keys? 256 bit conventional cyphers? This political climate is more fear and fourhorsemen driven than anything else. In the face of a democratic shift to law and order, and a matching republican shift even further in the same direction, the First Amendment, which is generally applied to public speech in any event, is unlikely to provide much protection here. > Jim Bell > jimbell at pacifier.com --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From Chris.Liljenstolpe at ssds.com Thu Mar 21 04:58:41 1996 From: Chris.Liljenstolpe at ssds.com (Chris Liljenstolpe - SSDS INFOSEC Eng.) Date: Thu, 21 Mar 1996 20:58:41 +0800 Subject: RC2 or RC4 in silicon Message-ID: <2.2.32.19960321030918.00c1c81c@denver.ssds.com> Greetings, Is anybody aware of an RC2 or RC4 implimentation is silicon? If so, any pointers would be appreciated. Please respond directly. Regards, =Chris -- ( ( | ( Chris Liljenstolpe ) ) (| ), inc. SSDS, Inc; 8400 Normandale Lake Blvd.; Suite 993 business driven Bloomington, MN 55437; technology solutions TEL 612.921.2392 FAX 612.921.2395 Fram Fram Free! PGP Key 1024/E8546BD5 FE 43 BD A6 3C 13 6C DB 89 B3 E4 A1 BF 6D 2A A9 From merriman at arn.net Thu Mar 21 05:00:05 1996 From: merriman at arn.net (David K. Merriman) Date: Thu, 21 Mar 1996 21:00:05 +0800 Subject: Pepsi World - Gotta Have It! Message-ID: <2.2.32.19960320144640.00682484@arn.net> -----BEGIN PGP SIGNED MESSAGE----- At 06:46 PM 03/20/96 -0600, you wrote: >Hey Squatter! > >Don't forget to cruise back by Pepsi World! ... >Don't forget your squatter id 'cypherpunk' and password >'cypherpunk', you'll need them to maintain your Squatter's >rights in Pepsi World. Gee. Lucky us. :-b Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMU/9s8VrTvyYOzAZAQEtbwP/c1TamDTSafhTqzbBYIMA1NhgNia3HgnB EsOu0IBe5/G5kxh8AboFLSSAp6jKVQcSkE+7UlqyPwhWSxSNlQqy1TfNdPh8Qk8W T9avJAjIdno/tEvcCZCnSyXwNSqqdCJCtNfxwMyviMxY7g1jbZ3E2onvSRPh+1RW IjLbkhoa1NE= =Z2c7 -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From tcmay at got.net Thu Mar 21 05:00:44 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 21 Mar 1996 21:00:44 +0800 Subject: unsubsrcribe Message-ID: At 4:00 AM 3/21/96, thrdina at ibm.net wrote: >How can I unsubsribe from this mailing list? > > >From: THOMAS HRDINA > Manager - Networks > Bank of Nova Scotia > New York Agency Well, do you want to "unsubsrcribe" or "unsubsribe"? Not that it matters which of these you choose, but perhaps you ought to use a correct spelling ("unsubscribe"). Note to others: Other lists I am on have had the same frantic demands that people be "unsurscribed," "unscribed," and "unnsubscrubbed." I chalk it up to a nation filled with illiterates. (Remind me not to open an account at this "Bank of Nova Scotia.") --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From stewarts at ix.netcom.com Thu Mar 21 05:01:13 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 21 Mar 1996 21:01:13 +0800 Subject: Yeo, Pea-brained Imbecile Message-ID: <199603210305.TAA26073@ix6.ix.netcom.com> At 09:15 PM 3/18/96 +0000, "Michael Peponis" wrote: >Here is my two cents on the whole subject of countries wanting to recieve the >technical and economic benifits of the internet, but reject groups they have >moral or ethical problems with. ... >Given the plethera of reports like this, I will start maintaining a list of >country that will not be given access to my site, no FTP, no HTTP, no nothing, >on top of that, I will hard code into all the new versions of my network aware > programs to check for a domain subfix, if it is on of the black > list, the software will not function. .... >They want isolation, let them enjoy the full benifits of that decision. I've got the opposite view - I think it's worth making access to widespread parts of the Internet _easier_ for people from countries whose governments don't want their subjects\\\\\\\\citizens to access them. Aside from any good that can be accomplished by building, say, a Singapore Banned Religion/Politics web index (since Singapore's recently announced policy is to censor Usenet access but not http access, so auto-indexing newsgroups would work), any technology that makes it easier to work around censorship will be useful for Yankees who want to access controversial groups after Buchanan's elected (:-) One part of the problem is building convenient mirrors in free countries; another is building packet/mail/http/etc. laundries that can be easily ported to make it difficult to block access to _them_. Some of the Andrew File System approaches for the Zundelsite project were interesting, since it's harder to block access to widely supported back channels, and since it provides people with non-subversive reasons to support a relay site, they're more likely to be widespread and supported at sites that censors don't want to totally block. Now, building a blacklist of censorious _government_ sites, like *.gov.sg (or whatever) and blocking them is more interesting. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissable." - US government statement on China... From unicorn at schloss.li Thu Mar 21 05:08:35 1996 From: unicorn at schloss.li (dirsec) Date: Thu, 21 Mar 1996 21:08:35 +0800 Subject: [NOISE] Re: Dorothy Denning attacks Leahy's crypto bill In-Reply-To: Message-ID: On Thu, 21 Mar 1996, jim bell wrote: > At 03:35 PM 3/20/96 -0500, Perry E. Metzger wrote: > > > Has it occurred to you that the whole thing might not be a conspiracy and that the > >flaws in the bill might just be that -- flaws? > >Perry > > This theory is easily testable. As I suggested a LONG time ago (gee, > it must be at least a week now!) let's have a go at re-writing the bill > to delete all the bad parts, modify it to be good, add appropriate > extras to nail down everything, and present it to Leahy as the minimum > acceptable bill. If those are just "flaws" then Leahy should have no > trouble with any of this. If, on the other hand, it's all a fraud, > we'll encounter fierce resistance. > What do you think will happen? I think Leahy will, quite rightly, refuse to adopt the new bill because it has a snowball's chance in hades of passing, and it makes him look soft on crime and terrorists. But I'm sure Mr. Jim "legislative expert" Bell thought of this already and has 10,000 characters stored in a buffer just ready to dump into a letter which will dismiss this most basic of explanations. > Jim Bell > jimbell at pacifier.com --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From nobody at REPLAY.COM Thu Mar 21 06:03:24 1996 From: nobody at REPLAY.COM (Anonymous) Date: Thu, 21 Mar 1996 22:03:24 +0800 Subject: A MODEST PROPOSAL Message-ID: <199603211212.NAA22651@utopia.hacktic.nl> On Wed Mar 20 1996 Sandy Sandfort wrote: : Having said that, I am totally put off by the gradiose and : devisive ravings of this commentator. During the Second World : War the Nazis required Jews in the occupied countries to wear a : yellow star of David to identify themselves. In Denmark, the : king so identified himself, and soon so did most of his subjects. Ohh pleeez!!, give YOUR ravings a rest Next you'll be raving about soap and lampshades made out of Jews. The story about the Danish King and the Yellow star is a famous wartime lie by the US. When Germany invaded Denmark and Norway, the king of Norway fled to London to continue resistance. The king of Denmark surrendered. Many in the US thought the Danish king was a coward. During the war the story about the yellow star was made up to make the king look better. For more details try out IHRs web site on http://www.kaiwan.com/~ihrgreg. A recent article from a British on-line newspaper:- The Electronic Telegraph Tuesday 29 August 1995 Denmark's resistance to Nazis 'is a myth' By John Keegan, Defence Editor DANISH resistance to German occupation during the Second World War is largely a myth, according to a leading historian. The civilian population was not involved in resistance and the celebrated rescue of Denmark's Jews from Nazi deportation was facilitated by the German occupiers themselves. Those caught assisting the Jews' escape were either not punished or else given nominal prison sentences. These astonishing claims were made by Prof Henning Poulsen, of Aarhus University, at a conference on "The Second World War as Myth and History" held in the Swedish Houses of Parliament. The conference was opened by the Swedish foreign minister, Lena Hjelm-Wallen, and closed by the speaker of the Swedish parliament, Birgitta Dahl. Prof Poulsen insisted that his views were not controversial, a view supported by another Danish professor. The official story of the resistance was, he said, no longer accepted by most young Danes, who found it exaggerated and boring. He reminded his audience of fellow historians from Norway, Sweden, Finland, Iceland, Russia, Canada and Germany that Denmark capitulated on the day of the German invasion, May 9, 1940, and was not treated by Germany as a conquered nation. The elected government remained in office and German officials belonging to the administration in Copenhagen made visits to Danish ministers, not vice versa. Danish political parties were allowed to function normally and to maintain democratic debate. The only limitation on their activities was that criticism of Germany was not permitted. The occupation remained a benign one. Werner Best, the SS officer representing the German foreign office, did not wear his black uniform and was not allowed by Himmler to use his high SS rank title. The foreign office was the agency chosen by Hitler to represent German power in Denmark during the occupation. After August 1943, when there were riots in Copenhagen following misbehaviour by German troops, conditions worsened, said Prof Poulsen. The Germans dissolved the elected government and imposed direct administration. Nevertheless, he said, the occupation remained a benign one. Danish civilian rations were more generous than those in Germany and when German police were called on to put down demonstrations in Danish cities they did so under the regulations governing police response to civil disorder in Germany. In his most sensational revelation, he said that the only concentration camp set up by the Germans on Danish soil, at Froesley, never held more than 4,000 inmates, 2,000 fewer than it was designed to contain. Denmark "won a war in which it had not taken part" It was administered by the Danish prison service and was the only concentration camp in the Nazi system where the German guards asked for the same food as the prisoners. It was ironic, Prof Poulsen said, that Denmark was included among the victor nations in 1945 by Britain, America and the Soviet Union. It had thus "won a war in which it had not taken part". Prof Poulsen conceded that there had been resistance in Denmark, but of a military, not civilian, character. By that he appeared to mean that sabotage operations against the Germans were the acts of unrepresentative groups, working in co-operation with the British Special Operations Executive, and did not represent the attitude of the majority of the population. Prof Poulsen's paper is likely to provoke argument, particularly in Britain, America and Israel, where the Danish success in arranging the escape of 95 per cent of the country's 7,000 Jews to neutral Sweden in September, 1943, is hailed as an example of what might have been achieved elsewhere had domestic populations shown the same determination. He suggested that the escape succeeded because the Germans did not try to prevent it and because the worst penalty visited on those fishermen who were caught after smuggling Jews abroad was three months' imprisonment. From crisper at ascensionet.com Thu Mar 21 06:46:47 1996 From: crisper at ascensionet.com (crisper) Date: Thu, 21 Mar 1996 22:46:47 +0800 Subject: Mailing Lists Message-ID: <314F7823.487D@ascensionet.com> Could anyone direct me to some other mailing lists dealing with either computer security or current communication technology, routers,modems etc. Thank you ahead of time. Also could anyone direct me to some good beginner books on cryptography of computer security. When referring books could you make them recent so that they would be regularly available at Barnes&Noble or Borders. Thanks From eagle at armory.com Thu Mar 21 06:53:35 1996 From: eagle at armory.com (Jeff Davis) Date: Thu, 21 Mar 1996 22:53:35 +0800 Subject: NT's C2 rating In-Reply-To: <199603202119.NAA26183@montana.nwlink.com> Message-ID: <9603210453.aa08928@deepthought.armory.com> > Basically, I'm now questioning the C2 rating of Windows NT. The > entire security layer is modular to the Kernel. As a modular > driver, it can be removed, rewritten, and replaced. Good questioning. > So, what makes it secure? What gives it the C2 Rating? How would > one go about getting a C2 rating? The fine print says its insecure as soon as its connected to a network. -- According to John Perry Barlow: *What is EFF?* "Jeff Davis is a truly gifted trouble-maker." *email * *** O U T L A W S On The E L E C T R O N I C F R O N T I E R **** US Out Of Cyberspace!!! Join EFF Today! *email * From crisper at ascensionet.com Thu Mar 21 06:57:36 1996 From: crisper at ascensionet.com (crisper) Date: Thu, 21 Mar 1996 22:57:36 +0800 Subject: Internet Information Message-ID: <314F7B76.C8A@ascensionet.com> Iwas wondering if anyone could pint me to a DETAILED description of the internet routing system. Basically how a message gets from my computer to another lets say in Europe. No need for simplicity I would like a real description. Dont worry abpout protocols just where my message goes. Also does anyone have a list of where the net's routers are located and who runs them. Also their respective routing speeds at the current times. Thank You ahead of time! crisper From sandfort at crl.com Thu Mar 21 06:58:25 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Thu, 21 Mar 1996 22:58:25 +0800 Subject: A MODEST PROPOSAL In-Reply-To: Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Wed, 20 Mar 1996, Rich Graves wrote: > I would sign on, but I don't think you want to associate with a crypto- > jewish anarchist fucking statist nazi free-speech activist censor asshole > l. detweiler tentacle. Sure we do. As Detweiler always says, "The more, the merrier." S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From sandfort at crl.com Thu Mar 21 07:09:31 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Thu, 21 Mar 1996 23:09:31 +0800 Subject: Shameless In-Reply-To: Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, On Wed, 20 Mar 1996, Charles Bell wrote: > Uh-huh. And Perry said something about how the `list of shame' looks > like an NSA enemies list. > > Why do I sniff a scent of `provocateur'? Is it just in my nose? Actually, I doubt Mr/Ms Anonymous is a provocateur. Reads more like a paranoid schitzophrenic to me. Dollars to donuts says it's Detweiler. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From eay at mincom.oz.au Thu Mar 21 07:29:16 1996 From: eay at mincom.oz.au (Eric Young) Date: Thu, 21 Mar 1996 23:29:16 +0800 Subject: RC2 speed Message-ID: Just a quick RC2 update, since I have not seen anything about it's speed on this list. I have implemented RC2 from the posting from Message-ID: <4fk39f$f70 at net.auckland.ac.nz> in sci.crypt (This is the 'text' description of the algorithm). The following times are from C code using gcc 2.7.0 on a sparc 20 and cc on 'some old slow alpha box' sparc 20 Alpha rc4 4521k/s 3835k/s des cbc 993k/s 833k/s des ede3 cbc 370k/s 476k/s idea cbc 862k/s 726k/s rc2 cbc 975k/s 1083k/s Documentation I had seen previously about RC2 made the claim it was about 3 times faster than DES is software. From my times it appears to be of a similar speed (depending on the box). It as has been speculated that RC2 was origionally written for effiecent implementation on 16bit hardware, this could well be true, but for modern 32bit processors, it appears to have no real speed advantage over DES or IDEA. I'm mostly interested in RC2 because it is in the SSLv2 and S-MIME specifications :-). Any comments? eric PS If RC2 was implemented in assember, it would obviously be faster due to direct use of machine rotate instructions. I don't quite know how much this would speed things up but obviously the other algorithms would also benifit from hand coding. -- Eric Young | Signature removed since it was generating AARNet: eay at mincom.oz.au | more followups than the message contents :-) From jimbell at pacifier.com Thu Mar 21 07:43:09 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 21 Mar 1996 23:43:09 +0800 Subject: Message-ID: At 09:18 PM 3/20/96 -0500, owner-cypherpunks at toad.com wrote: >Since someone other than Jim Bell and THE LIST OF SHAME author thought I >was being serious, I thought it wise to respond. For the record, I couldn't tell whether you were serious or not. (most other people seem to have assumed that you were serious...) Nevertheless, I replied, because I was afraid there were other people who were anxious to not take good advice merely because they didn't like the source. If anything, I would say the other notes you received make it clear that my concern was justified. >The notion that a measure of criticism from a known enemy, Dorothy >Denning, corrects the many problems with Leahy's legislation is absurd. True. But it was apparently received without negative comment by a number of people who would also have "proudly" put their name on this nameless character's "list of shame." For one, I don't really appreciate the pillorying of some of the names on that list, either, but there are a number of facts which bother me about this whole Leahy bill incident: 1. The bill seems to be without fingerprints on it. Nobody (other than Leahy, of course) has claimed that he had input into it. Denning's recent comment at least implies that either she had no input, or was strongly dissatisfied at the eventual bill. (Despite this, there are plenty of "legitimate needs of law enforcement" clauses in that bill, and it is not conceivable that she wouldn't have been consulted if the author of the bill had any sympathy for the anti-encryption side.) Likewise, nobody on "our side" has made the fact of their input known, whether or not that input did any good. The question, therefore, is "Who knew what and when?" Who was consulted? What were their objections? What objections weren't satisfied? Since the bill at least superficially addresses some of our concerns, SOMEBODY must have told Leahy what we want. Who? 2. I haven't seen any analysis of this bill other than Peter Junger's, even and especially from some people and organizations that originally came out in favor of it. If anything, those people would be expected to be defending their positions, but they've not backed up that early support with anything close to a believable position. (Most are silent.) The implication is that they had no such early analysis done, and came out in favor of the bill anyway. Worse, they aren't correcting their position based on the more detailed study that has been done subsequently. 3. Because she's a negative barometer, Denning knows that a positive review by her would be as close as she could do to give the "kiss of death" to this bill. Her putative opposition is, therefore, far more interesting to us. If anything, it gives us a marvelous opportunity to ensure the death of a bad bill. I'm waiting for somebody to explain to me why we can't simply re-write the Leahy bill, take out all the bad parts and put a number of new protections in, and send it back to Leahy and condition our support on that edited bill. If Leahy really thinks he's doing a favor for the pro-encryption people, he'll support the corrected bill wholeheartedly. If, on the other hand, it's all just a fraud, there's no hope, and in that case it's better than no bill be passed than one that contains a few booby-traps that will explode shortly after the bill is passed. As far as I can see, time is on our side. Industry will continue to insist on free export of encryption, and there will be few in Congress to oppose it. We already have the 1st amendment which SHOULD defend encryption, unless that protection is implicitly weakened by allowing a precent for the control of encryption. In other words, we're going to win in a year or so regardless of this Leahy bill, so we can afford to be hard-nosed with our support or lack of it. Jim Bell jimbell at pacifier.com From maldrich at grctechs.va.grci.com Thu Mar 21 08:10:50 1996 From: maldrich at grctechs.va.grci.com (Mark Aldrich) Date: Fri, 22 Mar 1996 00:10:50 +0800 Subject: POINTCAST - Could it be a Trojan Horse? In-Reply-To: <199603210305.TAA26171@ix6.ix.netcom.com> Message-ID: On Wed, 20 Mar 1996, Bill Stewart wrote: > > There is a new web site http://www.pointcast.com which provides a > > program file pcninstl.exe. You download pcninstl.exe and run the > > program on your PC from Windows 95 or Windows 3.1 > > > > PCN is a program that interfaces to the Internet using port 80 and > > provides you customizable up-to-the minute downloads of news > > headlines, stocks, customizable sports, customizable weather, > > customizable financial, Internet access (HTTP only with this release) > > and personal (horoscopes and lotteries). IBM is also running such a service. It's called InfoMarket and it does the same thing. You load the trojan, uh.., I mean "client," onto your box, and then it listens to the channels for you and puts up on the screen the tasty bits that you want. Of course, on a DOS box, it can also put all sorts of other stuff onto your computer. And, of course, after the "trial period" you'll be charged to dine at their info-trough. ( InfoMarket bullshit is at http://www.infomkt.ibm.com/ ) > > Well, Maybe it is too good to be true. This program becomes a proxy > > operator for you. Downloading, through your firewall, whatever it > > decides should be downloaded, data, new executables, etc. What is to > > prevent a hacker (or cracker if you like that term better) from > > offering a similar product which captures you PC keystrokes and scans > > your hard drive and uploads information, accesses your LAN or PC > > functions, or destroys PC files and data. Thanks for the suggestions. We'll add them to the list.... ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From cmca at alpha.c2.org Thu Mar 21 09:07:45 1996 From: cmca at alpha.c2.org (Chris McAuliffe) Date: Fri, 22 Mar 1996 01:07:45 +0800 Subject: The return of the IPG Unbreakable System (fwd) In-Reply-To: Message-ID: <199603200621.WAA04569@eternity.c2.org> -----BEGIN PGP SIGNED MESSAGE----- [To: IPG Sales ] [Cc: cypherpunks at toad.com] [Subject: Re: The return of the IPG Unbreakable System (fwd) ] [In-reply-to: Your message of Tue, 19 Mar 96 19:24:42 CST.] IPG sales ranted: >Note: There was one error in the description, that is 13568 ANDed to the >8 bit random seed to get starting A values, it is not a C word AND but >the assembly langauge sequnce of moving successive AL values into AX, >where AH is fixed at 35, thus the effect is the same as an add, >(or a byte AND of the random charcter to a zero AL) - the result is >a number in the range of 13,568 to 13,823. Your world-beater algorithm is coded in 286 assembler??? Give up now. Your reputation capital has gone through 0 and is now negative, and I don't think the Universe can tolerate this situation. >Accordingly, this will be the last letter posted to the entire >cypherpunks list for the time being. If any reader posts something to the >entire Cypherpunks list, do not expect any response to from IPG, there >will be none. Yayyyy!!! Chris McAuliffe (No, not that one.) -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMU99ZoHskC9sh/+lAQFa7wQAt2s9yOknvE9nBk3agFlXJYGyTV2ZpZuf gxrOb35ZV03xZPhHWvqPPv3pFgDTC0O3FBW7IULrIcTpJzZ/ULNcOwpQMEhaRjVo JZ8dud3GUPKU3ses92pBK0MIA2ydDeayXGMXrlFAX3ebF+32VekYZzJzaOFz8KfY aX9bvGoQYqE= =tQdN -----END PGP SIGNATURE----- From cmca at alpha.c2.org Thu Mar 21 09:07:58 1996 From: cmca at alpha.c2.org (Chris McAuliffe) Date: Fri, 22 Mar 1996 01:07:58 +0800 Subject: The return of the IPG Unbreakable System (fwd) In-Reply-To: Message-ID: <199603200620.WAA04433@eternity.c2.org> -----BEGIN PGP SIGNED MESSAGE----- [To: IPG Sales ] [Cc: cypherpunks at toad.com] [Subject: Re: The return of the IPG Unbreakable System (fwd) ] [In-reply-to: Your message of Tue, 19 Mar 96 19:24:42 CST.] IPG sales ranted: >Note: There was one error in the description, that is 13568 ANDed to the >8 bit random seed to get starting A values, it is not a C word AND but >the assembly langauge sequnce of moving successive AL values into AX, >where AH is fixed at 35, thus the effect is the same as an add, >(or a byte AND of the random charcter to a zero AL) - the result is >a number in the range of 13,568 to 13,823. Your world-beater algorithm is coded in 286 assembler??? Give up now. Your reputation capital has gone through 0 and is now negative, and I don't think the Universe can tolerate this situation. >Accordingly, this will be the last letter posted to the entire >cypherpunks list for the time being. If any reader posts something to the >entire Cypherpunks list, do not expect any response to from IPG, there >will be none. Yayyyy!!! Chris McAuliffe (No, not that one.) -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMU99ZoHskC9sh/+lAQFa7wQAt2s9yOknvE9nBk3agFlXJYGyTV2ZpZuf gxrOb35ZV03xZPhHWvqPPv3pFgDTC0O3FBW7IULrIcTpJzZ/ULNcOwpQMEhaRjVo JZ8dud3GUPKU3ses92pBK0MIA2ydDeayXGMXrlFAX3ebF+32VekYZzJzaOFz8KfY aX9bvGoQYqE= =tQdN -----END PGP SIGNATURE----- From roy at sendai.cybrspc.mn.org Thu Mar 21 09:08:28 1996 From: roy at sendai.cybrspc.mn.org (Roy M. Silvernail) Date: Fri, 22 Mar 1996 01:08:28 +0800 Subject: The return of the IPG Unbreakable System (fwd) In-Reply-To: Message-ID: <960319.234719.5k3.rnr.w165w@sendai.cybrspc.mn.org> -----BEGIN PGP SIGNED MESSAGE----- In list.cypherpunks, ipgsales at cyberstation.net writes: > In view of the willful violation of our confidential release, without > knowing everything involved, and putting it out on the Internet, please > be advised that other than those who have heretofore been evaluating the > system, we will make no further releases except on a highly > selective basis. I submit that this is what one would expect when one sends supposedly confidential material out in the absence of binding NDAs. IPG, why don't you simply post the source code to your system? I know I've suggested this before, but it bears repeating that any truly secure cryptosystem depends _only_ on the secrecy of the key. The algorithm should be able to be published in the New York Times with no compromise to the security of the system. If this is not the case for your system, than perhaps you should be considering alternative entrepreneurial exploits. - -- Roy M. Silvernail -- roy at cybrspc.mn.org "I'm a family man, model citizen." -- Warren Zevon -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMU+dlBvikii9febJAQFQVgP/c1N4VEpsaW7CN27HqIG4yvtsSUGOY2yK iyiVSdXX7FrL6KqGCI2Ei0IckUoBiwDWau9Qwg35ZSllnXqTcEDQ9P4jpd5kz6jS SCpsdwbEFSmn3rhR9Lgo+B1kSIlkG3hGFQMfEai6owgO+Y1IISoKFds4L8epAaCu 74uomtLh2zc= =MRGE -----END PGP SIGNATURE----- From declan at well.com Thu Mar 21 09:08:36 1996 From: declan at well.com (Declan McCullagh) Date: Fri, 22 Mar 1996 01:08:36 +0800 Subject: Dorothy Denning attacks Leahy's crypto bill Message-ID: I may have to adjust my position on Leahy's bill. Any legislation that Dorothy Denning attacks so virulently must be worth passing. -Declan ------------------------------------------------------------------------- Date: Tue, 19 Mar 96 14:53:35 EST From: denning at cs.cosc.georgetown.edu (Dorothy Denning) To: farber at central.cis.upenn.edu March 14, 1996 The Honorable Patrick Leahy United States Senate Russell Building, Room 433 1st and C Streets, NE Washington, DC 20510 Dear Senator Leahy: As author, scholar, lecturer, researcher, and consultant to the government and industry in cryptography and information security, I am concerned that S.1587, the "Encrypted Communications Privacy Act of 1996," is not in balance with society's needs. By removing practically all export controls on encryption, the bill will make it far easier for criminals, terrorists, and foreign adversaries to obtain and use encryption that is impenetrable by our government. The likely effect will be to erode the ability of our law enforcement and intelligence agencies to carry out their missions. This is not consistent with your own findings in the bill which recognize the need for a "national encryption policy that advances the development of the national and global information infrastructure, and preserves Americans' right to privacy and the Nation's public safety and national security." I am concerned that the proposed legislation responds only to a loud cry for assistance and is not the reasoned and practiced position of our multinational corporations. At the International Cryptography Institute, which I chaired in September 1994 and 1995, our discussions did not find that this unrestricted distribution of encryption technology was required to satisfy business objectives. Our corporations recognize the need to respect the legitimate interests of governments and the need for encryption methods that use "key escrow" or "trusted third parties" with data recovery capabilities to protect their own information assets. Businesses are moving in the direction of key escrow, and key escrow is becoming a standard feature of commercial products. I have recently summarized the features of thirty products and proposals for key escrow in a taxonomy which I developed with Dennis Branstad. Because of the need to address information security at an international level, the Organization for Economic Cooperation Development, through its Committee for Information, Computer, and Communications Policy, is bringing together the international business community and member governments to develop encryption policy guidelines that would respect the interests of businesses, individuals, and governments. In support of that objective, the INFOSEC Business Advisory Group (IBAG), an association of associations representing the information security interests of users, issued a statement of principles recognizing the needs of governments, industry, and individuals, and supporting approaches based on trusted third parties. A similar statement was issued by a quadripartite group consisting of EUROBIT (European Association of Manufacturers of Business Machines and Information Technology Industry), ITAC (Information Technology industry Association of Canada), ITI (Information Technology Industry Council, U.S.), and JEIDA (Japan Electronic Industry Development Association), which accounts for more than 90% of the worldwide revenue in information technology. X/Open is pursuing a public key infrastructure project aimed at creating specifications and possibly operating manuals that could be used in conformance testing and site accreditation of trusted parties. The European Commission has proposed a project to establish a European-wide network of trusted parties that would be accredited to offer services that support digital signatures, notarization, confidentiality, and data integrity. The trust centers, which would be under the control of member nations, would hold keys that would enable them to assist the owners of data with emergency decryption or supply keys to their national authorities on production of a legal warrant. Within the U.S., the Clinton Administration is developing federal standards for key escrow encryption (these are in addition to and more general than the original Clipper standard, FIPS 185), adopting escrowed encryption within the federal government, and liberalizing export controls on encryption products that include an acceptable system of key escrow. The Administration's policy has considerable flexibility, allowing for both hardware and software implementations, classified and unclassified algorithms, and government and private sector key holders. Some companies have submitted products for review under the liberalized export controls for key escrow encryption. Trusted Information Systems has already received approval for their Gauntlet firewall. Industry is also developing cryptographic application programming interfaces (CAPIs), which will facilitate the inclusion of cryptographic services in applications, networks, and operating systems. This approach, recently demonstrated by Microsoft, will allow U.S. software companies to develop exportable applications and systems that run with separate security modules. These modules can provide either domestic grade encryption or exportable encryption. The impact of export controls will thus be limited to those companies selling encryption modules, not the entire U.S. hardware and software industry. Even this impact can be made negligible by allowing companies to export security modules with strong encryption where the keys are held with escrow agents in the purchaser's country. Bilateral mutual assistance agreements could ensure that U.S. law enforcement agencies are able to obtain decryption assistance if the exported module is used in a crime against the U.S. CAPIs are providing the technological base for experiments under the International Cryptography Experiment (ICE), an informal international alliance of individuals and organizations working together to promote the international use of encryption within import and export regulations that respect law enforcement and national security interests. As these examples illustrate, businesses and governments are working hard to establish policies and technologies that respect the needs of users, industry, and governments in the furtherance of a secure global information infrastructure. Considerable progress has been made during the past year. The export provisions in S.1587 are likely to undermine those efforts by satisfying the immediate export demands of a few U.S. companies at the expense of other stakeholders and society at large. It will undermine the ability of governments worldwide to fight global organized crime and terrorism. Although some U.S. companies have lost sales because of export controls on encryption, the overall impact of these controls on the U.S. information technology industry as a whole is much less clear. In the most comprehensive study of export controls to date, the Department of Commerce and National Security Agency found that in all but three countries surveyed, sources indicated that U.S. market share (about 75% overall) was keeping pace with overall demand. Most of the impact was found to be on the sale of security-specific products, which account for only a small percentage of the total market, rather than general-purpose software products. Sales of security-specific products are generally few and mostly to customers within the country where the product originates. Visits to 50 computer and software stores in Canada, France, Germany, Japan, S. Korea, Thailand, and the U.K. found that all the general-purpose software products with encryption were from U.S. manufacturers. The study concluded that "the impact of U.S. export controls on the international market shares of general-purpose products is probably negligible" and that "the export licensing process itself is not a major obstacle to U.S. competitiveness." This is in stark contrast to the dire prediction of the Computer Systems Policy Project that U.S. industry stands to lose $30-60 billion in revenues by the year 2000 because of export controls. The Commerce/NSA study did acknowledge that the existence of foreign products claiming strong encryption could have a negative effect on U.S. competitiveness. However, by allowing encryption services to be sold separately from the applications software that uses them, CAPIs will make it extremely unlikely that general-purpose software will be substantially effected by export controls. Even security-specific products, which are a growing industry, can use CAPIs to separate out the encryption component from the main product (e.g., firewall). Moreover, if keys can be held in other countries under appropriate bilateral agreements as noted earlier, export controls need not substantially impact encryption products. Export controls are often blamed for the lack of security in our public infrastructure. The Commerce/NSA study found "little evidence that U.S. export controls have had a negative effect on the availability of products in the U.S. marketplace," although they "may have hindered incorporation of strong encryption algorithms in some domestic mass-market, general-purpose products." There are many factors which have played an even larger role in the general lack of security we find on the Internet: the high cost and low demand for security, the difficulty of designing systems that are secure, pressure to bring new products to market before their security implications are understood, the willingness of users to take risks in favor of acquiring new tools and services, and lack of a public key infrastructure to support encryption on a national and international basis. Many systems are so riddled with security holes that any would-be attacker can gain access to the system itself, and from there access to plaintext data and keys. Malicious code can be injected into a victim's system through electronic mail, documents, images, and web browsers; once there, it can transmit sensitive data back to its owner. Keyboard sniffers can capture a user's keystrokes before they are ever encrypted. Thus, while export controls have played a part in the slow integration of strong encryption into software and systems, they are not responsible for most of the security vulnerabilities we see today. Moreover, most of these vulnerabilities are remedied with non-cryptographic controls (e.g., process confinement, trusted systems engineering, biometrics, and location-based authentication) or with cryptographic techniques for authentication, data integrity, and non-repudiation, which are exempt from State Department export controls. I do not mean to suggest that encryption is not important. In fact, it is essential to protect against certain threats. However, it must be kept in perspective. The use of encryption for confidentiality protection is but one small, albeit important, piece of an information security program. The provisions is S.1587 regarding trusted key holders could have the benefit of increasing public trust in key holders. However, I have some concern that the current provisions may be overly restrictive. Thus far, we have practically no experience with the operation of third party key holders and the circumstances under which they will be called upon to provide keys or decryption assistance. It will be extremely important that the provisions allow enough flexibility to accommodate legitimate use of the data recovery services of key holders for criminal investigations, civil litigation, and intelligence operations. The liability risks to key holders should not be onerous. The definition of key holder and exact wording in the bill may also need some refinement in order to accommodate existing and proposed methods of trusted third party encryption. Encryption policy is a difficult and often emotional issue. It is important that Congress work closely with the Administration, industry, and other interested parties to develop the best legislative strategy for promoting information security on the national and global information infrastructure without diminishing the ability of our law enforcement and intelligence agencies to protect the public safety and national security. Export liberalization should proceed cautiously, tied to key escrow or other methods that accommodate the needs of the government as well as those of users and industry. The Administration's plans to liberalize export controls on software key escrow is a good next step. As trust and confidence in key escrow grows, the export of virtually unlimited strength encryption systems may be possible. Because export controls are our only lever for controlling the spread of encryption, they should be used to their full advantage. Decisions to liberalize these controls must be fully informed by classified national security information as well as by economic analysis and market studies. Law enforcement agencies are encountering encryption with ever greater frequency. Within a few years, the successful execution of practically all court-ordered intercepts and searches and seizures is likely to depend on their ability to decrypt communications and stored information. If the encryption cannot be broken, it could be impossible to successfully investigate or prosecute those cases. Crimes of terrorism and white collar crime, including fraud, embezzlement, and money laundering, would be facilitated and perhaps impossible to solve. Even crimes of economic espionage, which often involve insiders with access to company secrets, are facilitated with encryption. It will be important for Congress to closely monitor the impact of encryption on law enforcement and use that information to guide any encryption legislation. In summary, our national policy can and must promote the legitimate use of strong encryption for information protection without unnecessarily hindering the ability of our law enforcement and intelligence agencies to do their jobs. In so doing, the policy can accommodate reasonable liberalization of export controls and business objectives without undermining other national objectives. Such a policy is consistent with your own guiding principle for the bill: "Encryption is good for American business and good business for Americans." But it goes further in order to be equally guided by the principle that law and order and national security are essential for the American economy and the American people. It is not necessary to so radically lift export controls on encryption in order to accommodate both principles. I will be pleased to meet with you and the committee for comment and questioning, or to assist in any way I can with the development of a balanced approach to encryption legislation. Yours respectfully, Dr. Dorothy E. Denning Professor of Computer Sciences Georgetown University denning at cs.georgetown.edu http://www.cosc.georgetown.edu/~denning From thrdina at ibm.net Thu Mar 21 09:12:31 1996 From: thrdina at ibm.net (thrdina at ibm.net) Date: Fri, 22 Mar 1996 01:12:31 +0800 Subject: unsubsrcribe Message-ID: How can I unsubsribe from this mailing list? From: THOMAS HRDINA Manager - Networks Bank of Nova Scotia New York Agency E-mail: thrdina at ibm.net Date: 03/20/96 Time: 20:00:07 From teddygee at visi.net Thu Mar 21 09:15:35 1996 From: teddygee at visi.net (Ted Garrett) Date: Fri, 22 Mar 1996 01:15:35 +0800 Subject: IPG cracked with known plaintext Message-ID: <2.2.32.19960321010626.00bf2408@mail.visi.net> -----BEGIN PGP SIGNED MESSAGE----- At 05:32 PM 3/19/96 GMT, you wrote: >First let us describe the IPG system in more conventional C: [snip] >So this algorithm is easily broken with known plaintext. I seem to remember some sales named daemon stating that if anyone could break their system, the prize would be the company. I imagine that the continuing rants from IPG are a means of devaluing the company beyond it's already measly worth, thus making the company unworth claiming. It's obvious that the system has been trivially broken after a day and a half of being semi-published. Is there any other point to this? I could as easily generate an OTP pulling pages at random from the New England Journal Of Medicine or the Microsoft Visual C++ Programmer's Guide and XORing the text with my plaintext... But that still leaves me in the cipher.obscurity = cipher.security realm, doesn't it? Think we could sell it??? Of course, as long as it was someone else choosing the pages, I could trust it, right? (Damn, which smiley is it for sarcasm?) -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMVCqic1+l8EKBK5FAQHLsgf/SnREwZgJa+mDGgeBi5GsMMyBxheWz0n2 Gl6CfPJ8KlSo80a4o+uQEXXVOw4di0T2zC4swXA8OJ0IvtOaIV0fYSYU0fpjZ4JG yxAfcg/NDkbP6G8WBUC/29JG4p29EyKsZHDVu68SNlyJp6BqWCzBa5WSRrtPd0b7 NLwAnMozdYpV67Q7/uldddm5esIESxHJduCumqlvmOWcP/n3T4IL/B4O9RhC6wXJ 2wa3QO7OMqugl/vJ7WwDLhCDqaHwVDF+wC4r8T25E0LrFuEEFO39otOIebVZF1y6 o16M+UoDZzxASmSTUcyNsT1GohF4ZgSS5FODYGgMYAc/CDzE6jQq1Q== =TVwd -----END PGP SIGNATURE----- --------------------------------------------------------------------------------------------------------- Ted Garrett http://www.visi.net/~teddygee "Those who desire to give up Freedom in order to gain Security will not have, nor do they deserve, either one." Thomas Jefferson From sandfort at crl.com Thu Mar 21 10:22:02 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Fri, 22 Mar 1996 02:22:02 +0800 Subject: A MODEST PROPOSAL Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, Anonymous wrote In reference to my MODEST PROPOSAL: > Ohh pleeez!!, give YOUR ravings a rest > Next you'll be raving about soap and lampshades made out of Jews. No, my post wasn't about Nazis, it was about the principle behind an act attributed to the Danish King. It was offered as an illustration to help explain why I was making my Modest Proposal. Whether or not the story is a lie is irrelevant. It was offered for its allogorical value. Get a grip. Thanks to the Cypherpunks who have signed up for the LIST OF SHAME publicly or by private e-mail. I will post the list soon. I urge anyone else who would like to be on Mr/Ms Anonymous' (Detwieler's, Jim Bell's) LIST OF SHAME to let me know as soon as possible so you can be included. I think to be fair, I should also take applications for inclusion in a list called SUPPORTERS OF MR/MS ANONYMOUS, for those who think he's right. This is NOT an election, democratic vote or even a popularity contest. But Anonymous has made a lot of noise purportedly speaking as and for Cypherpunks. I'd like to see where the consensus more truely lies on this mailing list. Let me know. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From owner-cypherpunks at toad.com Thu Mar 21 12:05:35 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 22 Mar 1996 04:05:35 +0800 Subject: No Subject Message-ID: Tim Fulbright <100022.3167 at compuserve.com> >I think you or someone here recently remarked the U.S.Government has the only >_real_ capability to wage world terrorism on the internet, and after I read >Frank Sowa's feb. Boardwatch article I'm beginning to wonder. I suppose >quoting the article at length will be at least as good as some of the other >traffic around here... just in case anybody missed it, Sowa reviewed 35 federal >reports, and quotes Page saying "As a result, we've had no choice but to create >an offensive capability in cyberspace. I can't discuss it ... However, you'd >feel good and feel safe and secure if you knew about it" (yeah, really) >Further, Sowa reports the Natl Defense U is forming an elite Information Corps, >'a F0rce whose scope is to fight the battles of "Information Warfare from the >Pentagon war room to the home PCs" according to DOD' (p90-92).... And further, >RAND corp is using an "all out cyberwar simulator at their research center in >Santa Monica" and... oh well, the whole article is just crammed with stuff! >Yikes! I would sure like to know what people think about it. thanks. there seems to be a lot of hyperventilating in the military arena about "information warfare" lately. I find it rather strange and incomprehensible. there are two chief areas that this frenzy seems to be in response to: 1. propaganda/espionage areas. 2. hacking. (i.e. breaking in, crashing, etc.) as for (1), I don't know what the fuss is about. what it suggests to me is that there are branches of government that take "psyops" (psychological operations) extremely seriously and are very intent on setting up camp in cyberspace & the internet, and have probably already done so. it is as if they are deathly terrified of the ability of individuals to communicate not only with other individuals but other masses through web pages and email. I find it quite frightening how many people in our government have the mindset that "free communication can be a very dangerous thing." personally I think an application for government should reject anyone that hasn't memorized the entire bill of rights.. but the recent Strassman & Marlow paper on remailers, which addressed (1), seemed a bit incomprehensible and bordered on unintelligible. they talked as if remailers are like weapons that can be fired on an enemy. (huh???) either they are deep into psyop or spook psychology, or they just don't "get it" that remailers are pretty harmless. I tend to believe it is a little of both. (2) is definitely something to take very seriously. if you want to learn about how/why infiltrating computers is incredibly appealing to many in the government, check out info on "danny casolaro" and Inslaw PROMIS software. the behind-the-scenes theme to a lot of this is that our massive cold war apparatus is bored and listless now that the Soviet bogeyman is gone and they are just moving into new territories to continue to suck up billions of dollars. but its awfully hard to read the various scrambled entrails that have been emerging such as the Leahy bill, Strassman & Marlow paper, etc. in relation to info warfare-- I tend to think some of it is just evidence that there are some amazingly addled people in our government. BTW I like "boardwatch" mag, read it regularly, and highly recommend it to anyone as one of the better & more quality cyberspace mags. try www.boardwatch.com. From quester at eskimo.com Thu Mar 21 12:18:09 1996 From: quester at eskimo.com (Charles Bell) Date: Fri, 22 Mar 1996 04:18:09 +0800 Subject: Shameless In-Reply-To: Message-ID: On Wed, 20 Mar 1996, Sandy Sandfort wrote: > > > > BOYCOTT APPLIED CRYPTOGRAPHY, AT&T, VTW, and RSA!!!! > > > > THE LEAHY BILL IS 100% PART OF THE PLAN TO KILL FREE CRYPTO. > > YOU DON'T NEED EXPERTS TO THINK FOR YOU! REMEMBER RICO AND WORLD GOVERNMENT! (...) > > > I am totally put off by the gradiose and > devisive ravings of this commentator. Uh-huh. And Perry said something about how the `list of shame' looks like an NSA enemies list. Why do I sniff a scent of `provocateur'? Is it just in my nose? Charles Bell From webmaster at pepsi.com Thu Mar 21 12:18:12 1996 From: webmaster at pepsi.com (webmaster at pepsi.com) Date: Fri, 22 Mar 1996 04:18:12 +0800 Subject: Pepsi World - Gotta Have It! Message-ID: <199603210046.SAA11725@plwipc10.xweb.eds.com> Hey Squatter! Don't forget to cruise back by Pepsi World! We're gonna keep showing ya the coolest, hippest stuff out there, including: - Shaq/Pepsi World's Slammin' Techno Dream Contest - The Bev-o-Matic Contest - An exciting, original Shockwave game - Chat Rooms - And basically, more entertainment than you can shake a stick at! Don't forget your squatter id 'cypherpunk' and password 'cypherpunk', you'll need them to maintain your Squatter's rights in Pepsi World. From perry at piermont.com Thu Mar 21 12:21:37 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 22 Mar 1996 04:21:37 +0800 Subject: If you can't take the heat... (Was Re: Keep the pressure!) In-Reply-To: Message-ID: <199603202124.QAA02033@jekyll.piermont.com> Jim McCoy writes: > What amuses me most about this series of rantings by whomever, other > than the paranoid and baseless claims made by the anonymous poster, > is the number of people who have been complaining about the author doing > so anonymously through a remailer. The irony of such a situation is > too rich to pass up. I have no problem with the existance of anonymous remailers, and I don't want to see them banned or prevented -- indeed, I encourage their existance. However, that doesn't mean that I always favor their use, or that I won't look down on someone for using one inappropriately. To put it another way: I believe that every adult person has the right to have sex with any other willing adult person. However, I think it might not be tasteful if my neighbors decided to bugger each other on the front lawn. Not, you understand, that it should be illegal, but it does make me wonder about them. In the case of the given poster, he claims that he's using anonymity not because he fears backlash (he should but thats another story) but as a form of "protest". This is as illogical as the content of his messages... > It seems that cypherpunks can dish it out when other newsgroups and > mailing lists suffer such problems ("well, the remailers do nothing > that telneting to port 25 cannot do..." or "internet identity is such > a fiction anyway, get used to it" seem to be common responses), but > when the cypherpunks lists is the victim of unpleasant anonymous messages > we fall back to the tired refrain of "if you have nothing to hide why > are you posting anonymously." How sad. Why is this sad? I think you don't get the difference between what is permissable and what is in good taste. Perry From paul.elliott at hrnowl.lonestar.org Thu Mar 21 12:23:19 1996 From: paul.elliott at hrnowl.lonestar.org (Paul Elliott) Date: Fri, 22 Mar 1996 04:23:19 +0800 Subject: Electronic Frontiers Houston Cyber-Political Questionaire. Message-ID: <31520771.flight@flight.hrnowl.lonestar.org> FOR IMMEDIATE RELEASE Electronic Frontiers Houston 2476 Bolsover, Suite 145 Houston, Texas 77005 (713) 917-5000 voice // (713) 917-5005 fax Internet: efh at efh.org Web site: http://www.efh.org/ Contact: Robbie Westmorland Electronic Frontiers Houston Cyber-Political Questionnaire. Electronic Frontiers Houston has sent all candidates (who survived the recent primaries), a questionnaire relating to the politics of cyberspace. Recently, many questions have arisen relating to the politics of computer networking. These questions often relate to censorship, encryption, or public access to networks. It is important that the public know the candidates' views on these important issues. All candidates will be asked the following questions: If you or your campaign have an Internet electronic mail address, please provide it here: Please answer the questions on the reverse side. Attach additional pages if required. 1. Do you think that electronic publishing should enjoy the constitutional protections that accrue to print media? 2. Do you think that electronic publishing should enjoy the constitutional protections that accrue to broadcast media? 3. Do you think that electronic publishing should enjoy the constitutional protections that accrue to libraries? 4. Do you favor new laws to regulate the content of electronic media? 5. Do you think that the First Amendment rights of free speech protect private use of encryption? 6. Do you favor laws to regulate the private use of encryption? 7. Do you agree with restrictions on the export of technology that incorporates cryptography? 9. Do you support the right of a private individual too publish printed materials anonymously? 10. Should the government play a role in providing access to computer networks? 11. Do you think that the government should guarantee universal access to computer networks? 12. Do you think that access to government computerized information is a right? 13. Should all governmental records that are available to the public be made available via computer resources? 14. Should access to computerized governmental records be free? 15. Should the government regulate electronic financial transactions and require traceability? 16. Do you approve or disapprove of the wiretap provisions in the 1994 Digital Telephony bill? 17. Do you favor expanding law enforcement access to telephonic communications? In addition, candidates for national office will be asked the following additional question: 18. Do you favor legislation which would require a national ID card? Candidates for state office will be asked the following question: 18. Should laws requiring fingerprints to acquire/renew drivers licences be repealed? Electronic Frontiers Houston is a non-profit group that supports civil liberties and the development of culture in cyberspace. -- Paul Elliott Telephone: 1-713-781-4543 Paul.Elliott at hrnowl.lonestar.org Address: 3987 South Gessner #224 Houston Texas 77063 From jamesd at echeque.com Thu Mar 21 12:30:51 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Fri, 22 Mar 1996 04:30:51 +0800 Subject: [NOISE] Re: Dorothy Denning attacks Leahy's crypto bill Message-ID: <199603211619.IAA27641@dns1.noc.best.net> At 05:31 AM 3/21/96 -0500, dirsec wrote: > I think Leahy will, quite rightly, refuse to adopt the new bill because > it has a snowball's chance in hades of passing, and it makes him look > soft on crime and terrorists. Hold it: Backup: Opponents of the bill say it says X: Supporters of the bill say it says Y: The proposal is to rewrite the bill so it actually does say Y in plain english. And you (quite correctly) say that the bill will not pass if says Y. You are right. The bill does not facilitate crypto exports, it just sounds like it does, and it delegates judicial powers to cops. If it was amended to facilitate crypto exports, and to maintain the separation of judiciary and executive, it would not pass. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From owner-cypherpunks at toad.com Thu Mar 21 13:17:07 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 22 Mar 1996 05:17:07 +0800 Subject: No Subject Message-ID: Declan B. McCullagh typed: > > Excerpted from a message to fight-censorship. For the full thread, check out: > > http://fight-censorship.dementia.org/fight-censorship/dl?thread > =The+Leahy+Crypto+Bill+is+Rancid+Sausage&after=1795&type=short > > (On one line, of course.) > > -Declan > > > ---------- Forwarded message begins here ---------- > > From: Stanton McCandlish > Message-Id: <199603190315.TAA05777 at eff.org> > To: declan+ at CMU.EDU (Declan B. McCullagh) > Date: Mon, 18 Mar 1996 19:15:09 -0800 (PST) > Cc: fight-censorship+ at andrew.cmu.edu, junger at pdj2-ra.F-REMOTE.CWRU.Edu, > tcmay at got.net > > > [...] > > As our statement on the bill made clear, *EFF does not support the Leahy > bill*, nor do we endorse it, like it, find it useful or any other synonym. > We're happy to see the issues raise again, a la Cantwell, but we raised > specifically recommended simple and complete deregulation. As our > co-founder John Gilmore points out, the Leahy bill as written > pre-supposes Congressional authority to legislate in this are, and area > Executive authority to regulate under that legislation. These are notions > that we, and Phil Karn, are challenging in court with Constitutional > tests we are throwing at the ITAR export regs. > > [...] > > -- Stanton McCandlish
mech at eff.org

Electronic Frontier Foundation

Online Activist From owner-cypherpunks at toad.com Thu Mar 21 13:17:59 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 22 Mar 1996 05:17:59 +0800 Subject: No Subject Message-ID: At 12:05 PM 3/20/96, Perry E. Metzger is rumored to have typed: > anonymous-remailer at shell.portal.com writes: > > Some people have wondered why I am anonymous and attack me. > > I am not ashamed of my views. > > Well, then you should be. > > > I write this thread anonymous as a form of protest. > > Why is it a form of protest? If you aren't ashamed, post it under your > name. What amuses me most about this series of rantings by whomever, other than the paranoid and baseless claims made by the anonymous poster, is the number of people who have been complaining about the author doing so anonymously through a remailer. The irony of such a situation is too rich to pass up. It seems that cypherpunks can dish it out when other newsgroups and mailing lists suffer such problems ("well, the remailers do nothing that telneting to port 25 cannot do..." or "internet identity is such a fiction anyway, get used to it" seem to be common responses), but when the cypherpunks lists is the victim of unpleasant anonymous messages we fall back to the tired refrain of "if you have nothing to hide why are you posting anonymously." How sad. So, why the hypocrisy here? If you don't want to be bothered by these messages there is a simple solution, use a mail agent that can filter out remailer postings and trash them. Of course this would also kill interesting messages from others who use remailers, but that's the price we pay for having remailers that do not support anonymous identity upon which reputation can be built. Oh yeah, I forgot...cypherpunks write code (snicker). So why not stop bitching and write a bit of code that provides for useful anonymous reputations and/or fix the glaringly obvious problems with current remailers. jim, who is sorry that he is not the one posting such trolls to the list just to make the puppets dance... From owner-cypherpunks at toad.com Thu Mar 21 13:19:07 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 22 Mar 1996 05:19:07 +0800 Subject: No Subject Message-ID: I just received this as the moderator for comp.os.ms-windows.announce. Would that be "Donut" as in "big hole"? -rich ---------- Forwarded message ---------- Date: Wed, 20 Mar 1996 19:56:54 +0000 (GMT) From: Michael Burford To: comp-os-ms-windows-announce at cs.washington.edu Newgroups: comp.os.ms-windows.announce Subject: ANNOUNCE: Donut: Web Basic Interpreter. ----------------------------------------------------------------------------- Richland, WA. March 20, 1996. Battelle Memorial Institute today released Donut (1.00 Alpha 1), a Visual Basic form Interpreter for the Web. Donut is a program that allows a Visual Basic form file to be transmitted over the internet and viewed on a user's computer as a form. This form will then interact with the user and their web browser to send or request information just like a normal Visual Basic program. Donut does not require any Visual Basic files or DLLs in order to work. This will allow creation of web forms that give the author more control over exactly what the form will look like, allows interaction between the Donut applet and the user's browser, and allows processing of form information on the user's computer instead of on the server. And it allows you to use existing expertise with the very popular and common Visual Basic programming language to do so. Currently Donut is available for the Microsoft Windows operating system (Windows 3.x, Windows 95 or NT). It works with any Windows web browser that supports the standard interprocess (DDE) communication for web browsers. It has been tested and works with Netscape Navigator, Microsoft Internet Explorer, and several variations of Mosaic. Donut should be able to run most simple Visual Basic programs with few if any modifications. (Unlike VBScript where you must now cut and paste the source code into a HTML page.) Donut is available without charge to end users. For more information or to obtain Donut and development information: http://apc.pnl.gov:2080/donut/ Microsoft, Windows and Visual Basic are trademarks of Microsoft Corporation. All other trademarks are the property of their respective owners. ----------------------------------------------------------------------------- From frederick_zarndt at novell.com Thu Mar 21 13:20:32 1996 From: frederick_zarndt at novell.com (Frederick Zarndt) Date: Fri, 22 Mar 1996 05:20:32 +0800 Subject: ASN.1 Tools/Compilers Message-ID: Does anyone know of reliable ASN.1 tools/compilers suitable for use on a wide range platforms? I already know about the following tools/compilers, but I would appreciate comments anyone cares to make: ISODE (who to contact for the DE?) Snacc Thanks. Frederick Zarndt Senior Software Engineer Novell, Inc 122 East 1700 South Provo UT 84606 USA Tel 801 429-3348 Fax. 801 429-3500 From gimonca at skypoint.com Thu Mar 21 13:29:06 1996 From: gimonca at skypoint.com (Charles Gimon) Date: Fri, 22 Mar 1996 05:29:06 +0800 Subject: Minneapolis Star Tribune this morning Message-ID: Mpls. Strib did a piece this morning, front page, about AltaVista, Dejanews, etc. Well-worn territory to readers of this list. Your words can come back to haunt you, all that stuff. One paragraph that deserves rebuttal from those of you who are better-informed: "Of course, technology is working on solutions to itself, but mechanisms that would hide the name of a message's author, such as cryptography and anonymous remailers, are convoluted and incomplete." Author was Jonathan Gaw; no e-mail address given. Star Tribune Online is at http://www.startribune.com. *********************************************************************** --The Interview-- | gimonca at skypoint.com George Clinton: "Suck on my soul, | Minneapolis MN USA and I will lick your funky emotions!"| http://www.skypoint.com/~gimonca Dave Letterman: "Yuck!!" | A lean, mean meme machine. *********************************************************************** From andrew_loewenstern at il.us.swissbank.com Thu Mar 21 13:37:43 1996 From: andrew_loewenstern at il.us.swissbank.com (Andrew Loewenstern) Date: Fri, 22 Mar 1996 05:37:43 +0800 Subject: Cypherpunk Enquirer Request Message-ID: <9603211713.AA00912@ch1d157nwk> Would some kind soul please forward to me a copy of the latest Cypherpunk Enquirer? My filter mistakenly tossed the last copy and the archive at hks.net is still down. thanks, andrew (who should probably rewire his filter to toss messages into a temporary 'holding tank') From dwl at hnc.com Thu Mar 21 13:49:23 1996 From: dwl at hnc.com (David Loysen) Date: Fri, 22 Mar 1996 05:49:23 +0800 Subject: NT's C2 rating Message-ID: <199603211813.KAA15750@spike.hnc.com> At 04:53 AM 3/21/96 -0800, you wrote: >> Basically, I'm now questioning the C2 rating of Windows NT. The >> entire security layer is modular to the Kernel. As a modular >> driver, it can be removed, rewritten, and replaced. > >Good questioning. > >> So, what makes it secure? What gives it the C2 Rating? How would >> one go about getting a C2 rating? > >The fine print says its insecure as soon as its connected to a network. Ain't nothing fine about that print. An operating system or piece of hardware may be C2 certifiable. But only a complete system in a specific configuration can be certified as C2 compliant. The way I read the orange book, no system with a network connection can ever be C2. For that matter a system can't get C2 unless it is in an area where you can control and monitor physical access to the system. So if you can't hack it over the wire, and you can't remove, rewrite and replace the kernel because you can't get near the keyboard what's the problem? dwl at hnc.com David Loysen 619-546-8877 x245 From nobody at tjava.com Thu Mar 21 14:26:39 1996 From: nobody at tjava.com (Anonymous) Date: Fri, 22 Mar 1996 06:26:39 +0800 Subject: New FBI Spy Message-ID: <199603211946.NAA05879@tjava.com> Wall Street Journal, 21 March 1996 New FBI Access To Credit Files Raises Concern By Vanessa O'Connell Consumer-rights advocates are sounding alarms about a new law giving the Federal Bureau of Investigation easier access to credit-report information. The little-noticed law enacted in January as part of the Intelligence Authorization Act of 1996, allows FBI officials to obtain key information from a person's credit file without seeking a judge's permission. Investigators still need a court order or a federal grand jury subpoena to view someone's full credit report. But they can get basic information with only written authorization from the head of the FBI or his designee if there's reason to suspect a person is a spy or terrorist or has had contact with one. The basic information available under the new law includes a person's employment history, addresses, and a list of lenders and other financial institutions with which the person has or had relationships. To avoid tipping off suspects to an investigation, the new law also requires credit bureaus to keep secret any FBI request to review a credit report. Privacy and civil-rights experts say the law raises numerous privacy concerns and leaves individuals vulnerable. "The court-order warrant procedure is a major protection of individual rights and it ought not be suspended," said Alan F. Westin, professor of public law and government at Columbia University. Gregory Nojeim, legislative counsel for the American Civil Liberties Union, complained that "all the FBI would have to do is make a secret letter request to a credit bureau based on secret FBI determinations." "It's appalling," said David Banisar, a policy analyst at the Electronic Privacy Information Center, a Washington nonprofit public-interest group promoting better privacy laws. In the past, the FBI sometimes pulled credit reports in criminal cases, but rarely looked at the credit files of individuals it was secretly investigating as suspected spies or terrorists. Before the new law, an FBI request for credit information had to be listed in an individual's file along with the names of lenders or potential employers that asked to review the report. Because FBI officials can now peek at credit reports in secret, they're more likely to use the files to nab suspected spies and terrorists, a Justice Department official said. At the same time, the official said, it is less likely that FBI agents will go to the trouble of obtaining a person's full credit record, including the status of any current accounts. ----- From stewarts at ix.netcom.com Thu Mar 21 14:43:00 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 22 Mar 1996 06:43:00 +0800 Subject: IPG and "Free Samples" Message-ID: <199603211947.LAA01579@ix6.ix.netcom.com> At 02:44 PM 3/20/96 -0800, Tim May wrote: >This may be more analogous to what IDG has done. That's I_P_G, of course; I_D_G are the publishers of the fine Internet Dummies' Guides, who have not yet released "Snake Oil For Dummies" or "Cryptography For Dummies". On the latter title, hmmmmm..... #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissible." - US government statement on China... From owner-cypherpunks at toad.com Thu Mar 21 15:13:20 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 22 Mar 1996 07:13:20 +0800 Subject: No Subject Message-ID: Alan Bostick writes: > Declan McCullagh wrote: > > > I may have to adjust my position on Leahy's bill. Any legislation that > > Dorothy Denning attacks so virulently must be worth passing. > > That could be exactly what They want you to think! Oh, God. This is really a bit too much, don't you think? I mean, its obvious that, whatever its flaws, passage of the Leahy bill would be very bad for the export control droids. Has it occurred to you that the whole thing might not be a conspiracy and that the flaws in the bill might just be that -- flaws? Perry From owner-cypherpunks at toad.com Thu Mar 21 15:13:26 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 22 Mar 1996 07:13:26 +0800 Subject: No Subject Message-ID: Excerpted from a message to fight-censorship. For the full thread, check out: http://fight-censorship.dementia.org/fight-censorship/dl?thread =The+Leahy+Crypto+Bill+is+Rancid+Sausage&after=1795&type=short (On one line, of course.) -Declan ---------- Forwarded message begins here ---------- From: Stanton McCandlish Message-Id: <199603190315.TAA05777 at eff.org> To: declan+ at CMU.EDU (Declan B. McCullagh) Date: Mon, 18 Mar 1996 19:15:09 -0800 (PST) Cc: fight-censorship+ at andrew.cmu.edu, junger at pdj2-ra.F-REMOTE.CWRU.Edu, tcmay at got.net [...] As our statement on the bill made clear, *EFF does not support the Leahy bill*, nor do we endorse it, like it, find it useful or any other synonym. We're happy to see the issues raise again, a la Cantwell, but we specifically recommended simple and complete deregulation. As our co-founder John Gilmore points out, the Leahy bill as written pre-supposes Congressional authority to legislate in this are, and Executive authority to regulate under that legislation. These are notions that we, and Phil Karn, are challenging in court with Constitutional tests we are throwing at the ITAR export regs. [...] From alano at teleport.com Thu Mar 21 15:53:01 1996 From: alano at teleport.com (Alan Olsen) Date: Fri, 22 Mar 1996 07:53:01 +0800 Subject: IPG message Message-ID: <2.2.32.19960321204027.00942628@mail.teleport.com> [IPG legal nonsense deleted] > 1. The use of the word Ultima for the system, because it is > impossible to have a either a more secure system - it is > impossible to break the Ultima system, other equally difficult > to break systems may exist, or may be formulated in the future, > for example a true OTP, and in those cases, they may > "theoretically" be more difficult to break than the IPG Ultima > System, for example a true OTP. However, that would exist only in > theory, because in those eventiualities, none of the > systems would be breakable. I wonder what Lord British (of the famed Ultima computer game series) would have to say about the trademark of this name? (Not to mention the incredible run-on sentence...) The more I read their prose, the more I think that they must be experimenting with ergotic chemistry on the side. | Remember: Life is not always champagne. Sometimes it is REAL pain. | |"The moral PGP Diffie taught Zimmermann unites all| Disclaimer: | | mankind free in one-key-steganography-privacy!" | Ignore the man | |`finger -l alano at teleport.com` for PGP 2.6.2 key | behind the keyboard.| | http://www.teleport.com/~alano/ | alano at teleport.com | From warlord at MIT.EDU Thu Mar 21 16:05:58 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Fri, 22 Mar 1996 08:05:58 +0800 Subject: NT's C2 rating In-Reply-To: <199603211813.KAA15750@spike.hnc.com> Message-ID: <9603212054.AA24580@portnoy.MIT.EDU> > configuration can be certified as C2 compliant. The way I read the orange > book, no system with a network connection can ever be C2. For that matter a > system can't get C2 unless it is in an area where you can control and > monitor physical access to the system. This is incorrect -- you can have a C2 system which has a network connection. Indeed, you can get a B2 rating with a networked system, c.f. Multics. -derek From nobody at c2.org Thu Mar 21 16:47:22 1996 From: nobody at c2.org (Nobody) Date: Fri, 22 Mar 1996 08:47:22 +0800 Subject: Happy shiny censors holding hands Message-ID: <199603212128.NAA22325@atropos.c2.org> McPaper USA Editorial, March 21st, 10A: Racism on the Net Even in the wildest reaches of the Internet, where anything goes and most things have gone at least twice, the flow of free information is sometimes at risk. Take this ugly battle: on one side, a band of racists wants a formal place on the Net to discuss "white power" music. On the other, a cadre of Internet users believes white power deserves no such setting. At risk is the wondrous anarchy of the Internets newsgroups. These exist by the thousands in an Internet subject called Usenet, where they are divided in two. In the "alternative" category, newsgroups careen about essentially without limits. In the other, qualified newsgroups are organized into eight subject "hierarchies": politics, science, etc. Membership in these is preferred because, for the most part, these hierarchies are carried by the Internet's networks without question. In this case, a fan proposed that the "recereation" hierarchy, which includes music sections, add a white-power newsgroup. This would put the music -- and its central tenets -- smack in the middle of the Net. Then the fight commenced. Although the Usenet contains no real structure, it is self-regulating. Newsgroups proposed for a hierarchy are subject to a discussion period and then balloting by interested Netizens. In this case, opponents argued that white-power advocates should hold their discussions in one of the "alternative" newsgroups; that the hierarchies constituted a special garden in the Net's "village green"; and that white-power music deserved no bench there. To be sure, racism deserves neither respect nor credibility. But in this case, exclusion may have unintended results. If offensive ideas by themselves are a basis for exclusion, then who else should be locked out? Some would make the same argument against the hip-hop and music-poetry newsgroups, where harsh and violent rap lyrics may be discussed. Without their own newsgroup, the white-power devotees will only contaminate other newsgroups with their static. Give them a lair to call their own, and at least you know where not to tread. There are advantages to Usenet's ad hoc self-governance. It helps protect the system from outsiders seeking to control its carbonated anarchy. But if the system then turns against speech, the result is the same: Free exchange of ideas is constricted. Even in the ether -- especially in the ether -- that's something to beware. We Gungir Din From eay at mincom.oz.au Thu Mar 21 18:13:58 1996 From: eay at mincom.oz.au (Eric Young) Date: Fri, 22 Mar 1996 10:13:58 +0800 Subject: MS self-generated X.509 validity? In-Reply-To: <2.2.32.19960320174659.00687e44@arn.net> Message-ID: On Wed, 20 Mar 1996, David K. Merriman wrote: > -----BEGIN PGP SIGNED MESSAGE----- > I've just had a chance to go through the SDK MS is giving away for their > ActiveX package. Interestingly, there's a little utility included for > generating X.509 certs. The read.me that is included claims that the certs > so generated don't have any real validity, as they're not linked to anything > in the known universe (paraphrasing :-). > > My question is, is this an otherwise usable cert? I'll be happy to give > anyone interested a copy of the files (shellback.cer and shellback.spc) I > generated, if they'd like to examine/validate them. Send them to me and I'll have a look and comment on them if you like. I have a few tools for pulling apart X509/ASN.1 objects :-) eric -- Eric Young | Signature removed since it was generating AARNet: eay at mincom.oz.au | more followups than the message contents :-) From jya at pipeline.com Thu Mar 21 19:34:38 1996 From: jya at pipeline.com (John Young) Date: Fri, 22 Mar 1996 11:34:38 +0800 Subject: DIO_fan Message-ID: <199603212327.SAA24806@pipe1.nyc.pipeline.com> The Sciences, March/April, 1996: "Beyond the Last Theorem." On Diophantine equations, by mathematician Dorian Goldfeld. To mathematicians, the statement and proof of the STW conjecture were as revolutionary as the first mingling of waters in the Panama Canal. Until that point, the mathematics of elliptic functions and the mathematics of rigid motions had developed in isolation from each other and in strikingly different ways. The study of elliptic curves was a branch of number theory, small, specialized and provincial -- not unlike the study of Diophantine equations. In contrast, the study of rigid motions was a bustling, sophisticated suburb of topology, geometry and analysis, with many applications to engineering and physics. Mathematicians had been working on rigid motions intensely for a hundred years and had accumulated a vast armamentarium of powerful mathematical machinery. By suggesting that the two fields could be linked, Shimura, Taniyama and Weil delivered that heavy machinery to the construction site of elliptic curves; by proving that the link held, Wiles and Taylor started the engines. The result has been a frenzy of productive mathematical work that has benefited each field and is likely to lead to solutions of outstanding problems in other fields as well. ... If the ABC conjecture yields, mathematicians will find themselves staring into a cornucopia of solutions to long-standing problems. Some of those problems are of more than theoretical interest. Nowadays many methods of ensuring the security of electronic mail and other computerized transactions depend heavily on number theory, as programmers develop ciphers based on time-consuming problems in arithmetic. For example, a highly popular technique depends on the difficulty of determining all the large prime factors of a very large number. In principle, it should also be straightforward to create a cipher based on the difficulty of solving problems in Diophantine analysis. The major hurdle is the solvability barrier: the number of variables above which a Diophantine equation becomes impervious to attack. Any cipher based on an equation with that many variables should be absolutely secure. But where is the threshold? All anyone knows is that it probably lies between three and nine variables. At current or foreseeable processing speeds, a nine-variable cipher is impracticably slow, even for the fastest computers. A four-variable Diophantine cipher, however, would be both practical and extremely useful. DIO_fan (35 kb) From tcmay at got.net Thu Mar 21 20:52:32 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 22 Mar 1996 12:52:32 +0800 Subject: Leahy bill nightmare scenario? Message-ID: At 9:42 PM 3/21/96, E. ALLEN SMITH wrote: > I would like to remind people that the US judicial system, while not as >always mistaken as some believe, is not particularly noted for not making >serious errors in this area. For instance, regarding the forfeiture scheme, >quite a few competent lawyers have examined civil forfeiture - used for _any_ >crime - and found it to be a violation of the Bill of Rights. And yet civil forfeiture continues, in a big way, There are entire police departments who count on civil forfeiture to supply them with cars, boats, planes, helicopters, and who count on sales of seized assets to fund their departments. (From the yachts seized in Dade County to the killing of a retired doctor who had land in Malibu desired by the cops, the civil forfeiture situation is grim.) > Moreover, it is the contention of many lawyers - such as with the >ACLU - that the whole ITAR scheme should have been thrown out long ago as >unconstitutional. That it has not been so may be taken as an indication of how By the way, it was also the opinion of lawyers within the NSA that a real test of the ITARs in court should be avoided because they would likely be ruled unconstitutional. (Source: private conversation with Carl Nicolai, inventor of the PhaserPhone, suppressed by a Patent Secrecy Order, who was allowed, with his lawyer, to look through certain legal papers at NSA headquarters. He encounterd memoranda to the effect that an ITAR challenge would likely see the ITARs thrown out. I communicated this information to Phil Karn and the EFF a couple of years ago.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Thu Mar 21 21:10:28 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 22 Mar 1996 13:10:28 +0800 Subject: Cypherpunk Enquirer Request Message-ID: At 5:13 PM 3/21/96, Andrew Loewenstern wrote: >Would some kind soul please forward to me a copy of the latest Cypherpunk >Enquirer? My filter mistakenly tossed the last copy and the archive at >hks.net is still down. I just did this. Hilarious stuff. Interesting that no one complains about this use of anonymity! (By the way, with 1000+ subscribers, a "would some kind soul" request is possibly a dangerous thing to request. Game theory has some advice about rolling dice, etc., but I doubt this works well.) >(who should probably rewire his filter to toss messages into a temporary >'holding tank') Indeed, with Eudora (for the Mac and Windows), I filter offending messages into a file I call "Kill," though it is persistent and can be perused at any time. With the traffic having gotten lighter these last couple of weeks, I confess to looking at it more often. Some messages I "delete," which Eudora moves to a Trash file...and STILL doesn't delete the messages until the Trash is explicitly emptied! Lots of layers of protection. (Though I confess there have been times when I got an insulting or infuriating item in the mail and decided to remove all temptation to reply by immediately trashing it and then giving the command "Empty Trash." At this point, only a determined effort with Norton Utilities or the like could have any hope of recovering the deleted stuff. A a post offends thee, pluck it out.) --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From Chris.Claborne at SanDiegoCA.ATTGIS.com Thu Mar 21 22:16:52 1996 From: Chris.Claborne at SanDiegoCA.ATTGIS.com (Chris Claborne) Date: Fri, 22 Mar 1996 14:16:52 +0800 Subject: Cypherpunks Key-Signing at Networld Message-ID: <2.2.32.19960321231222.0071baa0@opus.SanDiegoCA.ATTGIS.com> Planning on attending Netoworld / Interop? Want to connect your PGP public key ring to San Diego? If so... Send me an e-mail before 3/29/96 and we will create a meeting place. Best time for me will be Monday night (4/1/96). I can be reached during the show (via my newton so don't mail bomb me) at 76340.2422 at compuserve.com ... __o .. -\<, Chris.Claborne at SanDiegoCA.ATTGIS.Com ...(*)/(*). CI$: 76340.2422 http://bordeaux.sandiegoca.attgis.com/ PGP Pub Key fingerprint = A8 FA 55 92 23 20 72 69 52 AB 64 CC C7 D9 4F CA Avail on Pub Key server. Dreams. They're just screen savers for the brain. From shamrock at netcom.com Thu Mar 21 22:53:31 1996 From: shamrock at netcom.com (Lucky Green) Date: Fri, 22 Mar 1996 14:53:31 +0800 Subject: Kid Gloves or Megaphones Message-ID: At 19:26 3/21/96, E. ALLEN SMITH wrote: >From: IN%"stewarts at ix.netcom.com" "Bill Stewart" 16-MAR-1996 01:55:32.07 > >>Depending on the details of Ian's method, I don't think the debate >>needs to be taken to the public, or even done - it may simply be a >>done deal once the technology's out there. If Mark Twain Bank or >>Merita Bank or the Federal Reserve wants to offer >Digicash(tm) with Payee-Non-Anonymity, they can always make it a contractual >>requirement that their payees not use anonymity techniques in return for >>being paid. > > Wouldn't the viability of such a clause depend on the anonymizing >scheme in question? If the bank's cooperation isn't needed (i.e., going through >a proxy), then such a limit would be empty. It is true that the issuer is unable to discover that double blinding is being used. The real problem with the protocol is that it requires payor/payee collusion, which may make it difficult to execute. -- Lucky Green PGP encrypted mail preferred. From ben.rothke at citicorp.com Fri Mar 22 00:18:41 1996 From: ben.rothke at citicorp.com (Ben Rothke) Date: Fri, 22 Mar 1996 16:18:41 +0800 Subject: NT's C2 rating Message-ID: <199603212246.AA33083@egate.citicorp.com> >>The fine print says its insecure as soon as its connected to a network. Try running the C2config.exe found in the 3.51 resource kit, Should NT detect that you have network connectivity during the C2 test, you will get the following error message: "C2 compliance requires that no networking software be installed on your system. One or more network services have been detected on your system. Select OK to use the Network Control Panel Applet to remove these services. If you click on Help, you will get the following bit of information: Windows NT networking services were not included in the NCSC C2 evaluated configuration. For your system to conform to the evaluated C2 configuration, the network services must be removed or disabled. Should you click on OK, if you are on a NT workstation, you have just disconnect yourself from the network. If you ran the test on a server, you have just shut down your network. ------------------------------------- Ben Rothke Citicorp Global Information Network NY, NY "Views expressed are exclusively my own & not of my employer" ------------------------------------- From stewarts at ix.netcom.com Fri Mar 22 01:09:45 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 22 Mar 1996 17:09:45 +0800 Subject: IPG message Message-ID: <199603220533.VAA29988@ix7.ix.netcom.com> The Seymour, TX Snake Oilers just keep getting better all the time, now that they've left Houston, or was it Boulder! Goat-getting hype about "What is specially claimed as copyrighted and or patentable" (blatantly incorrectly using those terms, and forgetting to include trademarks), several amusing new product names, bombastic claims about speed and strength, anecdotes about things he heard Dr. Von Neumann Himself say, and a sum-of-Linear-Congruential generators algorithm which is not only breakable but far slower than RC4 or RC5 or OTPs about which he's said less recently than before. And hardware random number generators achieving multiple megabytes per second of random numbers on a simple serial port! >Note: The zipped files are considerably larger than the original > because they are random unzippable data files. UnAuTHorIZed ReproDUCTion and DIS-SEMINATION Are STRICTLY ProHIBiTeD! Yee-Hah! P.S. Ralph - you now owe us the keys to your company (Percy still gets his 10%), plus all your remarkably copious Slack! #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissible." - US government statement on China... "SigFiles of Unusual Size? I don't believe they exist!" From stewarts at ix.netcom.com Fri Mar 22 01:16:23 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 22 Mar 1996 17:16:23 +0800 Subject: Electronic Frontiers Houston Cyber-Political Questionaire. Message-ID: <199603220533.VAA00116@ix7.ix.netcom.com> >FOR IMMEDIATE RELEASE >Electronic Frontiers Houston Cyber-Political Questionnaire. I'm not currently a candidate, though I've had the pleasure of running for Congress as a Libertarian a couple of times, and I'd like to comment on some of the issues. >Please answer the questions on the reverse side. Attach additional pages if required. Hmmm - that'll be a bit tough on line. Got any spare anti-electrons? I could run it through rot-13 :-) >1. Do you think that electronic publishing should enjoy the constitutional >protections that accrue to print media? >2. Do you think that electronic publishing should enjoy the constitutional >protections that accrue to broadcast media? >3. Do you think that electronic publishing should enjoy the constitutional >protections that accrue to libraries? The Bill of Rights was a good start, but courts have seriously mishandled it over the past 200 years, whether to support the public mood on an upcoming war (as in the Schenk (sp?) case, which gave us the appallingly misused "fire in a public theater" dictum), or to permit censorship of speech that offends the popular morals, or to support oligopolies through restricting access to radio and TV broadcasting to government-approved companies. I tend to agree with Hugo Black's position that the people who wrote "Congress shall make no law...." meant what they said. In particular, even supposing, as Holmes did, that there are types of speech so offensive and valueless as to not be protected by the First Amendment, the Constitution also doesn't specifically empower them to ban it either. >4. Do you favor new laws to regulate the content of electronic media? Yes - there's a lot of old law and FCC regulation that needs to be repealed, and that takes new laws. >5. Do you think that the First Amendment rights of free speech protect >private use of encryption? First, Second, Fourth, Fifth, Ninth, Tenth >6. Do you favor laws to regulate the private use of encryption? Nope. >7. Do you agree with restrictions on the export of technology that >incorporates cryptography? No - nor of other technology, either. >9. Do you support the right of a private individual too publish printed >materials anonymously? Not only do _I_ favor it, the Supreme Court also supports it. Electronic materials as well. >10. Should the government play a role in providing access to computer >networks? Yes and No. Governments have a role to play in providing access to existing government-run systems that have public information. >11. Do you think that the government should guarantee universal >access to computer networks? No. Government-provided services are government-controlled services. And governments can't guarantee services - they can only force people to buy them (with their own recycled money) from pro-government providers, while interfering with competing technologies and services that the market would otherwise provide. From a Liberal perspective, Internet access is already available on the open market for less than the cost of cable TV, in most of the country - trading government control of the most important media of the next two decades for the cost of a half-pack of cigarettes a day per citizen would be a really bad choice. >12. Do you think that access to government computerized information >is a right? >13. Should all governmental records that are available to the public be >made available via computer resources? >14. Should access to computerized governmental records be free? Not strictly - the public does own most of the government's information, but providing subsidized access to it isn't an appropriate use of tax money. Providing at-cost access certainly is, for information that the government should be giving out, and restricting distribution of that information or giving monopoly access to rent-seeking private companies certainly is wrong. But there's a lot of information the government has today that it shouldn't - people's private data that they've been forced to provide to bureaucrats, or information that wasn't quite as forced such as census data. Most of that data should be destroyed. And there are difficult questions, such as how to reveal details on CIA/NSA/FBI abuses without violating the privacy of people they spied on or interefered with. >15. Should the government regulate electronic financial transactions >and require traceability? Of course not. (I do distinguish between banning fraud and embezzlement, which is arguably a reasonable government function, and regulating the communications often used in those activities.) >16. Do you approve or disapprove of the wiretap provisions in the >1994 Digital Telephony bill? Disapprove. >17. Do you favor expanding law enforcement access to telephonic >communications? Sure - cops need phones, too. And access to the communications of other government officials to investigate crime and corruption in government is mostly safe. But demanding access to citizens' private communications is not only _far_ outside the bounds of government's legitimate access and a bare-faced grab for political power by the folks who brought us COINTELPRO and J Edgar Hoover's files, but is a call to violate individuals' rights to use whatever tools they want to protect their privacy to support their power-grab. And they've been so _disingenuous_ about it... >In addition, candidates for national office will be asked the >following additional question: >18. Do you favor legislation which would require a national ID card? No - I favor legislation to eliminate the half-way measure we have, the single "Social Security" tax-id Number, and, until we eliminate privacy-invasive taxes altogether, give taxpayers a large group of numbers so they don't have to give everybody a universal identifier just to pay their taxes. >Candidates for state office will be asked the following question: >18. Should laws requiring fingerprints to acquire/renew drivers licences >be repealed? Yes, as should driver's licenses and other mandatory ID. >Electronic Frontiers Houston is a non-profit group that supports civil >liberties and the development of culture in cyberspace. While I don't live in Houston, I've been a member and usually a supporter of EFF. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissible." - US government statement on China... "SigFiles of Unusual Size? I don't believe they exist!" From stewarts at ix.netcom.com Fri Mar 22 01:18:21 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 22 Mar 1996 17:18:21 +0800 Subject: Shameless Message-ID: <199603220533.VAA29847@ix7.ix.netcom.com> Sandy wrote: >Actually, I doubt Mr/Ms Anonymous is a provocateur. Reads more >like a paranoid schitzophrenic to me. Dollars to donuts says >it's Detweiler. Doesn't matter if it's Detweiler; what matters is whether it's detweiling.... #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissible." - US government statement on China... "SigFiles of Unusual Size? I don't believe they exist!" From declan at eff.org Fri Mar 22 01:33:55 1996 From: declan at eff.org (Declan McCullagh) Date: Fri, 22 Mar 1996 17:33:55 +0800 Subject: CDA Court Challenge: Day #1 Message-ID: ----------------------------------------------------------------------------- The CDA Challenge, Day #1 ----------------------------------------------------------------------------- By Declan McCullagh / declan at well.com / Redistribute freely ----------------------------------------------------------------------------- March 21, 1996 PHILADELPHIA -- In the shadow of the Liberty Bell in downtown Philadelphia, the future of online liberty is being decided. I arrived halfway through the first day of the hearing in our lawsuit challenging the Communications Decency Act. Overall, it went well, though there were a few surprises, like a series of computer crashes and the Department of Justice's embrace of the rhetoric of crusading anti-porn activist Catharine MacKinnon. But most importantly, the judges are engaged in the case. CDT installed a T1 line, which is the first time a courtroom has had a live net-connection -- judges tend to insist on paper. When Ann Duvall of SurfWatch demoed the web and her software this afternoon, the judges paid attention, asked questions, and were proud when they figured out the concept of a hierarchy of pages on a web site. Her demonstration wasn't without problems. The Macintosh laptop she used to demonstrate Netscape and SurfWatch crashed three times as Duvall tried to click on the Philadelphia Phillies web site. (A great idea, though -- at least one judge appeared interested in the team.) Jonah Seiger and the other CDTers fixed the problem quickly, but then net.latency prevented Duvall from accessing the Louvre or Playboy web sites. Penthouse worked properly, though: "Blocked by SurfWatch." As I'm typing this, I saw a mention that a local television station, WCAU News 10, is going to broadcast a special on the hearing early tomorrow morning. Today's press corps included CNN, CBS, NBC, the Washington Post, the New York Times Online, the Philadelphia Inquirer, the Los Angeles Times, and plenty of local reporters. The most interesting witness might have been Dr. William R. Stayton, a psychologist and sex therapist who testified that minors were not necessarily harmed by sexually-explicit materials. Stayton is an American Baptist minister, and holds faculty appointments at LaSalle and the University of Pennsylvania. The DoJ's only female attorney present cross-examined Stayton, spinning her arguments around a twisted MacKinnon-esque logic that I've never heard even from honorary net.mascot Senator James Exon. Seems as though she wasn't just trying to establish that nekkid photos are *harmful to minors* -- she was trying to establish that they're *harmful to women.* She asked questions like: "Do these pictures depict a healthy view of women as sexual beings?" "Do you believe the pictures are a factor in leading minors to view women as sex objects?" "Do you believe that these pictures are part of a socialization process that depicts women as sex objects?" Stayton rallied, replying: "There's nothing inherently harmful about letting a six-year old view these images." Undaunted, DoJ counsel continued, quoting from the Attorney General's 1986 Commission on Pornography, page 343, entered into evidence as exhibit 80. Seems as though that section talks about how nonviolent and nondegrading sexual materials are still harmful to minors. Chris Hansen from the ACLU on redirect asked: "Why is it not harmful for minors to access sexual materials?" Stayton: "We are born sexual beings... Our children are bombarded with sexuality on all sides... 50% of kids are sexually active by 15-16 years old. 85% are active by 18." To illustrate their point, the DoJ showed the judges and Stayton examples of dirty pictures taken from the Internet, complete with URLs. The pictures were _not_ hardcore; they seemed to consist of solo naked women in various lewd and explicit poses. The DoJ did this to demonstrate the types of _nonobscene_ materials available online that they would be unable to prosecute without the CDA. I would report in more detail on the types of images, but as I and members of the press started to page through the exhibit book after the hearing, someone from the DoJ came over and told us we weren't allowed to look at them "since they weren't available to the public." I argued with him, and he maintained that since they weren't _entered into the record_ then the public had no right to see them. How odd that the Feds are unwilling to divulge the URLs of the dirty pix they use in their case! I also met Cathy Cleaver, who's the director of legal studies for the Family Research Council, and a strong supporter of the CDA. She says she thought the hearing went well for her side. I politely disagreed. By the end of the day, the judges might have been starting to "get it." When Kiyoshi Kuromiya testified about his Critical Path AIDS Project web site, which carries safe sex information, the judges grilled him about the number of minors in the USA with HIV. Later, one Patricia Warren from Wildcat Press: "Is it easier to create an ezine than a magazine?" Another asked her if "gay and lesbian information is likely to be censored?" Tomorrow morning Professor Donna Hoffman of Vanderbilt University will testify. (She was instrumental in debunking Marty Rimm's fraudulent cyberporn study. ) Stay tuned for more reports. ----------------------------------------------------------------------------- The DoJ's case has been rescheduled to April 12th and April 15th. For more information and breaking updates, check out: http://fight-censorship.dementia.org/top/ Other relevant web sites: http://www.eff.org/ http://www.cdt.org/ http://www.aclu.org/ ----------------------------------------------------------------------------- From frantz at netcom.com Fri Mar 22 02:18:35 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 22 Mar 1996 18:18:35 +0800 Subject: A MODEST PROPOSAL Message-ID: <199603220752.XAA15483@netcom6.netcom.com> At 7:03 AM 3/20/96 -0800, Sandy Sandfort wrote: >(Did I get the style right?) C'punks, if you feels as I do, >please take a few moments to sign up for the LIST OF SHAME? >Let's show Bill, Bruce, Matt and all the others what most >Cypherpunks really think about them and Mr/Ms Anonymous. Please add my name. I don't abandon my friends when I disagree with them. Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From eay at mincom.oz.au Fri Mar 22 02:20:42 1996 From: eay at mincom.oz.au (Eric Young) Date: Fri, 22 Mar 1996 18:20:42 +0800 Subject: ASN.1 Tools/Compilers In-Reply-To: Message-ID: On Thu, 21 Mar 1996, Frederick Zarndt wrote: > Does anyone know of reliable ASN.1 tools/compilers suitable for use on a > wide range platforms? SSLeay contains a program asn1parse that will decompose ASN.1 structures. It also has C routines to play with X509, CRL and certificate requests. I did not write an ASN.1 compiler, I have written direct C code (using macros). I decided it would be easier that writing a compiler but it has probably worked out about the same amount of effort. eric -- Eric Young | Signature removed since it was generating AARNet: eay at mincom.oz.au | more followups than the message contents :-) From jya at pipeline.com Fri Mar 22 02:25:13 1996 From: jya at pipeline.com (John Young) Date: Fri, 22 Mar 1996 18:25:13 +0800 Subject: DAZ_zle Message-ID: <199603220353.WAA16495@pipe4.nyc.pipeline.com> Foreign Affairs, March/April, 1996, features two policy essays on "The Information Edge: A technological change is transforming the nature of power and the United States is clearly in the lead." In "America's Information Edge," Joseph S. Nye, Jr. former Chairman of the National Intelligence Council and Assistant Secretary of Defense, and Admiral William A. Owen, former Vice Chairman of the JCS, argue that information technology is transforming knowledge, and thereby power. They write of a "system of systems, an integration of ISR, C4I and precision force, which represents a qualitative change in U.S. military capabilities." They envision informational "soft power" -- the ability to achieve outcomes in international affairs through attraction rather than coercion -- as reinforcing the "information umbrella" shielding allies in lieu of the nuclear option. In "A Revolution in Warfare," Eliot A. Cohen, Professor of Strategic Studies at Johns Hopkins, takes issue with Nye and Owen on the radical impact of information technology, and argues that its revolutionary dazzle may distort historical understanding of the more general political and economic forces that are reshaping international and military affairs. He observes that misunderstanding of revolutionary technology all too often has had unexpected, disastrous, consequences: "A revolution in military affairs is under way. It will require changes of a magnitude that military people still do not completely grasp and political leaders do not fully imagine." DAZ_zle From gimonca at skypoint.com Fri Mar 22 02:26:06 1996 From: gimonca at skypoint.com (Charles Gimon) Date: Fri, 22 Mar 1996 18:26:06 +0800 Subject: Minneapolis Star Tribune this morning (fwd) Message-ID: Forwarded message: > > Charles Gimon wrote: > > Mpls. Strib did a piece this morning, front page, about AltaVista, > > Dejanews, etc. Well-worn territory to readers of this list. Your > > words can come back to haunt you, all that stuff. One paragraph that > > deserves rebuttal from those of you who are better-informed: > > > > "Of course, technology is working on solutions to itself, but > > mechanisms that would hide the name of a message's author, such as > > cryptography and anonymous remailers, are convoluted and incomplete." > > Rebuttal? Why? Remailers generally are. There aren't enough penet.fi > type remailers, which people prefer not only because there is a mapping > but because it's easier to use. (It's also a bit more secure if there > are c2-nym remailers mapped to penet.fi type remailers in various > countries). > > Not everyone is on a system that is PGP-friendly. Handling PGP-messages > from commercial services or even most mailer apps is awkward at best, > and the commands for mixmaster/c'punk remailers are not as standard as > they could be. (A PGP3 DLL would improve the use of crypto and anon- > remailers quite a bit.) > > From the excerpt you posted, it doesn't seem as if they were criticizing > remailers... which is a pretty good thing. > I'd rate the whole article as neither good nor bad. It was on the front page of the paper edition, so I was a little unhappy at an offhand remark that might discourage people from using remailers. I'm planning on doing the letters-to-the-editor thing, emphasis on saying good things about remailers. The whole article is online at the site mentioned. > > > > Author was Jonathan Gaw; no e-mail address given. Star Tribune Online > > is at http://www.startribune.com > From EALLENSMITH at ocelot.Rutgers.EDU Fri Mar 22 02:39:41 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Fri, 22 Mar 1996 18:39:41 +0800 Subject: Tim's friend's mildly retarded son Message-ID: <01I2M0WLQM7Q8ZDWL7@mbcl.rutgers.edu> From: IN%"asgaard at sos.sll.se" "Asgaard" 15-MAR-1996 14:06:44.11 >The reason FDA has not approved this drug is most probably because >it does not make mildly retarded boys less retarded. But of course, Actually, there is some evidence that nootropics do work. I've been doing a literature review on the subject (soon to be a full meta-analytic review if I can find the proper statistics for combining multiple results from the same study), and there is some evidence for them working... slightly. The lack of FDA approval can be described as being due to a combination of three factors: A. Most sucessful studies of such drugs have been on healthy individuals. (For instance, vasopressin only appears to work on those whose brains are reasonably intact in the portion that deals with memory; I find this unsurprising). However, the FDA refuses to approve drugs for the purpose of enhancement of normal humans. (They have the excuse that it's against their charter). They even include the decline of IQ with aging in this category, unless it's profound or associated with other problems. B. Most of the known to work nootropics, etcetera are beyond the patent period. Thus, the well-researched ones tend not to be profitable for a company to work on getting through the FDA. Instead, they're developing new ones... often with a concentration (as with hydergine) on drugs to treat senile dementia or other categories that the FDA _will_ approve. C. The FDA is notoriously conservative. I'm generally willing to trust anything they pass as safe and (at least marginally) effective, but that's because they're completely anal-retentive about the whole business. Anything they're willing to pass without serious political pressure (of the types mentioned in another post) is OK... it's just that they don't pass a lot of stuff that is OK. This topic's relevance to Cypherpunks, aside from the confirmations that you mentioned, is low... aside from that it's of interest to Extropians such as myself and Tim May. -Allen From llurch at networking.stanford.edu Fri Mar 22 02:59:21 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 22 Mar 1996 18:59:21 +0800 Subject: (X:x)e$ 's other use In-Reply-To: <9603220839.AA14552@ns.htc.net> Message-ID: Digital cash, if people can be convinced to trust it, will be a wonderful thing because of its security, convenience, and anonymity features. I'm sorry, but I just don't buy this "corrupt currency" schtick. On Fri, 22 Mar 1996, Gary Lee Jeffers wrote: > I believe that secret e$'s other use has been overlooked: That is, > e$ would be a sound money replacement for the corrupt currency that > every large state in the world currently pushes. Especially if e$ > can be redeemed in something of real value on demand. But it can't. Please define "something of real value." Please explain why it will always represent the same value to all people, and why it makes sense to pin your money to it rather than letting it float. Money is a convenient fiction that makes civilization work reasonably well most of the time. The value of money is always set by fiat and social consensus. People who reminisce about "the gold standard" are talking ahistorical nonsense. "The gold standard" was fiat money too. The price and transportation of gold was controlled by governments. The move away from "the gold standard" was a recognition of this fact, nothing more. > Note that the book DREAMS COME DUE made the distinction between money > and currency. The author used the word money for real money and the word > currency for false money. It may be the author's private distinction. With all due respect, I think he should have kept it private. -rich From tim at dierks.org Fri Mar 22 03:08:17 1996 From: tim at dierks.org (Tim Dierks) Date: Fri, 22 Mar 1996 19:08:17 +0800 Subject: ASN.1 Tools/Compilers Message-ID: At 10:29 AM 3/21/96, Frederick Zarndt wrote: >Does anyone know of reliable ASN.1 tools/compilers suitable for use on a >wide range >platforms? > >I already know about the following tools/compilers, but I would appreciate >comments >anyone cares to make: > > ISODE (who to contact for the DE?) > Snacc > >Thanks. > >Frederick Zarndt >Senior Software Engineer >Novell, Inc >122 East 1700 South >Provo UT 84606 >USA > >Tel 801 429-3348 >Fax. 801 429-3500 I've recently been looking into this as well. I haven't looked at ISODE yet. Snacc looks reasonable, but can't handle big integers (> 2^32), which may make it hard to use for certificates, due to embedded RSA keys; I haven't yet checked to see what could be done about this. It's free; the compiler is under the GNU license, but the runtime is redistributable without fee or onerous restriction. I also spoke to a company in NJ, Open Systems Solutions (609.987.9073), but their licensing terms were too expensive for my purposes. Their product runs on a lot of platforms and sounds very complete, but requires a licensed run-time environment. They currently support C and Pascal; C++ is coming. Their development environment starts at $11,500. I'm also searching for an ASN.1 product. We can afford to pay for a compiler, but we need unrestrained distribution of the runtime in source form. Any information would be greatly appreciated. You may wish to examine the ASN.1 homepage @: http://www.inria.fr/rodeo/personnel/hoschka/asn1.html Best, - Tim Tim Dierks - Software Haruspex - tim at dierks.org Hastening the heat-death of the universe since 1968. From christopher at nescio.zerberus.de Fri Mar 22 03:08:33 1996 From: christopher at nescio.zerberus.de (Christopher Creutzig) Date: Fri, 22 Mar 1996 19:08:33 +0800 Subject: PGP key spoofing Message-ID: Hello, everybody, (Please note that I sent this to several mailinglists at once. I am not subscribed to cypherpunks any longer, so I won't see any replies there.) I think I have realized a serious flaw in PGPs key-handling. This may lead to people using and signing bogus keys despite the usual security measures. The problem is that PGP fails to differentiate between two keys sharing the same 64-bit-Key-ID. It is not a real problem to generate a key with a given key-ID (just take a prime, invert the desired key-ID modulo this prime and look for another prime whose lower bits are the same as in the number you just calculated), so the following attack would be possible: - Get the real key you wish to mimic. - Generate a fake key with the correct IDs. - Send your bogus key to a person of which you know that - This person does not have the correct key yet. - This person is going to meet the correct key's owner. If the owner of the correct key does not give a fingerprint, but rather a disk with the correct key to the person you are trying to fool, his or her pgp won't ring alarm bells when reading the key (apart from possibly a failed signature), but rather will tell him the key is already there. He will then, most probably, sign the bogus key without any further thought. Therefore, you should *always* check the fingerprint, even if you got the real key, at least if it has no valid signature from its alleged owner. -- Christopher Creutzig # Im Samtfelde 19 # D-33098 Paderborn # V+49-5251-71873 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # Sammele Vorschl�ge zur Rettung vom Genitiv. From dwl at hnc.com Fri Mar 22 03:42:56 1996 From: dwl at hnc.com (David Loysen) Date: Fri, 22 Mar 1996 19:42:56 +0800 Subject: NT's C2 rating Message-ID: <199603212223.OAA01460@spike.hnc.com> At 03:54 PM 3/21/96 EST, you wrote: >> configuration can be certified as C2 compliant. The way I read the orange >> book, no system with a network connection can ever be C2. For that matter a >> system can't get C2 unless it is in an area where you can control and >> monitor physical access to the system. > >This is incorrect -- you can have a C2 system which has a network >connection. Indeed, you can get a B2 rating with a networked system, >c.f. Multics. > >-derek > > > Well, I never argue with anyone from MIT..... But. I don't see any reason a C2 or B2 system can't be networked to another system(s) with the same classification. But that isn't really what I meant. Can you make a firewall system that is C2 compliant? Isn't this what you would need in order to connect a C2 system or network to another non secure network, (i.e. the internet)? I do agree that there is no place in the orange book that says "thou shall not speak ethernet" but can you network a system and be able to "require that ADP systems that process, store, or use classified data and produce classified information will, with reasonable dependability, prevent delibrate or inadvertent access to classified material by unauthorized persons, and unauthorized manipulation of the computer and its associated peripheral devices." Which the orange book does say. I guess "reasonable dependability" is a pretty broad term. Pardon a newbie here if I am being unusally obtuse, but you can't learn if you don't ask. dwl at hnc.com David Loysen 619-546-8877 x245 From unicorn at schloss.li Fri Mar 22 04:23:33 1996 From: unicorn at schloss.li (dirsec) Date: Fri, 22 Mar 1996 20:23:33 +0800 Subject: [NOISE] Re: Dorothy Denning attacks Leahy's crypto bill In-Reply-To: <199603211619.IAA27641@dns1.noc.best.net> Message-ID: On Thu, 21 Mar 1996 jamesd at echeque.com wrote: > At 05:31 AM 3/21/96 -0500, dirsec wrote: > > I think Leahy will, quite rightly, refuse to adopt the new bill because > > it has a snowball's chance in hades of passing, and it makes him look > > soft on crime and terrorists. > > Hold it: Backup: Opponents of the bill say it says X: Supporters of the > bill say it says Y: The proposal is to rewrite the bill so it actually > does say Y in plain english. And you (quite correctly) say that the bill > will not pass if says Y. It's even deeper than this really. Opponents of the bill say it says X. Supporters of the bill say it says Y. The bill actually sounds more like X than Y. There is very little incentive to make the bill anything like Y. The bill could probably be a straight forward X and still pass. > > You are right. > > The bill does not facilitate crypto exports, it just sounds like it does, > and it delegates judicial powers to cops. Well, it facilitates them, but it takes with the other hand at the same time. It does not facilitate strong unescrowed crypto exports. > If it was amended to facilitate crypto exports, and to maintain the > separation of judiciary and executive, it would not pass. If it was just amended to facilitate crypto exports, it would not pass. > --------------------------------------------------------------------- > | > We have the right to defend ourselves | http://www.jim.com/jamesd/ > and our property, because of the kind | > of animals that we are. True law | James A. Donald > derives from this right, not from the | > arbitrary power of the state. | jamesd at echeque.com > > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From EALLENSMITH at ocelot.Rutgers.EDU Fri Mar 22 04:36:12 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Fri, 22 Mar 1996 20:36:12 +0800 Subject: Leahy bill nightmare scenario? Message-ID: <01I2LXKYBUUW8ZDWFS@mbcl.rutgers.edu> I believe the debate about the Leaky bill can essentially be summarized as: A. If the bill is interpreted in light of the Bill of Rights, et al, then we don't have anything to worry about, and it's a good bill. B. If it's not, then it's a bad bill. I would like to remind people that the US judicial system, while not as always mistaken as some believe, is not particularly noted for not making serious errors in this area. For instance, regarding the forfeiture scheme, quite a few competent lawyers have examined civil forfeiture - used for _any_ crime - and found it to be a violation of the Bill of Rights. Moreover, it is the contention of many lawyers - such as with the ACLU - that the whole ITAR scheme should have been thrown out long ago as unconstitutional. That it has not been so may be taken as an indication of how the _politically appointed_ judges on the Supreme Court, et al, are likely to make mistakes. I would also remind you of the ratings given by the American Bar Association to quite a few current judges on the Supreme Court, which may be taken as a reflection of their competency. -Allen From maldrich at grctechs.va.grci.com Fri Mar 22 04:36:23 1996 From: maldrich at grctechs.va.grci.com (Mark Aldrich) Date: Fri, 22 Mar 1996 20:36:23 +0800 Subject: C2 rating of NT Message-ID: Date: Thu, 21 Mar 1996 08:09:14 -0500 (EST) From: Mark Aldrich To: owner-cypherpunks at toad.com Subject: Re: your mail On Wed, 20 Mar 1996 owner-cypherpunks at toad.com wrote: > > Basically, I'm now questioning the C2 rating of Windows NT. The > entire security layer is modular to the Kernel. As a modular > driver, it can be removed, rewritten, and replaced. > > So, what makes it secure? What gives it the C2 Rating? How would > one go about getting a C2 rating? Politics make it C2. The DoD mandated, years ago, that all their OSs had to go to the C2 level of trust. Further, they had also mandated POSIX compliance in just about every procurement that they had to publish in CBD. Well, they then proceeded to ignore their own policy and they bought MS DOS all over the damn place because everyone wanted the stuff just like they have at home. You can't play DOOM on SCO UNIX, ya know... So, in order to not look like a bunch of incoherent IRM loosers, they effectively forced the C2 and POSIX compliance stickers onto Windows NT even though everyone (including some nameless NCSC personnel with whom I've spoken) clearly state that C2/POSIX and MS Windows NT is an oxymoron. Now everyone can claim to be running C2 and POSIX systems, even though, by admission of MS, you can't have NT configured for both at the same time. Duhhhhhh... ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From maldrich at grctechs.va.grci.com Fri Mar 22 04:36:59 1996 From: maldrich at grctechs.va.grci.com (Mark Aldrich) Date: Fri, 22 Mar 1996 20:36:59 +0800 Subject: NT's C2 rating In-Reply-To: <199603211813.KAA15750@spike.hnc.com> Message-ID: On Thu, 21 Mar 1996, David Loysen wrote: > Ain't nothing fine about that print. An operating system or piece of > hardware may be C2 certifiable. But only a complete system in a specific > configuration can be certified as C2 compliant. The way I read the orange > book, no system with a network connection can ever be C2. For that matter a > system can't get C2 unless it is in an area where you can control and > monitor physical access to the system. I have to disagree. C2 most certainly can be given to a network product. That's why we have the TNI (Trusted Network Interpretation) of the criteria. There are actually A1 network products on the EPL. I've personally worked on both C2 and B1 network and database product evaluations, for example. Also, evaluation is given to commercial products, not "complete systems." A complete system goes through certification and accreditation, not evaluation against the Criteria. Also, the physical security measures make no difference in regard to a C2 rating. A product can be C2 whether it's in a kiosk in a shopping mall, or inside of a SCIF. The over-all security policy of the system dictates the right mix of software countermeasures (C2, B1, B2, ,etc.) and the physical countermeasures (public, locked room, not networked, in a SCIF). Normally, as you boost one side of the equation, you can lower the other. In short, the criteria is used to rate the level of trust that can be placed in a given commercial product. Sort of like a UL rating. Once you buy it, though, the security posture in which you operate it is up to you. ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From sophi at best.com Fri Mar 22 04:49:30 1996 From: sophi at best.com (Greg Kucharo) Date: Fri, 22 Mar 1996 20:49:30 +0800 Subject: A funny story Message-ID: <3151EE5C.F4E@best.com> I was driving on the Foothill Expressway in Palo Alto today when I came to a stop at a light. I glanced over at the car next to me and noticed that someone had left thier keys in the door lock. So being the good cypherpunk that I am I jumped out and grabbed the keys from the lock, then knocked on the window. The passenger rolled down the window and accepted the keys back. Much to my surprise the passenger was none other than Whitfield Diffie. Very goofily I exclaimed, "aren't you Whifield Diffie!?". "Yes, who are you", was the reply. "I'm a cypherpunk", I retorted. I'm not sure his exact reply by I think it was along the "excellent" lines. I got handshakes from he and his driver. -- ----------------------------------------------------------------- "When they came for the Fourth Amendment I didn't say anything because I had nothing to hide. When they came for the Second Amendment I didn't say anything because I wasn't a gun owner. When they came for the Fifth and Sixth Amendments I didn't say anything because I had committed no crimes. When they came for the First Amendment I couldn't say anything." -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCPAzEIa2wAAAEEALouE7MNxsG+QTOJSrMTygYWKblpI9MgOKaFA+5AICNelAw6 6Gj3B0EQr7bwLILk8EJULG+kYh/ND9Kn1EXBK+elXbwpFCLqoyEZrbHJnurhH/t6 VFEwhbN1V0e/bFOCTq8nykoJjZ/uq0mz8HouIbEt6BYWoKVSUIU/T+iDV3TVABEB AAG0DWdoa0Bzb3BoaS5jb20= =gwax -----END PGP PUBLIC KEY BLOCK----- From jmoll at acquion.com Fri Mar 22 04:52:10 1996 From: jmoll at acquion.com (Joseph L. Moll) Date: Fri, 22 Mar 1996 20:52:10 +0800 Subject: protection on IoMega ZIP drives Message-ID: <2.2.32.19960322120637.006acd68@mail.acquion.com> This is in regard to the now popular ZIP disks, the removable 100MB cartridge for PC's/MAC's. Anyone have any idea how secure the ZIP disk is once it is "protected?" I know that the disk will refuse to be mounted without the passkey, but what is really happening here? Best Regards, --- Joseph (Joe) L. Moll mailto:jmoll at acquion.com Network/Communications Engineering http://www.acquion.com phone:864-281-4108 fax:864-281-4576 Acquion, Inc. Greenville, SC USA -- Specialists in Electronic Commerce From gjeffers at ns.htc.net Fri Mar 22 05:57:02 1996 From: gjeffers at ns.htc.net (Gary Lee Jeffers) Date: Fri, 22 Mar 1996 21:57:02 +0800 Subject: (X:x)e$ 's other use Message-ID: <9603220839.AA14552@ns.htc.net> (X=:x)e$ 's other use. My dear fellow Cypherpunks, I believe that secret e$'s other use has been overlooked: That is, e$ would be a sound money replacement for the corrupt currency that every large state in the world currently pushes. Especially if e$ can be redeemed in something of real value on demand. As some of us know, the U.S. Fed State's Federal Reserve Notes are corrupt currency. The corruption is at 5 different levels: 1. They are DEBT currency - they are lent into existence and it is mathematically impossible to pay off this debt. If you borrow $100, then where do you get the interest - say 8% since all FRN's are borrowed into existence?. This turns the great majority of Americans into victims. If you want freedom for your citizens, you do NOT allow monopoly DEBT currency. Note: bankruptcies & good counterfeiting are the only ways. 2. Fractional Reserve Banking. That means that the bank can lend out several times the money that it actually has. I believe that that is currently 8 times but that is a rough estimation. 3. Fiat money. That means that FRN's are backed by nothing more than the willingness of banks to redeem them with other FRN's. 4. Private banks with monopoloy privledges issue the currency. The Federal Reserve is a private (non-U.S. State) institution with the mono- poly on U.S. currency manufacture. The U.S. Treasury prints the currency for the Federal Reserve. Other major states have similar arrangements. These major banks are properly called Central Banks. To turn your currency ownership over to a private Central Bank is monstrous! If the people knew what was going on, the U.S. Federal State would be destroyed along with the hidden ruling class. 5. The Legal Tender Laws. These laws force the acceptance of FRN's in the U.S.. "This money good for all debts public and private". Note that the book DREAMS COME DUE made the distinction between money and currency. The author used the word money for real money and the word currency for false money. It may be the author's private distinction. I suggest that Iran did us a good turn in making and passing billions of dollars worth of uncatchable hundred dollar bills: they allowed the retirement of billions of dollars of debt for the American people without forcing Americans into bankruptcy. In a debt currency economy, good count- terfeiting is GOOD! It adds superior counterfeit to the mass of "legiti- mate" counterfeit. kind of improves the pool :-) Secret e$ offers the possibility of ridding ourselves of the slavery of private monopoly money issue. It would also give us a choice in what currency that we would like to use. Another possibility is that due to its high quality, it would be used during depressions and would possibly even break depressions. Its extremely FLUID nature might also be a pro- tection against depressions. It would be a TRUE MONEY and would give the people the advantages of true money. Let me emphasize: we do not current- ly have REAL money nor do the people of the other major States. We do not know what real money is like. Another possibility exists with secret e$: that several different kinds could exist. They would all be convertible into each other, of course. Major differences?: Different redeemablity schemes, etc.. Secret e$ offers more that just the freedom of private transactions (as great as that is). It also offers us the power and freedom of true money! Central power is stolen freedom. THE UNITED STATES "FEDERAL" GOVERNMENT HAS NO LEGITIMACY. The United States "Federal" Government - We'll be even more American without it. PUSH EM BACK! PUSH EM BACK! WWWAAAYYYY BBBAAACCCCK! BBBEEEAAATTTT STATE! Gary Jeffers  From stewarts at ix.netcom.com Fri Mar 22 05:59:26 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 22 Mar 1996 21:59:26 +0800 Subject: NT's C2 rating Message-ID: <199603220713.XAA03976@ix15.ix.netcom.com> At 02:30 PM 3/21/96 -0800, David Loysen wrote: >I don't see any reason a C2 or B2 system can't be networked to another >system(s) with the same classification. But that isn't really what I meant. >Can you make a firewall system that is C2 compliant? Isn't this what you >would need in order to connect a C2 system or network to another non secure >network, (i.e. the internet)? Leaving out Red Book details (since back when I last read the Red Book, nobody really had any general solutions to the problems), the problem is that the Orange Book demands that for C-level and above, the operating system must know the identity of all the users so it can track file, process, and authentication accesses, and for B1 and up, it also needs to know what users are allowed to use what security levels and what levels they're actually operating at. 1) It's difficult to do that - you have to trust the messages coming over a wire from the other machine to tell you who they're from, unless you can be sure there's only one user per wire. That means you need a mechanism for trusting the other machine, a mechanism for communicating that trust, a shared or mappable mechanism for identifying users, etc. That takes a certain amount of work even when you control all the machines that your machine can talk to, which you often can't (e.g. on an outer firewall.) 2) To _certify_ a system for general use (as opposed to certifying a specific instantiation of a system), you need to be sure that it will be installed and maintained in a way that will provide that identification and assurance. That's even harder, because you either need cryptographic authentication and session control, or else you need a way to guarantee that the system you're certifying only talk to machines that are administered in coordination with it, in spite of being installed by some Army grunt or military contractor who may RTFM but isn't a security wizard. And in the C2-certification biz, "cryptographic" means "something you got from the NSA", because they're the ones who do military crypto, and they tend not to trust software. Fortezza cards may do this stuff ok.... 3) The networking code becomes part of the Trusted Comptuting Base, which means you have to be able to verify that it can't mess with anything that you don't want it messing with, and if it supports more than one simultaneous user, it's got to be able to keep track of sessions and communicate them reliably to the OS and TCB. That works relatively well for serial-port user logins and maybe uucp. TCP/IP, on the other hand, is typically implemented down in the guts of the OS, partly because IP needs to talk to hardware a lot, partly because it's often easier to do the TCP and IP together, partly for "speed", and partly because it's much more efficient to hand stuff to multiple users from kernel space than to hand it up to a user-space application which then IPCs things back through the kernel to their destination user processes. It also tends to have various pieces running as root, either to access hardware or protected parts of the software, or to make it easier to transfer ownership of information to processes owned by different users. (Yes, this is a Unix-centric view, but other systems tend to do similar stuff.) This makes it difficult to verify that it's clean (hey, parts of it are tough enough to get working really well, much less bug-free), and it's even tougher at higher levels like B2 that want Least Privilege rather than having a SuperUser root that can do everything. Root stuff is just basically dangerous anyway. And B1-level OSs often run the TCB (including root) at System Low to make sure no regular user can mess with it, which makes it hard for root-owned processes to write up to users. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissible." - US government statement on China... "SigFiles of Unusual Size? I don't believe they exist!" From proff at suburbia.net Fri Mar 22 06:15:54 1996 From: proff at suburbia.net (Julian Assange) Date: Fri, 22 Mar 1996 22:15:54 +0800 Subject: BOAF Sat April 6, Melbourne Message-ID: <199603220751.SAA00159@suburbia.net> ____ _ _ _ / ___| _ _| |__ _ _ _ __| |__ (_) __ _ \___ \| | | | '_ \| | | | '__| '_ \| |/ _` | ___) | |_| | |_) | |_| | | | |_) | | (_| | |____/ \__,_|_.__/ \__,_|_| |_.__/|_|\__,_| ------------------------------------------------------------------------------- Birds of a feather ____ _ _ | _ \ __ _ _ __| |_ _ _| | | |_) / _` | '__| __| | | | | | __/ (_| | | | |_| |_| |_| |_| \__,_|_| \__|\__, (_) |___/ Saturday April 6, 1996 (easter weekend) 8:30pm till day light boaf at suburbia.net Melbourne Australia (http://www.lonelyplanet.com/dest/aust/melb.htm) Q: who's invited? A: you Q: who will be there? A: a cross-social strata of individuals, occupations and ages. It will be an eclectic evening. Q: no, I mean who will *really* be there? A: now is not the time for potentially dichotomatic simplifications of character, but what the heck... (a) Suburbia users: From magistrates and politicians to convicted computer hackers. We have as users private investigators, writers, programmers, QC's, record producers, musicians, film directors, journalists, policemen, intelligence agents, chess champions, members of obscure religious sects, netball umpires, many, many types of scientists and engineers, security experts, doctors, accountants, bartenders, choral conductors, comedians, nurses, DJ's, military police, drivers license testing officers, farmers, haematologists, herbalists, unionists, lecturers, librarians, linguists, paramedics, basketball umpires, air force pilots, singers, surgeons, system operators, linesmen, TV service men, solicitors, taxi drivers, teachers, unemployed inventors, veterinarians, actresses, aerobics instructors, art directors, athletes, chefs, bank clerks, cleaners, prison officers, dentists, dishwashers, film marketers, housewives, locksmiths, pensioners, radiologists and waiters (to name a few) (b) members of the following Suburbia run mailing lists: Avenue St. Etienne (a musical group) fans. BoS (best-of-security digest) Paranoid system admins, computer hackers, security professionals and a whole bunch of spooks Inside-Source (inside-source) As above, but don't introduce these guys to your sister. LACC (Legal Aspects of Computer Crime) Lawyers, security professionals, police, hackers, certifyably paranoid system admins and political activists (c) Memebers of the: Powerline Action Group Alternative Technology Association Center for Comtempory Photography Ross House Association Australian Public Access Network Association Private Inquiry Agents Association (d) Selected people and organisations that we owe favors to, and who shall remain anonymous. (e) Fans of T. Capody, P.K Dick, Stanislaw Lem, Pushkin, Nabakov, Dostoevesky or Thomas Pynchon. Venue: A computationally secure address in North Melbourne, approximately 10 minutes drive from the city center and 5 minutes walk from the North Melbourne railway station. There will be around 15 Internet ISDN connected PC's and a pro-tem dedicated link to Suburbia. Though, we encourage you to forget all about life as a keyboard interface for the night. Main course meals will be available for around $10 a head. Drinks will be served till 1am. Email boaf at suburbia.net for the ADDRESS and DIRECTIONS on how to get to it. You will need to include the number of people you plan bringing and how many of those (including yourself) desire to digest something other than the fascinating conversation. Do not request the address unless you definitely plan on coming, or our calculations and your reputation will go down like a V1. There is NO door fee, but small donations of dollars and/or computer/radio/microwave hardware/cables are encouraged (or you might get a few funny looks) to help cover costs. Music: BYO and we will play it provided it is something people can background if they want to talk. Most techno, hard-rock and pop will end up as a North Melbourne UFO sighting before it gets anywhere near the audio equipment. R&B, Jazz fusion, and Syd Barret (early Pink Floyd) style/derived material will be looked upon a good deal more favorably, but some of us are open minded. Dress: Anything that doesn't get you an indecent exposure charge will get you in the door. 1930's incognito is just fine. ps. the undercover colour of the day is purple. From weinberg at accessus.net Fri Mar 22 06:39:50 1996 From: weinberg at accessus.net (WThinker) Date: Fri, 22 Mar 1996 22:39:50 +0800 Subject: LET'S ROCK!!!! Message-ID: <199603221326.HAA22835@mtvernon1.accessus.net> Ok, here is the situation. I have a person mad at me in one of my mailing lists. Turns out, this person was the owner of the mailing list! Well now I'm stuck, knocked out of the list. The owner can not see any of my mail, no matter how hard I try. I need some ideas to eather get through to her, or really fuck up the mailing list. Any ideas? WThinker P.S. please E-Mail directly to me. If you can. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ WThinker Social Deviant, W.W., and CHIPs expert! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From wlkngowl at unix.asb.com Fri Mar 22 06:59:31 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Fri, 22 Mar 1996 22:59:31 +0800 Subject: Minneapolis Star Tribune this morning In-Reply-To: Message-ID: <3151F296.1331@unix.asb.com> Charles Gimon wrote: > Mpls. Strib did a piece this morning, front page, about AltaVista, > Dejanews, etc. Well-worn territory to readers of this list. Your > words can come back to haunt you, all that stuff. One paragraph that > deserves rebuttal from those of you who are better-informed: > > "Of course, technology is working on solutions to itself, but > mechanisms that would hide the name of a message's author, such as > cryptography and anonymous remailers, are convoluted and incomplete." Rebuttal? Why? Remailers generally are. There aren't enough penet.fi type remailers, which people prefer not only because there is a mapping but because it's easier to use. (It's also a bit more secure if there are c2-nym remailers mapped to penet.fi type remailers in various countries). Not everyone is on a system that is PGP-friendly. Handling PGP-messages from commercial services or even most mailer apps is awkward at best, and the commands for mixmaster/c'punk remailers are not as standard as they could be. (A PGP3 DLL would improve the use of crypto and anon- remailers quite a bit.) >From the excerpt you posted, it doesn't seem as if they were criticizing remailers... which is a pretty good thing. > > Author was Jonathan Gaw; no e-mail address given. Star Tribune Online > is at http://www.startribune.com From EALLENSMITH at ocelot.Rutgers.EDU Fri Mar 22 07:18:38 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Fri, 22 Mar 1996 23:18:38 +0800 Subject: Kid Gloves or Megaphones Message-ID: <01I2M16O9GGG8ZDWL7@mbcl.rutgers.edu> From: IN%"stewarts at ix.netcom.com" "Bill Stewart" 16-MAR-1996 01:55:32.07 >Depending on the details of Ian's method, I don't think the debate >needs to be taken to the public, or even done - it may simply be a >done deal once the technology's out there. If Mark Twain Bank or >Merita Bank or the Federal Reserve wants to offer Digicash(tm) with Payee-Non-Anonymity, they can always make it a contractual >requirement that their payees not use anonymity techniques in return for >being paid. Wouldn't the viability of such a clause depend on the anonymizing scheme in question? If the bank's cooperation isn't needed (i.e., going through a proxy), then such a limit would be empty. -Allen From shamrock at netcom.com Fri Mar 22 07:20:28 1996 From: shamrock at netcom.com (Lucky Green) Date: Fri, 22 Mar 1996 23:20:28 +0800 Subject: Ecash API about to be released Message-ID: With the Ecash API due to be released within a matter of days, I would welcome anyone on this list interested in building applications on top of such an API to contact me. The API will determine the calls to a libecash that DigiCash will provide. Try to send emails that contain "I would like to code..." and please don't send the ones that contain "it would be nice if someone coded..." :-) -- Lucky Green PGP encrypted mail preferred. From hoz at univel.telescan.com Fri Mar 22 07:21:15 1996 From: hoz at univel.telescan.com (rick hoselton) Date: Fri, 22 Mar 1996 23:21:15 +0800 Subject: A funny story [noise] Message-ID: <9603220452.AA03455@toad.com> >... someone had left thier keys in the door lock. > So being the good cypherpunk that I am I jumped out and grabbed the >keys from the lock, then knocked on the window. The passenger rolled >down the window and accepted the keys back. Much to my surprise the >passenger was none other than Whitfield Diffie. Let me get this straight. You performed a key exchange with Whitfield Diffie? His keys were publicly available, and you securely transferred them back again? What a concept! Rick F. Hoselton (who doesn't claim to present opinions for others) From stewarts at ix.netcom.com Fri Mar 22 07:31:47 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 22 Mar 1996 23:31:47 +0800 Subject: NT's C2 rating Message-ID: <199603220533.VAA29930@ix7.ix.netcom.com> At 10:21 AM 3/21/96 -0800, David Loysen wrote: >>The fine print says its insecure as soon as its connected to a network. >Ain't nothing fine about that print. An operating system or piece of >hardware may be C2 certifiable. But only a complete system in a specific >configuration can be certified as C2 compliant. The way I read the orange >book, no system with a network connection can ever be C2. A system with a network connection _can_ be C2 or higher rated - *if* it can adequately verify that it knows who its users are. That's hard, but it's doable, if it restricts access to a limited set of users, and has enforcement mechanisms to support it. For instance, connection over an encrypted, crypto-authenticated LAN which can enforce session ownership or trustably label all data packets could work; you'd typically do that with some kind of wrapper over IP or TCP and a bullet-proofed OS interface. It's far cleaner if you can do networking in user space rather than the kernel; I think the UUCP-equipped configurations for AT&T's B1-rated System V/MLS were part of the rated configuration, though it's been a while since I've been near that world. It's also easier if you limit each system (or at least level) to one local user per machine so machine ID tells you user ID. Compartmentd Mode Workstations were just coming out when I last did that stuff, so I don't know quite how much of the Red Book they implement, but they had goals of supporting networked above-B1 computing. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissible." - US government statement on China... "SigFiles of Unusual Size? I don't believe they exist!" From stewarts at ix.netcom.com Fri Mar 22 07:37:08 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Fri, 22 Mar 1996 23:37:08 +0800 Subject: Dorothy Denning attacks Leahy's crypto bill Message-ID: <199603220533.VAA29941@ix7.ix.netcom.com> Hey, wait, are Jim Bell and I supposed to be in fairly complete agreement on something? :-) At 12:09 AM 3/20/96 -0800, jim bell wrote: >At 09:45 PM 3/19/96 -0800, Declan McCullagh wrote: ... >>From: denning at cs.cosc.georgetown.edu (Dorothy Denning) >"Far easier"? That's an odd statement, because the export of encryption is >easy with or without restrictive laws. How much trouble is a "criminal or >terrorist" going to risk by violating a few measly export laws? It probably would make it much easier for Designated Scary People to use crypto without having to take special precautions. If IPv6 security was part of the standard Microsoft Win2000 networking stack (ok, without major botches, and with a convenient user interface :-), and PGPphone came on the Soundblaster N+1 installation disk, all those tax-evaders and pharmaceutical wholesalers and, and, and father-rapers could talk to their accountants in private and chat with each other about tax-evadin' and father-rapin' and _crime_, and it'd be much harder to Federalize their money and arrest their clients. And a lot of that probably won't happen if Microsoft and Soundblaster have to make domestic and international versions of their software. >>I am concerned that the proposed legislation responds only to a loud >>cry for assistance and is not the reasoned and practiced position of >>our multinational corporations. Well, certainly not the position of MNCs who are big players in the military-industrial complex. But what's this _our_ terminology? In particular, cryptography offers the only technical defense against the ability of computers to centralize and correlate information from many sources, which is one of the primary threats to personal privacy today, and MNCs are generally supportive of centralizing any information they can. >> At the International Cryptography >>Institute, which I chaired in September 1994 and 1995, our discussions >>did not find that this unrestricted distribution of encryption >>technology was required to satisfy business objectives. Well, I'd expect not. It wasn't exactly an unbiased crowd; there were a couple people there on Our Side, but it was largely people who agreed with Dr. Denning on the political objectives, and the business contingent included companies like TIS which _sell_ so-called escrow software. > >Notice that we've already established that this bill in no way produces an >"unrestriction distribution of encryption technology." Wish it did, but it >doesn't. Yeah. >>The Commerce/NSA study did acknowledge that the existence of foreign >>products claiming strong encryption could have a negative effect on >>U.S. competitiveness. However, by allowing encryption services to be >>sold separately from the applications software that uses them, CAPIs >>will make it extremely unlikely that general-purpose software will be >>substantially effected by export controls. Which side is Dr. Denning _on_ here? At present, software using CAPIs is not exportable under the ITAR, since the CAPI is a "component of a munitions system"; is she now advocating legalized export of software using government-approved CAPIs only? >Notice that she seems to be making policy for the government, yet again. She seems to have been the big public advocate of it for years.... >>Export controls are often blamed for the lack of security in our public >>infrastructure. Sure - the fact that Microsoft Office built-in file protection isn't even up to RC4/40 standards isn't primarily the fault of export controls, but the lack of a clearly defined official export standard doesn't _help_ them make a business case for including good encryption. >>Encryption policy is a difficult and often emotional issue. > >It's only emotional because of malicious and counter-productive efforts by >government, and government suck-ups like Denning. She certainly hasn't helped, and she's aided and abetted and provided assistance to the folks like Freeh who want to stop free speech and privacy, but it's also emotional because many of us really don't want our privacy compromised and our freedom of speech restricted. The Bill of Rights isn't perfect, but it's far better than what the government is using today, and it's got provisions like the 9th and 10th amendments to remind readers that it's just a set of examples of civil rights, not an exhaustive inventory. >>I will be pleased to meet with you and the committee for comment and >>questioning, or to assist in any way I can with the development of a >>balanced approach to encryption legislation. I've always enjoyed discussing issues with people who offer an outrageously extreme set of proposals, then back off to a still offensive level and call it "balanced". The status quo already gives too much effective power to the government, and she's proposing to give in where it the alternatives are unenforceable and strenghten her position where there's new power to be seized. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissible." - US government statement on China... "SigFiles of Unusual Size? I don't believe they exist!" From dsmith at midwest.net Fri Mar 22 09:04:05 1996 From: dsmith at midwest.net (David E. Smith) Date: Sat, 23 Mar 1996 01:04:05 +0800 Subject: A funny story [noise] Message-ID: <2.2.32.19960322142245.00693c74@204.248.40.2> At 08:52 PM 3/21/96 PST, hoz at univel wrote: >>... someone had left thier keys in the door lock. >> So being the good cypherpunk that I am I jumped out and grabbed the >>keys from the lock, then knocked on the window. The passenger rolled >>down the window and accepted the keys back. Much to my surprise the >>passenger was none other than Whitfield Diffie. > >Let me get this straight. You performed a key exchange with >Whitfield Diffie? His keys were publicly available, and you >securely transferred them back again? What a concept! Weren't those his _private_ keys, though? You probably shouldn't be able to transfer those in a secure system. ObCrypto: would the transfer of private keys be necessarily a good thing? Or would a transfer of "reputation" be a better idea? Example: suppose, and this is _very_ hypothetical, that the President of the U.S. has a PGP key. (We can dream, eh?) Would it be wiser to transfer that key from one President to the next, or have the President sign the President-elect's new key? (I'm stretching here - feel free to killfile me.) dave --- David Smith, Intellecutal Terrorist http://www.midwest.net/scribers/dsmith/ From kkirksey at appstate.campus.mci.net Fri Mar 22 09:26:52 1996 From: kkirksey at appstate.campus.mci.net (Ken Kirksey) Date: Sat, 23 Mar 1996 01:26:52 +0800 Subject: Mac Keystroke Capture Message-ID: I've always warned my network users and other clients against using software that "protects" you from data loss by capturing your keystrokes, e.g. NowSave, Last Resort, and Thunder 7's Ghostwriter feature. NowSave 6.0 adds a new wrinkle to the problem, as I discovered yesterday when I installed the Now Utilities 6.0 public beta. NowSave 6.0 has a new feature: when you re-start your machine after a system crash, NowSave automatically opens at startup a SimpleText file containing all the keystrokes it captured before the crash. My machine crashed yesterday during an internet session, and when it re-started I was greeted with a SimpleText window containing my internet account password, two CryptDisk passphrases, and my PGP passphrase. This is not a good thing. But it could be a good thing, IMHO. Most people install these programs without realizing exactly what they do. With this new version of Now Utilities, users are likely to be greeted with a screenful of information, as I was, that they would just as soon not have saved anywhere on their hard drive. This kind of incident would, hopefully, encourage them not to use key capture software. One can only hope... Ken = Ken Kirksey | If Pat Buchanan is elected President of the = = Mac Developer & | United States, at least the trains will run = = Resident Cypherpunk | run on time. = = kkirksey at appstate.campus.mci.net - Me = From jlowry at bbn.com Fri Mar 22 09:29:14 1996 From: jlowry at bbn.com (John Lowry) Date: Sat, 23 Mar 1996 01:29:14 +0800 Subject: ASN.1 Tools/Compilers Message-ID: <199603221451.JAA12020@dave.bbn.com> Not to toot my own horn, but take a look at http://ests.bbn.com for a free ASN.1 to C++ compiler that runs on solaris 1 and 2 and has been ported (with relatively little effort) to Windows. Free for non-commercial use. Commercial use terms have unrestricted rights for runtime. > From <@relay3.uu.net:owner-cypherpunks at toad.com> Fri Mar 22 06:36 EST 1996 > Mime-Version: 1.0 > Date: Fri, 22 Mar 1996 01:12:27 -0800 > To: cypherpunks at toad.com > From: tim at dierks.org (Tim Dierks) > Subject: Re: ASN.1 Tools/Compilers > Cc: frederick_zarndt at novell.com (Frederick Zarndt) > > At 10:29 AM 3/21/96, Frederick Zarndt wrote: > >Does anyone know of reliable ASN.1 tools/compilers suitable for use on a > >wide range > >platforms? > > > >I already know about the following tools/compilers, but I would appreciate > >comments > >anyone cares to make: > > > > ISODE (who to contact for the DE?) > > Snacc > > > >Thanks. > > > >Frederick Zarndt > >Senior Software Engineer > >Novell, Inc > >122 East 1700 South > >Provo UT 84606 > >USA > > > >Tel 801 429-3348 > >Fax. 801 429-3500 > > I've recently been looking into this as well. I haven't looked at ISODE > yet. Snacc looks reasonable, but can't handle big integers (> 2^32), which > may make it hard to use for certificates, due to embedded RSA keys; I > haven't yet checked to see what could be done about this. It's free; the > compiler is under the GNU license, but the runtime is redistributable > without fee or onerous restriction. > > I also spoke to a company in NJ, Open Systems Solutions (609.987.9073), but > their licensing terms were too expensive for my purposes. Their product > runs on a lot of platforms and sounds very complete, but requires a > licensed run-time environment. They currently support C and Pascal; C++ is > coming. Their development environment starts at $11,500. > > I'm also searching for an ASN.1 product. We can afford to pay for a > compiler, but we need unrestrained distribution of the runtime in source > form. Any information would be greatly appreciated. > > You may wish to examine the ASN.1 homepage @: > http://www.inria.fr/rodeo/personnel/hoschka/asn1.html > > Best, > - Tim > > Tim Dierks - Software Haruspex - tim at dierks.org > Hastening the heat-death of the universe since 1968. > > > From clewton at netcom.com Fri Mar 22 09:54:29 1996 From: clewton at netcom.com (Charles Lewton) Date: Sat, 23 Mar 1996 01:54:29 +0800 Subject: LET'S ROCK!!!! In-Reply-To: <199603221326.HAA22835@mtvernon1.accessus.net> Message-ID: On Fri, 22 Mar 1996, WThinker wrote: -snip- > I need some ideas to eather get through to her, > or really fuck up the mailing list. > > Any ideas? > > WThinker Sure, start your own list. Chuck (nonthinker) From perry at piermont.com Fri Mar 22 10:09:04 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 23 Mar 1996 02:09:04 +0800 Subject: (X:x)e$ 's other use In-Reply-To: <9603220839.AA14552@ns.htc.net> Message-ID: <199603221506.KAA23445@jekyll.piermont.com> I won't enumerate all the economic and technical errors in this message; they are numerous and this isn't the correct forum. It is my personal hope that free banking (that is, competitive currency issue by banks without regulation) will some day again be the rule as it once was, and that electronic mechanisms will be a portion of the way that currency works under a free banking system. However, that does not mean that fractional reserve banking (which isn't even what the Fed does), debt currency (all notes are debt currency), etc. are wrong, or that the Fed is a private organization. I'll happily discuss this in private mail if anyone wishes. Cryptographically secured electronic money does, of course, provide the promise to have banks, especially ones outside of the U.S. regulatory regime, issue their own money and have it freely circulate even in places like, say, China, or the U.S., where such money might not be technically legal. However, to do that, it will be necessary for some financial institution that people have substantial confidence in to fill this role. Money is partially about trust, and cryptography can only go so far in convincing people that their savings are secure. Even encrypted "open books" protocols like the ones Eric Hughes has proposed can only go so far in preventing systematic frauds. Perry Gary Lee Jeffers writes: > (X=:x)e$ 's other use. > > My dear fellow Cypherpunks, > > I believe that secret e$'s other use has been overlooked: That is, > e$ would be a sound money replacement for the corrupt currency that > every large state in the world currently pushes. Especially if e$ > can be redeemed in something of real value on demand. > > As some of us know, the U.S. Fed State's Federal Reserve Notes are > corrupt currency. The corruption is at 5 different levels: > > 1. They are DEBT currency - they are lent into existence and it is > mathematically impossible to pay off this debt. If you borrow $100, then > where do you get the interest - say 8% since all FRN's are borrowed into > existence?. This turns the great majority of Americans into victims. If > you want freedom for your citizens, you do NOT allow monopoly DEBT > currency. Note: bankruptcies & good counterfeiting are the only ways. > > 2. Fractional Reserve Banking. That means that the bank can lend out > several times the money that it actually has. I believe that that is currently 8 times but that is a rough estimation. > > 3. Fiat money. That means that FRN's are backed by nothing more than the > willingness of banks to redeem them with other FRN's. > > 4. Private banks with monopoloy privledges issue the currency. The > Federal Reserve is a private (non-U.S. State) institution with the mono- > poly on U.S. currency manufacture. The U.S. Treasury prints the currency > for the Federal Reserve. Other major states have similar arrangements. These > major banks are properly called Central Banks. To turn your currency > ownership over to a private Central Bank is monstrous! If the people > knew what was going on, the U.S. Federal State would be destroyed along > with the hidden ruling class. > > 5. The Legal Tender Laws. These laws force the acceptance of FRN's > in the U.S.. "This money good for all debts public and private". > > Note that the book DREAMS COME DUE made the distinction between money > and currency. The author used the word money for real money and the word > currency for false money. It may be the author's private distinction. > > I suggest that Iran did us a good turn in making and passing billions > of dollars worth of uncatchable hundred dollar bills: they allowed the > retirement of billions of dollars of debt for the American people without > forcing Americans into bankruptcy. In a debt currency economy, good count- > terfeiting is GOOD! It adds superior counterfeit to the mass of "legiti- > mate" counterfeit. kind of improves the pool :-) > > Secret e$ offers the possibility of ridding ourselves of the slavery > of private monopoly money issue. It would also give us a choice in what > currency that we would like to use. Another possibility is that due to its > high quality, it would be used during depressions and would possibly > even break depressions. Its extremely FLUID nature might also be a pro- > tection against depressions. It would be a TRUE MONEY and would give the > people the advantages of true money. Let me emphasize: we do not current- > ly have REAL money nor do the people of the other major States. We do not > know what real money is like. > > Another possibility exists with secret e$: that several different kinds > could exist. They would all be convertible into each other, of course. > Major differences?: Different redeemablity schemes, etc.. > > Secret e$ offers more that just the freedom of private transactions > (as great as that is). It also offers us the power and freedom of true > money! > > > > Central power is stolen freedom. > THE UNITED STATES "FEDERAL" GOVERNMENT HAS NO LEGITIMACY. > The United States "Federal" Government - We'll be even more American > without it. > > PUSH EM BACK! PUSH EM BACK! > WWWAAAYYYY BBBAAACCCCK! > BBBEEEAAATTTT STATE! > > Gary Jeffers >  > > From perry at piermont.com Fri Mar 22 10:18:23 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 23 Mar 1996 02:18:23 +0800 Subject: LET'S ROCK!!!! In-Reply-To: <199603221326.HAA22835@mtvernon1.accessus.net> Message-ID: <199603221537.KAA23507@jekyll.piermont.com> WThinker writes: > Ok, here is the situation. I have a person mad at me in one of my mailing > lists. Turns out, this person was the owner of the mailing list! Well now > I'm stuck, knocked out of the list. The owner can not see any of my mail, > no matter how hard I try. I need some ideas to eather get through to her, > or really fuck up the mailing list. > > Any ideas? 1) Learn to spell. 2) Figure out what the cypherpunks mailing list is for; you don't seem to know. 3) I will point out that deliberately trying to disable or sabotage a computer on the net is a federal crime, and that you are probably currently engaging in conspiracy to do so. .pm From jf_avon at citenet.net Fri Mar 22 10:27:55 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Sat, 23 Mar 1996 02:27:55 +0800 Subject: executable e-$ code for DOS Message-ID: <9603221544.AB04541@cti02.citenet.net> Hi. I would like to toy around with a e-cash program. I got Magic Money but it is only sources and I have no compiler. Is there a location I where I can get the executables for DOS? I want to do nothing serious with it, so the security aspect of pre-compiled code does not bother me too much. Thanks JFA Public Key at http://w3.citenet.net/users/jf_avon Jean-Francois Avon 2048 bits key ID:C58ADD0D 1996/03/01 fingerprint=52 96 45 E8 20 5A 8A 5E F8 7C C8 6F AE FE F8 91 From hfinney at shell.portal.com Fri Mar 22 11:56:16 1996 From: hfinney at shell.portal.com (Hal) Date: Sat, 23 Mar 1996 03:56:16 +0800 Subject: PGP key spoofing Message-ID: <199603221700.JAA23618@jobe.shell.portal.com> From: christopher at nescio.zerberus.de (Christopher Creutzig) > I think I have realized a serious flaw in PGPs key-handling. This may > lead to people using and signing bogus keys despite the usual security > measures. > > The problem is that PGP fails to differentiate between two keys sharing > the same 64-bit-Key-ID. It is not a real problem to generate a key with a > given key-ID (just take a prime, invert the desired key-ID modulo this > prime and look for another prime whose lower bits are the same as in the > number you just calculated), so the following attack would be possible: PGP checks specifically for the case of keys whose IDs match but the keys themselves differ. It has always been obvious that keys can easily be synthesized with given IDs. I added this warning in version 2.0 about four years ago, in the keyadd code: "\n\007Warning: Key ID %s matches key ID of key already on key ring '%s', but the keys themselves differ. This is highly suspicious. This key will not be added to ring. Acknowledge by pressing return: " > If the owner of the correct key does not give a fingerprint, but rather > a disk with the correct key to the person you are trying to fool, his or > her pgp won't ring alarm bells when reading the key (apart from possibly > a failed signature), but rather will tell him the key is already there. As you can see, it does in fact literally ring an alarm bell - the "\007" above is the ASCII bell character. Disclaimer: I have not worked on PGP since version 2.0 so possibly my code has been changed or eliminated, but I think that is unlikely. Hal Finney From ac at hawk.twinds.com Fri Mar 22 12:09:56 1996 From: ac at hawk.twinds.com (Arley Carter) Date: Sat, 23 Mar 1996 04:09:56 +0800 Subject: Microchip Technologies and Nanoteq Message-ID: Microchip Technologies, the "PIC" people, according to the grapevine is introducing smart card products apparently based upon Nanoteq's algorithm's. Microchip calls it "Keeloq Code Hopping". Bruce Schneier's short description of the Nanoteq algorithm (p 390 2nd edition Applied Crypto ) is not too favorable. I'm not sure how code hopping interacts or is used in the system. Can anybody shed further light on this subject and the viability of this cryptographic system? Regards: -arc Arley Carter Tradewinds Technologies, Inc. email: ac at hawk.twinds.com www: http://www.twinds.com "Trust me. This is a secure product. I'm from ." From EALLENSMITH at ocelot.Rutgers.EDU Fri Mar 22 12:10:08 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Sat, 23 Mar 1996 04:10:08 +0800 Subject: Medical Privacy List Message-ID: <01I2LZ863OJA8ZDWL7@mbcl.rutgers.edu> From: IN%"rre at weber.ucsd.edu" 14-MAR-1996 00:33:07.87 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help at weber.ucsd.edu =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Date: Wed, 13 Mar 1996 14:50:40 -0500 (EST) From: James Love Subject: Re: medical privacy list [...] the list is called med-privacy. Subscriptions are open, from listproc at essential.org. The one line subscription request is subscribe med-privacy yourfirstname yourlastname It is an unmoderated discussion about medical privacy legislation. Traffic is moderate. Archives at available at: http://www.essential.org/listproc/med-privacy/ best, jamie ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ James Love / love at tap.org / P.O. Box 19367, Washington, DC 20036 Voice: 202/387-8030; Fax 202/234-5176 Center for Study of Responsive Law Consumer Project on Technology; http://www.essential.org/cpt Taxpayer Assets Project; http://www.essential.org/tap ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From steve at aztech.net Fri Mar 22 12:20:05 1996 From: steve at aztech.net (Steve Gibbons) Date: Sat, 23 Mar 1996 04:20:05 +0800 Subject: [NOISE] Re: IPG message Message-ID: <0099FA44.AAEFE920.98@aztech.net> The exchange between IPG and CypherPunks sounds more and more like a Troll every time I see a new message on the subject. (My 'D'elete key is starting to wear out from over-use...) [ Yes, I realize that this post is just _more_ noise... ] -- Steve at AZTech.Net From jimbell at pacifier.com Fri Mar 22 12:20:23 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 23 Mar 1996 04:20:23 +0800 Subject: [NOISE] Re: Dorothy Denning attacks Leahy's crypto bill Message-ID: At 03:35 PM 3/20/96 -0500, Perry E. Metzger wrote: > >Alan Bostick writes: >> Declan McCullagh wrote: >> >> > I may have to adjust my position on Leahy's bill. Any legislation that >> > Dorothy Denning attacks so virulently must be worth passing. >> >> That could be exactly what They want you to think! > >Oh, God. This is really a bit too much, don't you think? > >I mean, its obvious that, whatever its flaws, passage of the Leahy >bill would be very bad for the export control droids. I disagree, strongly. "Export controls" are worthless against the major characters they CLAIM they are intended to be directed at: "Terrorists, drug dealers, pornographers, etc." They'll get good crypto regardless, either from foreign sources or "illegal" export that happens anyway. The main attraction of export controls (to the govt) is that if they had been played "well," the government might have been able to foist some sort of Clipper-system on us indirectly, by building up a domestic market for crypto that is designed to be incompatible with the rest of the world, because nobody would buy the exports anyway. It didn't work, of course, but the Feds are still flailing away, trying to control the situation. In addition, the government really has no choice but to relax export controls, because of industry pressure. The result, I think, is that the Leahy bill does little or nothing for us that wouldn't otherwise happen in the next year. If that's the case, we win nothing and we compromise away our rights. > Has it occurred to you that the whole thing might not be a conspiracy and that the >flaws in the bill might just be that -- flaws? >Perry This theory is easily testable. As I suggested a LONG time ago (gee, it must be at least a week now!) let's have a go at re-writing the bill to delete all the bad parts, modify it to be good, add appropriate extras to nail down everything, and present it to Leahy as the minimum acceptable bill. If those are just "flaws" then Leahy should have no trouble with any of this. If, on the other hand, it's all a fraud, we'll encounter fierce resistance. What do you think will happen? Jim Bell jimbell at pacifier.com From RUSSELLDH at aol.com Fri Mar 22 12:20:24 1996 From: RUSSELLDH at aol.com (RUSSELLDH at aol.com) Date: Sat, 23 Mar 1996 04:20:24 +0800 Subject: Two "libertarian" interviews... Message-ID: <960320222654_357360276@emout09.mail.aol.com> to:cypherpunks at toad.com re: Two "libertarian" interviews... Hi! Last month I interviewed Phil Zimmermann, the author of PGP (Pretty Good Privacy) and last summer, I interviewed Jim Warren about public access to government information (and vice-versa). I have transcribed both these interviews and found your name on the Web as someone who might be interested in these two items. The Zimmermann interview is at: http://www.animatedsoftware.com/hightech/philspgp.htm and the Jim Warren interview is at: http://www.animatedsoftware.com/hightech/jimwarre.htm I hope you will find these interviews interesting and will want to link to them. Thank you in advance for your consideration. Russell Hoffman Host, High Tech Today From whitfield.diffie at Eng.Sun.COM Fri Mar 22 13:34:17 1996 From: whitfield.diffie at Eng.Sun.COM (whitfield.diffie at Eng.Sun.COM) Date: Sat, 23 Mar 1996 05:34:17 +0800 Subject: Thanks for the keys Message-ID: <9603221753.AA18913@ushabti.eng.sun.com> I would like to thank the gentleman, who identified himself only as a cypherpunk, who fetched my keys out of the door of my wife's car (I frequently leave keys sticking in the doors of cars), knocked on the window, and handed them to me. To those who have seen the Equinox TV piece on cryptography, I will remark that it was the same set of keys and the same car that appeared on that show. Whit From jimbell at pacifier.com Fri Mar 22 13:34:26 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 23 Mar 1996 05:34:26 +0800 Subject: Ecash API about to be released Message-ID: At 10:32 PM 3/21/96 -0800, Lucky Green wrote: >With the Ecash API due to be released within a matter of days, I would >welcome anyone on this list interested in building applications on top of >such an API to contact me. The API will determine the calls to a libecash >that DigiCash will provide. For obvious reasons, I am interested in ecash with full payee, as well as payer, anonymity. Last I heard, Digicash didn't provide this. Any updates? From mpd at netcom.com Fri Mar 22 14:08:08 1996 From: mpd at netcom.com (Mike Duvos) Date: Sat, 23 Mar 1996 06:08:08 +0800 Subject: executable e-$ code for DOS In-Reply-To: <9603221544.AB04541@cti02.citenet.net> Message-ID: <199603221839.KAA29330@netcom3.netcom.com> jf_avon at citenet.net (Jean-Francois Avon) writes: > I would like to toy around with a e-cash program. I got > Magic Money but it is only sources and I have no compiler. > Is there a location I where I can get the executables for > DOS? > I want to do nothing serious with it, so the security > aspect of pre-compiled code does not bother me too much. I compiled Magic Money and ran a bank through my Netcom account when the software first came out. The coins were called "Tacky Tokens" and had no monetary value. The compiled DOS binaries for the client and server are still sitting in my FTP dir if anyone wants to grab them. Please don't expect me to process any new transactions for "Tacky Tokens", but feel free to grab the software and play with it all you want. ftp:/ftp.netcom.com/pub/mp/mpd/mgmnyexe.zip -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From jis at mit.edu Fri Mar 22 14:55:35 1996 From: jis at mit.edu (Jeffrey I. Schiller) Date: Sat, 23 Mar 1996 06:55:35 +0800 Subject: New Beta Test of PGPfone available WINDOWS '95 Included! Message-ID: <9603220251.AA29117@big-screw> (A copy of this message has also been posted to the following newsgroups: alt.security.pgp, sci.crypt) -----BEGIN PGP SIGNED MESSAGE----- We have finally released a Windows '95 version of PGPfone. This release includes PGPfone for Macintosh version 1.0b6 and PGPfone for Windows '95 version 1.0b1. Note: The Macintosh version does not talk to earlier versions. However the Macintosh and Windows version talk to each other! Connections can be either via modem or the Internet. Note: This code is beta test code. Future changes may continue to be incompatible with these versions. Also Note: We are now only distribution PGPfone via the World Wide Web, we have shutdown the PGPfone FTP site. To get PGPfone over the Web, go to the PGPfone home page at: http://web.mit.edu/network/pgpfone WE CAN ONLY DISTRIBUTE PGPFONE TO U.S. PERSONS AND CANADIAN CITIZENS. -Jeff -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMVIVssUtR20Nv5BtAQHMLAQAnP6vw+vSwqtvY20T9wjEbSn8jafaUjc2 NPJThVLs9YL0GfuOb0LICJk4I+1W51cJG5CU7McC2gxFSm9DqBmqaemcPUrepY+8 x9WAIUnRI0zhInwOSk7XeRNZLuosve/qruj/OVkttSg4sGo39ZOM43iihSIcwvT/ AeyHbZEKT44= =XqHc -----END PGP SIGNATURE----- From tcmay at got.net Fri Mar 22 14:56:57 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 23 Mar 1996 06:56:57 +0800 Subject: Tim's friend's mildly retarded son Message-ID: At 11:17 PM 3/21/96, E. ALLEN SMITH wrote: > This topic's relevance to Cypherpunks, aside from the confirmations >that you mentioned, is low... aside from that it's of interest to Extropians >such as myself and Tim May. In recent months, a self-appointed group of list members have taken upon themselves to argue that _anything_ that does not have to do with certain topics they find appropriate is "not related to crypto, so take it elsewhere." Regrettably, most reasonable people have grown quiet about anything that smacks of politics or ideology, leaving the field clear for certain ranting lunatics. While I agree that the Cypherpunks list is not a libertarian or socialist theory discussion area, the fact is that crypto is tied intimately to incredibly important policy and jurisprudential areas. The early meetings were not held, and the list was not formed, solely to debate the merits of 3DES vs. IDEA or other crypto arcania, for which sci.crypt and sci.crypt.research already existed. The link between the FDA and crypto is not as much of a reach as some might think. When a government passes what are the equivalent of "dietary laws" (what one may eat, drink, etc.), even if based on supposed studies, this is a major limit on personal freedom. Would members of this list support an FDA-like organization passing judgement on which algorithms are considered "safe and effective" (and by whose standards?)? I mentioned my friend's detour to Mexico to obtain medicine for his son in passing, not to distract the list. I feel, however, that anyone who argues that a group of bureacrats and lawyers in Washington, D.C. have the "right" to send someone to jail for eating something they have decided is evil should reconsider their committment to this position. I have no problem with people deciding that certain foods or herbs or medicines are not to their liking, or are "snake oil," but I have a real problem with them raiding the houses of those who think differently and seizing their property, sending them to prison, etc. Think of the parallels to crypto. Believe me, I don't even want the bozos at IPG to be enjoined from selling their snake oil. Suckers are born every minute, as IPG knows, and I have to think of it as evolution in action. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From raph at cs.berkeley.edu Fri Mar 22 14:58:12 1996 From: raph at cs.berkeley.edu (Raph Levien) Date: Sat, 23 Mar 1996 06:58:12 +0800 Subject: Free speech debate on MSN Encarta Message-ID: <31521BDF.49EEA1D4@cs.berkeley.edu> First, a heads-up on the free speech debate on MSN Encarta this month. I found out about it because it was featured (sans URL, of course) on the NBC Nightly News. Here's the URL they missed: http://www.msn.com/encarta/otr/mar/otthis.htm One of the major axes of debate is whether programs like SurfWatch are sufficient to keep pornography out of the hands of children. One concern that was raised more than once is that children tend to be more technically sophisticated ("computer-literate") than parents. I think there is a point there. My dad just got Internet access this afternoon. Basically, all he needed was to install a PPP dialer and Netscape on his Mac, but it was a bit too much for him, so he had a friend come over and help him out. I had tried to guide him over the phone, but that just didn't work out (among other things, Netscape really needs to change their "DNS failure on the following hosts" error message to "you don't have a connection to the Internet, dummy"). Adding SurfWatch or something similar might not have been possible at all. So here's a random idea: have an ISP that essentially firewalls the Internet connection to the house, so that it is very difficult to get unwanted stuff over the wire at all. The ISP can maintain and update the latest high-tech tools, including filtering by URL, filtering by keyword, and other stuff like detecting proxies. While they're at it, they can filter out junk email. Just a random thought. Raph (whose son, Alan Mathison, was born Sunday morning at 5:01 am) From cp at proust.suba.com Fri Mar 22 14:58:29 1996 From: cp at proust.suba.com (Alex Strasheim) Date: Sat, 23 Mar 1996 06:58:29 +0800 Subject: [NOISE] Re: Dorothy Denning attacks Leahy's crypto bill In-Reply-To: Message-ID: <199603220237.UAA01376@proust.suba.com> > It's even deeper than this really. Opponents of the bill say it says X. > Supporters of the bill say it says Y. The bill actually sounds more like > X than Y. There is very little incentive to make the bill anything like > Y. The bill could probably be a straight forward X and still pass. This will probably be unpopular, but: There has been a defacto toleration of some cheap arguments in many online forums dedicated to crypto discussions, including this one. People who agree with us are brave freedom fighters, and our enemies are evil people who want to take everyone's freedoms away. There are honest, intelligent, and well informed people on both sides of the Leahy bill here on this list. We are appalled, rightfully so, when Schneier, Blaze, et al are smeared by anonymous posts dencouncing their characters and calling for mailbombings. But we shouldn't be surprised -- those tactics have been used repeatedly during the larger crypto debate. Remember when Bizdos was the anti-christ? I think we'd all be better off if people like Denning felt that they could come online and mix it up with the rest of us without worrying about being shouted down or harassed. I remember when she used to answer questions on sci.crypt with some regularlity. Say what you want about her politics, she wrote a good crypto textbook and she's good at teaching. There'd be more people who know their crypto if she was still hanging around. Arguing exclusively against straw men isn't good for us. It lets us slide by with weaker arguments than good opponents would coax from us, and it hurts our ability to repsond effectively to their arguments. Crypto technology is going to effect society in lots of ways, some blunt and others subtle. It's complicated stuff, and intelligent people can disagree without being evil or in cahoots with the forces of tyranny. There's a line from an old Neil Young song -- even Richard Nixon has got soul. Well, so does Dorothy Denning, and so do the people at the NSA, and the management at AT&T. Those who would restrict crypto are wrong, and if they prevail in the debate they will do a lot of damage, and yes, they will end up depriving us of a big part of our liberty. But to them *we* are doing a lot of damage -- we're creating a dangerous and lawless world where personal safety will be nothing but a dim memory. Who's right? How can you tell? With an open and honest debate between their best people and ours. I am absolutely certain that we would prevail in such a debate. But we can't get together to stage such a thing -- here on our home turf they're not welcome, and we're certainly not welcome at the security briefings, or whatever it is they call it when the feds lobby lawmakers about crypto issues. I do not mean to imply that any of the leading figures here on cypherpunks stoop to character assination and harassment. But there has been what seems to me to be an effort to romanticize the issue, create a sort of counter-culture fervor. There is a tendency to shout and protest rather than to argue and persuade. Unthinking intolerance of dissent is common among a lot of the transient people on the list, as is a bias against people affiliated with large companies. All I'm suggesting is that the next time somone get creamed for saying something unpopular, that maybe we should defend their right to say it, as long as they say it well and honestly. From owner-cypherpunks at toad.com Fri Mar 22 15:11:18 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Sat, 23 Mar 1996 07:11:18 +0800 Subject: No Subject Message-ID: At 1:24 AM 03/20/96, IPG Sales wrote: >Perhaps a battle has been lost, maybe even probably? But the war is not >over, not by a long shot - with minor modifications this system is >absolutely secure as events will prove. However, be assured that we >will not sell our product to anyone until that can be definitively >established. We greatly appreciate the contribution of some of those on You used to claim "our system is absolutely safe, we're sure of it, but we can't tell you the algorithm cause it's secret." People said that was stupid, so you finally agreed to show people the algorithm (apparently sending it to them unsolicited, and then expecting them to be bound to some sort of non-disclosure agreement? You might want to hire a lawyer to familiarize you with how trade secrets work legally, cause they don't work like you think they work). The people you showed the algorithm to pointed out flaws in it. Now you say "Yeah, okay so there were flaws, but we'll fix them and then it will be perfect, except you can't see the code or algorithm cause it's secret." Sounds like we're back where we started, eh? No one was willing to trust the algorithm before without it being reviewed publically. No one will be willing to trust it now either, _especially_ after the previous concerns that the algorithm wasn't secure were _confirmed_. The cypherpunks list doesn't have to provide free cryptanalysis to you. I doubt anyone will want to waste their time looking at future iterations of your algorithm, if you deign to show it to them. The fact that people on the cypherpunks list don't want to waste their time doing free cryptanalysis for you doesn't mean that your code is secure, or endorsed by anyone. It means that even those who may have thought it possible that your algorithm was secure after all have given up on that thought, or at least decided that it's unlikely enough not to be worth much further consideration, at least until you start behaving reasonably. From tbyfield at panix.com Fri Mar 22 15:28:25 1996 From: tbyfield at panix.com (t byfield) Date: Sat, 23 Mar 1996 07:28:25 +0800 Subject: [NOISE] Re: Ecash API about to be released Message-ID: 9:34 AM 3/22/96, jim bell: > For obvious reasons, I am interested in ecash with full payee, as well as > payer, anonymity. Last I heard, Digicash didn't provide this. Any updates? Finally setting up shop, eh? I can see your shingle already: ------------------------------------ | | | JIM "Yeah, THOSE Daltons" BELL | | | | Anonymous Assassination Broker | | | | "redefining | | random violence | | since 1996" | ------------------------------------ From tighe at spectrum.titan.com Fri Mar 22 15:36:16 1996 From: tighe at spectrum.titan.com (Mike Tighe) Date: Sat, 23 Mar 1996 07:36:16 +0800 Subject: NT's C2 rating Message-ID: <1.5.4b11.32.19960322131321.006d1880@softserv.spectrum.titan.com> >> Basically, I'm now questioning the C2 rating of Windows NT. The >> entire security layer is modular to the Kernel. As a modular >> driver, it can be removed, rewritten, and replaced. Has the product actually been evaluated and put on the EPL? Or is Microsoft just claiming it meets the C2 requirements? Mike Tighe tighe at spectrum.titan.com http://www.tcst.com/~tighe/ From tighe at spectrum.titan.com Fri Mar 22 15:43:13 1996 From: tighe at spectrum.titan.com (Mike Tighe) Date: Sat, 23 Mar 1996 07:43:13 +0800 Subject: NT's C2 rating Message-ID: <1.5.4b11.32.19960322131211.006d298c@softserv.spectrum.titan.com> >At 10:21 AM 3/21/96 -0800, David Loysen wrote: >>>The fine print says its insecure as soon as its connected to a network. >>Ain't nothing fine about that print. An operating system or piece of >>hardware may be C2 certifiable. But only a complete system in a specific >>configuration can be certified as C2 compliant. The way I read the orange >>book, no system with a network connection can ever be C2. To address that problem, they wrote the Trusted Network Interpretation a few years after the Orange Book Mike Tighe tighe at spectrum.titan.com http://www.tcst.com/~tighe/ From iang at cs.berkeley.edu Fri Mar 22 16:00:35 1996 From: iang at cs.berkeley.edu (Ian Goldberg) Date: Sat, 23 Mar 1996 08:00:35 +0800 Subject: Ecash API about to be released In-Reply-To: Message-ID: <31530BB5.61952101@cs.berkeley.edu> Lucky Green wrote: > > With the Ecash API due to be released within a matter of days, I would > welcome anyone on this list interested in building applications on top of > such an API to contact me. The API will determine the calls to a libecash > that DigiCash will provide. > > Try to send emails that contain "I would like to code..." and please don't > send the ones that contain "it would be nice if someone coded..." > By this, do you mean that just the API will be released (which we had pretty much finalized in mid-January), or actual code to go with it? They've had far too much time to add wrappers to their existing ecash client to turn it into a library. I hope that (very soon) we see a properly-implemented libecash; however, that's unlikely, since no one has discussed a low-level API yet... - Ian "I'll write it, if someone can get around these **** INS problems..." From wlkngowl at unix.asb.com Fri Mar 22 18:39:28 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Sat, 23 Mar 1996 10:39:28 +0800 Subject: protection on IoMega ZIP drives In-Reply-To: <2.2.32.19960322120637.006acd68@mail.acquion.com> Message-ID: <31533A8F.3A9E@unix.asb.com> For the PC you might be able to hack SecureDrive to handle SyQuest and ZIP drives. I recall R.Brown's interrupt lists showed that the drivers set up different subfunctions for Int 13h (low-level disk ops). It's only speculation though. Has anyone done this? From WlkngOwl at unix.asb.com Fri Mar 22 19:07:58 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Sat, 23 Mar 1996 11:07:58 +0800 Subject: Maybe not (was "PC: Using BIOS Wait function as a source of entr Message-ID: <199603220446.XAA21329@unix.asb.com> I did some more tests with the variation when sampling the timer before and after a call to the BIOS Wait function on my PC. Set the delay to 977ms, which is allegedly the counter's resolution and collected samples at even intervals (various ones) and found recurring patterms. For instance, sampling every timer tick (about 55ms) produced a repeating pattern where every 16th sample had a delta well over 1200 while all the others were under 900, usually under 800. Every so often the 16th sample delta was very low instead (between 400 and 600). Plotting the samples in a noise sphere showed very definite streaks with a few spots in isolated areas. So this is NOT a good method to use after all. I'm still curious as to what causes the variation. Maybe has to do with the CPU cache or port interfaces with the CMOS timer? Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From ichudov at algebra.com Fri Mar 22 21:42:13 1996 From: ichudov at algebra.com (Igor Chudov @ home) Date: Sat, 23 Mar 1996 13:42:13 +0800 Subject: Please criticize PGP-based robomoderator Message-ID: <199603230338.VAA10601@manifold.algebra.com> -----BEGIN PGP SIGNED MESSAGE----- Date: Fri Mar 22 21:25:47 CST 1996 To: cypherpunks at toad.com Subject: Please criticize PGP-based robomoderator Hello, Today UVV's announced that a new group, soc.culture.russian.moderated, was voted into existence. If all goes well, it should be newgrouped soon. For this group, I wrote a robomoderator program that does the following: 1) Enforces posting style required by the charter 2) Checks PGP signatures on incoming messages and prevents some types of forgeries 3) Implement secure (PGP-based) exchange between robomoderator program and human moderators, for messages requiring their approval 4) Black lists, white lists, and lists of suspicious words (Cypherpunks may imagine that ``medusa'' would be a suspicious word for this list) 5) Signs (with Greg Rose's PMApp) approved articles to prevent posting articles with forged approval 6) supports appeals, moderators' mailing list, and more. A specification for the robomoderator is on my home page at http://www.algebra.com/~ichudov/usenet/scrm/robomod/robomod.html and your criticisms and suggestions are more than welcome. For security reasons, we cannot post the code yet. We'll do it after I systematically proofread it to make sure that it is secure. Robomoderator is written in perl and sh, with some C code. It is working, but there are sopme minor things to do (they are listed in the TODO list on my WWW Page). Thanks to Dr. Dimitri Vulis for several good suggestions that I implemented. - Igor. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMVNx8sJFmFyXKPzRAQEgVwP+Il58rOpbWtlC0MW4tPrYEnuF9JC5OJET VhaWud9lYzMDo9sdiBBmmgPqs5n3/lPpvxuNX4oCNbooP/U7SE8iqqOlcEdRDI3d KCSS8jol+T+VQGyVg8GkNrjSzSrfBrnka/CYMCXzKPGCFKcj5QiO1ufuBlhcxNsa glTt8xf5BrY= =xUgQ -----END PGP SIGNATURE----- From unicorn at schloss.li Fri Mar 22 22:17:37 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 23 Mar 1996 14:17:37 +0800 Subject: Conference of Interest Message-ID: Interested Cypherpunks might wish to review the following: The U.S. Russia Business Council presents its Fourth Annual U.S.-Russian Trade and Investment Forecast '96 While at first glance not crypto related, in past this conference has brought together a fascinating combination of spooks, private sector types, TLA's and academics. The amount of access to otherwise secretive and shadowy officials and "big name" types is significant. I have found in past that everyone at the conference is fairly approachable. The networking and back room, off topic discussions are so numerous that in some ways the title of the conference is a misnomer. Though the fees are hefty, I encourage c'punks who will be in the area to consider attending. Additional information is available at (202) 739-9180. The U.S. Russia Business Council presents its Fourth Annual U.S.-Russian Trade and Investment Forecast '96 on Monday, April 1, 1996 at The Four Seasons Hotel Corcoran Ballroom 2800 Pennsylvania Avenue, NW Washington, DC 20006 Preliminary Agenda 8:00-9:00 am Registration 9:00-9:15 am Welcoming Remarks - Eugene K. Lawson, President, U.S.-Russia Business Council Introductory Remarks - Ambassador Robert S. Strauss Chairman, U.S.-Russia Business Council 9:15-9:45 am The Honorable Anthony Lake Assistant to the President for National Security Affairs 9:45-10:15 am H.E. Yuli Vorontsov Ambassador of the Russian Federation 10:15-10:30 am Break 10:30-11:00 am The Honorable Jan Kalicki Counselor to the Department of Commerce and U.S. Ombudsman for Energy and Commercial Affairs to the NIS 11:00-11:30 am Eugene K. Lawson - Financing Update 1996 11:30-12:00 am The Honorable John M. Deutch Director of Central Intelligence 12:00-12:30 pm Reception 12:30-2:00 pm Luncheon Luncheon Speaker - The Honorable Michel Camdessus Managing Director of the International Monetary Fund 2:00-2:30 pm The Honorable Lawrence H. Summers Deputy Secretary of the Treasury 2:30-3:30 pm Panel Discussion - "View from the Trenches" 3:30-5:00 pm Panel Discussion - "Russian Presidental Election and Beyond" 5:00-6:00 pm Cocktail Reception --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From alano at teleport.com Fri Mar 22 22:20:52 1996 From: alano at teleport.com (Alan Olsen) Date: Sat, 23 Mar 1996 14:20:52 +0800 Subject: Digital Signature Inititiative Message-ID: <2.2.32.19960323011508.0092e328@mail.teleport.com> I am glad to see this clarification on the signature policy. (Sorry for the paranoia, but I have reasons to be wary of plans made in Redmond...) The article that I quoted in the first post was quite misleading as to a number of points. (Which is why I should not believe things written in one page articles, but that is another point...) With the author's credentials, I would have expected a wee bit more accuracy (or clarity). I do have a number of comments on what you posted, however... At 04:04 PM 3/22/96 -0800, Stuart Theodore wrote: >Good afternoon, > >I am the program manager at Microsoft responsible for putting the >digital signature program in place. I am sending this mail in response >to a recent mail string sent to these aliases appearing at the bottom. > >To summarize some important points of the program: > >* The program creates a certificate authority infrastructure which >consists of thrid party non-software affiliated companies such as >VeriSign and GTE who will act to grant certificates to allow code to be >signed. The policies defining who can be a certificate authority and >what it means to be a trusted software publisher will be a matter of >public policy(standard). The point being that Microsoft does NOT >control who can/cannot sign code. This is a good thing. (This was clarified after I posted by a developer who had returned from an MS developers conference on Internet Apps.) It is also nice to see that there will be more than one option of signing services. Hopefully the policies will not be such as to shut out the small, independant web designers/developers. >* This approach solves the problem of identity and integrity, and is >viewed by MS as complementary to the sandboxing approach used by Java >scripting, which we view to be incomplete and unsatisfactory by itself. >We believe that Java needs to sign platform dependent Java classes in >addition to their sandboxing scheme. Actually it protects against mallicious code (for the most part), but not against badly designed code. I can see where improperly tested and designed code could cause problems on host machines. I have not seen anything that makes OLE code more secure (or more stable) in the real world environment. (Just lots of paperwork being signed that says "We will not use these powers for Evil".) With Java, there has been alot of work to make the language less subject to abuse. I have not seen anything in that regards involving OLE. >* The W3C is creating a working group in this area to develop standards >around the policies mentioned in the first point, and the formats of the >certificate and signature formats. Microsoft is committed to making >this a open, industry, x-platform standard... This is a good thing. And I hope that they release them to the rest of the world before implementing them and releasing in a bunch of MS products. (This is one of my big beefs with Microsoft. I have seen a number of cases where APIs are released to developers MONTHS after they appear in Microsoft products. Not cool.) >* regarding the mac question - there already is a version of Internet >Explorer for the Macintosh, available for download at >www.microsoft.com/ie. Microsoft is has already announced its committment >to building cross-platform internet products. I am glad to hear it. Before this thread i had not heard of a Mac version. (Maybe it is becuase my friends who use the Mac have dropped using any Microsoft products. Come to think of it, it was because of how Word for the Mac implemented OLE... (Among other things.)) >I would be happy to answer more questions you may have about this >program, inluding proving more information. The part that interests me about the signing of executables is not for distribution over the web. (I beleive that OLE is not abuse proof enough for that yet.) What I would like to see is an API (or internal routines) to allow the app to check the signature opon loading and perform checks to detect tampering within the executable. This I see as a very useful thing, mpore so than the web applications. Is such a thing planned? Also, is there a web page that has additional information/plans about this API? --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From nobody at REPLAY.COM Fri Mar 22 23:21:54 1996 From: nobody at REPLAY.COM (Anonymous) Date: Sat, 23 Mar 1996 15:21:54 +0800 Subject: No Subject Message-ID: <199603230455.FAA13248@utopia.hacktic.nl> So what? I've gone years without filing a damned tax return because I don't owe anything. And the couple of times I realized they owed me something I filed tax returns a year or two late. They don't give a shit unless they think you owe them money (or technically, if you actually do even if they don't know it). CP-Lite warning: no crypto. CDA Warning: Fuck you too. gjeffers at ns.htc.net (Gary Lee Jeffers) scritten: >From STRATEGIC INVESTMENT March 20, 1996 ... > Is the IRS a paper tiger? ... > As the IRS teeters on the brink, a fellow named Eddie Kahn has stepped >forward and may be about to push the whole creaking mess over the edge. >He hasn't got an arrow in his back yet, so he might just succeed. Dis- >dainful of "tax protests" such as 5th Amendment or legal tender arguments >that quickly get their advocates behind bars, Eddie looked into the stru- >ture of federal law. When Congress passes a law, codified as a statute, >it then delegates to a regulatory agency the authority to issue the im- >plementing regulations specifiying to whom and under what circumstances >the statute applies. These regulations must, by law, be published in the >Federal Register. Lacking these implementing regulations, the law cannot >be applied and has no force. Well, it turns out that the implementing re- >gulations for IRS' enforcement statutes-things like the requirement to >file a tax return and the authority to place a lien-cannot be found in >the Federal Register. When queried on this, the General Counsel for the >Office of the Federal Register, Michael White, replied in writing, "Our >records indicate that the Internal Revenue Service has not incorporated >by reference in the Federal Register a requirement to make an income tax >return." From jimbell at pacifier.com Fri Mar 22 23:22:07 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 23 Mar 1996 15:22:07 +0800 Subject: [NOISE] Re: Ecash API about to be released Message-ID: At 02:49 PM 3/22/96 -0500, t byfield wrote: >9:34 AM 3/22/96, jim bell: > >> For obvious reasons, I am interested in ecash with full payee, as well as >> payer, anonymity. Last I heard, Digicash didn't provide this. Any updates? > > Finally setting up shop, eh? No, just keeping the pot boiling. > I can see your shingle already: > > ------------------------------------ > | | > | JIM "Yeah, THOSE Daltons" BELL | > | | > | Anonymous Assassination Broker | > | | > | "redefining | > | random violence | > | since 1996" | > ------------------------------------ One reason I can say with a good degree of confidence that I've already won the debate is that my opponents are stuck with fielding silly "feel-good" one-liners such as the one you've crafted above. Nothing I've said indicates that I'm in favor of "random violence": the kind I would _enthusiastically_ facilitate is a highly-directed form of violence, in the direction of people who have historically maintained a high degree of implied and potential violence in this society for decades. That's right, government employees. You know, the ones who can attack you (as they did Rodney King), illegally search your house (as they did OJ Simpson), shoot up and eventually burn your residence (a la Waco) and kill innocent people in a standoff (Ruby Ridge.) Oh, yes, I can't forget Donald Scott's fate, to be killed in a hail of police bullets fired during a search obtained with perjured testimony. Not to mention the collection of well over a trillion dollars in individual and corporate income taxes, none of which could be collected without the ultimate threat of violence against those who resist. Naturally, the closet (and not-so-closet) statists see nothing wrong with this kind of government-authorized violence, and therefore they would object to any attempt to prevent it as I am doing. The only way you will ever be able to effectively challenge my opinions is if you're forced to deal with reality: This society is already saturated with violence and the threat of violence, and the only way to stop it is to disable those who maintain that violence. The best way is to force them to resign, or eliminate them if they do not. Care to try again with a more credible argument? Jim Bell jimbell at pacifier.com From jpb at miamisci.org Fri Mar 22 23:27:50 1996 From: jpb at miamisci.org (Joe Block) Date: Sat, 23 Mar 1996 15:27:50 +0800 Subject: Free speech debate on MSN Encarta Message-ID: At 10:17 PM 3/21/96, Raph Levien wrote: >So here's a random idea: have an ISP that essentially firewalls the >Internet connection to the house, so that it is very difficult to get >unwanted stuff over the wire at all. The ISP can maintain and update the >latest high-tech tools, including filtering by URL, filtering by >keyword, and other stuff like detecting proxies. While they're at it, >they can filter out junk email. This is easily done from a technical standpoint. There is a set of patches for the CERN server that lets you have it automatically delete advertisments from certain prominent sites (used to be called NoShit, I heard they changed the name) when you're running in proxy mode. You can even have it change profanity into "EXON EXON" on the fly. Running something like this is probably a good thing for the ISP as running a cache will allow them to get more mileage out of their net connection. However, I don't think it likely that many ISPs will go this route from a liability point of view - if some parent is paying them to filter out smut, and little Zippy finds a brand new x-rated site, chances are some irate parent will sue them. With the proliferation of new pages, it is impossible for anyone to keep up, unless the authors voluntarily include some smutscan codes in their pages. >Raph (whose son, Alan Mathison, was born Sunday morning at 5:01 am) Congrats. Joseph Block "We can't be so fixated on our desire to preserve the rights of ordinary Americans ..." -- Bill Clinton (USA TODAY, 11 March 1993, page 2A) PGP 2048bit-Fingerprint: F8 A2 A5 15 56 42 9B 16 3F BD 57 0F 8A ED E3 21 No man's life, liberty or property are safe while the legislature is in session. From jpb at miamisci.org Fri Mar 22 23:36:13 1996 From: jpb at miamisci.org (Joe Block) Date: Sat, 23 Mar 1996 15:36:13 +0800 Subject: protection on IoMega ZIP drives Message-ID: re: >This is in regard to the now popular ZIP disks, the removable 100MB >cartridge for PC's/MAC's. > >Anyone have any idea how secure the ZIP disk is once it is "protected?" I >know that the disk will refuse to be mounted without the passkey, but what >is really happening here? In my experience (on a Mac) the Zip doesn't get any slower once protected so I expect it is probably some mickeymouse bit that gets set somewhere, and the Iomega driver simply refuses to mount the disk. I don't think Linux would even blink before mounting the purportedly "protected" volume. If you're concerned about securing your carts, I recommend creating a CryptDisk file on the Mac disk. I don't use DOS/Windows, so I can't suggest anything for that, but I'm sure someone else on the list will jump in. Matt Blaze recently posted an announcement of a new release of his secure filesystem for unix to the list, which I believe also runs under Linux. Joseph Block "We can't be so fixated on our desire to preserve the rights of ordinary Americans ..." -- Bill Clinton (USA TODAY, 11 March 1993, page 2A) PGP 2048bit-Fingerprint: F8 A2 A5 15 56 42 9B 16 3F BD 57 0F 8A ED E3 21 No man's life, liberty or property are safe while the legislature is in session. From jpb at miamisci.org Fri Mar 22 23:39:24 1996 From: jpb at miamisci.org (Joe Block) Date: Sat, 23 Mar 1996 15:39:24 +0800 Subject: LET'S ROCK!!!! Message-ID: At 8:26 AM 3/22/96, WThinker wrote: >Ok, here is the situation. I have a person mad at me in one of my mailing >lists. Turns out, this person was the owner of the mailing list! Well now >I'm stuck, knocked out of the list. The owner can not see any of my mail, >no matter how hard I try. I need some ideas to eather get through to her, >or really fuck up the mailing list. > >Any ideas? Learn to spell, write a really poignant suicide note, and then cut off your head with a chainsaw. That'll make her sorry. Joseph Block "We can't be so fixated on our desire to preserve the rights of ordinary Americans ..." -- Bill Clinton (USA TODAY, 11 March 1993, page 2A) PGP 2048bit-Fingerprint: F8 A2 A5 15 56 42 9B 16 3F BD 57 0F 8A ED E3 21 No man's life, liberty or property are safe while the legislature is in session. From JonWienke at aol.com Sat Mar 23 00:04:33 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Sat, 23 Mar 1996 16:04:33 +0800 Subject: New Encryption Software-Encrypt Image & Text Files (fwd) Message-ID: <960322224449_253590813@mail06> Has anyone suggested that these folks at Antelope do a merger with IPG? Inquiries can be forwarded to matchmakers at snake-oil.org... Jonathan From tcmay at got.net Sat Mar 23 00:06:59 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 23 Mar 1996 16:06:59 +0800 Subject: Excluding articles from DejaNews Message-ID: At 4:38 AM 3/23/96, Rich Graves wrote: >I just noticed this in their FAQ, dated February 20th: > > Q: I don't want my Usenet articles to appear in Deja News. What do I do? > A: We have implemented a feature whereby if your article contains an > X-Header looking like > > X-No-Archive: Yes > > your article will be excluded from our database forever. > >Anyone know if other search engines support this? I think such a standard >would be a Good Thing. Of course there will be the odd private archive, >and of course some nastyfolks might grep Usenet just for X-No-Archive >headers, but this is a good step for casual alt.support - type privacy. Even facetiously, count me as one of the "nastyfolks." If someone has made comments to the entire Usenet, any search engine which purports to index articles on the Usenet and does not index _all_ articles is misleading its customers. (Being a market sort of person, I'll let market forces work. I don't user DejaNews at this time, and now don't expect to. My preferred search engine, Alta Vista, catches even posts marked "X-No-Archive: Yes", which I count as A Good Thing.) I don't think the security-through-obscurity approach is a good thing. It is the security that ostriches have. If folks don't want their words haunting them, they should either say nothing or use anonymizing services. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From sonicpty at sirius.com Sat Mar 23 00:07:27 1996 From: sonicpty at sirius.com (Sonic Purity) Date: Sat, 23 Mar 1996 16:07:27 +0800 Subject: CD-reading for random keys In-Reply-To: <4i5gtu$99i@news2.realtime.net> Message-ID: In article <4i91h4$lp5 at nero.omega.co.nz>, bruce at omega.co.nz wrote: >>Doe anyone know where sample code exists to enable one to read the digital >>stream from an audio CD? >>crypto system. You merely start reading at a specific spot, tossing away >>bytes using a reproducable random number generator, then permuting >>those to form a XOR one time key of any length you want. > >The "entropy" or randomness of audio data is LOW. That's why audio compresses >so well. However, the idea of keeping a one-time key on CD-ROM is good. CD-ROM--good. CD-Audio--weeeelll...could be trouble. Keep in mind Red Book audio does not require 100% error correction, so it would be pretty likely the keys would not match given the tiniest data hiccup. A data mode should work (i'd think). Then you can send up to 600M of totally secure data before you >dispose of the disks (Microwave oven is fun :) and write a new pair. 3-4 sec. on High; no more, no less. Remove the oven bulb beforehand for best viewing:) ))Sonic(( over 1192 CD players served, but who's counting? -- All spelling & grammar errors �1996 Sonic Purity. � Now available in two tasty flavors: new (sonicpty at sirius.com) and original (sonicpure at aol.com) � @@ Demopublicans are dead, @ @ Support free speech online ribbons are blue: @ @ (and everywhere else too) @@ @ @ @ @ @ @ From anon-remailer at utopia.hacktic.nl Sat Mar 23 00:47:32 1996 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Sat, 23 Mar 1996 16:47:32 +0800 Subject: IPG - newest release of the ABC Encryption Algorithms (fwd) In-Reply-To: <314F0DB1.61FE@tivoli.com> Message-ID: <199603230638.HAA16135@utopia.hacktic.nl> Chris McAuliffe (cmca at alpha.c2.org) wrote: : >One tangerine-flavord Starburst to the first cypherpunk who can give : >a rough estimate for the results of the sub-expression: : > (random() & 0xff) & 0x3500 : : Well, actually, it depends on whether the bytes are treated as signed or : unsigned, and we don't know for sure that IPG wanted them treated as : unsigned. This means IPG either: : : a) can't write portable code, or : b) really are as stupid as we are giving them credit for. a) is obvious, since they explicitly say that they coded it in 80x86 assembler, but I wouldn't discount the possibility of b) being true also. From nobody at REPLAY.COM Sat Mar 23 01:07:14 1996 From: nobody at REPLAY.COM (Anonymous) Date: Sat, 23 Mar 1996 17:07:14 +0800 Subject: detweiling Message-ID: <199603230713.IAA16986@utopia.hacktic.nl> I've been studying "detweiling" in old archives as this issue is raised here every so often. imho the lesson of detweiler has nothing to do with detweiler, but in fact more to do with his targets. effective "detweiling" would be impossible if it were not for the large egos of his quarry. he selects his targets carefully based on the size of their egos, presses their obvious buttons, and stands back to watch the fireworks ensue. the larger the ego, the more easy it is to do this. (i.e. larger fireworks/provocation ratio). detweiler took a lot of pride in how much reaction he could get with just a few posts or barbs. he is not really apparently responsible for ever actually mailbombing the cpunk list from what I can tell. he believed he was perfecting the art of playing with people's egos. a sort of depraved cyberspatial psychology experiment. the amusing thing about "detweiling" is the way that it is something like a bad, self-perpetuating virus among those with big egos. detweiler took great glee in starting the virus wherein these people with big egos blame all their obvious personal problems on him (i.e. atrocious lack of interpersonal skills). since the virus propagates not because of any action on his part, but because of the inherent psychology of those with big egos, it continues on this list even though there seems to be no evidence that Detweiler has had anything to do with this list for perhaps over a year. the cypherpunks is a rabid breeding ground for this detweiler virus, because of the vast array of throbbing egos. the flamewars are routine because of the immature psychology of many posters, esp. the more "prominent" ones. even anonymous or pseudonymous posters defend themselves because of their large egos, and those with big egos feel they have to defend themselves against anonymous or pseudonymous accusations, or take intermittent jabs at whatever hapless pseudonym-of-the-week is thought to be detweiler. imho from what I have seen (which is admittedly not everything, as the detweiler stuff is rather endless), detweiler is not really destructive in himself. but he is an amazing catalyst to those that already have destructive tendencies within themselves, and he tweaks them into erupting. in a sense it is almost a public service in helping people with big egos temporarily relieve their "painful flareups". but I see no sign that he has been anywhere near the list for a long, long time, and I think all the ranting and scapegoating of him is quite strong evidence of all the big egos and small minds that litter this list. there is nothing new about detweiler's approach. there was a classic greek who was put to death for the same reason: not provoking people by calling them names, so much as asking them questions that embarrassly exposed all their ego problems. his name was called "socrates" and he was put to death for refining his art beyond that which was tolerated by a power structure largely populated by those with the ego problems (power structures are always dominated by these types, it is like flies and dead meat, or moths and flames). the joke of course may be that detweiler could have been dead for a long time, and people here would still be blaming him for their problems. perhaps we have a new convenient substitute for Satan in the cyberspace age. "the detweiling made me do it." (hee, hee). "projection" was identified by freud in another century as a basic device of the ego, a pity that few in our modern era are aware-- or perhaps it is not such a pity from detweiler's perspective. (p.s. I imagine quite a few people will accuse "me" of being detweiler. I assure you my amusement will at least exceed or match that which detweiler ever obtained.) From jeff at Molasar.BlackMagic.Com Sat Mar 23 01:10:59 1996 From: jeff at Molasar.BlackMagic.Com (Jeff Humphrey KSC) Date: Sat, 23 Mar 1996 17:10:59 +0800 Subject: e$'s (mini-rant) Message-ID: <199603230546.AAA14968@Molasar.blackmagic.com> The Internet Economy Must Be Grass Roots (or, why can't we mint coins YET ?) Just a few thoughts. Being a small business, here are some of the things we THOUGHT we'd be able to do by now with anonymously transferable digital tokens (e$'s) that I'm amazed we still can't do. 1) Issue tokens backed by services our site offers, or the services of our consultants, etc. Obviously, this isn't intended for general use (though we certainly wouldn't care if the currency was traded to organizations who would accept it for it's value)- it's intended to be traded with those people on the net that we do business with on a regular basis, rather like a ledger system, but slightly different (Even an online system that wasn't anonymous, a ledger, would be better than what's out there right now, which is NOTHING). 2) Run our own mint- obviously, it's to our advantage to run the mint, we want to make sure it's secure, it's responsible for keeping value in OUR COINS, something of great importance to our reputation. Businesses want to issue all kinds of currencies- state currency is only ONE FORM of value. We want to mint coins and distribute them freely in some cases, to advertise our services, to attract new customers, etc. We want to mint "coupons" that have the same effect. We want to mint coins that are actually licenses for use of products that we want to distribute, licenses people can TRADE, licenses that hold their value past site-by-site use. We want to be able to issue coins that we can optionally expire, optionally have anonimity, and optionally can or can't be transferred (some uses of these token systems are not served well by anonimity or by transferability). The possibilities are only endless if there is a transport, if there is a mechanism. Not in theory, but in PRACTICE. When I played with the Magic Money software, my only thought was "YES!" but then it "went away" ? It went away because it was difficult to use, which I'm sure would have been resolved (obviously, it would have needed extensions for network transport with email transport as an option but not a necessity). It went away because the inventor of the original scheme holds the patents (which I have no problem with, obviously, but aren't there any competeing ideas ? or does the inventor plan to "let" us mint our own currencies in the future ?). That this mechanism is being restricted to some "higher purpose" of a universal cash system, beginning (and ending I suspect) with backing by state currency makes me down right mad. There are a million and one uses for this mechanism that nobody has even THOUGHT OF yet, and there are plenty that people HAVE thought of- but the mechanism isn't available to the public, it's being used instead in a very narrow way. And in my Not So humble opinion, the way to Internet Economy isn't from the top anyway, it's from the people who provide the value in the first place, it's from the businesses who desperately want to get moving but feel their hands are tied. I have communicated with every author of "e$" type systems that I know of, and they all had very big plans for their systems, were all looking for sponsorship and talking to banks, and everyone of them completely FAILED to even ANSWER email from me when I asked when we could use their mechanisms for minting our own currencies and running our own mints on the Internet (I take that back, one of them answered, they just said, in a word, "no"). And I find that ANNOYING, mostly because it's just putting things off-- years now and we're not much closer to "Internet Economy" than we were when we started. It's gotta be grass roots, it's gotta be free (or cheap), and most importantly, it's gotta be SOON. History has show in endless repetition, that the only standards on the Internet are free standards. The Web would have never taken off if both the thing that "lets the user access the system" (the client) and the thing that "allows distribution of content" (the server) hadn't been available freely-- and the mint software in any of the proposed token systems are just that, content distributing servers. Every single person on this planet is a business. All good things start with the individuals (especially on the net, as we've seen OVER and OVER). The world is full of things that were "good", but were too propietary, they fill the backrooms of many a code shop. In the words of a very common-sensical post I saw just a few days ago, "... because of a Betamax attitude, I'll follow the market to VHS." The only thing lacking right now is a VHS to follow, but beware, the need is so high, there will be one ... In short, give us the mechanism! Once it's available, sit back and watch the net soar ... just like it always does ... The most recent application of this type of mechanism that I saw, or at least it could have been an application for it if there WAS a mechanism, was a group of organizations that wanted to trade certain types of information among themselves-- they wanted it to be based on merit, that is, those individuals/organizations who PROVIDE data also GET data from the system. It was a perfectly contained closed economy that desperately needed a token system as it's heart, but alas, there wasn't one. Trying to remain patient. Woowoo! Spring is here! :) Jeff. -- Simply Be. From frantz at netcom.com Sat Mar 23 01:25:41 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 23 Mar 1996 17:25:41 +0800 Subject: NT's C2 rating Message-ID: <199603230800.AAA24157@netcom6.netcom.com> At 5:11 PM 3/22/96 -0600, Rick Smith wrote: >The big deal is that few vendors have tried to get NCSC evaluations. We walked KeyKOS a long way down the path to a B2 rating. Our investors refused to fund the estimated $1 million it would cost to do all the paperwork. They felt there was no market for NCSC secure systems. Perhaps others felt the same way. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From tcmay at got.net Sat Mar 23 01:29:17 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 23 Mar 1996 17:29:17 +0800 Subject: Excluding articles from DejaNews Message-ID: At 6:48 AM 3/23/96, Rich Graves wrote: >AltaVista doesn't index web sites that follow the Robots Exclusion >Standard. Does that mean you won't use AltaVista anymore, either? I didn't say that an indexing policy is the determinant of my using it or not, only that DejaNews looks less attractive than it did before (which wasn't very attractive anyway, compared to AV...your mileage may vary, so I won't be engaging in Search Engine Wars). >Agreed, anyone really concerned about their privacy should be using >anonymity/pseudonymity, but a temporary hidey-hole is a Good Thing. Well, I mostly disagree with this point. It gives the poster the _comforting illusion_ of privacy, when in fact the Real Threat (tm) is that the search engines of 2-5 years from now will trivially uncover all of the "asides" (to use Rich's term) made in rec.music.white-power and alt.sex.cypherpunks. It is the searches done several years from now that will no doubt be of greatest concern to job seekers, professors seeking tenure, and candidates for political office. No matter the "no archive" headers, somebody will archive it. Thus, spiders will find it. This is the "ostrich effect" I was referring to. The illusion of security. >But I can think of a lot of reasons you might want to post something >under your real name, or your regular pseudonym -- gaining the benefit of >your good (or bad) reputation, mostly -- but on the other hand, you don't >want that post archived. It's called an "aside." The point is that just because one or more sites is not archiving the traffic does not mean that other sites are not. Look at the parallels to cancellation: some sites strongly believe that "cancellation" is a bogus concept, that once a message has gone out it is part of the overall feed. (I concur with this view, and, if I ran a site, would not honor so-called "cancellations.") >For example, I might want to say, "Tim May is a big fat idiot because of >what he just said." I do want to say that, publicly, under my name and It created a best-seller for Al Franken..... >address, but for various reasons, I don't want that saved in the >archives. Since X-Headers are readable by most newsreaders, and are in Well, what you _want_ and what you're gonna git are not necessarily the same thing. I expect some sites are going to advertise that they archive and/or index _all_ public traffic, becoming a "site of record." >OK, you've convinced me that this isn't a privacy thing, really, but I >think is a valid and useful thing. What's the alternative, really? If I At the risk of repeating myself: -- some people will want to request "no archives" (for "asides" and "off the record" comments. -- some sites will honor these requests. -- other sites will not. -- that at least one site keeps the traffic and makes indices available is sufficient to negate the effect of requesting "no archives." -- the practical effect will be initially to make a search for the "no archive" words _slightly_ more difficult, but not practically so...in spiderspace, the distances are compressed and a search will still turn up the words. >want to say something, now, are you going to tell me that I don't have >the right to request that you not take my comments on the record? That >sounds sort of totalitarian. I either have to create a new, unique nym on "Totalitarian"? You spoke publically, in this example, and I remembered your words. What is totalitarian about this? Trying to purge uttered words is the hard thing to do, actually. >the fly, in which case my comments lose anything associated with my name, >or I have to keep my comments to myself. Recognizing "Well, the full >context is recorded too, you can defend youself with that" only makes it >worse, really. > >Just thinking out loud, my thoughs being recorded for posterity on >hks.net and Exon-knows where else... Indeed, the storage densities and net connections that are coming will make your words here trivially searchable by your daughter in her third-grade class in 2005. Maybe on her handheld terminal. (And she'll probably be most interested in the words that Daddy thought to label as "no archives," as you yourself presaged in an earlier message. Those are likely to be the juicier things to read.) --Tim May THE X-ON CONGRESS: INDECENT COMMENT ON AN INDECENT SUBJECT, by Steve Russell, American Reporter Correspondent....You motherfuckers in Congress have dropped over the edge of the earth this time... "the sorriest bunch of cocksuckers ever to sell out the First Amendment" or suggesting that "the only reason to run for Congress these days is to suck the lobbyists' dicks and fuck the people who sent you there," ....any more than I care for the language you shitheads have forced me to use in this essay...Let's talk about this fucking indecent language bullshit. From WlkngOwl at unix.asb.com Sat Mar 23 02:18:22 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Sat, 23 Mar 1996 18:18:22 +0800 Subject: protection on IoMega ZIP drives Message-ID: <199603231021.FAA24721@unix.asb.com> On 23 Mar 96 at 3:00, Ed Carp wrote: > Has anyone tried SFS? It should work on the zip drive, though I've not > tried it (yet)... If I recall some recent threads on alt.security.pgp (or sci.crypt?), SFS doesn't work on ZIP drives (since ZIPs use the parallel port...). [Or do ZIPs use Scuzzies and the people who had problems were just too lame to figure out that they had to load the driver before SFS?] Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From wlkngowl at unix.asb.com Sat Mar 23 02:35:59 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Sat, 23 Mar 1996 18:35:59 +0800 Subject: http://anarchy-online.dementia.org/book/ In-Reply-To: Message-ID: <3153D109.5CB6@unix.asb.com> [..] > A New Book Investigating Sex on the Internet > is Pre-Published, Free, via the World Wide Web[..] > ...It includes transcripts from > pornographic IRC chat sessions and sexually oriented Usenet > news groups... Interesting. An investigative report that could technically be banned under the CDA, simply by including "illegal" material. From adam at lighthouse.homeport.org Sat Mar 23 02:47:10 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sat, 23 Mar 1996 18:47:10 +0800 Subject: protection on IoMega ZIP drives In-Reply-To: <2.2.32.19960322120637.006acd68@mail.acquion.com> Message-ID: <199603221552.KAA16944@homeport.org> Joseph L. Moll wrote: | | Anyone have any idea how secure the ZIP disk is once it is "protected?" I | know that the disk will refuse to be mounted without the passkey, but what | is really happening here? Its weak software encryption. Paul Kocher announced he had cracked it in Sept/Oct, but is not distributing the crack program. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From jya at pipeline.com Sat Mar 23 02:48:36 1996 From: jya at pipeline.com (John Young) Date: Sat, 23 Mar 1996 18:48:36 +0800 Subject: Summary of NIST GAK Meeting Message-ID: <199603222049.PAA11327@pipe3.nyc.pipeline.com> Pat, We received today by snail mail from NIST a March 5 "Summary of the Proposed 64-bit Software Key Escrow Encryption Export Criteria Meeting" on December 5, five-pages, "prepared by an outside observer from Martin Marietta Systems, Inc." You've probably got a copy as well. If you've not already done so, and if you like, we'll be happy to scan it and send over for your Web site. Let us know. John From wlkngowl at unix.asb.com Sat Mar 23 02:48:39 1996 From: wlkngowl at unix.asb.com (Mutatis Mutantdis) Date: Sat, 23 Mar 1996 18:48:39 +0800 Subject: New Beta Test of PGPfone available WINDOWS '95 Included! Message-ID: <199603222109.QAA22574@unix.asb.com> jis at mit.edu (Jeffrey I. Schiller) writes: >We have finally released a Windows '95 version of PGPfone. This release >includes PGPfone for Macintosh version 1.0b6 and PGPfone for Windows '95 >version 1.0b1. Note: The Macintosh version does not talk to earlier versions. >However the Macintosh and Windows version talk to each other! >Connections can be either via modem or the Internet. [..] Will there ever be a Win32s version of PGPfone? I have one of those systems with non-(MS)DOS partitions that MS-DOS/Wind95 doesn't like, so until MS can deal with the fact that people use other OSs, I'm staying clean of Win95. From alano at teleport.com Sat Mar 23 02:55:39 1996 From: alano at teleport.com (Alan Olsen) Date: Sat, 23 Mar 1996 18:55:39 +0800 Subject: protection on IoMega ZIP drives Message-ID: <2.2.32.19960323104511.0091c3e4@mail.teleport.com> At 05:08 AM 3/23/96 +0000, Deranged Mutant wrote: >On 23 Mar 96 at 3:00, Ed Carp wrote: > >> Has anyone tried SFS? It should work on the zip drive, though I've not >> tried it (yet)... > >If I recall some recent threads on alt.security.pgp (or sci.crypt?), >SFS doesn't work on ZIP drives (since ZIPs use the parallel port...). > >[Or do ZIPs use Scuzzies and the people who had problems were just >too lame to figure out that they had to load the driver before SFS?] There are two versions of the Zip drive. One is SCSI and one is Parallel faking scsi. The big problem is with the zip drivers. There is some sort of incompatibility between SFS and the zip drivers. (I hacked on it for a couple of hours with no luck.) Win95 makes the problem worse, as it is difficult to judge just when the driver for the zip drive loads. (I have a number of complaints about the zip drive drivers. Lack of documentation is one of them...) Sometime I will have to fire up SoftICE and see exactly what the conflict is... --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From erc at dal1820.computek.net Sat Mar 23 03:12:03 1996 From: erc at dal1820.computek.net (Ed Carp) Date: Sat, 23 Mar 1996 19:12:03 +0800 Subject: protection on IoMega ZIP drives In-Reply-To: <199603231021.FAA24721@unix.asb.com> Message-ID: On Sat, 23 Mar 1996, Deranged Mutant wrote: > On 23 Mar 96 at 3:00, Ed Carp wrote: > > > Has anyone tried SFS? It should work on the zip drive, though I've not > > tried it (yet)... > > If I recall some recent threads on alt.security.pgp (or sci.crypt?), > SFS doesn't work on ZIP drives (since ZIPs use the parallel port...). > > [Or do ZIPs use Scuzzies and the people who had problems were just > too lame to figure out that they had to load the driver before SFS?] Perhaps the latter, but Zip drives come in two flavors: parallel and SCSI. I have the SCSI version :) -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes The mark of a good conspiracy theory is its untestability. -- Andrew Spring From smith at sctc.com Sat Mar 23 03:13:11 1996 From: smith at sctc.com (Rick Smith) Date: Sat, 23 Mar 1996 19:13:11 +0800 Subject: NT's C2 rating Message-ID: <199603222311.RAA09121@shade.sctc.com> Regarding the comment: >> Basically, I'm now questioning the C2 rating of Windows NT. The >> entire security layer is modular to the Kernel. As a modular >> driver, it can be removed, rewritten, and replaced. C2 is no big deal. It means you have the typical security measures that can be disabled or bypassed by a trojan horse. You're not doing serious protection till you put in mandatory protections like what appears in B or A level systems. The big deal is that few vendors have tried to get NCSC evaluations. Rick. smith at sctc.com secure computing corporation From unicorn at schloss.li Sat Mar 23 03:14:28 1996 From: unicorn at schloss.li (dirsec) Date: Sat, 23 Mar 1996 19:14:28 +0800 Subject: protection on IoMega ZIP drives In-Reply-To: <2.2.32.19960322120637.006acd68@mail.acquion.com> Message-ID: On Fri, 22 Mar 1996, Joseph L. Moll wrote: > This is in regard to the now popular ZIP disks, the removable 100MB > cartridge for PC's/MAC's. > > Anyone have any idea how secure the ZIP disk is once it is "protected?" I > know that the disk will refuse to be mounted without the passkey, but what > is really happening here? Not much. Use CryptDisk, shareware from Mr. W. Price. I believe the current version is 1.1.3 Much more secure. > > > Best Regards, > --- > Joseph (Joe) L. Moll mailto:jmoll at acquion.com > Network/Communications Engineering > http://www.acquion.com phone:864-281-4108 fax:864-281-4576 > Acquion, Inc. Greenville, SC USA -- Specialists in Electronic Commerce > > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From wendigo at pobox.com Sat Mar 23 03:18:37 1996 From: wendigo at pobox.com (wendigo at pobox.com) Date: Sat, 23 Mar 1996 19:18:37 +0800 Subject: New Encryption Software-Encrypt Image & Text Files (fwd) Message-ID: <199603222241.RAA07882@apollo.gti.net> -----BEGIN PGP SIGNED MESSAGE----- Thought y'all might find this interesting ... if not funny. : Press Release from Antelope Productions, Inc : : Subject: New Encryption Software; Quick at Crypt : : : Antelope Productions, Inc. is releasing our new encryption package : called Quick at Crypt that has several advantages over any other : encryption software available on the market. Now more than ever, : there is a need for security in transferring sensitive information : through the Internet and networks worldwide. There has not been a : universal way for people to send all types of files easily, : inexpensively and securely through the Internet or networks UNTIL NOW. : All other encryption software available on the market requires a : separate license for each site (the sender as well as the receiver). : With Quick at Crypt you may freely distribute the decryption program. : Only the encryption side requires a licensed copy of Quick at Crypt. : There is also no limit on the password size and there is no : restriction on overseas use. : : You will find pricing of Quick at Crypt a real bargain, given the : pricing and functionality compared to other available encryption : packages. Our price is only $99.95 plus $5 shipping in US plus state : sales tax in Texas, New Jersey and Florida. Quantity discounts are : also available. : : Installation is performed easily on any Windows or Windows 95 system. : Memory requirements with as little of 2 MB of RAM (I tried it on a : Tandy portable with 2 MB!). We also have a version to work in DOS. : There is a floating toolbar that always remains on top of your current : open window. Quick at Crypt's floating toolbar gives you four options. : 1. Encryption-You have a user friendly screen to select the drive, : directory and files that you want to encrypt. Chosen files for : encryption are grouped together and compiled into a single executable : file with an assigned password you enter. There is no limitation on : the password size. Overseas distribution of the encrypted files is not : restricted. File encryption often takes less then ten seconds. 2. : Decryption- Allows you to select the drive, directory and file you : want to decrypt. The password is requested once you select the : encrypted file. Decryption is performed in Windows or Windows 95 with : the freely distributed decryption module. Decryption module is sent : to each receiver with no licensing requirement. Decryption of the : executable file may also be performed at the DOS prompt with no : additional software. 3. Help- A user friendly system for all of : Quick at Crypt's functions, along with an index and glossary. 4. Exit : : For more information, wholesale quotations, or ordering, please email : your requests to schek at airmail.net (Walter Chek), Subject: Quick at Crypt : < Inquiry> : - -- Mark Rogaski 100,000 Lemmings GTI GlobalNet System Administrator Can't Be Wrong! -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMVMsog0HmAyu61cJAQHGGAQAxa1n7zXlD49TH7SlQTRGlRdEp2QGmvTt Vcdp/9VrbXqNIhSHQC5yxT7rc7SDOS2mvyFx9kz4rraiBOEMt5wZpGHkExpXMFHS T8mrHHrONEUjLDiiGZSLWtCPTjd0OZ4Qp/251OJxT8kZ9P/Sdmx3NueG6dlMFMpm m5qz167wK3M= =0+8d -----END PGP SIGNATURE----- From stuartt at MICROSOFT.com Sat Mar 23 03:18:42 1996 From: stuartt at MICROSOFT.com (Stuart Theodore) Date: Sat, 23 Mar 1996 19:18:42 +0800 Subject: Digital Signature Inititiative Message-ID: Good afternoon, I am the program manager at Microsoft responsible for putting the digital signature program in place. I am sending this mail in response to a recent mail string sent to these aliases appearing at the bottom. To summarize some important points of the program: * The program creates a certificate authority infrastructure which consists of thrid party non-software affiliated companies such as VeriSign and GTE who will act to grant certificates to allow code to be signed. The policies defining who can be a certificate authority and what it means to be a trusted software publisher will be a matter of public policy(standard). The point being that Microsoft does NOT control who can/cannot sign code. * This approach solves the problem of identity and integrity, and is viewed by MS as complementary to the sandboxing approach used by Java scripting, which we view to be incomplete and unsatisfactory by itself. We believe that Java needs to sign platform dependent Java classes in addition to their sandboxing scheme. * The W3C is creating a working group in this area to develop standards around the policies mentioned in the first point, and the formats of the certificate and signature formats. Microsoft is committed to making this a open, industry, x-platform standard... * regarding the mac question - there already is a version of Internet Explorer for the Macintosh, available for download at www.microsoft.com/ie. Microsoft is has already announced its committment to building cross-platform internet products. I would be happy to answer more questions you may have about this program, inluding proving more information. Stuart Theodore Program Manager Microsoft Corporation Stuartt at microsoft.com >I recieved a copy of "Microsoft Interactive Developer" today in the >mail. >In it, it has a preview of Microsoft Explorer 3.0. (Flux by David >Boling on >page 120.) > >Of interest to Cypherpunks is this paragraph (in the section on OLE >support >in web browsers): > >"Since OLE controls could potentially pose a security problem, >Microsoft is >studying how to create an infrastructure to certify them. The idea is >that, >once certified, an OLE control would contain an RSA security signature >indicating that it has passed muster -- the OLE eqivelent if the Good >Housekeeping Seal of Approval! Users of Internet Explorer 3.0 could >specify >whether or not noncertified OLE controls should be loaded and executed >by >the browser." > >As a web developer, I have some problems with this scheme. Giving >Microsoft >access to virtually every OLE control on the Web does not make me more >secure. Sounds like a way to rip off ideas from the rest of the >development >world. If someone has a control that might compete with a Microsoft >product, it could be shelved and/or delayed for "further security >testing". > >Java has a decentralized mechanism for security. No one group controls >what >is a "certified" control and what is not. You write the code and >compile it >and that is that. Furthermore, you are not stuck with Microsoft >approved >platforms. (I wonder if there will ever be a version of Explorer for >the >Mac.) > >I expect the Microsoft plan to garner a bit of resistance from the Web >development community over this one... > >I do not expect to see many OLE crypto apps for the web with this plan. > >--- >Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction > `finger -l alano at teleport.com` for PGP 2.6.2 key > http://www.teleport.com/~alano/ > "We had to destroy the Internet in order to save it." - Sen. Exon > > > > > > > From llurch at networking.stanford.edu Sat Mar 23 03:29:34 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 23 Mar 1996 19:29:34 +0800 Subject: detweiling In-Reply-To: <199603230713.IAA16986@utopia.hacktic.nl> Message-ID: On Sat, 23 Mar 1996, Anonymous wrote: > imho the lesson of detweiler has nothing to do with > detweiler, but in fact more to do with his > targets. effective "detweiling" would be impossible if it > were not for the large egos of his quarry. he This is true. Without realizing it (until I took a look a the alleged Detweiler web pages), I've been Detweiling on a number of Neo-Nazi lists for a while. This type of psychological warfare is pretty interesting. > detweiler took a lot of pride in how much reaction > he could get with just a few posts or barbs. he is not > really apparently responsible for ever actually > mailbombing the cpunk list from what I can tell. > he believed he was perfecting the art of playing > with people's egos. a sort of depraved cyberspatial > psychology experiment. It's not an art. It's just being an asshole, and there's nothing new about it. the alleged Detweiler had a few interesting observations, but most of them were cypherpunk-specific. I do see a real tension between the norms of anonymity and full disclosure, though, which I'll have to think about a bit more before committing it to Tim May's eternal data haven with my name atached. > the amusing thing about "detweiling" is the way > that it is something like a bad, self-perpetuating > virus among those with big egos. I should have a good example of this on the Stormfront list shortly. > there is nothing new about detweiler's approach. > there was a classic greek who was put to death > for the same reason: not provoking people by calling > them names, so much as asking them questions that > embarrassly exposed all their ego problems. > his name was called "socrates" and he was put to > death for refining his art beyond that which was > tolerated by a power structure largely populated > by those with the ego problems (power structures > are always dominated by these types, it is like > flies and dead meat, or moths and flames). I'm not so sure. I'd say that these types are more concentrated in political activism (where I would place many political cypherpunks) nad in mid-level politics and bureaucracies, not in high-level power structures. The people who come to power, and stay in power, have learned to transcend ego and paranoia. Nixon, who had been very good at this, lost it. Clinton seems to be holding up quite well. (This is not to say anything about their politics or characters, just their temperaments.) > the joke of course may be that detweiler could have > been dead for a long time, and people here would > still be blaming him for their problems. Read Milan Kundera's _The Joke_ for an interesting twist on this. Or maybe _Rosencrantz and Guildenstern are Dead_. -rich From perry at piermont.com Sat Mar 23 05:56:26 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 23 Mar 1996 21:56:26 +0800 Subject: New Beta Test of PGPfone available WINDOWS '95 Included! In-Reply-To: <199603222109.QAA22574@unix.asb.com> Message-ID: <199603222210.RAA24083@jekyll.piermont.com> Mutatis Mutantdis writes: > Will there ever be a Win32s version of PGPfone? I have one of those systems > with non-(MS)DOS partitions that MS-DOS/Wind95 doesn't like, so until MS can > deal with the fact that people use other OSs, I'm staying clean of Win95. I run Win95 and other operating systems simultaneously. What is the problem? .pm From tcmay at got.net Sat Mar 23 05:56:59 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 23 Mar 1996 21:56:59 +0800 Subject: Thanks for the keys Message-ID: At 12:00 AM 3/22/96, whitfield.diffie at Eng.Sun.COM wrote: > I would like to thank the gentleman, who identified himself only >as a cypherpunk, who fetched my keys out of the door of my wife's car >(I frequently leave keys sticking in the doors of cars), knocked on >the window, and handed them to me. That anonymity was successfully preserved demonstates the perfect forward secrecy of Diffie key exchange. Or something like that. --Tim "Not the Key Master" May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From frantz at netcom.com Sat Mar 23 05:57:23 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 23 Mar 1996 21:57:23 +0800 Subject: Forward: Essay: Political-economy of the Internet Message-ID: <199603222230.OAA16205@netcom6.netcom.com> Date: Thu, 21 Mar 1996 13:40:53 -0800 (PST) From: "Michael Strangelove" To: Multiple recipients of list Subject: Essay: Political-economy of the Internet Here are the first few paragraphs from an essay on the relationship between of freedom of speech on the Net and the "statehood" of cyberspace. I am trying to define the role of values (ethics) in the new culture of online speech and am searching for sources/theories that will help explain the new value system of the Net within the larger context of global media culture. For the complete text of this essay, send the command GET POLITICS in the SUBJECT line of an e-mail message to Michael at Strangelove.Com Michael Strangelove The Political Economy of the Internet (Previously published in The Internet Business Journal, http://www.phoenix.ca/sie) -- Revised -- March 12, 1996 Copyright (C) 1996, Michael Strangelove. All Rights Reserved. Comments to the author at Michael at Strangelove.Com This document may be forwarded and archived on the Internet, so long as no changes are made to the text, Publishers take note, this draft is part of a book on freedom and speech and the Internet which I am working on -- contact michael at strangelove.com for table of contents (for publishers only). Introduction "There is a growing concern that the very existence of the Internet is a threat to the nation-state" (Globe and Mail, Feb 3/96, p. A1). Recently, the headline "Nations see Internet as threat to security" appeared on the front page of Canada's national daily newspaper, The Globe and Mail. Consider for a moment that more than two decades after its "invention" and three years after its integration into popular culture and the business process, the Internet has distinguished itself on two fronts. It remains the only mass media system to escape monopolistic ownership by media conglomerates (with no sign of this changing) and it is increasingly seen, correctly, as a threat to national security and sovereignty. Meanwhile, the business community throughout the world is gradually integrating the Internet into the core of its communication and marketing infrastructure. The inevitable outcome of these trends is that the communication infrastructure (including marketing, customer service, and financial transactions) of the business community is destined to conflict with the information policies of governments. One way of looking at the Internet is to understand it as an emerging nation-state, a state that, with each passing day, becomes more entwined with the fabric of the geo- political balance of power. The corporate world, particularly multinational corporations, and governments are soon going to have to come to terms with the statehood of the Internet. Political theorist Anthony Giddons writes that "significant power, within any type of organization, consists in the capacity to determine or shape policy." This understanding of power -- policy making -- is one that any manager, executive, or bureaucrat can certainly appreciate. Power-as-policy-making sheds light on the type of power the Net, (and more comprehensively, cyberspace,) wields. More precisely, the statehood of the Net is founded on its power to deny existing nations any concrete method to exercise direct, unilateral influence over the "policy" of the Internet. It is quite clear that, congressional saber-rattling aside, no nation has successfully legislated the information policy of the Internet. As a landless nation-state, the Net's constitution, or bill of rights, is its internal information policy -- no one group, community, ideology or nation is universally recognized to have the right to determine what values, art forms, beliefs, or private thoughts can or cannot be expressed on the Net. While this information policy is framed by pre- existing international treaties concerning copyright, thus far this unwritten but very real policy has not been further defined or amended by any individual nation's internal moral standards or legislature. Bear in mind that no significant content has ever been removed from the Net as a result of any one nation's information-policy making process. Indeed, just the opposite is the case -- every attempt at censoring content on the Net has lead to increased exposure of the censored or banned content and its further proliferation throughout the Net. Admittedly, it is theoretically possible for a government to censor material on Internet servers within its borders. Yet all previous attempts at doing so have simply resulted in the censored material migrating to the Net servers of other nations and remaining accessible via the Net to all. The dynamic of regional censorship being undermined by the international Net community is now almost a daily occurrence. This "end of censorship" in the international information sphere is not threatened by the possibility of a global information policy trade agreement on censorship. Any attempt to impose the freedom of speech standards of one nation on another will certainly be interpreted as a violation of national sovereignty. As a new form of borderless state, Cspace (Internet/cyberspace) has demonstrated sovereign power over its internal information policy. The front pages of newspapers around the world are demonstrating a growing awareness of this new political animal. But neither the global body politic nor the corporate realm have come to terms with the extent of the Net's sovereignty and the future impact of this "new wired world order". For the complete text of this essay, send the command GET POLITICS in the SUBJECT line of an e-mail message to Michael at Strangelove.Com From frantz at netcom.com Sat Mar 23 05:57:58 1996 From: frantz at netcom.com (Bill Frantz) Date: Sat, 23 Mar 1996 21:57:58 +0800 Subject: Dorothy Denning attacks Leahy's crypto bill Message-ID: <199603222230.OAA16208@netcom6.netcom.com> At 9:33 PM 3/21/96 -0800, Bill Stewart wrote: >>From: denning at cs.cosc.georgetown.edu (Dorothy Denning) >>>The Commerce/NSA study did acknowledge that the existence of foreign >>>products claiming strong encryption could have a negative effect on >>>U.S. competitiveness. However, by allowing encryption services to be >>>sold separately from the applications software that uses them, CAPIs >>>will make it extremely unlikely that general-purpose software will be >>>substantially effected by export controls. > >Which side is Dr. Denning _on_ here? At present, software using CAPIs >is not exportable under the ITAR, since the CAPI is a "component of a >munitions system"; is she now advocating legalized export of software >using government-approved CAPIs only? Case in point. I recently had a client ask me to locate a reference implementation of SSL. I fired up AltaVista and quickly found two of them. One was available thru Netscape, and the other was Eric Young's from Australia. Now, in good conscience, do I give them Netscape's non-exportable version, or Eric's already exported version. Of course I gave them Eric's. They were delighted since they can just point their foreign customers to Eric's site and avoid the whole export issue. I would like to publicly thank Eric for making his code available to US sites. I hope that this description, in some small way, helps to overcome the idiocy of not being able to export what is already freely available abroad. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From llurch at networking.stanford.edu Sat Mar 23 06:07:44 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 23 Mar 1996 22:07:44 +0800 Subject: Excluding articles from DejaNews Message-ID: I just noticed this in their FAQ, dated February 20th: Q: I don't want my Usenet articles to appear in Deja News. What do I do? A: We have implemented a feature whereby if your article contains an X-Header looking like X-No-Archive: Yes your article will be excluded from our database forever. Anyone know if other search engines support this? I think such a standard would be a Good Thing. Of course there will be the odd private archive, and of course some nastyfolks might grep Usenet just for X-No-Archive headers, but this is a good step for casual alt.support - type privacy. -rich From nobody at vegas.gateway.com Sat Mar 23 06:07:53 1996 From: nobody at vegas.gateway.com (Anonymous Remail Service) Date: Sat, 23 Mar 1996 22:07:53 +0800 Subject: Censorship Message-ID: <199603230448.XAA07822@black-ice.gateway.com> drose at AZStarNet.com wrote: William B. F--- er, F. Buckley? The "libertarian" who supports blue laws and prayer in schools wanting to censor the internet? Nahhhhh... (And maybe it's not rational, but anyone with a name like "Arianna Huffington" is not worth taking seriously outside a room full of hundred- and fifty year old WASPs burning Beatles albums and copies of Origin of Species.) [...Sniperoo!...] _Firing Line_ debate Resolved: The Government Has the Right to Regulate the Internet "A current communications controversy fuels the proposed resolution in the latest installment of William F. Buckley Jr.'s recurring series, in which participants debate whether the Internet should be federally regulated. Among those arguing for it with Buckley are Arianna Huffington and Reid Hoffman; those against it include Susan Estrich and John Perry Barlow." From pfarrell at netcom.com Sat Mar 23 06:11:04 1996 From: pfarrell at netcom.com (Pat Farrell) Date: Sat, 23 Mar 1996 22:11:04 +0800 Subject: Martin Marietta Energy Systems' summary of December GAK meeting Message-ID: <199603231353.FAA21838@netcom3.netcom.com> Thanks to John Young, who scanned the snailmail document sent out by NIS&T, I have made the available on my NIST meeting web the document that NIS&T says is: "The enclosed document is an unofficial summary of the December 5, 1995 meeting held at the National Institute of Standards and Technology to discuss the 64-bit software key escrow encryption exportability initiative." URL is http://www.isse.gmu.edu/~pfarrell/nist/dec5sum.html Nothing really new here, the author recorded essentially what I wrote up and posted back in December. But this author has a different viewpoint. Pat Pat Farrell Grad Student http://www.isse.gmu.edu/~pfarrell Info. Systems & Software Engineering, George Mason University, Fairfax, VA PGP key available on homepage #include From declan at eff.org Sat Mar 23 06:15:07 1996 From: declan at eff.org (Declan McCullagh) Date: Sat, 23 Mar 1996 22:15:07 +0800 Subject: http://anarchy-online.dementia.org/book/ Message-ID: [I'm not associated with this book except that I helped HTMLize it. -Declan] For Immediate Release ------------------------------------------------------------- A New Book Investigating Sex on the Internet is Pre-Published, Free, via the World Wide Web ------------------------------------------------------------- While the fate of online freedoms is being determined by federal judges in Philadelphia, a contributing writer to Wired magazine has decided to give away his investigative book on the subject. Charles Platt spent six months gathering data about netporn for a book to be published later this year by HarperCollins. According to Platt, "My publishers hoped to rush the book into print. When their plans changed as a result of factors outside my control, I decided the material was so topical and so important, it should be placed freely on web sites." Titled ANARCHY ONLINE, the book is divided into two parts. The first deals with net crimes such as hacking, viruses, and data piracy. Platt includes first-hand descriptions of hackers and pirates and debunks myths created by melodramatic press coverage. Part Two of the book explores free speech online and examines netporn more frankly and in greater depth than has been achieved elsewhere. Platt concludes that although a genuine problem does exist, a "war on porn" will be as unwinnable, expensive, and divisive as the "war on drugs." Part Two of the book contains about 65,000 words and is being placed online in its entirety. It includes transcripts from pornographic IRC chat sessions and sexually oriented Usenet news groups; a look at pedophilia on America Online; a new, damning investigation of Martin Rimm (whose porn study was immortalized in Time magazine); and a reassessment of issues raised by Jake Baker (who faced years in jail after he placed sadistic stories on Usenet). Platt also examines federal attempts to control encryption; the Guardian Angels; anonymous remailers; repressive laws at the state level; content-filtering software; and content rating schemes. There are exclusive interviews with Scott Charney at the Department of Justice, Ann Beeson of ACLU, Louis Rossetto and Kevin Kelly of Wired magazine, anti-child-porn crusader Barry Crimmins, David Chaum of DigiCash, and Phil Zimmermann, creator of PGP. Many other industry figures and commentators make cameo appearances. Platt concludes that net fears have been exaggerated and demands for censorship are unwarranted. "Most people who want to censor the net don't use it and are willfully ignorant of it. They tend to be religious extremists and opportunistic legislators looking for a hot-button issue. I question their right to inflict laws on a community that they don't live in and know nothing about." Platt feels that if widely available methods are used to control access by children, the net can be safer than a day- care center. "My daughter started net surfing when she was 15. Even if children have totally unrestricted access, the net is still more benign than most real-world environments. I believe this is thoroughly substantiated by my book." ANARCHY ONLINE is freely available at http://anarchy-online.dementia.org/book/ Charles Platt is the author of 40 books, ranging from computer guides to science fiction. His novel PROTEKTOR was published this year by Avon Books. He is a contributing writer to Wired magazine and has an article on net censorship in the current issue, dated April. Platt can be contacted at (212) 929 3983 or via email at cp at panix.com. ------------------------------------------------------------- From jya at pipeline.com Sat Mar 23 06:35:07 1996 From: jya at pipeline.com (John Young) Date: Sat, 23 Mar 1996 22:35:07 +0800 Subject: Martin Marietta Energy Systems' summary of December GAK meeting Message-ID: <199603231422.JAA12441@pipe2.nyc.pipeline.com> Responding to msg by pfarrell at netcom.com (Pat Farrell) on Sat, 23 Mar 8:57 AM >Nothing really new here, the author recorded >essentially what I wrote up and posted back in >December. But this author has a different viewpoint. Pat's report was much better, and it's worth wondering why NIST bothered to send out this "unofficial" summary rather than one of its own professional reports. Perhaps to flash the name of a big corporation as evidence of industry input, perhaps to induce paranoia that something else is going on beneath the camouflage and shrewd business better get on board. I'm nasty enough to think that NIST hopes this throwaway will sedate their opponents. Recall that the Administration has not really responded to authentic, open, industry criticism. And seems to be stonewalling in public while making mutually beneficial arrangements favored insiders -- like Martin Marietta, eager to claim, with relief, that nothing of importance happened at the meeting to upset covert deals? From erc at dal1820.computek.net Sat Mar 23 06:58:27 1996 From: erc at dal1820.computek.net (Ed Carp) Date: Sat, 23 Mar 1996 22:58:27 +0800 Subject: protection on IoMega ZIP drives In-Reply-To: <31533A8F.3A9E@unix.asb.com> Message-ID: On Fri, 22 Mar 1996, Mutant Rob wrote: > For the PC you might be able to hack SecureDrive to handle SyQuest > and ZIP drives. I recall R.Brown's interrupt lists showed that the > drivers set up different subfunctions for Int 13h (low-level disk ops). Has anyone tried SFS? It should work on the zip drive, though I've not tried it (yet)... -- Ed Carp, N7EKG Ed.Carp at linux.org, ecarp at netcom.com 214/993-3935 voicemail/digital pager 800/558-3408 SkyPager Finger ecarp at netcom.com for PGP 2.5 public key an88744 at anon.penet.fi "Past the wounds of childhood, past the fallen dreams and the broken families, through the hurt and the loss and the agony only the night ever hears, is a waiting soul. Patient, permanent, abundant, it opens its infinite heart and asks only one thing of you ... 'Remember who it is you really are.'" -- "Losing Your Mind", Karen Alexander and Rick Boyes The mark of a good conspiracy theory is its untestability. -- Andrew Spring From llurch at networking.stanford.edu Sat Mar 23 07:00:26 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 23 Mar 1996 23:00:26 +0800 Subject: Excluding articles from DejaNews In-Reply-To: Message-ID: On Fri, 22 Mar 1996, Timothy C. May wrote: > At 4:38 AM 3/23/96, Rich Graves wrote: > > X-No-Archive: Yes > > > >Anyone know if other search engines support this? I think such a standard > >would be a Good Thing. Of course there will be the odd private archive, > >and of course some nastyfolks might grep Usenet just for X-No-Archive > >headers, but this is a good step for casual alt.support - type privacy. > > Even facetiously, count me as one of the "nastyfolks." If someone has made > comments to the entire Usenet, any search engine which purports to index > articles on the Usenet and does not index _all_ articles is misleading its > customers. AltaVista doesn't index web sites that follow the Robots Exclusion Standard. Does that mean you won't use AltaVista anymore, either? Interesting and correct opinion, but they're not saying they index _all_ of Usenet. They're saying, "We archive Usenet." "Well, what about excluded articles?" "Oh, we don't archive _those_ articles, of course," they say. The proposed exclusion standard is posted publicly. Ain't their fault that I didn't read that part of the FAQ until just now. Agreed, anyone really concerned about their privacy should be using anonymity/pseudonymity, but a temporary hidey-hole is a Good Thing. But I can think of a lot of reasons you might want to post something under your real name, or your regular pseudonym -- gaining the benefit of your good (or bad) reputation, mostly -- but on the other hand, you don't want that post archived. It's called an "aside." For example, I might want to say, "Tim May is a big fat idiot because of what he just said." I do want to say that, publicly, under my name and address, but for various reasons, I don't want that saved in the archives. Since X-Headers are readable by most newsreaders, and are in fact shown by default in at least the default install of trn, I don't think I'm doing anything particularly "sneaky." If you (or someone else) wants to make sure that I am on record saying, "Tim May is a big fat idiot," then you'd post a followup, perhaps pointing out that I'd tried to be sneaky by using an X-No-Archive header. X-No-Archive is like preceding your remarks with "Off the record..." People and bots can heed, ignore, or flaunt that disclaimer at their option. OK, you've convinced me that this isn't a privacy thing, really, but I think is a valid and useful thing. What's the alternative, really? If I want to say something, now, are you going to tell me that I don't have the right to request that you not take my comments on the record? That sounds sort of totalitarian. I either have to create a new, unique nym on the fly, in which case my comments lose anything associated with my name, or I have to keep my comments to myself. Recognizing "Well, the full context is recorded too, you can defend youself with that" only makes it worse, really. Just thinking out loud, my thoughs being recorded for posterity on hks.net and Exon-knows where else... -rich From dlv at bwalk.dm.com Sat Mar 23 07:32:51 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sat, 23 Mar 1996 23:32:51 +0800 Subject: Cancel-proof archives (Was: Excluding articles from DejaNews) In-Reply-To: Message-ID: tcmay at got.net (Timothy C. May) writes: ... > The point is that just because one or more sites is not archiving the > traffic does not mean that other sites are not. Look at the parallels to > cancellation: some sites strongly believe that "cancellation" is a bogus > concept, that once a message has gone out it is part of the overall feed. > (I concur with this view, and, if I ran a site, would not honor so-called > "cancellations.") ... Dave Hayes's definition of a "Site of Virtue" includes not honoring cancels and rmgroups and certain other things. Check out Dave's site: jetcafe.org. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From rah at shipwright.com Sat Mar 23 08:22:57 1996 From: rah at shipwright.com (Robert Hettinga) Date: Sun, 24 Mar 1996 00:22:57 +0800 Subject: detweiling Message-ID: At 6:18 AM 3/23/96, Rich Graves wrote: > On Sat, 23 Mar 1996, Anonymous wrote: >> > Uh, Rich?... You've probably been detweiled by Detweiler himself. Someone around here has a concordance program, called MEDUSA, if I remember right, which can spot Detweiler pretty well by statistical analysis of the words he uses. My hunch is that this particular "anonymous" is LD himself. I take my hint from this line: > the joke of course may be that detweiler could have > been dead for a long time, and people here would > still be blaming him for their problems. perhaps > we have a new convenient substitute for Satan in > the cyberspace age. "the detweiling made me do it." > (hee, hee). "projection" was identified by freud ^^^^^^^^^^^ > in another century as a basic device of the ego, > a pity that few in our modern era are aware-- or > perhaps it is not such a pity from detweiler's > perspective. > > (p.s. I imagine quite a few people will accuse "me" of > being detweiler. I assure you my amusement will at least > exceed or match that which detweiler ever obtained.) ... Which could have been put there on purpose. You Never Know... ;-). All this and the fact that he now wants to convert his name into a verb. Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From jemmett at goodnet.com Sat Mar 23 09:33:57 1996 From: jemmett at goodnet.com (David Jemmett) Date: Sun, 24 Mar 1996 01:33:57 +0800 Subject: remove Message-ID: <199603231715.KAA15099@goodguy.goodnet.com> remove NOW Thanks GoodNet, LLC David Jemmett 602-303-9500 ext. 224 From tcmay at got.net Sat Mar 23 10:14:29 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 24 Mar 1996 02:14:29 +0800 Subject: "Look to the skies!" Message-ID: I urge any of you haven't to look at Comet Hyakutake tonight or in the next few days. While this has nothing to do with "crypto," it is a sufficiently impressive sight that I urge you to check it out. If you have children, all the more reason to. It could spark an interest in science in some young child otherwise preoccupied with memorizing the words (all 7 of them) to "Gangsta's Paradise." Newspapers are carrying sky charts, and the Web has numerous charts (one I've been using is http://wkuweb1.wku.edu/Dept/Academic/Ogden/Phyast/k5_.htm). By around midnight last night it was overhead, near Arcturis and almost in a straight line with the Big Dipper's handle. (The comet is moving generally from Bootes toward Polaris, the North Star, so it will be visible most of the night, rotating around Polaris as the constellations rotate--as the Earth rotates, of course.) Don't rely on this description to try to find it--consult a star chart specifically intended for finding the comet. The moon is setting early, with the sun, so skies are optimum for seeing it. A dark location is of course best. City lights will make the tail hard or impossible to see, though the comet core itself is a bright object and should be visible anywhere even a handful of stars are visible (but you may not realize you're looking at a comet unless you can see the tail). Binoculars are great (I'm using 7 x 50 and 14 x 70), but the comet and its tail is a naked-eye subject in dark skies. I found the tail to extend several fist-widths at arm's length. The tail was visible with the naked eye. Pretty impressive. Tim says: "Check it out!" --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From teddygee at visi.net Sat Mar 23 10:17:11 1996 From: teddygee at visi.net (Ted Garrett) Date: Sun, 24 Mar 1996 02:17:11 +0800 Subject: LET'S ROCK!!!! Message-ID: <2.2.32.19960323175759.0074962c@mail.visi.net> At 07:26 AM 3/22/96 -0600, you wrote: >Ok, here is the situation. I have a person mad at me in one of my mailing >lists. Turns out, this person was the owner of the mailing list! Well now >I'm stuck, knocked out of the list. The owner can not see any of my mail, >no matter how hard I try. I need some ideas to eather get through to her, >or really fuck up the mailing list. Seems to me that you could set up a pseudonymous account, then mail the list owner from that account. She'll get you first couple of messages before she realizes it's you. If you can be persuasive enough in these messages that she'll re-instate you on the list, you're good to go. If she doesn't decide to re-instate you, set up an alias somewhere, and subscribe to the list using that alias. Fucking up the mailing list is NOT something you should even consider. Childish and irresponsible behavior is seldom a means of gaining respect. --------------------------------------------------------------------------------------------------------- Ted Garrett http://www.visi.net/~teddygee "Those who desire to give up Freedom in order to gain Security will not have, nor do they deserve, either one." Thomas Jefferson From jf_avon at citenet.net Sat Mar 23 10:36:06 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Sun, 24 Mar 1996 02:36:06 +0800 Subject: e-cash FAQ anywhere? Message-ID: <9603231819.AB04841@cti02.citenet.net> Could anybody tell me where I can find a FAQ or some primer on e-cash? I recently played with magic money but I would like to learn more about the various concepts. Thanks JFA Public Key at http://w3.citenet.net/users/jf_avon Jean-Francois Avon 2048 bits key ID:C58ADD0D 1996/03/01 fingerprint=52 96 45 E8 20 5A 8A 5E F8 7C C8 6F AE FE F8 91 From jf_avon at citenet.net Sat Mar 23 10:38:51 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Sun, 24 Mar 1996 02:38:51 +0800 Subject: e$'s (mini-rant) Message-ID: <9603231819.AA04841@cti02.citenet.net> Jeff wrote: > Hi! I do not know about monetary systems and US laws, but I think that a national currency has it's role. I also think that it should be backed by a physical agreed-on value such as gold, to prevent the government of the day to tamper with the monetary system. But what I think is very wrong with the actual system is the govt control over all other systems. Have you ever tried to raise capital for a technological venture lately? The govt enforces with its own guns a monopoly in favor of certain peoples we call stock brokers. The SEC and their counterparts in most countries is a nightmare to anybody who has a good idea, the knowhow to develop it and no taste for "smart" scheming with money. The SEC rules ultimate result is that it permits peoples to acquire money without accomplishing any productive work related to the creation of that money. I do not mean to say that the broker job is wrong, but the government gun that backs them up is. E-cash might be or might not be a violation of the current rules, I have no ideas. But I see infinite possibilities to finance small idea/knowledge rich and capital poor ventures.... I just downloaded magic money yesterday night and played with it long past bedtime. JFA Public Key at http://w3.citenet.net/users/jf_avon Jean-Francois Avon 2048 bits key ID:C58ADD0D 1996/03/01 fingerprint=52 96 45 E8 20 5A 8A 5E F8 7C C8 6F AE FE F8 91 From teddygee at visi.net Sat Mar 23 11:05:23 1996 From: teddygee at visi.net (Ted Garrett) Date: Sun, 24 Mar 1996 03:05:23 +0800 Subject: New Beta Test of PGPfone available WINDOWS '95 Included! Message-ID: <2.2.32.19960323184919.00763830@mail.visi.net> At 08:56 PM 3/22/96 GMT, you wrote: >jis at mit.edu (Jeffrey I. Schiller) writes: >>We have finally released a Windows '95 version of PGPfone. This release >>includes PGPfone for Macintosh version 1.0b6 and PGPfone for Windows '95 >>version 1.0b1. Note: The Macintosh version does not talk to earlier versions. >>However the Macintosh and Windows version talk to each other! > >Will there ever be a Win32s version of PGPfone? I have one of those systems >with non-(MS)DOS partitions that MS-DOS/Wind95 doesn't like, so until MS can >deal with the fact that people use other OSs, I'm staying clean of Win95. Windows95 doesn't complain at all about other operating systems resident on your machine, nor does it invalidate partitions which it can't read. You just can't access the partitions. --------------------------------------------------------------------------------------------------------- Ted Garrett http://www.visi.net/~teddygee "Those who desire to give up Freedom in order to gain Security will not have, nor do they deserve, either one." Thomas Jefferson From proff at suburbia.net Sat Mar 23 11:43:53 1996 From: proff at suburbia.net (Julian Assange) Date: Sun, 24 Mar 1996 03:43:53 +0800 Subject: ar380-5.aip.html Message-ID: <199603231914.GAA14103@suburbia.net> AR 380-5 Appendix H Classified Document and Materiel Storage Standards and Information AR 380-5 Section I Minimum Class A, B, and C Vault Construction Standards AR 380-5 H-1. Consolidated masonry vault specifications These specifications are given in table H-1. =============================================================================== ================= Class Approved storage lev- Thicknesses el Floors Walls Ceiling A TOP SECRET 8"RC(1) 8"RC 8"RC B SECRET 4"RC 8"(2) 4"RC C CONFIDENTIAL 4"C(1) 8"(3) 4"RC ------------------------------------------------------------------------------- ----------------- Legend: RC = Reinforced concrete; C = Concrete without reinforcement Notes: (1) All concrete used in vault construction will be monolithic cast in place, Class A, con- forming to US Army Corps of Engineers Specification C.E. 204 (minimum compressive strength of 3000 psi after 28 days of aging). Reinforcing will be by minimum 5/8-inch diameter steel rein- forcing bars (rebars) laid a maximum of 6 inches on centers, creating a cross-hatched steel curtain, to be sandwiched at half thickness of the concrete, parallel to the longest surface. Rebars will be anchored or imbedded in all contiguous walls/surfaces. (2) Class B vault walls will be constructed of masonry at least 8 inches thick, such as brick or concrete block employing adequate bond. Hollow masonry, only of the vertical cell (load bearing) type, can also be used, but if used, each cell will have from ceiling to floor 1/2-inch diame- ter or larger rebar inserted, and then be filled with pea gravel and Portland cement grout. Rebars will be anchored in both floor and ceiling to a depth of at least 4 inches. In seismic areas, 6-inch or thicker RC will be required. (3) Class C vault walls will be constructed of thick-shell concrete block or vertical cell clay tile and be not less than 8 inches thick. In seismic areas, 6-inch or thicker RC will be used. =============================================================================== ================= AR 380-5 H-2. Lightweight alternate Class A vault specifications Interim lightweight alternate class A and B vault specifications (for use above ground level only). Where building structural design factors preclude the use of a standard class A or B vault design at above ground level locations, a modular vault-ASTM type I, U.L. class-M approved under ANSI/UL Standard 608, dated 27 June 1983 or later, may be used. Until final testing of this product is completed, it will not be used in lieu of the conventional designed vaults, at or below grade. Existing steel lined rooms, built to previously approved specifications, will continue to be approved for use, but further construction of steel liners will be deferred in favor of the above specified ANSI/UL Standard 608 product. AR 380-5 H-3. Doors for both methods of vault construction The vault will be equipped with an approved vault door of the type presently listed on the Federal Supply Schedule. The Class 5 vault door will be used with reinforced concrete vaults. Where weight of construction is a factor and a steel-lined vault is used, a Class 6 vault door may be used, if obtainable. Normally, a vault should have only one entrance. When a vault exceeds 1,000 square feet of floor space or has more than eight occupants, it should have a minimum of two exits (one of which will be the entrance) for safety purposes. When more than one entrance is required, each must be equipped with the approved door, but only one door will be used for normal access. The use of a vault door for controlling movement into and out of a facility is not authorized as this continued use will create undue wear on the door and will eventually weaken the locking mechanism and cause malfunctioning. Therefore, a vestibule should be constructed at the entrance with an access door to achieve control when the vault door is open. Where building codes require that the vault entrance meet a specified fire rating, the vestibule and its access door must be of the required fire rating. Where permissible, the vault door optional day gate may be employed as the entrance control in lieu of the above vestibule. There will be no windows in a vault, and all ventilator openings or other access routes into the vault will be properly treated to deny unauthorized access. Sound attenuation will be fully employed and where inadequate, white noise masking will be added to prevent classified discussions from being overheard. AR 380-5 H-4. Additional security safeguards for vaults All vaults designated Class A or B will have intrusion and fire protection. In addition, when a vault is unattended, the areas contiguous to such vault will be supervised either by frequent routine guard patrols or electronic means so as to increase the depth of security and to allow early detection of trespass. Detection of trespass outside the vault is preferred to detection of vault penetration, since response to the former should preclude the latter. Detection systems that indicate attempted penetration (such as vibration sensors) are acceptable, provided they allow adequate response time before actual barrier violation. AR 380-5 H-5. Security assistance If requested in writing, additional technical advice and guidance relative to vault security problems, may be obtained from the Commander, Intelligence Materiel Activity (IMA), ATTN: AMXIM-PS, Fort Meade, MD 20755. AR 380-5 Section II Security Upgrading Via Construction-Buildings, Offices, and Rooms AR 380-5 H-6. Approved standards for security upgrading The following guidance is offered as a norm against which- a. To evaluate the adequacy of existing structural security safeguards. b. To provide security guidance for new construction in areas which will contain activities and material of foreign intelligence interest. AR 380-5 H-7. Hardware Heavy-duty builder's hardware should be used in construction, and all screws, nuts, bolts, hasps, clamps, bars, 2-inch-square mesh of No. 11 wire, 18-gauge expanded metal screen, hinges, pins, etc., should be securely fastened to preclude surreptitious removal and ensure visual evidence of tampering. Hardware accessible from outside the area should be peened, pinned, brazed, or tack-welded to preclude removal. The term ""2-inch-square mesh of No. 11 wire,'' which meets the requirements of Federal Specification RR-F-191d, 17 June 1965, hereinafter shall be referred to as ""wire mesh.'' AR 380-5 H-8. Interior walls Construction should be plaster, gypsum wallboard, metal panels, hardboard, wood, plywood, or other opaque materials offering similar resistance to, and evidence of, unauthorized entry into the area. If insert-type panels are used, a method should be devised to prevent the removal of such panels without leaving visual evidence of tampering. Area barriers up to a height of 8 feet should be of opaque or translucent construction where visual access is a factor. If visual access is not a factor, the area barrier walls may be of wire mesh or other nonopaque material offering similar resistance to, and evidence of, unauthorized entry into the area. AR 380-5 H-9. Windows Window openings 18 feet or less from an access point (for example, another window outside the area, roof, ledge, door, and so forth) should be fitted with 1/2-inch bars (separated by no more than 6 inches), plus crossbars to prevent spreading, or 18-gauge expanded metal screen, or wire mesh securely fastened on the inside. When visual access is a factor, the windows should be kept closed and locked at all times, and also should be made translucent or opaque by any practical method such as painting or covering the inside of the glass. During nonduty hours the windows should be closed and securely fastened to preclude surreptitious removal of classified material. AR 380-5 H-10. Doors Doors should be substantially constructed of wood or metal. When windows, panels, or similar openings are used in the door, they should be secured with 18-gauge expanded metal screen or wire mesh securely fastened on the inside. If visual access is a factor, the windows should be translucent or opaqued. When doors are used in pairs, a mullion insert anchored top and bottom should be installed between the doors. AR 380-5 H-11. Door louvers or baffle plates When used, they should be reinforced with 18-gauge expanded metal screen, or wire mesh fastened inside the area. AR 380-5 H-12. Door locking devices a. Entrance doors should be secured with either a GSA-approved built-in, three-position, dial-type, changeable combination lock; a GSA-approved combination padlock (per paragraph 5-101) as amended and as specified in paragraph 5-102d; a key-operated padlock or locking device with high security cylinder and hasp (see figure H-1) as described in the same paragraph; or a built-in 1-inch throw, deadbolt lock equipped with the GSA-approved high- security cylinder; or preferably a combination of these. Other doors should be firmly secured from the inside with a panic bolt (actuated by a panic bar), a deadbolt, a rigid wood or metal bar (fitted to preclude ""springing''), extending across the width of the door and held in position by solid clamps, preferably on the door casing, or other means approved by the cognizant OPSEC Support Unit and Fire Marshal. b. The new High-Security Padlock approved July 1982 became available within the supply system late fall 1982. It has the same Federal Stock Number as the Sargent and Greenleaf (S&G) Model 831B Padlock, which is being phased out of service. AR 380-5 H-13. Ceilings Ceilings should be constructed of plaster, gypsum wallboard material, panels, hardboard, wood, plywood, ceiling tile, or other material offering similar resistance to and detection of unauthorized entry. Wire mesh, 18-gauge expanded metal screen, or other nonopaque material offering similar resistance to, and evidence of, unauthorized entry into the area may be used if visual access to classified material is not a factor. When wall barriers do not extend to the ceiling, and a false ceiling is used, this false ceiling should be reinforced with wire mesh or 18-gauge expanded metal screen, alarmed and otherwise secured with heavy-duty builder's hardware. (This measure also applies when panels are removable, and entry can be gained into the area without visible detection.) When wire mesh or expanded metal screens are used, they must be secured to adjoining walls in a manner which precludes removal without leaving evidence of tampering. In those instances where barrier walls of an area extend to a solid ceiling, there is no need to reinforce a false ceiling; however, an Intrusion Detection System (IDS) should monitor this otherwise unobserved area. AR 380-5 H-14. Ceilings (unusual cases) It is recognized that instances may arise where activities have a valid justification for not erecting a solid suspended ceiling as part of the area, especially in high-ceiling hangars. The activity may contend that the use of a suspended ceiling is impractical because of production methods, such as the use of overhead cranes for moving bulky equipment within the area. Cases also exist where the air conditioning system may be impeded by the construction of a solid suspended ceiling (such as ADP centers). At times, even the height of the classified material may make a suspended ceiling impractical. In such cases, special provisions should be made to ensure that surreptitious entry cannot be achieved by entering the area over the top of the barrier walls (for example, employ approved intrusion detection systems, sensors, and more frequent guard patrols). Areas of this type should be closely scrutinized to ensure that the structural safeguards are adequate to preclude entry via adjacent pipes, catwalks, and ladders, or to preclude observation, if visual access is a factor. AR 380-5 H-15. Miscellaneous openings Where ducts, pipes, registers, sewers, and tunnels are of such size and shape as to permit unauthorized entry (in excess of 96 square inches, for example), they will be secured by 18-gauge expanded metal screen, wire mesh, or where more practical steel bars at least 1/2-inch in diameter with a maximum space of 6 inches between the bars. The steel bars will be securely fastened at both ends to preclude removal, and will have 1/4-inch thick by 1-1/2-inch wide steel crossbars at 18-inch intervals to prevent spreading. When wire mesh, expanded metal screen, or steel bars are used, installation should ensure that classified material cannot be removed through the openings with the aid of any type of instrument. Care also will be taken to ensure that a barrier placed across any waterway (sewer or tunnel) will not cause clogging or offer obstruction to the free flow of water or sewage. AR 380-5 H-16. Approved alarm systems Information and limitation on use of approved intrusion detection systems, both commercial and DOD J-SIIDS equipment, can be found in DIA Manual 50-3, chapter III, dated 2 May 1980. Model designations of items specifically approved for use in protection of U.S. classified information and material are provided in that chapter, along with other pertinent information. All detailed information relative to an alarmed area and the electronic system protecting its classified defense information or materiel (i.e., electrical diagrams indicating wire runs, sensor and control placements, as well as sensor types and area of coverage, floor plans, and photographs revealing the position or existence of such items within the area), will be tightly controlled and marked For Official Use Only. Figure H-1. New high-security padlock  From maldrich at grctechs.va.grci.com Sat Mar 23 11:54:17 1996 From: maldrich at grctechs.va.grci.com (Mark Aldrich) Date: Sun, 24 Mar 1996 03:54:17 +0800 Subject: Digital Signature Inititiative In-Reply-To: Message-ID: On Fri, 22 Mar 1996, Stuart Theodore wrote: > * regarding the mac question - there already is a version of Internet > Explorer for the Macintosh, available for download at > www.microsoft.com/ie. Microsoft is has already announced its committment > to building cross-platform internet products. If this is the case, then why did you discontinue Mac support for your own MAPI standard? While the ability exists to bind cryptographic protocols onto your MS Mail a/o Exchange via MAPI (as we have done), you trashed MS Mail for the Mac. Star Nine doesn't even have the ability to port MAPI onto the Mac, even though you sold them the rights to MS Mail server software for that platform. You have crippled the interoperability of your so-called messaging standard between the Mac and Windows platform, thus preventing third party developers (such as myself) from being able to incorporate the use of different cryptographic engines seamlessly across your product line. Now you say, "Microsoft is [sic] has already announced its committment to building cross-platform internet products." Excuse me, but this is exactly the same thing you used to say about cross-platform messaging products (before you woke up to the Internet). Now, whenever I have to put together a messaging system or O/A environment that requires cryptographic protections, I tell my clients to avoid MS like the plague. Hell, I'd rather work in VIM than deal with this "MS commitment" that turns out to be empty lies and marketing hype. Forgive me if I, and any number of other people, assign no merit whatsoever to any so-called "commitment" from MS, particularly in regard to security and standards issues. ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From maldrich at grctechs.va.grci.com Sat Mar 23 12:07:13 1996 From: maldrich at grctechs.va.grci.com (Mark Aldrich) Date: Sun, 24 Mar 1996 04:07:13 +0800 Subject: NT's C2 rating In-Reply-To: <199603230800.AAA24157@netcom6.netcom.com> Message-ID: On Sat, 23 Mar 1996, Bill Frantz wrote: > At 5:11 PM 3/22/96 -0600, Rick Smith wrote: > >The big deal is that few vendors have tried to get NCSC evaluations. > > We walked KeyKOS a long way down the path to a B2 rating. Our investors > refused to fund the estimated $1 million it would cost to do all the > paperwork. They felt there was no market for NCSC secure systems. Perhaps > others felt the same way. Hopefully, with the Common Criteria replacing the Orange Book (pray, this year), you'll now be able to evaluate against a profile for a lot less money. And, believe it or not, customers will actually get security products they need instead of another instance of the Bell-LaPadula model crafted to military specs. ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From Chris.Claborne at SanDiegoCA.ncr.com Sat Mar 23 12:38:09 1996 From: Chris.Claborne at SanDiegoCA.ncr.com (Chris Claborne) Date: Sun, 24 Mar 1996 04:38:09 +0800 Subject: San Diego Cypherpunks Physical Meeting Message-ID: <2.2.32.19960323202431.0038d320@opus.SanDiegoCA.ATTGIS.com> San Diego Area CPUNKS symposium Thursday, March 28, 1996 Invitation to all Cypherpunks to join the San Diego crowd at "The Mission Cafe & Coffee Shop" were I hope to get an update of Lance Cottrell's anonymous e-mail server, "mixmaster", exchange keys, and discuss other topical CP stuff. There's always the semi-topical discussions; Internet Service Provider in San Diego (providing, anonymous remailers and other privacy services), stelth communications, latest Cypherpunk goings-on, Internet happenings. Don't forget to bring your public key fingerprint. If you can figure out how to get it on the back of a business card, that would be cool. Place: The Mission Cafe & Coffee Shop 3795 Mission Bl in Mission Beach. 488-9060 Time:1800 Their Directions: 8 west to Mission Beach Ingram Exit Take west mission bay drive Go right on Mission Blvd. On the corner of San Jose and mission blvd. It is located between roller coaster and garnett. It's kind of 40s looking building... funky looking (their description, not mine) They serve stuff to eat, coffee stuff, and beer. See you there! New guy, bring your fingerprint. Drop me a note if you plan to attend. 2 -- C -- ... __o .. -\<, Chris.Claborne at SanDiegoCA.ATTGIS.Com ...(*)/(*). CI$: 76340.2422 http://bordeaux.sandiegoca.attgis.com/ PGP Pub Key fingerprint = A8 FA 55 92 23 20 72 69 52 AB 64 CC C7 D9 4F CA Avail on Pub Key server. Dreams. They're just screen savers for the brain. From alano at teleport.com Sat Mar 23 12:53:40 1996 From: alano at teleport.com (Alan Olsen) Date: Sun, 24 Mar 1996 04:53:40 +0800 Subject: New Beta Test of PGPfone available WINDOWS '95 Included! Message-ID: <2.2.32.19960323204011.009396d4@mail.teleport.com> At 01:49 PM 3/23/96 -0500, Ted Garrett wrote: >>Will there ever be a Win32s version of PGPfone? I have one of those systems >>with non-(MS)DOS partitions that MS-DOS/Wind95 doesn't like, so until MS can >>deal with the fact that people use other OSs, I'm staying clean of Win95. > >Windows95 doesn't complain at all about other operating systems resident on your >machine, nor does it invalidate partitions which it can't read. You just can't access >the partitions. Win95 does alter the Master Boot Record on the drive. This tends to screw up previously installed boot managers. Reinstalling lilo (or whatever boot manager you use) usually does the trick. (The MBR changes do not seem to be a requirement. I have no idea why they do it. Maybe to make sure that you use *ONLY* Mr. Bill's OS.) I get around the problem by having removable drives. (Each one with a different OS.) Avoids having to deal with the chance of messing up all of my operating systems at once... --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From jamesd at echeque.com Sat Mar 23 13:13:19 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Sun, 24 Mar 1996 05:13:19 +0800 Subject: LET'S ROCK!!!! Message-ID: <199603232050.MAA06804@mail1.best.com> At 07:26 AM 3/22/96 -0600, WThinker wrote: > Ok, here is the situation. I have a person mad at me in one of my mailing > lists. Turns out, this person was the owner of the mailing list! Well now > I'm stuck, knocked out of the list. The owner can not see any of my mail, > no matter how hard I try. I need some ideas to eather get through to her, > or really fuck up the mailing list. > > Any ideas? Life is short. Get a life. Of course you could simply spoof the identity of someone else in order send some exit mail. use the port 25 trick. A parting shot will work wonders, by alerting others that their views are likely to be censored, thus discouraging them from posting on the list, thus causing the list to die, but if you actually put serious work into this and make a big effort to keep up a conversation and keep on going and going then you are a total loon. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From stewarts at ix.netcom.com Sat Mar 23 13:44:45 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 24 Mar 1996 05:44:45 +0800 Subject: (X:x)e$ 's other use Message-ID: <199603232131.NAA10965@ix9.ix.netcom.com> Hi, Gary - actually this comes up every 3-6 months. There are some fundamental problems with the using e$ as a new currency. At 02:33 AM 3/22/96 -0600, you wrote: >e$ would be a sound money replacement for the corrupt currency that >every large state in the world currently pushes. Especially if e$ >can be redeemed in something of real value on demand. E$ is a fine medium for exchanging certificates of whatever it is you're trying to certify, just as paper with pictures of dead politicians is. Printing paper is easy, and it's easy to add lots of zeros when you do. Printing 1s and 0s is also easy, and there are plenty of zeros out there. Digging shiny malleable ductile yellow metal out of the ground is harder. The tough part, with all these media, is getting somebody to give you real stuff in return for a certificate that claims to be worth 1000. The three basic ways certificate-issuers have done this are 1) Guarantee that they'll give you stuff or services in return 2) Convince a lot of people to exchange stuff or services for them, so you can usually redeem them without going to the bank 3) Threaten to beat people up if they don't accept them. Method 1 works if people trust you and you've got stuff to sell. Subway tokens and postage stamps have been used as money because most people want to ride subways and mail letters, and the subway and mail-carrying companies were big enough that you'd expect to be able to redeem them before the companies went out of business (or you moved out of town), so you can spend some money safely. Note that this method works both for stuff you have on hand, like shiny metal, or for services you're promising to do later and will have to get resources for. Banknotes work because well-behaved banks only issue enough promises to deliver shiny metal to cover the amount of metal they have; if they start making more promises than they can deliver on, the market gets annoyed at them and people stop accepting their paper in return for goods and services, and stop giving them shiny metal in return for convenient paper, and Method 2 fails for them. But if banks keep their promises, people trust them, and they make money. This works both in free markets and in government-controlled markets. As long as the banks are _honest_ about their policies for issuing notes, it doesn't matter if they're doing fractional reserve or printing the stuff outright; you can decide how much to trust them, or whether to do all your transactions with shiny metal. Method 3 you'll recognize. There'd be nothing wrong with the Federal Reserve if they only used methods 1 and 2; individual consumers can decide whether to trust them not to print a lot more zeros than they should. And they don't have a monopoly on currency - there are some kinds of taxes that apply to some private currencies, but you can go into the average bank today, ask them to write a cashier's check to someone (and probably still to "bearer"), pay them, and they'll be happy to do it for only a small commission, and American Express will do it as well. And people will take their paper, though in the case of traveller's checks it's sometimes a hassle to accept on an occasional basis. On line, of course, it's tough to use metal as a way to pay people, so technologies like e$ are necessary. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissible." - US government statement on China... "SigFiles of Unusual Size? I don't believe they exist!" From weidai at eskimo.com Sat Mar 23 13:54:38 1996 From: weidai at eskimo.com (Wei Dai) Date: Sun, 24 Mar 1996 05:54:38 +0800 Subject: Java questions Message-ID: There has been a lot of discussion on coderpunks about implementing cryptography in Java. This got me thinking. We don't see every C++ compiler using the same back end. So why is everyone licensing Sun's Java implementation? As a consequence of this if there is a bug in Sun's implementation, then that bug exists in every Java implementation. Imagine a future scenario where a virus/worm takes advantage of a single Java bug and infects 90% of all computers attached to the Internet overnight. There may not be much we can do about this, but we should at least be more aware of the possibility. On a more positive note, has anyone thought of writting a remailer server or client in Java? It would be really nice if we could run or use a remailer by clicking a link on the web. Wei Dai From wlkngowl at unix.asb.com Sat Mar 23 14:46:41 1996 From: wlkngowl at unix.asb.com (Mutatis Mutantdis) Date: Sun, 24 Mar 1996 06:46:41 +0800 Subject: Noise sphere graphical tests of randomness Message-ID: <199603232243.RAA07378@unix.asb.com> I've got a short program for the PC (w/TPascal source) that plots a noise sphere from a file of (pseudo) random data, if anyone is interested. Requires a VGA card that handles mode 5Fh (640 x 480, 256 color) though the source can be eaily recompiled to use something else, or standard Borland Graphics drivers. Send a reply with the subject "send nsphere" or check ftp.funet.fi in the /pub/crypt/random directory in a few days [the ftp site would be easier on my mailer ;] The source has a brief explanation of what noise spheres are and a reference to the Pickover article the program was based on. The source code is not copyrighted, and it would be nice to see it ported to other systems, or maybe a portable C version that writes the output to a .PCX file in RBG(?). [I'm not that fluent in C to write one...] I've gotten some *very* interesting results. Raw samples collected from fast timings between Windows message broadcasts do nicely with some of the randomness tests (compressability, Maurer, chi-sq) but clearly plots a spiral. Raw samples from the keyboard don't do as nicely in other tests (~50% compressability, <6 bits/byte Maurer, and "non-random" in chi-squared] but in the plot no discernable pattern shows up.... similar to plotting the output from /dev/urandom [even when /dev/urandom was configured *not* to use keyboard...] Needless to say this will affect sampling methoids in the next version of NOISE.SYS. take care, Rob --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From JonWienke at aol.com Sat Mar 23 14:48:28 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Sun, 24 Mar 1996 06:48:28 +0800 Subject: protection on IoMega ZIP drives Message-ID: <960323172854_254143352@emout05.mail.aol.com> In a message dated 96-03-23 05:19:55 EST, it was written for God and everyone to see: >> Has anyone tried SFS? It should work on the zip drive, though I've not >> tried it (yet)... > >If I recall some recent threads on alt.security.pgp (or sci.crypt?), >SFS doesn't work on ZIP drives (since ZIPs use the parallel port...). > >[Or do ZIPs use Scuzzies and the people who had problems were just >too lame to figure out that they had to load the driver before SFS?] The Syquest EZ drive (130MB twice as fast as the ZIP, a little cheaper too--around $200 for an internal drive and cartridge, with additional carts around $20, and a 1 GB version available for $500, + $100 / additional cartridge) comes in IDE, SCSI, and parallel flavors. You can get an internal IDE drive and DOS doesn't know or care that you can replace the cartridge. You can DoubleSpace the drive, (I have personally done this) so you should be able to SecureDrive it too. It is a full fledged IDE (or SCSI) drive. Jonathan Wienke From mch at squirrel.com Sat Mar 23 16:14:39 1996 From: mch at squirrel.com (Mark C. Henderson) Date: Sun, 24 Mar 1996 08:14:39 +0800 Subject: protection on IoMega ZIP drives Message-ID: <199603240002.QAA04583@squirrel.com> On Mar 23, 17:28, JonWienke at aol.com wrote: } The Syquest EZ drive (130MB twice as fast as the ZIP, a little cheaper } too--around $200 for an internal drive and cartridge, with additional carts } around $20, and a 1 GB version available for $500, + $100 / additional } cartridge) comes in IDE, SCSI, and parallel flavors. You can get an internal } IDE drive and DOS doesn't know or care that you can replace the cartridge. } You can DoubleSpace the drive, (I have personally done this) so you should } be able to SecureDrive it too. It is a full fledged IDE (or SCSI) drive. The SCSI version of the ZIP drive is a "fully fledged" SCSI drive. I use one on a Sun workstation without any special software/drivers, and secure the ZIP disks with CFS. It isn't terribly fast, but one hardly notices when one is dealing with the overhead of encrypting and decrypting the data anyway. -- Mark Henderson -- markh at wimsey.bc.ca, mch at squirrel.com, henderso at netcom.com ViaCrypt PGP Key Fingerprint: 21 F6 AF 2B 6A 8A 0B E1 A1 2A 2A 06 4A D5 92 46 unstrip for Solaris, Wimsey crypto archive, TECO, computer security links, change-sun-hostid, Sun NVRAM/hostid FAQ - http://www.squirrel.com/squirrel From markm at voicenet.com Sat Mar 23 18:13:43 1996 From: markm at voicenet.com (Mark M.) Date: Sun, 24 Mar 1996 10:13:43 +0800 Subject: Free speech debate on MSN Encarta In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sat, 23 Mar 1996, Joe Block wrote: > This is easily done from a technical standpoint. There is a set of patches > for the CERN server that lets you have it automatically delete > advertisments from certain prominent sites (used to be called NoShit, I > heard they changed the name) when you're running in proxy mode. You can > even have it change profanity into "EXON EXON" on the fly. Running > something like this is probably a good thing for the ISP as running a cache > will allow them to get more mileage out of their net connection. > > However, I don't think it likely that many ISPs will go this route from a > liability point of view - if some parent is paying them to filter out smut, > and little Zippy finds a brand new x-rated site, chances are some irate > parent will sue them. With the proliferation of new pages, it is > impossible for anyone to keep up, unless the authors voluntarily include > some smutscan codes in their pages. Couldn't the proxy be configured to deny access to all "unrated" pages? Of course, this would mean that some kind of standardized web page rating system be devised; however, I think there are already several proposals for rating schemes. BTW, does anyone know how such a proxy system could be used in all Internet traffic, not just the web. It is not very difficult to get a gopher client or telnet client to communicate with a web server, bypassing any access restrictions. ObCrypto: The next step would be a rating system using digital signatures and the proxy software being setup to trust certain signatures more than others. - --Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMVSsCbZc+sv5siulAQFJWQP/cA4Mmciv8u6InH/8cXU9aq36qLCKVUQT Y/uhpWJXfWd1gdv8+TanIYFj6oSoLSMCmqk/Q71bICajajrz1znyyNWT+S0X1hE/ maXQriu5CW1bj7ncA6L9Eb8Snk95ARiOSE2lPlfTcKq0jOwxsDVD6QrliBrYHpuW AuW5Ml57JUE= =z174 -----END PGP SIGNATURE----- From janimmo at ionet.net Sat Mar 23 18:32:40 1996 From: janimmo at ionet.net (Jeffrey A Nimmo) Date: Sun, 24 Mar 1996 10:32:40 +0800 Subject: Unused WWW and anon FTP space Message-ID: <3154e154.6119578@mail> Greetings Cypherpunks: I have no idea if this is the appropriate place or way to broach this topic, but I have a great deal of space on my account that is just going to waste. I am allowed a www page, and in a couple of weeks my shell space quota will be upgraded to 20 meg, with anon ftp capability. As I said, this is just going to waste, so I was wondering if anyone had some faqs, files, or whatever that they wanted to distribute or if anyone needed space for a web page. Frankly, I've never written an html document, but I suppose I could learn. Please respond directly, as I'm sure that the rest of the list doesn't want to hear the responses. ___ ( > /) /) __/_/> // // janimmo at ionet.net / / (__//__//_ <_/ /> /> janimmo at aol.com Hey Squatter! Have you found the hidden "hot" spots and registered to win the Shaq/Pepsi World's Slammin' Techno Dream Contest? Deadline to enter is March 31st, only a few days away. Don't miss out on your chance to win a $25,000 Gateway computer shopping spree and a trip to Orlando, Florida to meet Shaq and catch the Magic in action. All ya gotta do is find the hidden "hot" spots. Seem impossible? Well, here are a couple of hints: "Shaquille O'Neal is his name, Movies and basketball are his game. So cruise by La La Land or Adrenalin to give your luck a try, And find the ball that Shaq has left behind." "Twinkle, twinkle little star, 25 grand could go real far..." Good luck! From proff at suburbia.net Sat Mar 23 18:43:55 1996 From: proff at suburbia.net (Julian Assange) Date: Sun, 24 Mar 1996 10:43:55 +0800 Subject: email profit centre Message-ID: <199603240210.NAA28247@suburbia.net> Who wants to take this site down first? [http://unix.lgn.com/email.htm] GET A JUMP ON THE INTERNET TODAY, BEFORE YOUR COMPETITION DOES! Can you afford not to??? The Email'ers Profit Center * Increase market penetration * Great for Multi-Level marketing * Virtually no mailing expense * $$ Save money $$ You will have access to 500,000+ Email addresses * Make your product or service known to thousands of people. * Save money. (To mail postcards to 500,000 people would run you over US$95,000.00). The Email'ers Profit Center is a mailing list of over 500,000 email addresses, all gathered within the last six months. It is available on your choice of CD-ROM or 100meg ZIP disk. They both contain the list in ASCII and .dbf. FREE MONTHLY UPDATES VIA TELNET! THE LIST IS EXPECTED TO DOUBLE WITHIN SIX MONTHS! The list is $500 for your own unlimited use. You may not resell, rent or loan the listings to any other person or company. _________________________________________________________________ For more information contact George. Phone: (209)276-1707 or E-mail: bubba at lgn.com -- "I mean, after all; you have to consider we're only made out of dust. That's admittedly not much to go on and we shouldn't forget that. But even considering, I mean it's sort of a bad beginning, we're not doing too bad. So I personally have faith that even in this lousy situation we're faced with we can make it. You get me?" - Leo Bulero/PKD +---------------------+--------------------+----------------------------------+ |Julian Assange RSO | PO Box 2031 BARKER | Secret Analytic Guy Union | |proff at suburbia.net | VIC 3122 AUSTRALIA | finger for PGP key hash ID = | |proff at gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 | +---------------------+--------------------+----------------------------------+ From declan+ at CMU.EDU Sat Mar 23 20:05:35 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sun, 24 Mar 1996 12:05:35 +0800 Subject: CDA Court Challenge: Day #2 Message-ID: The DoJ also quizzed Donna Hoffman about anonymous remailers. They wanted to make sure that she wasn't an expert on them, had conducted no studies of remailers, and had collected no statistics on their use. -Declan ----------------------------------------------------------------------------- The CDA Challenge, Day #2 ----------------------------------------------------------------------------- By Declan McCullagh / declan at well.com / Redistribute freely ----------------------------------------------------------------------------- March 22, 1996 PHILADELPHIA -- At 2:21 pm today, one of the judges hearing our challenge to the Communications Decency Act finally "got it." "The folks in Luxembourg don't give a damn what our laws are. So my son, who's 10, can still view 'Sexy European Girls?'" asked U.S. District Court Judge Stewart Dalzell. "That's correct," replied Scott Bradner of Harvard University, who took the stand today to describe net.technology. Bradner told me afterwards he thought Friday's hearing went well -- he had come to Philadelphia to testify because this "is such an important issue." Judge Dalzell's remark hints that he, at least, is starting to understand the Internet -- and the consequences of the court's eventual ruling. This comes not a picosecond too soon for those of us who have been fidgeting in our seats, wincing as Department of Justice attorneys misuse technical terms and hoping the judges can sort through the cyberconfusion in just six days of hearings. Dalzell has a keen sense of humor and seems sympathetic to our arguments. In fact, I'd guess he's been doing some out-of-court web-surfing himself. In an _astounding_ question at the end of the day, he asked Bradner: "Isn't it true that the exponential and incredible growth of the Internet came about because the government kept their hands off of it?" Bradner gladly agreed. (What else would he say?) The other two judges aren't quite as reflective. In an incomprehensible decision last month, Judge Ronald Buckwalter granted us only a _partial_ restraining order preventing the Feds from enforcing the CDA. Now he's justifying his original mistake by taking a critical stance during this hearing -- that is, when he's not dozing. During one of his more alert moments, Buckwalter asked if labeling all online content is possible: "Your problems are technical and financial? If thse problems are solved and we agree on the definition of indecent, is it possible?" "Yes, it is," our witness replied. Buckwalter also asked earlier: "What do you mean by saying the Internet is a very democratic medium? Isn't there someone who steers discussion?" As proof, he held up a copy of a recent Atlantic magazine article that claimed the most popular USENET newsgroups are moderated and are therefore "quasi-authoritarian." I suggested to our attorney, Chris Hansen from the ACLU, that he clarify what percentage of newsgroups were moderated. On redirect, Hansen posed that question to Donna Hoffman of Vanderbilt University. She replied that most newsgroups are unmoderated. Later, Bradner of Harvard University added that moderated newsgroups amount to less than 10 percent of the total. Dolores Sloviter is the third judge on the panel. As the chief judge of the U.S. Third Circuit Court of Appeals, she penned a sparkling decision upholding free expression in a phone sex case. In this hearing, Sloviter's questions are the most pointed and incisive. When Robert Cronenberger of Pittsburgh's Carnegie Library was testifying, Sloviter asked him if under the CDA "would something have to be removed from your collection?" Cronenberger replied: "We don't know. We would be afraid that someone might find something indecent or patently offensive." The Department of Justice attorneys are an interesting lot. Jay Baron is a short, heavyset man who tries hard to land roundhouse punches during cross-examination but instead comes across as prone to malapropisms. I think he was the DoJer who confused with and "ISP" with "IP address." Before the hearing resumed for the afternoon, I introduced myself to him. He recognized me as a plaintiff and said he included one of my articles on Marty Rimm as evidence (!) and used it during depositions. Tony Coppolino is more reserved and didn't say much when we chatted, except to say that his office is busy enough with this case that they won't be sending anyone to the Computers, Freedom and Privacy conference next week. I was impressed by the poise of Patricia Rosado, the DoJ's point person on porn. Yesterday she floated the MacKinnonesque theory that porn is harmful not just to minors, but also to women. Today she greeted our witnesses with a barbed, stinging cross-examination. Unfortunately for Rosado, she was up against Cronenberger, a likable gent who came across as a traditional librarian close to the judges' own ages -- not a net.geek like Donna Hoffman and Scott Bradner. (At one point, Judge Sloviter demanded that Bradner explain URLs and linking in English, not net-ese.) The judges gladly related to Cronenberger's description of the Net as a library -- finally, something they could grasp! The ACLU's Chris Hansen expanded on this in a brilliant redirect, pointing out that the concept extends beyond that of a traditional library, allowing a user to link "from the fourth floor of Wiedner Library in Boston to the third floor of the Carnegie Mellon University library in Pittsburgh." Rosado from the DoJ rallied with questions like: DoJ: "You can do a keyword search on the seven dirty words?" DoJ: "Would a search on Abraham Lincoln turn up articles about sex?" R.C.: "I've read many articles about his sex life, or lack of sex life. DoJ: "Would a search on travel turn up articles about sex?" DoJ: "Would a search on geology turn up articles about sex?" R.C. "Only if rock is put together with roll!" ) DoJ: "Would a search on food turn up articles about sex?" DoJ: "You exercise discretion as to what you make available. You don't carry everything, do you?" DoJ: "You select materials that reflect the local community standards?" Not surprisingly, the DoJ is trying to keep the hearing focused on porn and sex. (At least it keeps Buckwalter awake!) Not the truly extreme stuff that obscenity laws already ban online, but the softcore Playboy-style cyberpix that would be permitted in the absence of the CDA. The Justice Department asked Vanderbilt's Hoffman: DoJ: "You stated in your deposition that you were generally familiar with the web page called Bianca's Smut Shack?" Judge Dalzell immediately looked up, startled: "Bianca's WHAT?" DoJ: "Bianca's SMUT Shack." Judge Dalzell: "Oh, okay." Other DoJ questions included a passing reference to would-be cyberporn researcher Marty Rimm, who claimed that pornographers were using the Net to recruit customers. (Last month, the DoJ attached Rimm's study as an exhibit in their response to our complaint and cited it as evidence of the pervasiveness of nasty stuff on USENET.) Some examples: DoJ: "You will concede, will you not, that this law will not have a profound adverse effect [on password-protected smutty sites]?" DoJ: "Pornographers are using USENET newsgroups to advertise, are they not?" DoJ: "Tell us about bots and spiders." Judge Dalzell, trying hard: "That's an acronym, right?" My fellow plaintiffs are wonderful. Kiyoshi Kuromiya testified the first day, followed by Patricia Nell Warren. Warren and I had dinner on Thursday with Jonathan Wallace of the Ethical Spectacle; we talked about the political and social forces behind the push for the CDA. I asked Wallace why he came down from New York City -- he told me because "this is the most important free speech case in 60 years." Today I sat next to the DoJ's net.experts, who kept leaning forward to whisper technical data into the ears of the Justice Department's attorneys. One of the two experts was from Brigham Young University. The other was Steve Nesbitt from the Department of Defense. One or both likely will be testifying as expert witnesses for the DoJ, but Justice isn't releasing the list until April 3. Stay tuned for more reports. ----------------------------------------------------------------------------- We're back in court on 4/1, 4/12, 4/15, and 4/26. The DoJ will be taking depositions from our remaining witnesses the week of March 24. For more information and breaking updates, check out: http://fight-censorship.dementia.org/top/ To subscribe to the fight-censorship announcement list, send email with "subscribe fight-censorship-announce" in the body to: majordomo at sojourn.com Other relevant web sites: http://www.eff.org/ http://www.cs.cmu.edu/~declan/rimm/ http://www.cdt.org/ http://www.aclu.org/ ----------------------------------------------------------------------------- From jimbell at pacifier.com Sat Mar 23 20:34:49 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 24 Mar 1996 12:34:49 +0800 Subject: DAZ_zle Message-ID: At 10:53 PM 3/21/96 -0500, John Young wrote: > Foreign Affairs, March/April, 1996, features two policy > essays on "The Information Edge: A technological change is > transforming the nature of power and the United States is > clearly in the lead." [deleted] > He observes that misunderstanding of > revolutionary technology all too often has had unexpected, > disastrous, consequences: "A revolution in military affairs > is under way. It will require changes of a magnitude that > military people still do not completely grasp and political > leaders do not fully imagine." Sounds like this guy has been reading my stuff. From fletch at ain.bls.com Sat Mar 23 22:03:52 1996 From: fletch at ain.bls.com (Mike Fletcher) Date: Sun, 24 Mar 1996 14:03:52 +0800 Subject: Java questions In-Reply-To: Message-ID: <9603240538.AA12547@outland.ain_dev> > There has been a lot of discussion on coderpunks about implementing > cryptography in Java. This got me thinking. We don't see > every C++ compiler using the same back end. So why is > everyone licensing Sun's Java implementation? As a consequence of > this if there is a bug in Sun's implementation, then that bug > exists in every Java implementation. Imagine a future scenario Why does everyone licensing Microsloth's MS-DOS implementation? If (If :) there's a bug in MS's implementation, then that bug . . . . It's done, it's available, it (mostly) works. I believe that there's a Mac version called Roaster for Macs that even came out before Sun had a Mac port. > where a virus/worm takes advantage of a single Java bug and > infects 90% of all computers attached to the Internet overnight. > There may not be much we can do about this, but we should at > least be more aware of the possibility. But when we get signed classes you'll at least know whom to go after if it does. > On a more positive note, has anyone thought of writting a > remailer server or client in Java? It would be really nice if we > could run or use a remailer by clicking a link on the web. Client would be kinda difficult to do until there's a crypto lib available. Either that, or you'd have to load it from local disk so you could run PGP (the security model for applet hosts such as NS prevents exec'ing outside programs from code thats loaded from the network) which kinda defeats the purpose of doing it in Java (aside from a single cross platform front end). A server, being a stand alone app most likely, would be doable but again you'ld need a native PGP for the crypto. --- Fletch __`'/| fletch at ain.bls.com "Lisa, in this house we obey the \ o.O' ______ 404 713-0414(w) Laws of Thermodynamics!" H. Simpson =(___)= -| Ack. | 404 315-7264(h) PGP Print: 8D8736A8FC59B2E6 8E675B341E378E43 U ------ From llurch at networking.stanford.edu Sat Mar 23 23:32:21 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sun, 24 Mar 1996 15:32:21 +0800 Subject: detweiling In-Reply-To: Message-ID: On Sat, 23 Mar 1996, Robert Hettinga wrote: > At 6:18 AM 3/23/96, Rich Graves wrote: > > On Sat, 23 Mar 1996, Anonymous wrote: > >> > > > > Uh, Rich?... > > You've probably been detweiled by Detweiler himself. Gee, really? What makes you think so? > Someone around here has a concordance program, called MEDUSA, if I remember > right, which can spot Detweiler pretty well by statistical analysis of the > words he uses. Someone has a stylistic spoofing program, called markov, that can produce output triggering a positive on the MEDUSA test. One of the distributors of this program is (or was) qut at netcom.com. See the recent posts by "L. Detweiler" in alt.2600, news.groups, and news.admin.net-abuse.misc. This "L. Detweiler" seems to have failed to appreciate how frequently I write in conscious self-parody, especially as rich at c2.org. His analysis of the "detweiling" attack is largely correct, but he greatly overestimated my ego. It'll all come out soon enough, probably about the time the comet drops under the horizon. > > (p.s. I imagine quite a few people will accuse "me" of > > being detweiler. I assure you my amusement will at least > > exceed or match that which detweiler ever obtained.) > > > ... Which could have been put there on purpose. You Never Know... ;-). > > All this and the fact that he now wants to convert his name into a verb. Why not? I think it's a useful term. John Crapper's name will always be remembered; why not Detweiler's? I think he deserves that kind of recognition. -rich From gjeffers at ns.htc.net Sat Mar 23 23:36:37 1996 From: gjeffers at ns.htc.net (Gary Lee Jeffers) Date: Sun, 24 Mar 1996 15:36:37 +0800 Subject: e$'s (mini-rant) Message-ID: <9603240706.AA31508@ns.htc.net> e$'s (mini-rant) I have some thoughts on John Humphrey's post. I thought the big problem with E$ was with the clearing house. Is it the consensus that it is the e$ patents? If the problem is that the inventors are sitting on their patents, then why can't we just RIP THEM OFF$ When the patent system was started in the U.S., it was done for the population in order to stimulate the invention process and so improve the lot of the people. Invention is a SPECIAL kind of production. It is not normal mass property! Patents are only property because it is considered that they are of value to the people rather than the owners! Patents pro- cess was started to give property to patent "owners" in order to persuade the inventors to invent for the people. If an inventor "SITS ON A PATENT", then it is ABUSE OF PATENT! Fuck the patent owner! Fuck him with bells on! RIP HIM OFF! its a noble cause! If this has become a serious problem then finding techniques of riping off e$ patent owners is a moral and practical undertaking. Then it should be a topic of Cypherpunks. I am not sure that hoarding of patents is the main hinderance of useful e$. What do other Cypherpunks say? patents? workable e$ schemes! clearing- houses? P.S. Maybe doing private Internet business while hiding from the owner of the e$ patent will be a new privacy concern :-) P.P.S. Thoughts for a rip-off technique. Take a good private e$ tech., restate it in different terms, throw in a few changes, options, extras so it doesn't look so much like the original. Then offer it to the public with a variety of very low cost deals - especially for start-ups. By the time the original inventor gets you into court, you'll have a ton of money he'll have nothing and with our system of "justice" you can bury him. :-) Even if he "wins" - with your privacy skills you can take it with you and hide it - talk to Duncan Frissell. Note: You'll have the money to talk to Duncan, the original inventor won't. :-) P.P.P.S Why not just take the best features of several private e$ tech.s and make a hybrid? It wouldn't even be plaguerism! (sorry, I lost my dict- ionary). Central power is stolen freedom. THE UNITED STATES "FEDERAL" GOVERNMENT HAS NO LEGITIMACY. The United States "Federal" Government - We'll be even more American without it. PUSH EM BACK! PUSH EM BACK! WWWAAAYYYY BBBAAACCCCK! BBBEEEAAATTTT STATE! Gary Jeffers  From stewarts at ix.netcom.com Sun Mar 24 01:35:10 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sun, 24 Mar 1996 17:35:10 +0800 Subject: e$'s (mini-rant) Message-ID: <199603240924.BAA27180@ix5.ix.netcom.com> At 01:00 AM 3/24/96 -0600, Gary Lee Jeffers wrote: > e$'s (mini-rant) > I have some thoughts on John Humphrey's post. I thought the big problem >with E$ was with the clearing house. Is it the consensus that it is the e$ >patents? If the problem is that the inventors are sitting on their >patents, then why can't we just RIP THEM OFF$ Yes, it's the patents. Chaum owns them, and he's not Easy To Do Business With. On the other hand, a couple of banks _have_ recently started doing business with him - Mark Twain Bank in St. Louis, and Merita Bank in Finland - check the cypherpunks archives (www.hks.net / nntp.hks.net) for details. There were a couple of earlier attempts, in which one group discovered that there are an appalling number of banking laws which make it hard to get a real bank started, and another group discovered that it's much easier to be a Credit Union than a Bank under US banking law, but it's still hard to get a business model that's likely to make non-negative amounts of money that way. The reason you can't just rip them off (unlike, say, PGP's early relationships with RSADSI/PKP) is that electronic commerce can only work well if it's legitimate - if you want real businesses to deal with you, and real banks to handle money for you, they need to be assured that they won't lose their assets in a patent lawsuit. On the other hand, Doug Barnes posted some interesting articles on "agnostic banking", a variant on Chaum's digicash where the bank can run simpler digital cash protocols that don't violate Chaum's patent, but the bank can't tell whether the customer is using Chaum's blinded signatures or not, so the customer can rip off Chaum's intellectual property without the bank having to be knowledgeable or involved (nudge, nudge, wink, wink.) On a non-financial level, Chaum didn't complain about the Magic Money / Tacky Tokens demos that some of the cypherpunks did, and Digicash came out with a play-money version that some of us used before the commercial deal was done. > [patent rant] Yeah, yeah, many of us can rant against patents as well. Been there, done that, even invented stuff and found somebody else had previously invented and patented it. The League for Programming Freedom has some high-quality detailed patent rants, and if you give RMS a grant for airfare he'd probably be happy to go picket Chaum's company for you :-) As far as Chaum hoarding the patents, he's always been willing to deal, but since he's mostly an academic rather than a businessman, he's set a very high up-front price so little guys don't bother him, only mega-banks that will come now that he built it. I'd guess the prices the banks he's now dealing with paid are rather lower than that, but it's a start for getting real business to evolve. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissible." - US government statement on China... "SigFiles of Unusual Size? I don't believe they exist!" From frantz at netcom.com Sun Mar 24 02:18:48 1996 From: frantz at netcom.com (Bill Frantz) Date: Sun, 24 Mar 1996 18:18:48 +0800 Subject: (X:x)e$ 's other use Message-ID: <199603241007.CAA05877@netcom5.netcom.com> At 1:31 PM 3/23/96 -0800, Bill Stewart wrote: >Method 3 you'll recognize. There'd be nothing wrong with the Federal >Reserve if they only used methods 1 and 2; individual consumers can >decide whether to trust them not to print a lot more zeros than they should. >And they don't have a monopoly on currency - there are some kinds of >taxes that apply to some private currencies, but you can go into the >average bank today, ask them to write a cashier's check to someone >(and probably still to "bearer"), pay them, and they'll be happy to do it >for only a small commission, and American Express will do it as well. >And people will take their paper, though in the case of traveller's checks >it's sometimes a hassle to accept on an occasional basis. My experience in China in 1993 was that US Federal Reserve Notes were easy to use and American Express Traveler's checks were not. After hearing that the dollar isn't worth anything, it was refreshing to go to a country where they are in high demand. I recommend carrying good old fashioned USA dollars when going to communist countries. Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From ncognito at gate.net Sun Mar 24 02:21:55 1996 From: ncognito at gate.net (Ben Holiday) Date: Sun, 24 Mar 1996 18:21:55 +0800 Subject: Crypto CD Message-ID: I'm considering the idea of cutting a crypto CD, and wanted to see if there was any potential interest in the idea, or not. Basically what i forsee is a disk with the basic algorithms (DES/IDEA/Etc), and steg tools, along with a few large crypto aps like PGP, and basic cracking software (Crypt Breakers Work Bench, XOR-type crackers, and dictionary attacks with a few dozen dictionaries). I'd also like to include a remail directory with some remailer sources, remailer-aware clients, and the mixmaster sources. And of course as much infomation as possible -- cyphernomicon preferably, possibly even archives of this list.. I would plan to put unix/dos/mac all on one CD. I'm thinking that realistically I can expect 50 megs or so. Possibly as much as 100 if I find a TON of wonderful text. Could be useful to individuals, as well as for groups wishing to create FTP sites etc. Pricing with shipping would wind up around US$20.00, give or take 5 dollars.. I'd like to know first off whether such a thing already exists. Secondly whether anyone would be interested in possesing such a thing. And lastly any suggestions for/about content that I may have missed.. Thanks Benji From hal9001 at panix.com Sun Mar 24 02:23:13 1996 From: hal9001 at panix.com (Robert A. Rosenberg) Date: Sun, 24 Mar 1996 18:23:13 +0800 Subject: protection on IoMega ZIP drives Message-ID: At 2:45 3/23/96, Alan Olsen wrote: >The big problem is with the zip drivers. There is some sort of >incompatibility between SFS and the zip drivers. (I hacked on it for a >couple of hours with no luck.) Win95 makes the problem worse, as it is >difficult to judge just when the driver for the zip drive loads. (I have a >number of complaints about the zip drive drivers. Lack of documentation is >one of them...) I can state that with a Zip Disk formatted for Macintosh use (and the drive plugged into a Macintosh), the drive and disk are seen by the Macintosh as a NORMAL SCSI HD and eligible for use as a Boot Drive (ie: There is a Mac Driver on the Disk in a SCSI Driver Partition). I've Booted from a ZIP Disk so this is actual not just theoretical . I'd assume that if a Wintel Machine had the Microcode to be able to boot off an external SCSI Drive (something I do not know is normal for Wintel machines as it is normal for Macintosh ones) the same situation would exist for Wintel Zip Formatted Disks. All NORMAL SCSI HDs (or Cartridges) have their driver in a Driver Partition so the HD/Cartridge can be read. From thecrow at iconn.net Sun Mar 24 06:49:01 1996 From: thecrow at iconn.net (Jack Mott) Date: Sun, 24 Mar 1996 22:49:01 +0800 Subject: private key encryption program for you to hack at Message-ID: <3155621F.5FA2@iconn.net> Ok, I have been working on this for a while, and I wanted to let you guys have a go at it. I wrote a private key encryption program that I think should be hard to break, I will provide you with the EXE (MS DOS) file, some ciphertext, AND a big chunk of plaintext. The key is not ridiculously large, but it won't be anything obvious so don't bother brute forcing. To encrypt, the program read in some system/time specific info, uses it to encrypt the file along with the key. It then write the system/time specific info to the end of the file encrypted with the key. I THINK that the only weaknesses should be predicitability of the system/time info, or possibly finding patterns in the encrypted values. I dont want to give out any source code yet, but it anyone wants some pieces of it just ask. crackme.zip file with paradox.exe, cipher.txt, and plain.txt -- ___ ___ _____ / \/ \ / \ || | || | || | ||he \_____/row thecrow at iconn.net "It can't rain all the time" -------------- next part -------------- A non-text attachment was scrubbed... Name: zip00000.zip Type: application/octet-stream Size: 39720 bytes Desc: "Crackme.zip" URL: From jis at mit.edu Sun Mar 24 07:52:40 1996 From: jis at mit.edu (Jeffrey I. Schiller) Date: Sun, 24 Mar 1996 23:52:40 +0800 Subject: New Beta Test of PGPfone available WINDOWS '95 Included! In-Reply-To: Message-ID: <9603241538.AA19602@big-screw> (A copy of this message has also been posted to the following newsgroups: alt.security.pgp, sci.crypt) -----BEGIN PGP SIGNED MESSAGE----- I have received reports that some people are getting only partial files when downloading PGP and PGPfone with our new distribution server. This problem is caused by higher then normal packet loss on the Internet. Some browsers (notably the AOL browser) give up when they fail to receive any more data for a period of time (caused by high losses or other conditions that block our server). For now people should continue to attempt to download PGPfone and PGP until they get a good copy. Trying late at or on weekends when the net load is lower may help. I am working on a "fix" where our server will let the browser know up front (there is a way to do that with http) how large an item to expect. This hopefully will improve the situation, if not complete fix it. However this change will not be installed until at least Tuesday. So if you can wait, you might want to wait until Tuesday if you are having difficulties getting a complete distribution from MIT. Note: I will send out another message when this fix is in place. -Jeff -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMVVrMMUtR20Nv5BtAQEQ3gP/XjwEPbqSJXJesRYo+N4aAcMfl3O2PGoP LP/uGOOLCyx05EXkJidGly4IjY/qK325J8xDADCpJdoJgcM3CH+7EPghxAEmCIRd MttmADDv6U3QHnvPn7/L2mDtItueOCLsdeWtj7bQnRECoS/XsdQAUgZFbLlWsNhd uFm3bVG82LI= =m3v8 -----END PGP SIGNATURE----- From adam at lighthouse.homeport.org Sun Mar 24 09:35:34 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Mon, 25 Mar 1996 01:35:34 +0800 Subject: Crypto CD In-Reply-To: Message-ID: <199603241717.MAA25157@homeport.org> Ben Holiday wrote: | I'm considering the idea of cutting a crypto CD, and wanted to see if | there was any potential interest in the idea, or not. Basically what i | forsee is a disk with the basic algorithms (DES/IDEA/Etc), and steg tools, | along with a few large crypto aps like PGP, and basic cracking software (Crypt | Breakers Work Bench, XOR-type crackers, and dictionary attacks with | a few dozen dictionaries). I'd also like to include a remail directory | with some remailer sources, remailer-aware clients, and the mixmaster | sources. And of course as much infomation as possible -- cyphernomicon | preferably, possibly even archives of this list.. | | I would plan to put unix/dos/mac all on one CD. I'm thinking that | realistically I can expect 50 megs or so. Possibly as much as 100 if I | find a TON of wonderful text. 50 megs? You expect me to pay 20 bucks, and you won't even download the contents of ftp.dsi.unimi.it, the archives on hks.net, and maybe a few other international crypto archives? More seriously, a completist cd rom would be nice, but the marginal cost of filling the CD with stuff is pretty low. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From vipul at pobox.com Sun Mar 24 12:50:18 1996 From: vipul at pobox.com (Vipul Ved Prakash) Date: Mon, 25 Mar 1996 04:50:18 +0800 Subject: Crypto CD Message-ID: <199603242024.PAA27982@pobox.com> > Could be useful to individuals, as well as for groups wishing to create > FTP sites etc. Excellent Idea. At least I haven't seen one around. > Pricing with shipping would wind up around US$20.00, give or take 5 dollars.. > I'd like to know first off whether such a thing already exists. Secondly > whether anyone would be interested in possesing such a thing. And lastly > any suggestions for/about content that I may have missed.. How about PGP key archives? Vipul .od8888bo. \|/ .d%::::88::888b. (@ @) .d888::::::::8:888%. ------------------oOO-(_)-OOo----------------- 88888:::::::88888::%. You walk across with your flowers in your hand d888888:::88;888888::b Trying to tell me no one understands 888888888:888888888888 Trade in your hours for a hand full of dimes Y8888888::::::888888%P Gonna make it baby in our prime. '8888888:::::::8888:%' ---------------------------------------------- '88888888:::888888%' Vipul Ved Prakash Fax : +91-11-3328849 '8888888::88888%' Positive Ideas. Internet : vipul at pobox.com '"Y88%B8P"' ---------------------------------------------- PGP Key : Finger PGP Key fingerprint = 35 FF A2 CA BD 6B 80 82 61 30 F2 23 96 93 77 E4 ~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-= From blancw at accessone.com Sun Mar 24 13:29:04 1996 From: blancw at accessone.com (blanc) Date: Mon, 25 Mar 1996 05:29:04 +0800 Subject: If you can't take the heat... (Was Re: Keep the pressure!) Message-ID: <01BB1982.5E3FC120@blancw.accessone.com> From: Timothy C. May And I think the anonymity issue is interesting. In the past, Detweiler railed against the uses of anonymity while himself being the single most prolific user of anonymous insults and the like, so it's an interesting pathology to study. ....................................................................................... Just wanted to mention that the reason Detweiler used anonymity was as a counter-example of why he opposed the use of it. He wanted to impress upon the cpunks the points he was making against anonymity by using it in the ways which he warned could become a problem. As he said in his recent post "detweiling", he aimed his efforts against those whom he considered the "big egos" - i.e., the ones who disagreed with him on his prognosis for the future. .. Blanc From alano at teleport.com Sun Mar 24 13:41:01 1996 From: alano at teleport.com (Alan Olsen) Date: Mon, 25 Mar 1996 05:41:01 +0800 Subject: protection on IoMega ZIP drives Message-ID: <2.2.32.19960324205553.009382cc@mail.teleport.com> At 02:47 AM 3/24/96 -0500, Robert A. Rosenberg wrote: >At 2:45 3/23/96, Alan Olsen wrote: > >>The big problem is with the zip drivers. There is some sort of >>incompatibility between SFS and the zip drivers. [snip] >I can state that with a Zip Disk formatted for Macintosh use (and the drive >plugged into a Macintosh), the drive and disk are seen by the Macintosh as >a NORMAL SCSI HD and eligible for use as a Boot Drive (ie: There is a Mac >Driver on the Disk in a SCSI Driver Partition). I've Booted from a ZIP Disk >so this is actual not just theoretical . I'd assume that if a Wintel >Machine had the Microcode to be able to boot off an external SCSI Drive >(something I do not know is normal for Wintel machines as it is normal for >Macintosh ones) the same situation would exist for Wintel Zip Formatted >Disks. All NORMAL SCSI HDs (or Cartridges) have their driver in a Driver >Partition so the HD/Cartridge can be read. The SCSI Zip drives do act as normal SCSI drives (though they have a limited number of SCSI ids available. (5 & 6 if I remember correctly.) Later drives may have this changed.) The problems i am encountering are due to the _parellel_ version of the Zip drive. (I bought it because I needed to be able to visit customer sites and not all of them have SCSI.) The drivers fake a scsi port. (Some laptops use a similar driver to attach hard drives to non-scsi systems.) Maybe I will just get a Jaz drive and not worry about it... --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From alano at teleport.com Sun Mar 24 13:51:35 1996 From: alano at teleport.com (Alan Olsen) Date: Mon, 25 Mar 1996 05:51:35 +0800 Subject: Crypto CD Message-ID: <2.2.32.19960324211510.00908844@mail.teleport.com> At 01:52 AM 3/24/96 -0500, Ben Holiday wrote: >I would plan to put unix/dos/mac all on one CD. I'm thinking that >realistically I can expect 50 megs or so. Possibly as much as 100 if I >find a TON of wonderful text. If you include the archives of this list, the main forign archives, and the various sources in the US, you will EASILY exceed 100 megs. (More like 200.) If you seperate out all the duplications, you might squeeze under the 100 megs mark. >Could be useful to individuals, as well as for groups wishing to create >FTP sites etc. It would be a nice thing to have if it is reletivly complete. Hopefully it can be created with a minimum of government interfearence. (But then, I have been xpecting alt.binaries.crypto to be created as well...) >Pricing with shipping would wind up around US$20.00, give or take 5 dollars.. Sounds about right. You will probibly need to run about 1000 or so. Actually, the prices for CDs in bulk are pretty cheap. (Just expensive up front.) Depends how much premastering you are able to do up front. (If you need information and/or contacts to get mastering done, send me private e-mail. I used to work for a CD-ROM company.) >I'd like to know first off whether such a thing already exists. Not that I know of... I have seen a few of the "Hacker" discs with crypto code on it, but nothing complex (other than ancient versions of PGP) and you have to wade though alot of crap to get to it. >Secondly >whether anyone would be interested in possesing such a thing. And lastly >any suggestions for/about content that I may have missed.. Archives of the PGP key database, the archive at hacktic.nl, ftp.dsi.unimi.it, ftp.informatik.uni-hamburg.de, and probibly a few other archives would be useful. An index/search engine would also be helpful. --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From nobody at mockingbird.alias.net Sun Mar 24 13:58:16 1996 From: nobody at mockingbird.alias.net (Anonymous) Date: Mon, 25 Mar 1996 05:58:16 +0800 Subject: private key encryption program for you to hack at In-Reply-To: <3155621F.5FA2@iconn.net> Message-ID: <199603242123.NAA19311@myriad> thecrow at iconn.net (Jack Mott) wrote: > Ok, I have been working on this for a while, and I wanted to let you > guys have a go at it. I wrote a private key encryption program that I > think should be hard to break, I will provide you with the EXE (MS DOS) > file, some ciphertext, AND a big chunk of plaintext. The key is not > ridiculously large, but it won't be anything obvious so don't bother > brute forcing. > To encrypt, the program read in some system/time specific info, > uses it to encrypt the file along with the key. It then write the > system/time specific info to the end of the file encrypted with the key. > I THINK that the only weaknesses should be predicitability of the > system/time info, or possibly finding patterns in the encrypted values. > I dont want to give out any source code yet, but it anyone wants some > pieces of it just ask. crackme.zip file with paradox.exe, cipher.txt, > and plain.txt Look, newbie, there are many people here who would be happy to review your algorithm, but playing silly games like you are doing isn't going to win you any points. Most of the people on this list don't even use messydos, so an exe file without source is kinda pointless. If you're serious about writing a secure crypto application, then stop giving us the runaround and get to the point. That means either post source code, or a thorough technical description of your algorithm. From jpb at miamisci.org Sun Mar 24 14:03:03 1996 From: jpb at miamisci.org (Joe Block) Date: Mon, 25 Mar 1996 06:03:03 +0800 Subject: Free speech debate on MSN Encarta Message-ID: At 8:57 PM 3/23/96, Mark M. wrote: On Sat, 23 Mar 1996, I wrote: >> However, I don't think it likely that many ISPs will go this route from a >> liability point of view - if some parent is paying them to filter out smut, >> and little Zippy finds a brand new x-rated site, chances are some irate >> parent will sue them. With the proliferation of new pages, it is >> impossible for anyone to keep up, unless the authors voluntarily include >> some smutscan codes in their pages. > >Couldn't the proxy be configured to deny access to all "unrated" pages? Yes. The same filter software that Exonizes the language could also replace the whole html body with "Access Denied" if the ratings codes aren't present. >Of course, this would mean that some kind of standardized web page rating >system be devised; however, I think there are already several proposals for >rating schemes. BTW, does anyone know how such a proxy system could be >used in all Internet traffic, not just the web. It is not very difficult >to get a gopher client or telnet client to communicate with a web server, >bypassing any access restrictions. CERN will already proxy gopher & ftp as well as http. There is another package, delegate, that will proxy nntp & telnet. However, the main problem with using proxies as a censorship tool is that nothing prevents the client software from just not using the proxy. By the time Zippy is old enough to care about hunting down smut/bomb designs/drug formulae, Zippy is a lot more likely to know how to do this than the parental units, in a manner undetectable by the parent (invisible System Folder/Windows directories with unsanitized browser prefs files comes immediately to mind - now that 1GB drives are common, it isn't too difficult to hide them) >ObCrypto: The next step would be a rating system using digital signatures >and the proxy software being setup to trust certain signatures more than >others. I agree, if you're going to bother with rating pages, digitally signing the signature so that terrorist X can't just copy the "Good Clean Fun" rating code into his Phosgene formula page is the only rational solution. Gotta love that overhead, though. Joseph Block "We can't be so fixated on our desire to preserve the rights of ordinary Americans ..." -- Bill Clinton (USA TODAY, 11 March 1993, page 2A) PGP 2048bit-Fingerprint: F8 A2 A5 15 56 42 9B 16 3F BD 57 0F 8A ED E3 21 No man's life, liberty or property are safe while the legislature is in session. From stewarts at ix.netcom.com Sun Mar 24 14:45:13 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Mon, 25 Mar 1996 06:45:13 +0800 Subject: protection on IoMega ZIP drives Message-ID: <199603242233.OAA23171@ix9.ix.netcom.com> At 12:55 PM 3/24/96 -0800, Alan Olsen wrote: >The SCSI Zip drives do act as normal SCSI drives (though they have a limited >number of SCSI ids available. (5 & 6 if I remember correctly.) Later drives >may have this changed.) >The problems i am encountering are due to the _parellel_ version of the Zip >drive. (I bought it because I needed to be able to visit customer sites and >not all of them have SCSI.) The drivers fake a scsi port. (Some laptops >use a similar driver to attach hard drives to non-scsi systems.) Hmmm - I've got the Syquest parallel-port drive. Syquest offers SCSI and IDE flavors of their drive - and the parallel port version emulates IDE (don't know if it's EIDE or vanilla IDE...) #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissible." - US government statement on China... "SigFiles of Unusual Size? I don't believe they exist!" From thecrow at iconn.net Sun Mar 24 15:08:52 1996 From: thecrow at iconn.net (Jack Mott) Date: Mon, 25 Mar 1996 07:08:52 +0800 Subject: apology - here is C source code Message-ID: <3155D414.6E38@iconn.net> I apologize to everyone for the binary posting, I figured it was small enough to not cause problems. Here is the source. I do not claim to be either a good programer, or any good at cryptography. I am a junior in high school and I am interested in it, and I think I have some good ideas here. The code may be kinda hellish, any CONSTRUCTIVE criticism would be appreciated. I have been programming about a year. I can assure you though, this isn't some stupid XOR encryption...at least it is better than WordPerfect ecryption (I hope to god :) I originally wrote this in Pascal, and ported it to Turbo C++, I think the only C++ in it is the comments and inline declarations, might want to double check though. I think the only non-portable code is the gotoXY statements, and the random function works differently under GCC if I remember correctly (I have had Linux for a little while) Oh yeah, I kinda stretched the definition of HASH in my code a lot... here goes. --------------- // encryption program - constructive flames appreciated // ***************************INCLUDES************************************ #include #include // <-- dont need this in Unix #include #include #include #include #include #include #define BLOCK 16384 #define HASHSIZE 256 // ***************************PROTOTYPES************************************ void input(void); // Input KEY, FILENAMES, etc. void openfiles(void); // Open files void closefiles(void); // Close em void encrypt(void); // Encrypt file void decrypt(void); void superhash(void); // Time/System/File/Specifics void initblocks(void); void grabhash(void); // Grabs encrypted hash value from file void CopyBack(void); // ***************************VAR***************************************** char key[80]; char ifn[12]; char ed[1]; int infile,outfile,backfile; int x,y; int i; float Havg,Kavg,BKHavg; char SuperHash[HASHSIZE],ESuperHash[HASHSIZE]; char BSH[BLOCK],KEY[BLOCK]; //**************************************************************************// // Main Program // //**************************************************************************// main(int argc,char* argv[]) { randomize(); if (argc < 4) { input(); } else { strcpy(ifn,argv[1]); strcpy(ed,argv[2]); strcpy(key,argv[3]); } openfiles(); if (ed[0] == (('e') | ('E')) ) { superhash(); initblocks(); encrypt(); } else if (ed[0] == (('d') | ('D')) ) { grabhash(); initblocks(); decrypt(); CopyBack(); } else printf("%s was not an option",ed[0]); closefiles(); } //**************************************************************************// // input() Takes in all inputs // //**************************************************************************// void input() { char vkey[80]; char c; for (i = 0; i < 80; i++) { key[i] = ''; vkey[i] = ''; } printf("\nEnter Filename:"); gets(ifn); printf("(E)ncrypt or (D)ecrypt?:"); gets(ed); printf("Enter Key:"); i = 0; int startx = wherex(); do { if (kbhit()) { c = getch(); if (c == 8) { if (wherex() != startx) { key[i] = ''; i -= 1; key[i] = ''; gotoxy(wherex()-1,wherey()); printf(" "); gotoxy(wherex()-1,wherey()); } } else { if (c != 13) { key[i] = c; i++; printf("�"); } else break; } } } while (c != 13); flushall(); printf("\nVerify key:"); startx = wherex(); i = 0; c = 0; do { if (kbhit()) { c = getch(); if (c == 8) { if (wherex() != startx) { vkey[i] = ''; i -= 1; vkey[i] = ''; gotoxy(wherex()-1,wherey()); printf(" "); gotoxy(wherex()-1,wherey()); } } else { if (c != 13) { vkey[i] = c; i++; printf("�"); } else break; } } } while (c != 13); if (strcmp(key,vkey) != 0) { printf("\nKeys were not the same. They need to be"); exit(EXIT_SUCCESS); } if (strlen(key) <= 0) { printf("\nThe key was blank, it needs to have some characters."); exit(EXIT_SUCCESS); } printf("\n"); } //**************************************************************************// // openfiles(void) -- Opens all files // //**************************************************************************// void openfiles(void) { infile = open(ifn,O_BINARY | O_RDONLY); if (ed[0] == (('e') | ('E')) ) { outfile = open(ifn,O_BINARY | O_WRONLY); } else { chmod("KRYPT000.TMP",S_IWRITE); unlink("KRYPT000.TMP"); outfile = open("KRYPT000.TMP", O_BINARY | O_RDWR | O_CREAT | O_TRUNC | S_IWRITE); } } //**************************************************************************// // Closes All Files // //**************************************************************************// void closefiles(void) { if (ed[0] == (('e') | ('E')) ) { close(outfile); close(infile); } else { close(backfile); close(infile); } } //**************************************************************************// // Main Encryption Routine // //**************************************************************************// void encrypt(void) { char buf[BLOCK]; float blocks = 0; long sizeoffile = filelength(infile); long numread; long maxblocks = sizeoffile / BLOCK; if (maxblocks == 0) maxblocks = 1; printf("\nEncrypting:"); x = wherex(); while ((numread = read(infile,buf,BLOCK)) > 0 ) { BKHavg = (blocks * Kavg) + Havg; for(i = 0; i < numread; i++) { buf[i] = buf[i] + floor(9845845*cos((KEY[i]+ BSH[i]) * (i+BKHavg))); } gotoxy(x,wherey()); int pd = floor(blocks/maxblocks*100 + 1); printf("%d%",pd); write(outfile,buf,numread); blocks++; } gotoxy(x,wherey()); printf("100%"); write(outfile,ESuperHash,HASHSIZE); } //**************************************************************************// // Copy Back For Decryption // //**************************************************************************// void CopyBack(void) { backfile = open(ifn,O_BINARY | O_WRONLY | O_TRUNC); char buf[BLOCK]; long pos; long size = filelength(outfile) - HASHSIZE; long blocks = 0; int numread; long maxblocks = size / BLOCK; if (maxblocks == 0) maxblocks = 1; printf("\nRemoving encryption block:"); x = wherex(); lseek(outfile, 0L, SEEK_SET); do { numread = read(outfile,buf,BLOCK); pos = tell(outfile); if (pos > size) { write(backfile, buf,numread - (pos - size)); break; } else { write(backfile, buf, numread); } blocks = blocks+1; gotoxy(x,y); int pd = floor(blocks/maxblocks*100 + 1); printf("%d% ",pd); } while (pos != size); close(outfile); chmod("KRYPT000.TMP",S_IWRITE); unlink("KRYPT000.TMP"); } //**************************************************************************// // Main Decryption Routine // //**************************************************************************// void decrypt(void) { char buf[BLOCK]; float blocks = 0; long sizeoffile = filelength(infile); long numread; long maxblocks = sizeoffile / BLOCK; if (maxblocks == 0) maxblocks = 1; printf("\nDecrypting:"); x = wherex(); while ((numread = read(infile,buf,BLOCK)) > 0 ) { BKHavg = (blocks * Kavg) + Havg; for(i = 0; i < numread; i++) { buf[i] = buf[i] - floor(9845845*cos((KEY[i]+ BSH[i])*(i+BKHavg))); } gotoxy(x,wherey()); int pd = floor(blocks/maxblocks*100 + 1); printf("%d%",pd); write(outfile,buf,numread); blocks++; } gotoxy(x,wherey()); printf("100%"); } //**************************************************************************// // SuperHash Procedure // // // // the idea here is to get a block of totally unpredictable bytes, // // if anyone has any 'true random number generators' stick em here // // this just pulls in HASHSIZE bytes from random positions from the file, // // the idea being that they would have to know what the whole file was // // in the first place to guess these values // // // //**************************************************************************// void superhash(void) { printf("Generating System/Time/File specific SuperHash:"); x = wherex(); long MaxPos = filelength(infile) - 1; char hbuf; int keylen = strlen(key); Havg = 0; for (i = 0; i < HASHSIZE; i++) { long SeekValue = ((93617583 * random(32000)) * key[i % keylen]) % MaxPos; if (SeekValue < 0) SeekValue *= -1; lseek(infile,SeekValue, SEEK_SET); read(infile,&hbuf,1); SuperHash[i] = floor(923723723 * cos(random(256) * hbuf * key[i % keylen])); ESuperHash[i] = SuperHash[i] + floor(989898989 * sin(key[i % keylen])+i); Havg = Havg + SuperHash[i]; printf("%d ",random(256)); gotoxy(x, wherey()); } if ((key[SuperHash[5] % keylen] + (key[SuperHash[3] % keylen] / 10)) != 0) { Havg = Havg / (key[SuperHash[5] % keylen] + (key[SuperHash[3] % keylen] / 1000)); } else { Havg = Havg / 7.2; } lseek(infile, 0L, SEEK_SET); } //**************************************************************************// //grabhash() Grab ESuperHash from file // //**************************************************************************// void grabhash() { printf("Grabbing SuperHash Values..."); long sizeoffile = filelength(infile); int keylen = strlen(key); lseek(infile,sizeoffile - HASHSIZE,SEEK_SET); read(infile,ESuperHash,HASHSIZE); Havg = 0; for (i = 0; i < HASHSIZE; i++) { SuperHash[i] = ESuperHash[i] - floor(989898989 * sin(key[i % keylen])+i); Havg = Havg + SuperHash[i]; } Havg = Havg / key[SuperHash[5] % keylen]; lseek(infile, 0L, SEEK_SET); } //**************************************************************************// //initblocks() Dumps small hash arrays into big BLOCK arrays // //**************************************************************************// void initblocks(void) { long total = 0; int keylen = strlen(key); for (i = 0; i < keylen; i++) { total += key[i]; } Kavg = total / keylen + total; for (i = 0; i < BLOCK; i++) { KEY[i] = key[i % keylen]; BSH[i] = SuperHash[i % HASHSIZE]; } } ---------- seeya - thanks -- thecrow at iconn.net "It can't rain all the time" From rah at shipwright.com Sun Mar 24 15:19:43 1996 From: rah at shipwright.com (Robert Hettinga) Date: Mon, 25 Mar 1996 07:19:43 +0800 Subject: The Crow meets the Troll... Message-ID: At 4:23 PM 3/24/96, Larry Detweiler wrote: > Look, newbie, Heees Baaack! My guess is that Jim Bell's assassination server has gone up, and Detweiler's psychopharmacologist was the first hit on the list... Of course, given the quality of the post Larry's responding to, Mr. Mott may be a "tentacle" of Detweiler himself. ;-) Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From rah at shipwright.com Sun Mar 24 16:21:21 1996 From: rah at shipwright.com (Robert Hettinga) Date: Mon, 25 Mar 1996 08:21:21 +0800 Subject: apology - here is C source code Message-ID: At 6:00 PM 3/24/96, Jack Mott wrote: > I apologize to everyone for the binary posting, I figured it was small > enough to not cause problems. Here is the source.... I am a junior in high school ... > --------------- > // encryption program - constructive flames appreciated Looks like I spoke too soon about the "tentacle" thing. My apologies. Welcome, Mr. Mott. I have no idea of the quality of your code, but you *do* write code, which is a *good* thing around here (at least until the "coderpunks" flap). You should be aware, however, that even though there are many active cryptographers on this list, most of whom *do* write code, that people probably won't fall over themselves to look at your first effort. As people say, "cryptography is hard". It's a science. As such, it takes a long time to get to the point where you're actually improving the state of the art. Don't let that stop you from coding new stuff. Far from it. Especially if you're coding strong cryptographic software based on algorithms of proven reputation. Lord knows, there are lots of potentially good algorithms out there that need implementation. My suggestion is that you put out a request for correspondence so that people could talk to you about your new work privately, in e-mail. That's because this list periodically gets unsolicited code like yours, and most of it isn't worth the time to read, much less do a proper vetting. So it tends to get trashed upon receipt. Getting together with a bunch of people in your own shoes may be the best way to start, and I'm sure there are one or two others on this list who are plinking around implementing stuff just to see what it looks like. Nonetheless, the trick, it seems to me, (and I'm a poor person to ask, because I couldn't code my way out of a paper bag) is to keep plugging away at stuff like your application, because cryptography is the principal technology of internet commerce, among other things. You also might want to look at the cypherpunks archives, read Tim May's "cyphernomicon" FAQ, and read some good crypto books, not the least of which is "Applied Cryptography" by Bruce Schneier. If you've done all of that, and have written your code afterwards, then you probably have made a nice start. If you haven't looked at the above resouces, you might want to, and check your new code in light of that new information, and give yourself a head start on what others might say. If they looked at your code, I mean. ;-). Anyway, welcome to cypherpunks. It's great to have someone of the next generation on board! Cheers, Bob Hettinga ----------------- Robert Hettinga (rah at shipwright.com) e$, 44 Farquhar Street, Boston, MA 02131 USA "Reality is not optional." --Thomas Sowell The e$ Home Page: http://thumper.vmeng.com/pub/rah/ From unicorn at schloss.li Sun Mar 24 17:09:03 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 25 Mar 1996 09:09:03 +0800 Subject: private key encryption program for you to hack at In-Reply-To: <3155621F.5FA2@iconn.net> Message-ID: On Sun, 24 Mar 1996, Jack Mott wrote: > Ok, I have been working on this for a while, and I wanted to let you > guys have a go at it. I wrote a private key encryption program that I > think should be hard to break, I will provide you with the EXE (MS DOS) > file, some ciphertext, AND a big chunk of plaintext. The key is not > ridiculously large, but it won't be anything obvious so don't bother > brute forcing. I'm not sure anyone will bother brute forcing or anything else given your approach. Many c'punks take offense at being used like unpaid crypto consultants. A good portion of people on this list bill hefty fees for their time (or should). This is not freecryptanalysis at toad.com. I think, should you have the right attitude, many people here will be happy to review your source code, given some pre-conditions. Mr. May summed these up quite well only days ago in the IDG (or whatever) snakeoil thread. I would suggest you take a gander at his post on the subject. Briefly, (and I hope I'm not butchering his points to bitterly), he indicated that unless you had hit on most of the basic source material to begin with (applied cryptography for example), and really knew a bit about the subject, most people wouldn't much care to pay attention to you. I think, however, that if you know your stuff, and you release the source code to the list, many people here will be open minded enough to take a good look, give you some pointers, perhaps even improve your work. I know, however, that almost no one is going to go for that "crack this for me please" crap unless there is a bonded cash award attached. To much time, nothing in it for us. Take a look at Mr. May's cyphermonicon, (anyone have the URL/FTP handy for our new friend?) In sum, read the basic source material, know your stuff, release the source, don't be coy. --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From sandfort at crl.com Sun Mar 24 19:15:35 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Mon, 25 Mar 1996 11:15:35 +0800 Subject: LIST OF SHAME VOLUNTEERS Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, As promised, below is the list of folks who have asked to be put on Mr/Ms Anonymous' LIST OF SHAME. In addition, I am including one volunteer who supports Mr/Ms Anonymous...sort of. S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ LIST OF SHAME VOLUNTEERS Dan Harmon Jim Ray Robby Havasy Perry Metzger (didn't volunteer, exactly, but wrote: "Perry, Who is disappointed that he didn't make the "LIST OF SHAME", but understands that perhaps he hasn't done enough to oppose controls on cryptography. I'll work harder, and hopefully you will denounce me soon." Damaged Justice brianh at u163.wi.vp.com Rich Graves Brad Shantz Kevin L Prigge Jim Gillogly Robert Hettinga David Macfarlane Brad Shantz Mark Aldrich Charles Gimon Jamie Lawrence Doug Hughes David K. Merriman Lucky Green Raph Levien Bill Frantz Paul E Robichaux Glenn Powers Brian D Williams "Vladimir Z. Nuri" !!!!! SUPPORTERS OF MR/MS ANONYMOUS E. Clark, who wrote: Subject: A vote for ANON's position [with reservations] Supporters of the Leahy Bill are, to me, well-intentioned dupes. I've lurked on this list under this and a previous usename since the list was a couple months old. I came here to learn crypto, not debate politics. And, while the urge has often been all but overwhelming, I've for most part kept my silence, prefering back channels to posting on the list. The Politics of the Absurd has in the last year or three found me in agreement with figures on the national scene whose pockets I would decline to piss were their balls on fire. Nor am I quite comfy siding with anonymous in regard to the Leahy Bill, but... I neither like nor trust the bill and, after the Digital Telephony Bill and its manner of passage, my trust in the good senator is zero. I am still a little puzzled why there was so little discussion on the list of what Freeh might have told the congresscritters that long summer when he seems to have visited them all. Sort of makes this leftie wonder if, just maybe, the rightwing conspiracy boys who claim the unusual number of congressional dropouts was the result of FINCIN findings might not have stumbled upon a quarter-grain of truth. While I applaud the efforts of those working for the cause in the political sphere, I have scant faith. Business will be on the side of privacy until it gets what it wants, then walk away from individual concerns for privacy, etc. I've always enjoyed your posts and sense of humor. Apologies for going on at length. e. clark --- Comments, Anonymous? From pgut001 at cs.auckland.ac.nz Sun Mar 24 19:48:01 1996 From: pgut001 at cs.auckland.ac.nz (pgut001 at cs.auckland.ac.nz) Date: Mon, 25 Mar 1996 11:48:01 +0800 Subject: protection on IoMega ZIP drives Message-ID: <199603250149.NAA26580@cs26.cs.auckland.ac.nz> Death rays from Mars made alano at teleport.com (Alan Olsen) write: >At 05:08 AM 3/23/96 +0000, Deranged Mutant wrote: >>On 23 Mar 96 at 3:00, Ed Carp wrote: >> >>> Has anyone tried SFS? It should work on the zip drive, though I've not >>> tried it (yet)... >> >>If I recall some recent threads on alt.security.pgp (or sci.crypt?), >>SFS doesn't work on ZIP drives (since ZIPs use the parallel port...). >> >>[Or do ZIPs use Scuzzies and the people who had problems were just >>too lame to figure out that they had to load the driver before SFS?] > >There are two versions of the Zip drive. One is SCSI and one is Parallel >faking scsi. > >The big problem is with the zip drivers. There is some sort of >incompatibility between SFS and the zip drivers. (I hacked on it for a >couple of hours with no luck.) The Zip drives have a firmware bug in that they don't do anything if the (appropriately-named) FUA bit is set in SCSI requests, and then return a command complete status. SFS 1.20 has a workaround for this problem. It works with both SCSI and parallel-port versions. Before anyone asks when it's due out, its the end of February, probably about the 60th of the month. Peter. From stevenw at best.com Sun Mar 24 20:06:40 1996 From: stevenw at best.com (Steven Weller) Date: Mon, 25 Mar 1996 12:06:40 +0800 Subject: RISKS: Princeton discovers another Netscape security flaw Message-ID: Posted on RISKS: ---------------------------------------------------------------------- Date: Fri, 22 Mar 1996 17:27:56 -0500 From: Ed Felten Subject: Java/Netscape security flaw We have discovered another serious security flaw in the Java programming language, which allows a malicious Java applet running under Netscape Navigator (version 2.0 or 2.01) to execute arbitrary machine code. We have implemented an applet that exploits the flaw to remove a file. Until a fix is issued, Netscape users can protect themselves by disabling Java in the Security Preferences dialog. At present we are not releasing technical details about the flaw. We will announce the full details later; some of the details will also appear in our upcoming paper in the proceedings of the IEEE Symposium on Security and Privacy, to be published in May. Our paper also contains an overall analysis of Java's security. For an advance copy of the paper, send mail to felten at cs.princeton.edu. The paper will be available in about a week. [Note that the "security enhancements" announced by Netscape in version 2.01 of Netscape Navigator do not fix this flaw. They fix two separate flaws found last month, one found by us (RISKS-17.77) and independently by Steve Gibbons, and the other found by David Hopwood (RISKS-17.83).] For more information, see http://www.cs.princeton.edu/~ddean/java, or contact Ed Felten at (609) 258-5906 or felten at cs.princeton.edu. Drew Dean, Ed Felten, Dan Wallach, Dept of Computer Science, Princeton Univ. [See the CIAC item at the end of this issue for some background on the earlier problems. PGN] ------------------------------ ------------------------------------------------------------------------- Steven Weller | Weller's three steps to Greatness: | 1. See what others cannot | 2. Think what others cannot stevenw at best.com | 3. Express what others cannot From declan+ at CMU.EDU Sun Mar 24 22:37:53 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Mon, 25 Mar 1996 14:37:53 +0800 Subject: LIST OF SHAME VOLUNTEERS In-Reply-To: Message-ID: E. Clark writes: > I neither like nor trust the bill and, after the Digital Telephony > Bill and its manner of passage, my trust in the good senator is zero. I spoke to a couple folks about this at the CDA hearings in Philadelphia last week. Word on the streets from those who would know is that the Leahy Bill has NOT A CHANCE IN HELL of passing, and so is worth supporting to raise awareness of crypto. After DT and Clipper, it's our chance to put Clinton and the DoJ on the defensive for a change. -Declan From shamrock at netcom.com Sun Mar 24 22:50:13 1996 From: shamrock at netcom.com (Lucky Green) Date: Mon, 25 Mar 1996 14:50:13 +0800 Subject: RISKS: Princeton discovers another Netscape security flaw Message-ID: At 23:48 3/24/96, Perry E. Metzger wrote: > When you build something large and complex, and >you require that the entire thing work for you to be secure, there are >just too many failure modes. That just about sums it up. Chisel these in granite: o Thou shall not execute untrusted code. Java or no Java. o Privileges that an user doesn't have can't be abused. o The only safe firewall is a non-networked computer. o A feature that doesn't exist won't introduce security holes. Yes, I know that there is a balance between functionality and security. Where to draw the line depends on the application. -- Lucky Green PGP encrypted mail preferred. From unicorn at schloss.li Sun Mar 24 23:28:13 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 25 Mar 1996 15:28:13 +0800 Subject: LIST OF SHAME VOLUNTEERS In-Reply-To: Message-ID: On Mon, 25 Mar 1996, Declan B. McCullagh wrote: > E. Clark writes: > > I neither like nor trust the bill and, after the Digital Telephony > > Bill and its manner of passage, my trust in the good senator is zero. > > I spoke to a couple folks about this at the CDA hearings in Philadelphia > last week. Word on the streets from those who would know is that the > Leahy Bill has NOT A CHANCE IN HELL of passing, and so is worth > supporting to raise awareness of crypto. I did a little weekend poking, I can confirm this. If the Leahy bill passes, it will be a surprise (putting it mildly). > > After DT and Clipper, it's our chance to put Clinton and the DoJ on the > defensive for a change. > I suggest instead that everyone be nice and quiet. If they get busy enough, this issue might not rear its ugly head for a few terms. > -Declan > > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From alano at teleport.com Sun Mar 24 23:55:10 1996 From: alano at teleport.com (Alan Olsen) Date: Mon, 25 Mar 1996 15:55:10 +0800 Subject: LIST OF SHAME VOLUNTEERS Message-ID: <2.2.32.19960325072712.0090d5b4@mail.teleport.com> -----BEGIN PGP SIGNED MESSAGE----- At 06:51 PM 3/24/96 -0800, Sandy Sandfort wrote: >As promised, below is the list of folks who have asked to be put >on Mr/Ms Anonymous' LIST OF SHAME. In addition, I am including >one volunteer who supports Mr/Ms Anonymous...sort of. [List deleted] Add me to the list as well. As someone put it, you do not abandon those you admire just becuase you do not agree with them. (Or something like that...) The people who anon are ranting about have done real work for the cause of free crypto. I have not seen any such "good works" from Mr. Anon. I think that the Leahy bill is very flawed. It has some strong room for abuse by the government. it will also bring the issues into the public eye and maybe even get them to think about some of the issues revolving around the sillyness of ITAR. (Or at least one can hope.) But then, I think we are about to move into a new dark ages of the net anyways... The net has become an officially government recognised buzzword, thus ensuring its doom. (But I am a pessimist... So there!) -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMVZIxOQCP3v30CeZAQEVYgf/RWTsRTVikFXHhTUiRxxmoj8yoIitPeOu 7O7q9VkrZ2S6Jc9IBffGxa53N/gtXDKvUkdLN8VE2lx1DjYsGI1eMcVTZ/mRS269 ceRuEWZ1hikJlak221mEbw5jgpSsvx7Ib72LLGaOtKx8UitEymdkFQ2nQHH1jGZr 1aldARW2yH9YtgUdHWplVMJaxrcArzKCMPMYyJyU4hrI6HB2RIMDMSj6vivjhm8U prey01OJxJiR0+6ZFjPmTVPFTXBdenubVS/OGHsaIe+ex5ogJLNMe5uIsiVKaReC t+K0o3T3PQj2R9ytOjnIT/6Cq22Ye7kfkmOS3Oovk6skkF2pB/z7Hw== =n7km -----END PGP SIGNATURE----- --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From mjr at clark.net Mon Mar 25 14:04:41 1996 From: mjr at clark.net (Marcus J. Ranum) Date: Mon, 25 Mar 1996 17:04:41 -0500 (EST) Subject: firewalls and CKE Message-ID: <199603252204.RAA01115@clark.net> Brian W. McKenney writes: >I missed the jist of the original message The gist of the first message was that software key escrow is here, and it is the greatest thing since the discovery of fire. :) Granted, it's nice that someone has found a way of convincing the government to let them export good crypto, but in this particular application it makes no sense. >For the firewall-to-firewall encryption >scenario, the data recovery component (DRC) may be a machine that >intercepts (in real-time) the traffic and then decrypts the data (recovers >the data). The interception of encrypted data makes sense for this type of >communication since the data is not really stored on the firewall (it is >wrapped/unwrapped quickly). [the intercepted packet may be copied and then >decrypted] That's completely brain-damaged if you think about it for a second. Let's suppose I have a file and it is unencrypted. I FTP it through my SKE-equipped firewall to the Paris office. My file gets transparently encrypted as it is broken into packets and sent across the 'net. Then - what - someday I need the file back so I get the escrowed key and reassemble the file from raw packets? That's dumb! I dunno about you but I'd just recover the clear file from a backup tape. :) Firewall-to-firewall encryption is a link-layer security technology. It encrypts data in transit: before it leaves and after it arrives you *already* have a clear-text un-escrowed version of the data. If I have a corporate requirement to "escrow" my telnet sessions then I'll use a version of telnet that logs keystrokes. But I can't see any reason (unless I'm a spook) to de-archive, de-escrow, and reassemble a telnet session for archival purposes. It gets worse since all the "escrowed" packets will be mishmoshed in with DNS queries (all "escrowed") and NFS packets and lordy knows what else. If it came to having packet records, why not simply log all packets *before* they get encrypted at the firewall, while they are still in the clear? Easier, no? At least LOTUS' "key escrow" approach is openly designed for the spooks and doesn't pretend to add value to the end user. I appreciate that TIS has made a successful deal with the devil to export some strong encryption, but it's unfortunate that they're showcasing it in a way which makes absolutely no sense at all. It's a shame, because basically we're seeing smart people doing technically goofy things in order to comply with some ridiculous laws. mjr. ----- End of forwarded message from Marcus J. Ranum ----- From perry at piermont.com Mon Mar 25 01:27:56 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 25 Mar 1996 17:27:56 +0800 Subject: RISKS: Princeton discovers another Netscape security flaw In-Reply-To: Message-ID: <199603250448.XAA29939@jekyll.piermont.com> Steven Weller writes: > > Posted on RISKS: > > From: Ed Felten > > We have discovered another serious security flaw in the Java programming > language, There is only one way to fix Java -- which is to turn it off. The hubris of the people who created it truly astounds me. After the current flurry of obvious holes gets patched is the point when I'm really going to worry, because thats when people are going to get complacent until the one day when the big flaw is found by the good guys, months after the bad guys found it. Java security depends on 1) Perfect security model 2) Perfect implementation of the perfect security model 3) Nothing else in the surrounding system somehow undermining the perfect implementation of the perfect security model. I don't believe humans are perfect. When you design a system on the basis that humans are imperfect, and you cut out functionality until you can fully understand the system (say, because the sources are down to a single page of C) and you try to restrict the damage that any possible failure mode could provide, you will still sometimes make mistakes, but at least they won't be too bad or too frequent. When you build something large and complex, and you require that the entire thing work for you to be secure, there are just too many failure modes. Perry From bholiday at trader.tlx.net Mon Mar 25 01:28:02 1996 From: bholiday at trader.tlx.net (Bholiday) Date: Mon, 25 Mar 1996 17:28:02 +0800 Subject: Crypto CD UpDate Message-ID: Well given the somewhat enthusiastic response to my last post, I think I'll be safe enough in going ahead with plans for the CryptoCD. Thanks to everyone who responded, and I apologize that I can't address each of you individually. Some points... Copyrights: Obviously care will need to be taken to avoid publishing copyrighted materials, or publishing materials in violation of their distribution agreements. More later. Size/Contents/Etc: The media and cost of writing the disks is the same for 50megs as for 500. If I/We can put together 500 megs of content, I will gladly put 500 megs on a CD, however this will honestly require some assistance by the crypto community. Authors: OK, I had a number of authors suggest inclusion of their package on any forthcoming CD. I intend to have several machines hitting the net for aprox. 8-10hours a day over the next few weeks to gather up files for inclusion; however to speed things along it would be really great if authors could MIME or UUE their package and mail it to me, along with a return email address, and preferably a snail-mail address also. If you do send something for inclusion PLEASE include a breif note stating that you give permision to distribute the package as part of the CryptoCD package. If there is a license included in the package already (GNU, etc) you can just state that the package can be distributed according to the included license. I will include ANY package sent to me by an author, provided that space is available, however if the program(s) seem unfamiliar or questionable, I may put them in a Contrib directory with a strong disclaimer. If you ARE NOT a software author, but you think something should be included, send me email (privately, not to the list). Include a URL for the file, or better yet, include the file in MIME or UUE format. Or be really nice and snail-mail it. The first person to send me any particular file or group of files (not a URL) will be duly thanked in a CREDITS file on the CD. This is your chance to be famous for absolutely no reason at all. If you don't want to be famous just say so and I'll forget I ever got email from you. Errata: I'll be putting up a web page in the next few days which will have daily status updates (oh boy) including an LS-lr of the CD-so-far. Once the page is up, you'll want to check it if you are thinking of sending something for inclusion. I NEED URLS! If you know of a great FTP site, Please, send the address to me. I'd like to be able to offer a really comprehensive archive of as much material as possible, at a break-even price. The amount of assistance the people reading this list are willing to provide will be directly impact the quality and quantity of content on the CD, and also how quickly I am able to have the CD available. Any assistance would be truly appreciated. Ben ------------------------------------------------------------------------------ Send Mail To: bholiday at trader.tlx.net (prefered) bholiday at apollo.tlx.net (prefered) ncognito at gate.net (bad idea -- remailer and list mail could cause mail to be deleted without being viewed) Gate net has an absolute quota of around 12 megs, so mail sent there may bounce if I get bombarded. Apollo and Trader allow me unlimited space, and are prefered. If you want to be really nice to me, put it on floppy and mail it to me - My Snailmail address is available on request. If you snail-mail materials for inclusion, I'll pay shipping for any CD's you buy. From wlkngowl at unix.asb.com Mon Mar 25 01:28:21 1996 From: wlkngowl at unix.asb.com (Mutatis Mutantdis) Date: Mon, 25 Mar 1996 17:28:21 +0800 Subject: Noise Sphere Plotter in C++ (was Re: Noise sphere graphical tests of randomness) Message-ID: <199603250551.AAA22514@unix.asb.com> On Sat, 23 Mar 1996 22:29:52 GMT, I wrote: >I've got a short program for the PC (w/TPascal source) that plots a >noise sphere from a file of (pseudo) random data, if anyone is >interested. Requires a VGA card that handles mode 5Fh (640 x 480, [..] >The source has a brief explanation of what noise spheres are and a >reference to the Pickover article the program was based on. >The source code is not copyrighted, and it would be nice to see it ported to >other systems, or maybe a portable C version that writes the output to a >PCX file in RBG(?). [I'm not that fluent in C to write one...] [..] BTW, check the ftp.funet.fi site... Somebody sent me a C++ conversion of it. It compiles fine with BCC 4.02. Enclosed here (thanks to "James Pate Williams, Jr." ) /* NOISESPH.PAS, A Noise Sphere plotter written in Turbo Pascal (23-Mar-96) Robert Rothenburg Walking-Owl No copyright is claimed. No guarantees made. Usage: noisesph file This program reads a file of random or pseudo-random data and plots a noise sphere of the data. Poor RNGs or sampling methods will show clear patterns (definite splotches or spirals). The theory behind this is to get a set of 3D polar coordinates from the RNG and plot them. An array is kept of the values, which is rotated each time a new byte is read (see the code in the main procedure). Rather than plot one sphere which can be rotated around any axis, it was easier to plot the sphere from three different angles. This program is based on a description from the article below. It was proposed as a means of testing pseudo-RNGs: Pickover, Clifford A. 1995. "Random number generators: pretty good ones are easy to find." The Visual Computer (1005) 11:369-377. */ #include #include #include #include #include #include struct Cartesian { double x, y, z; unsigned Color; }; struct Polar { double r, theta, phi; }; int MidA, MidB, MidC, MidY, Scale; double ByteToReal(unsigned char b) { /*note that there will be some gaps since we're only using the equivalent of an 8-bit decimal here*/ return b / 256.0; } //Initialize the graphics screen int InitScreen(void) { int GraphMode, GraphDriver; GraphDriver = VGA; GraphMode = VGAHI; detectgraph(&GraphDriver, &GraphMode); initgraph(&GraphDriver, &GraphMode, ""); Scale = getmaxx() / 6; MidA = Scale, MidB = 3 * Scale, MidC = 5 * Scale; MidY = getmaxy() / 2; if (MidY < Scale) Scale = MidY; return graphresult(); } unsigned int ScaleColor(double) { return LIGHTGRAY; } int Round(double x) { return (int) (x + 0.5); } void Plot(struct Cartesian& C) { putpixel(MidA + Round(Scale * C.y), MidY - Round(Scale * C.z), C.Color); putpixel(MidB + Round(Scale * C.x), MidY - Round(Scale * C.y), C.Color); putpixel(MidC + Round(Scale * C.z), MidY - Round(Scale * C.x), C.Color); } void PolarToCartesian(struct Polar P, struct Cartesian& C) { //No rotation was added. Instead we plot from three angles... C.x = P.r * sin(P.phi) * cos(P.theta); C.y = P.r * sin(P.phi) * sin(P.theta); C.z = P.r * cos(P.phi); //We can assign colors based on x, y, z, r, theta / pi or phi / (2 * pi) C.Color = ScaleColor(C.y); } void main(int argc, char* argv[]) { double X[3]; int error, i, n = 0; unsigned char byte; fstream inp; Cartesian C; Polar P; if (argc != 2) { cout << "usage: noisesph filename" << endl; exit(1); } inp.open(argv[1], ios::binary | ios::in); if (!inp) { cout << "*error*\could not open input file" << endl; exit(1); } error = InitScreen(); if (error != grOk) { cout << grapherrormsg(error) << endl; exit(1); } for (i = 0; i < 3; i++) { inp.get(byte); X[i] = ByteToReal(byte); } do { P.r = sqrt(X[(n + 2) % 3]); P.theta = M_PI * X[(n + 1) % 3]; P.phi = 2 * M_PI * X[n]; PolarToCartesian(P, C); Plot(C); inp.get(byte); X[n] = ByteToReal(byte); n = (n + 1) % 3; } while (!kbhit() && inp); getch(); closegraph(); } From unicorn at schloss.li Mon Mar 25 03:08:17 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 25 Mar 1996 19:08:17 +0800 Subject: Why and how people work for free on "challenges" In-Reply-To: Message-ID: On Sun, 24 Mar 1996, Timothy C. May wrote: > At 12:56 AM 3/25/96, Black Unicorn wrote: [...] > >I think, however, that if you know your stuff, and you release the source > >code to the list, many people here will be open minded enough to take a > >good look, give you some pointers, perhaps even improve your work. > > While I'm certainly no expert in cryptanalysis, the situation with "Can you > break this?" challenges is a special case--and an important one--of > challenges in general. > > To cut to the chase, why do challenges work at all? And under what > circumstances? [...] > * the challenge should come from a reputable group or individual (casual > challenges of the "I dare you" sort thus get winnowed out) > * the challenge should involve something "interesting"....first solo flight > across the Atlantic, first human-powered flight, etc. > * the challenge needs to come at the right time. There would be little > interest, for example, in a challenge about the first fusion-powered flight > (excluding solar-powered, which was a challenge). [...] Points well taken. At the risk of "me too"ing, I concur. Challenges to indeed serve an important role, and I hardly meant to discourage those which have been the subject of careful pre-planning and forethought. > --Tim May --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From pgp-announce-owner at LSD.com Mon Mar 25 03:35:27 1996 From: pgp-announce-owner at LSD.com (Dave Del Torto) Date: Mon, 25 Mar 1996 19:35:27 +0800 Subject: [ADMIN] PGP Announce List Update Message-ID: >>>>>>>>>>>>>>> Calling All PGP Fanatics! (of varying degrees) <<<<<<<<<<<<<<< ADMINISTRIVIA: The signed message below is what someone sending mail to would eventually see. Please pass it on to your significant others, so to speak. FYI, I'll be in Boston at CFP96 from 26 Mar - 2 Apr, so no list-admin-business will likely get done during that period. Expect more news soon after my return about PGP 3.0 and other exciting developments. [ cue music: "Jaws" theme ] USUAL SUSPECTS WITH PGP ANECDOTES SOUGHT: Anyone who has an anus-clenching anecdote, an amusing remembrance or just an aprocryphal Jonah+Whale-tale about their experiences with PGP is encouraged to send it to for inclusion in an upcoming anthology (authors will be credited). Now's your chance to recount for all Posterity the adventurous days gone by when you were dropped behind enemy lines (Vienna, VA?) with only a laptop, your trusty educational PGP freeware and your McGyver-esque ingenuity. Do it soon, though if you want your name up in electrons: disk space is limited. ;) dave -----BEGIN PGP SIGNED MESSAGE----- "The Official PGP Announce List" Greetings. The PGP Announce List is a special-interest mailing list established to distribute first-line, official news and information about PGP (Pretty Good Privacy [tm]) from the development team led by Philip Zimmermann to interested parties worldwide (no cryptographic code is included in any of the posts). Please read the instructions below to join the list. The list is hand-maintained to help ensure that the list is received _only_ by those persons who specifically ask for it and that it contains official information only. All posting is moderated, and includes items about new PGP releases, legal developments, policy and legislative news, related software add-ons and scripts, co-development projects, software updates, domestic (USA/Canada) distribution notes, worldwide developments, etc. If you have an item to submit, do not send it to Phil: send it to Forwarding of pgp-announce is encouraged and appreciated, but you *must* copy the entire message (including any PGP signature blocks) or we'll send lawyers to your door with rubber hoses and bad attitudes. ;) To obtain PGP for your platform (and from your geographic location worldwide) and see what all this darn excitement's about, point your web broswer at this page: . When obtaining your copy of PGP, please respect all applicable export restrictions for your safety and the safety of others. For generic PGP questions or help using the software, mail the smiling PGP Help Team volunteers at: with a well-documented question in something approximating the English language AFTER consulting the documentation that _always_ accompanies a valid PGP release archive. The Help Team will answer any level of PGP question, ranging from crypto-beginners on up to super-paranoid-cypherpunk-developer types. dave PS: Feel free to redirect the instructions below (including the PGP signature) to anyone you know who is interested in news about PGP. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Verbum sapienti satis est. iQCVAwUBMVXBmaHBOF9KrwDlAQERlQQAuob5u5pTYPD/X786hivrZSIzhiYlGLZw Z7hkzXAnRJkvYTcGskq6CFBGVPFjVpM4TvYY0Lkk5nCAHWVosbZH/yfx9qeSfSn7 WscppurpHHPd3CFRGGyROjqttDPl8zTZL4xMZtLCx04yMl5D8bfuHbHvG0tneaju y6xPAddXFv8= =j80g -----END PGP SIGNATURE----- INSTRUCTIONS ................................... cut here .................................. -----BEGIN PGP SIGNED MESSAGE----- .................... "How to get ON the PGP Announce List" .................... [1] [2] SUBJECT: Your Name / \ UNquoted (") Full name \ Address in please, NOT parentheses. The Body should be left EMPTY (as in nothing, zero, null, void). Please don't put the word "subscribe" anywhere in your msg (killfile fodder). People who can't manage to follow these instructions probably shouldn't be trusted with crypto stuff anyway, right? Once a *correctly-formatted* request makes it past the evolutionary-check-filters, the actual subscription process is higher-primate-managed and list membership is updated when announcements are mailed. This list aspires to be the lowest-volume mailing list on the entire Internet, so you will NOT receive instant verification of your subscription (except for the exquisitely rare admin/test msgs and the announcements themselves). If you follow the instructions above EXACTLY, you're subscribed (and if you don't, you're not). Variations (eg. leaving out the on the address or letting your auto-signature mechanism get out of control) will cause the bozo-filters to bit-bucket a request automagically. Sending multiple requests accomplishes nothing other than irritating the cage-cleaners. Send banana peels and/or complaints to . SUMMARY: (GOOD/YES/CAN-FOLLOW-DIRECTIONS) TO: pgp-announce-request at lsd.com SUBJ: Your Name BODY: (BAD/NO/CLUELESS) TO: pgp-announce-request at lsd.com SUBJ: Joe Billy Bob Bozo [jbbb at cant.read.directions.com} BODY: Howdy! Kin yew SUBSCRIBE me to yer list? I also has a question... .................... "How to get OFF the PGP Announce List" ................... If you wish to REMOVE yourself from the distribution list, or to CHANGE your listed address (which netiquette is greatly appreciated by the minions who shovel the bits and watch the mail-bounce errors collect, BTW), please format your request as follows: (ADDRESS REMOVAL) TO: pgp-announce-request at lsd.com SUBJ: REMOVE Your Name BODY: (ADDRESS CHANGE) TO: pgp-announce-request at lsd.com SUBJ: CHANGE Your_Name = BODY: ............................................................................... -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Verbum sapienti satis est. iQCVAwUBMVXBZqHBOF9KrwDlAQGvXgP+ISnuRfAvTIrev2EC5ro+8TNIwDMKg2rh 5U+NyHBx8JWESco15phTDm/f7Cm6rVjuzalWrKogfdV/UZCXuMDaYzoYz0IXcm0F Ax4PS6+Yt9cMojV87PP0Y0IVlMn7/s1cQx6em7WqjWeXdII0uZ8Sn3dZL+X4/cAH ECH31ZJ+ceA= =8Y9c -----END PGP SIGNATURE----- From jya at pipeline.com Mon Mar 25 05:58:23 1996 From: jya at pipeline.com (John Young) Date: Mon, 25 Mar 1996 21:58:23 +0800 Subject: NYT on Crypto Issue Message-ID: <199603251143.GAA14247@pipe1.nyc.pipeline.com> The New York Times, March 25, 1996, p. D5. The key issue for the Net is not smut, it is the use of encryption Growing fears that Big Brother might decide to read your E-mail. By Denise Caruso The current uproar over the Internet is about smut and what can be made public on the global computer network. But the next public-policy tangle will be about what we're allowed to keep secret. Earlier this month, a bipartisan group from both houses of Congress introduced versions of legislation called the Encrypted Communications Privacy Act of 1996. This bill, which outlines the proper use of encryption technologies for privacy and security, is by far the most critical piece of Internet legislation yet introduced. Encryption uses a mathematical key to scramble and unscramble digital messages so they can be read only by their intended recipients and not by human or electronic snoopers. Legislation about this powerful technology is especially important when viewed in light of two laws already on the books. One of these, the Digital Telephony Act, signed into law in 1994, allows Federal law-enforcement agencies to update the telephone network with the most pervasive surveillance equipment in history. The other, the freshly signed Communications Decency Act, bans "indecent" material from the Internet. It is a law that many legislators seemed to feel was on shaky ground even as Congress was passing it. A constitutional challenge to the law is currently being heard in Federal District Court in Philadelphia. Though the encryption bill as written is receiving qualified support from industry and civil libertarians, some worry that changes made in committee could make the bill too restrictive, completing a triumvirate of Big Brother legislation that would give law enforcement the ability and rationale to monitor all the electronic messages of citizens, leaving little or no recourse for private or secure communication. Such restrictions threaten to suffocate the Internet. As new users and businesses flock daily to the Internet, their need to protect confidential business data and messages becomes a key issue in making the Net safe enough to be useful. Computer security experts say that many of today's problems on the Net -- minors getting access to pornography, security breaches of corporate data, the need to prove one's identity -- could be solved by using encryption. Today, using encryption of any kind is still perfectly legal inside the United States. Historically, it was mostly used to protect secret military communications, so the technology is still classified as munitions -- the same threat to national security as a boatload of artillery shells. Thus any products containing encryption are subject to strict export controls. Law-enforcement and national security officials say that widespread use of strong encryption would enable terrorists and organized-crime syndicates to communicate with impunity. They say export control is the only way to keep this genie in its bottle, at least when it comes to foreign, not domestic crime. In addition, security experts have persuaded the Clinton Administration to propose an encryption method called "key escrow" that would give the Government access to information even after it had been encrypted. Key-escrow systems generate a decrypting key that is held by a trusted third party. When law-enforcement agents show up with a court warrant, the trustee hands over the key to unlock the message. So far, the Clinton Administration's proposals, which include a key-escrow system called Clipper have been universally reviled by both civil libertarians and the computer industry, which claims it stands to be deprived of up to $60 billion annually by the year 2000 because of export controls. They argue that any country today can make and sell encryption products stronger than what can be legally exported from the United States and that people won't use a system like key escrow because it has a built-in security compromise. One defender of key-escrow policy is Dorothy Denning, a professor of computer science at Georgetown University and a consultant to the military industry. She argued in a letter to Senator Patrick J. Leahy Democrat of Vermont -- one of the sponsors of the new legislation -- that such a system was vital to public safety and security. James Barksdale, president of the Netscape Communications Corporation, whose popular Web-browser software has built-in encryption capabilities, called Ms. Denning's solution a "stopgap measure." "Key escrow is an unworkable idea, and we do not support it," Mr. Barksdale said. "Key escrow will be defeated just like Prohibition was defeated by bathtub gin -- all it took was a big bag of sugar and a long weekend." Policy watchdogs like the Center for Democracy and Technology and the Electronic Frontier Foundation, both outspoken advocates for privacy rights and due process, agree that the bill is headed in the right direction. It does not dictate the use of a key escrow system, eases export controls for "mass market" products (like Netscape's), prohibits any restriction on the domestic use or sale of encryption, and provides a "personal use" policy for American travelers who use encryption while outside the country. But the bill is sure to face a fight as it moves through the House and the Senate, and the key-escrow and export-control proponents marshal their experts. David Farber, a professor of computer science at the University of Pennsylvania and a board member of the Electronic Frontier Foundation, says encryption policy always turns into "a religious discussion" between those who fear terrorism and those who want to live without fear of constant surveillance. But, he adds, if you take privacy discussions to the people, their attitudes are pretty clear. " If you ask the American public what they think of national I.D. cards, for example, a huge percentage are opposed to them," he said. "Why? They're not hiding anything. They just don't want the Government to have that type of power." [End] From raph at CS.Berkeley.EDU Mon Mar 25 07:41:41 1996 From: raph at CS.Berkeley.EDU (Raph Levien) Date: Mon, 25 Mar 1996 23:41:41 +0800 Subject: List of reliable remailers Message-ID: <199603251450.GAA04021@kiwi.cs.berkeley.edu> I operate a remailer pinging service which collects detailed information about remailer features and reliability. To use it, just finger remailer-list at kiwi.cs.berkeley.edu There is also a Web version of the same information, plus lots of interesting links to remailer-related resources, at: http://www.cs.berkeley.edu/~raph/remailer-list.html This information is used by premail, a remailer chaining and PGP encrypting client for outgoing mail. For more information, see: http://www.c2.org/~raph/premail.html For the PGP public keys of the remailers, finger pgpkeys at kiwi.cs.berkeley.edu This is the current info: REMAILER LIST This is an automatically generated listing of remailers. The first part of the listing shows the remailers along with configuration options and special features for each of the remailers. The second part shows the 12-day history, and average latency and uptime for each remailer. You can also get this list by fingering remailer-list at kiwi.cs.berkeley.edu. $remailer{"extropia"} = " cpunk pgp special"; $remailer{"portal"} = " cpunk pgp hash"; $remailer{"alumni"} = " cpunk pgp hash"; $remailer{"bsu-cs"} = " cpunk hash ksub"; $remailer{"c2"} = " eric pgp hash reord"; $remailer{"penet"} = " penet post"; $remailer{"hacktic"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"flame"} = " cpunk mix pgp. hash latent cut post reord"; $remailer{"rahul"} = " cpunk pgp hash filter"; $remailer{"mix"} = " cpunk mix pgp hash latent cut ek ksub reord ?"; $remailer{"ford"} = " cpunk pgp hash ksub ek"; $remailer{"vishnu"} = " cpunk mix pgp hash latent cut ek ksub reord"; $remailer{"robo"} = " cpunk hash mix"; $remailer{"replay"} = " cpunk mix pgp hash latent cut post ek"; $remailer{"spook"} = " cpunk mix pgp hash latent cut ek reord"; $remailer{"rmadillo"} = " mix cpunk pgp hash latent cut ek"; $remailer{"ecafe"} = " cpunk mix"; $remailer{"wmono"} = " cpunk mix pgp. hash latent cut"; $remailer{"shinobi"} = " cpunk mix hash latent cut ek reord"; $remailer{"amnesia"} = " cpunk mix pgp hash latent cut ksub"; $remailer{"gondolin"} = " cpunk mix pgp hash latent cut ek reord"; $remailer{"tjava"} = " cpunk mix pgp hash latent cut"; $remailer{"pamphlet"} = " cpunk pgp hash latent cut ?"; $remailer{'alpha'} = ' alpha pgp'; $remailer{'gondonym'} = ' alpha pgp'; $remailer{'nymrod'} = ' alpha pgp'; $remailer{"lead"} = " cpunk pgp hash latent cut ek"; $remailer{"treehole"} = " cpunk pgp hash latent cut ek"; $remailer{"nemesis"} = " cpunk pgp hash latent cut"; $remailer{"exon"} = " cpunk pgp hash latent cut ek"; $remailer{"vegas"} = " cpunk pgp hash latent cut"; $remailer{"haystack"} = " cpunk pgp hash latent cut ek"; $remailer{"ncognito"} = " mix cpunk latent"; catalyst at netcom.com is _not_ a remailer. lmccarth at ducie.cs.umass.edu is _not_ a remailer. usura at replay.com is _not_ a remailer. Groups of remailers sharing a machine or operator: (c2 robo alpha) (gondolin gondonym) (flame hacktic replay) (alumni portal) (vishnu spook wmono nymrod) Use "premail -getkeys pgpkeys at kiwi.cs.berkeley.edu" to get PGP keys for the remailers. Fingering this address works too. Note: The remailer list now includes information for the alpha nymserver. Last update: Mon 25 Mar 96 6:46:51 PST remailer email address history latency uptime ----------------------------------------------------------------------- replay remailer at replay.com *+***-*++*** 8:38 100.00% ecafe cpunk at remail.ecafe.org #####*#-*#*# 2:14 100.00% hacktic remailer at utopia.hacktic.nl ************ 9:26 99.99% portal hfinney at shell.portal.com #-**###*#-## 5:13 99.99% pamphlet pamphlet at idiom.com ---+++++++++ 2:25:16 99.99% haystack haystack at holy.cow.net ##***+**-### 5:03 99.98% exon remailer at remailer.nl.com ++**+++--*** 29:20 99.98% c2 remail at c2.org -++++******* 22:36 99.97% nemesis remailer at meaning.com +********++* 24:47 99.97% shinobi remailer at shinobi.alias.net -+#++*-#*### 3:46 99.88% lead mix at zifi.genetics.utah.edu +*++++**++++ 34:01 99.86% tjava remailer at tjava.com ####*###* *# 1:08 99.73% extropia remail at extropia.wimsey.com ----------- 6:14:43 99.64% alpha alias at alpha.c2.org +++++ +++++ 51:14 99.64% nymrod nymrod at nym.alias.net ***++*++++- 31:12 99.56% gondolin mix at remail.gondolin.org --.-_____.- 45:37:44 99.50% gondonym alias at nym.gondolin.org --.._____.- 45:54:23 99.49% flame remailer at flame.alias.net -------.--- 5:31:19 99.38% penet anon at anon.penet.fi _.._._.._ 45:39:57 99.03% alumni hal at alumni.caltech.edu *-+##* * ## 24:59 98.83% vishnu mixmaster at vishnu.alias.net *--++++++- - 3:51:29 98.62% treehole remailer at mockingbird.alias.net -++-- ---+++ 4:35:40 98.58% spook remailer at spook.alias.net *- ++++**** 29:38 98.48% ncognito ncognito at gate.net ##* +*#*# # 1:37 98.08% vegas remailer at vegas.gateway.com * **___.-* 19:25:45 97.30% amnesia amnesia at chardos.connix.com --- ----- - 2:17:13 96.25% mix mixmaster at remail.obscura.com ...+-+--+- 8:02:48 94.13% History key * # response in less than 5 minutes. * * response in less than 1 hour. * + response in less than 4 hours. * - response in less than 24 hours. * . response in more than 1 day. * _ response came back too late (more than 2 days). cpunk A major class of remailers. Supports Request-Remailing-To: field. eric A variant of the cpunk style. Uses Anon-Send-To: instead. penet The third class of remailers (at least for right now). Uses X-Anon-To: in the header. pgp Remailer supports encryption with PGP. A period after the keyword means that the short name, rather than the full email address, should be used as the encryption key ID. hash Supports ## pasting, so anything can be put into the headers of outgoing messages. ksub Remailer always kills subject header, even in non-pgp mode. nsub Remailer always preserves subject header, even in pgp mode. latent Supports Matt Ghio's Latent-Time: option. cut Supports Matt Ghio's Cutmarks: option. post Post to Usenet using Post-To: or Anon-Post-To: header. ek Encrypt responses in reply blocks using Encrypt-Key: header. special Accepts only pgp encrypted messages. mix Can accept messages in Mixmaster format. reord Attempts to foil traffic analysis by reordering messages. Note: I'm relying on the word of the remailer operator here, and haven't verified the reord info myself. mon Remailer has been known to monitor contents of private email. filter Remailer has been known to filter messages based on content. If not listed in conjunction with mon, then only messages destined for public forums are subject to filtering. Raph Levien From declan+ at CMU.EDU Mon Mar 25 08:16:00 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Tue, 26 Mar 1996 00:16:00 +0800 Subject: LIST OF SHAME VOLUNTEERS In-Reply-To: Message-ID: <8lJfDXO00YUv87Z3A8@andrew.cmu.edu> Excerpts from internet.cypherpunks: 25-Mar-96 Re: LIST OF SHAME VOLUNTEERS by Black Unicorn at schloss.li > I did a little weekend poking, I can confirm this. If the Leahy bill > passes, it will be a surprise (putting it mildly). Especially since there are only -- how many? -- 40 or 50 days left in this legislative session. > > After DT and Clipper, it's our chance to put Clinton and the DoJ on the > > defensive for a change. > > I suggest instead that everyone be nice and quiet. If they get busy > enough, this issue might not rear its ugly head for a few terms. It's too late, I fear. Today's article in the NYT, for instance, doesn't exactly help keep this issue quiet. -Declan From vince at offshore.com.ai Mon Mar 25 08:16:01 1996 From: vince at offshore.com.ai (Vincent Cate) Date: Tue, 26 Mar 1996 00:16:01 +0800 Subject: CDA Court Challenge: Day #2 (fwd) Message-ID: Declan: > I suggested to our attorney, Chris Hansen from the ACLU, that he > clarify what percentage of newsgroups were moderated. On redirect, > Hansen posed that question to Donna Hoffman of Vanderbilt University. > She replied that most newsgroups are unmoderated. Later, Bradner of > Harvard University added that moderated newsgroups amount to less > than 10 percent of the total. Another point is that the readers decide which moderated groups and mailing lists they like. If a moderator is no good people read other groups. A good question might be "Is it the free market, or a government commission, or Internet authority, that determines who gets to be a moderator?" And then maybe, "Could anyone just make a newsgroup or mailing list and be a moderator?" And maybe, "In the future when it is easier to pay for information on the Internet, is it reasonable to expect the amount of effort that goes into editing and moderating to increase?" The key point that the free market provides editing when needed. The several companies that provide browsers that censor things for kids is the free market "supply" to the "demand" of parents not wanting their kids to see things. If the government really just must get involved, it could subsidize these companies or this type of product. :-) - Vince vince at offshore.com.ai PS Some of us even go through the trouble to write a check and mail it in order to get an edited version of cypherpunks called cp-lite. :-) From ses at tipper.oit.unc.edu Mon Mar 25 09:20:46 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Tue, 26 Mar 1996 01:20:46 +0800 Subject: RISKS: Princeton discovers another Netscape security flaw In-Reply-To: Message-ID: A pound to a bucket of ferrets this is another visit from our good friends Capt. Overrun and the static buffers, in which case it's more an indictment of C Simon --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From suyama at open.tjsys.co.jp Mon Mar 25 09:23:20 1996 From: suyama at open.tjsys.co.jp (=?ISO-2022-JP?B?GyRAP1w7MxsoQg==?= =?ISO-2022-JP?B?GyRASVJDSxsoQg==?=) Date: Tue, 26 Mar 1996 01:23:20 +0800 Subject: DESCRIBE Message-ID: <19963251754.11078@suyama.kirin> undescribe cypherpunks at toad.com suyama at open.tjsys.co.jp --- $@"!(B $@ElpJs%7%9%F%`!J3t!K%*!<%W%s%7%9%F%`K\It(B $@"!(B $@%*!<%W%s%M%C%H;v6HIt(B $@%*!<%W%s%M%C%H;Y1g5;=QIt(B $@"!(B $@"!(B $@?\;3(B $@IRCK(B $@!J(BE-Mail:suyama at open.tjsys.co.jp$@!K(B $@"!(B $@"!(B TEL 044-246-8477 FAX 044-246-8134 From ses at tipper.oit.unc.edu Mon Mar 25 12:15:40 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Tue, 26 Mar 1996 04:15:40 +0800 Subject: So, what crypto legislation (if any) is necessary? (Was List O' , shame) In-Reply-To: <8lJfDXO00YUv87Z3A8@andrew.cmu.edu> Message-ID: If the Leahy bill is unacceptable, what legistlation is necessary? I can't see how the use of cryptography in the commission of a crime needs to be a separate offence, but I could see how it could be treated as a special circumstance - that doesn't really needed a new law though. I do feel that it should be possible for courts to sub poena crypto keys, but that doesn't really need new law either (4th and 5th ammendments become _really_ important though (hmmm- there advantages to writing down a constitution after all :) Simon --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From tcmay at got.net Mon Mar 25 12:26:34 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 26 Mar 1996 04:26:34 +0800 Subject: Why and how people work for free on "challenges" Message-ID: At 12:56 AM 3/25/96, Black Unicorn wrote: >I think, should you have the right attitude, many people here will be >happy to review your source code, given some pre-conditions. Mr. May >summed these up quite well only days ago in the IDG (or whatever) >snakeoil thread. I would suggest you take a gander at his post on the >subject. Briefly, (and I hope I'm not butchering his points to >bitterly), he indicated that unless you had hit on most of the basic >source material to begin with (applied cryptography for example), and >really knew a bit about the subject, most people wouldn't much care to >pay attention to you. > >I think, however, that if you know your stuff, and you release the source >code to the list, many people here will be open minded enough to take a >good look, give you some pointers, perhaps even improve your work. While I'm certainly no expert in cryptanalysis, the situation with "Can you break this?" challenges is a special case--and an important one--of challenges in general. To cut to the chase, why do challenges work at all? And under what circumstances? A challenge that grabs the attention of key people can result in vastly more effort being put into a task than could be effectively marshalled almost any other way. An example will make this clearer: human-powered flight. A challenge prize was offered for the first human-powered flight around some particular set of pylons...I don't recall the details, but it was heavily publicized some years back. Vast amounts of effort were put into this. Flight, like cryptanalysis, has long been a fairly ideal area for such challenges. But, like crypto, there are some things that work for such challenges (and some things that don't). * the challenge should come from a reputable group or individual (casual challenges of the "I dare you" sort thus get winnowed out) * the challenge should involve something "interesting"....first solo flight across the Atlantic, first human-powered flight, etc. * the challenge needs to come at the right time. There would be little interest, for example, in a challenge about the first fusion-powered flight (excluding solar-powered, which was a challenge). There is, for example, likely to be little or no interest if I pose this challenge: "I challenge any of you to fly from San Francisco to Canberra to Taipei and back to San Francisco without once saying a single word." The challenge needs to arouse wide interest. In crypto, there have been _many_ challenges which basically meet the sorts of criteria I listed. Ralph Merkle offered a prize for anyone who could break the knapsack algorithm (iterated, or somesuch...cf. Schneier etc. for details). This was already an important issue, so the challenge was taken seriously. Shamir ultimately claimed the prize. Later prizes followed a similar trend. And there were challenges by Rivest, involving RSA, which an MIT team ultimately broke (RSA-129). Our own Derek Atkins was involved (and he may be able to say more about why RSA challenges are more interesting to students and faculty than are mere "Here's my new cipher" challenges. And the CIA even has a challenge involving a statue or seal outside its Langley headquarters building. Not to mention the Beale Cipher. So, a reasonable challenge will likely generate a lot of free effort. Even a $1000 prize, if combined with other factors, will draw attention. The prize itself is not important; it is the defining of precise conditions for success that is important and interesting. The recent "I challenge Cypherpunks to break our unbreakable system" challenge from Snake Oil Associates failed on several grounds. There was no real evidence the algorithm was "interesting," there was no evidence the folks at SOA were competent and worth going up against, the conditions of the challenge were suspect, and there was no substantive prize making effort potentially rewarding. (The offered to sell the company for $1 to whomever broke their system, but now seem to have reneged, predictably enough.) Even so, a couple of Cypherpunks analyzed their system (parts of which were secret, usually another killer for effective challenges!). In less than a day, a crack was reported. (The motive here was yet another one, not listed above. Namely, the desire to go "gunning" for the incompetent newbies and cretins.) So, well-planned challenges can be effective. Naive and puerile challenges of the sort "I dare you to break this! I double-dog dare you to!" are rarely treated seriously. Not too surprising. Bayesian statistics says that someone we've never heard from before is unlikely to be producing a new cipher which is interesing enough to try to break. A new cipher from Rivest or the like would of course be somewhat more likely to be analyzed (though even these ciphers are rarely analyzed directly). >Take a look at Mr. May's cyphermonicon, (anyone have the URL/FTP handy >for our new friend?) The URL I like is http://www.oberlin.edu/~brchkind/cyphernomicon/. Though, as I have noted in other threads, I have very little if anything on "cryptanalysis" per se. Modern ciphers are just not very amenable to attacks via conventional cryptanalysis. (And symmetric-key ciphers are really, really old news.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com Mon Mar 25 12:56:43 1996 From: Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com (Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com) Date: Tue, 26 Mar 1996 04:56:43 +0800 Subject: RISKS: Princeton discovers another Netscape security flaw Message-ID: <9603251947.AA0350@smtp1.chipcom.com> ses @ tipper.oit.unc.edu (Simon Spero wrote: >A pound to a bucket of ferrets this is another visit from our good friends >Capt. Overrun and the static buffers, in which case it's more an indictment >of C So? I agree that it's essentially impossible to write reliable code in C, just as in assembly language. Actually, it's easier in assembly language because then you KNOW you have to do all the work yourself, while C misleads you into thinking it does some of the work for you when in fact it does not. That doesn't affect the point at all, though. The job of doing something like what Java claims to do correctly is basically equivalent to the job of creating an A2 grade operating system. (Don't bother looking for any, as far as I know the designation A2 doesn't even exist anymore because it is still beyond the state of the art. It means "verified implementation", i.e., the implementation -- not just the design as in in A1 -- is provably correct. Note that a strict interpretation of this would involve holding not just the code itself but also the tools that act on it -- like compilers, and microcode in machines that have it -- to A2 standards. If you wonder why, consider the famous Unix login hack from many years ago that involved a hack in the C compiler.) paul !----------------------------------------------------------------------- ! Paul Koning, NI1D, C-24183 ! 3Com Corporation, 1-3A, 118 Turnpike Road, Southborough MA 01772 USA ! phone: +1 508 229 1695, fax: +1 508 490 5873 ! email: paul_koning at isd.3com.com or paul_koning at 3mail.3com.com ! Pgp: 27 81 A9 73 A6 0B B3 BE 18 A3 BF DD 1A 59 51 75 !----------------------------------------------------------------------- ! "The only purpose for which power can be rightfully exercised over ! any member of a civilized community, against his will, is to prevent ! harm to others. His own good, either physical or moral, is not ! a sufficient warrant." -- John Stuart Mill, "On Liberty" 1859 From nelson at crynwr.com Mon Mar 25 12:58:10 1996 From: nelson at crynwr.com (nelson at crynwr.com) Date: Tue, 26 Mar 1996 04:58:10 +0800 Subject: signing && emacs? Message-ID: <19960325162536.21380.qmail@ns.crynwr.com> Has anyone considered adding a PGP signature to emacs local ``eval'' or hook variables? It'd sure be nice to have Emacs just load up a file without asking me if I trust the author. -russ http://www.crynwr.com/~nelson Crynwr Software | Crynwr Software sells packet driver support | PGP ok 11 Grant St. | +1 315 268 1925 voice | If you would seek peace, Potsdam, NY 13676 | +1 315 268 9201 FAX | first seek freedom From llurch at networking.stanford.edu Mon Mar 25 13:40:27 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 26 Mar 1996 05:40:27 +0800 Subject: So, what crypto legislation (if any) is necessary? (Was List O', shame) In-Reply-To: Message-ID: On Mon, 25 Mar 1996, Declan B. McCullagh wrote: > Leahy's bill will not pass. Period. However, with the introduction of > this legislation comes a chance to get _our side_ heard by the unwired. Hear hear. But I'm afraid that last should have been written in the past tense. There it goes... It would have been nice to have someone in the Congressional Record saying something like, "While I don't agree with the implementation of this specific bill, it is arguably less totalitarian than the current arbitrary and unconstitutional policy." -rich From declan+ at CMU.EDU Mon Mar 25 13:43:27 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Tue, 26 Mar 1996 05:43:27 +0800 Subject: So, what crypto legislation (if any) is necessary? (Was List O' , shame) In-Reply-To: Message-ID: Excerpts from mail: 25-Mar-96 So, what crypto legislation.. by Simon Spero at tipper.oit.u > If the Leahy bill is unacceptable, what legistlation is necessary? I > can't see how the use of cryptography in the commission of a crime needs > to be a separate offence, but I could see how it could be treated as a > special circumstance - that doesn't really needed a new law though. Leahy's bill will not pass. Period. However, with the introduction of this legislation comes a chance to get _our side_ heard by the unwired. -Declan From unicorn at schloss.li Mon Mar 25 15:47:29 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 26 Mar 1996 07:47:29 +0800 Subject: So, what crypto legislation (if any) is necessary? (Was List O' , shame) In-Reply-To: Message-ID: On Mon, 25 Mar 1996, Simon Spero wrote: > > If the Leahy bill is unacceptable, what legistlation is necessary? I > can't see how the use of cryptography in the commission of a crime needs > to be a separate offence, but I could see how it could be treated as a > special circumstance - that doesn't really needed a new law though. This kind of legislation would be painfully unenforceable. How do you know if crypto was used in the commission of a crime unless you can offer the plaintext to show that the content was criminal or in furtherance of a criminal act or conspiracy, >and< that the content was encrypted? This kind of statute nearly requires escrowed encryption or the old standby, stupid crooks. I'd be happy to see this pass alone because I think it would placate some of the screaming crypto-frady-cats on the hill much the way the cosmetic assualt "looking" weapons ban did, but I think this unlikely. It's like criminalizing the destruction of bodies in furtherance of murder. What's the point? Just use obstruction of justice. > I do feel that it should be possible for courts to sub poena crypto keys, > but that doesn't really need new law either (4th and 5th ammendments > become _really_ important though (hmmm- there advantages to writing down a > constitution after all :) After doing some work in a somewhat related area (I'm about to release the workproduct to the list), I am more and more dubious as to the protections the 4th and 5th amendments will provide in these instances. I think many people on the list here had the right idea generally. No legislation is good legislation for crypto. Really the ITAR applications are beseiged right now, and will probably fizzle out of their own accord, not to mention the fact that they are de facto moot. In practice it is trivial to subvert ITAR for the purposes of worldwide crypto availability. Someone just needs to get a foreign entity producing strong hardware encryption in Estonia (hardware IDEA would be nice) to capitalize on the markets in the U.S. and non-escrow jurisdictions in Europe and Asia. If we have no-legislation and a foreign producer of strong crypto soft and hardware for the next 3 years, I think we are way ahead of the game. Unfortunately, I think some version of crypto legislation is going to see passage in the next pair of years. Leahy certainly isn't going to give up, and he may have a bit more momentum after an election year runs its course. Whoever wins the election, I think you can expect to see even more aggressive bills from congress on the subject. All it would take is one anti-trust case with encryption as a concealing method and people would be busting down doors at night looking for PGP. > Simon > > --- > They say in online country So which side are you on boys > There is no middle way Which side are you on > You'll either be a Usenet man Which side are you on boys > Or a thug for the CDA Which side are you on? > National Union of Computer Operatives; Hackers, local 37 APL-CPIO > > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From jimbell at pacifier.com Mon Mar 25 15:47:54 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 26 Mar 1996 07:47:54 +0800 Subject: LIST OF SHAME VOLUNTEERS Message-ID: At 01:22 AM 3/25/96 -0500, Declan B. McCullagh wrote: >E. Clark writes: >> I neither like nor trust the bill and, after the Digital Telephony >> Bill and its manner of passage, my trust in the good senator is zero. > >I spoke to a couple folks about this at the CDA hearings in Philadelphia >last week. Word on the streets from those who would know is that the >Leahy Bill has NOT A CHANCE IN HELL of passing, and so is worth >supporting to raise awareness of crypto. This is a dangerous position to take. Many people have killed themselves, accidentally, thinking "the gun isn't loaded!" This said, I see nothing wrong with fixing and improving the bill and only then supporting it. >After DT and Clipper, it's our chance to put Clinton and the DoJ on the >defensive for a change. If the Leahy bill "has not a chance in hell" of passing, then what's wrong with CORRECTING it. Given this assessment,I doubt whether such changes would reduce its chances. BTW, remember that one of the reasons its chances are rated as "not a chance in hell" is that the two constituencies who might normally support this bill, the crypto/software businesses and ourselves, see its promises as being weak and its negatives as being large. Without them, who else is there to support it? Jim Bell jimbell at pacifier.com From CA20007 at aol.com Mon Mar 25 16:41:54 1996 From: CA20007 at aol.com (CA20007 at aol.com) Date: Tue, 26 Mar 1996 08:41:54 +0800 Subject: signature appl tested by IRS / PR today Message-ID: <960325141609_454384469@emout08.mail.aol.com> Today, on Monday, March 25th, in New York, a British company, Peripheral Vision Ltd., is demonstrating their technology for recording signatures electronically. The company is also launching a subsidiary called PenOp Inc. today. Their product is a plug-in for Netscape. users use a wacom board or its equivalent for writing actual signatures. IRS is testing the system for verifying signatures at a number of test sites. From sameer at c2.org Mon Mar 25 16:42:36 1996 From: sameer at c2.org (sameer) Date: Tue, 26 Mar 1996 08:42:36 +0800 Subject: So, what crypto legislation (if any) is necessary? (Was List O' , shame) In-Reply-To: Message-ID: <199603251937.LAA03810@infinity.c2.org> > I think many people on the list here had the right idea generally. No > legislation is good legislation for crypto. Really the ITAR > applications are beseiged right now, and will probably fizzle out of > their own accord, not to mention the fact that they are de facto moot. > > In practice it is trivial to subvert ITAR for the purposes of > worldwide crypto availability. You've obviously never brought a crypto product to market before. Granted, worldwide *personal* use of crypto availability is trivial, but not corporate. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From ses at tipper.oit.unc.edu Mon Mar 25 16:42:44 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Tue, 26 Mar 1996 08:42:44 +0800 Subject: RISKS: Princeton discovers another Netscape security flaw In-Reply-To: <9603251947.AA0350@smtp1.chipcom.com> Message-ID: On 25 Mar 1996 Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com wrote: > The job of doing something like what Java claims to do correctly > is basically equivalent to the job of creating an A2 grade operating > system. I'm not totally convinced that creating an A* implementation of the java VM is impossible; the vm instructions are simple enough to define the necessary abstract interpretations over, and denotational semantics of,with a reasonable degree of confidence. I'd definitely rather right a trusted application in java than in C Simon --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From karn at qualcomm.com Mon Mar 25 18:57:18 1996 From: karn at qualcomm.com (Phil Karn) Date: Tue, 26 Mar 1996 10:57:18 +0800 Subject: Bad news from Judge Richey Message-ID: <199603252221.OAA24684@servo.qualcomm.com> Last Friday, Judge Richey issued a 36-page opinion dismissing my suit against the State Dept. I am waiting for a copy of the opinion, which should arrive in paper form tomorrow. I'll post it on my web site when it's available in electronic form. (http://www.qualcomm.com/people/pkarn/export) I'll be meeting my attorneys next Monday to plan an appeal strategy. Phil From unicorn at schloss.li Mon Mar 25 19:07:19 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 26 Mar 1996 11:07:19 +0800 Subject: LIST OF SHAME VOLUNTEERS In-Reply-To: Message-ID: On Mon, 25 Mar 1996, jim bell wrote: > At 01:22 AM 3/25/96 -0500, Declan B. McCullagh wrote: > >I spoke to a couple folks about this at the CDA hearings in Philadelphia > >last week. Word on the streets from those who would know is that the > >Leahy Bill has NOT A CHANCE IN HELL of passing, and so is worth > >supporting to raise awareness of crypto. > > This is a dangerous position to take. Many people have killed > themselves, accidentally, thinking "the gun isn't loaded!" Let's put this to bed. The bill isn't going to pass. Let's PRETEND it gets sent to the Select Committee on Intelligence, which would be it's most favorable Committee speed wise (I seem to remember it got sent to commerce instead?), they have about 30 days to hash it through and spit it out. That leaves 10 or so days to work out the bugs and pass the bill and then some 5 days to rectify with the house version? Puhleeeease. > This said, I see nothing wrong with fixing and improving the bill and > only then supporting it. Except that no one is going to fix it, and no one is going to support it if fixed in the way that Mr. Bell proposes. In other words, everything is wrong with 'fixing it.' Leahy is about as far left on technology as they come. (One of 4-5 (I forget) who actually opposed Exon). I spoke with legislative counsel today and brought up the issue. The bill is dead. Even Dole, who's on as a sponsor, has no idea what's in the text. He signed on to look connected and on the cutting edge for the upcoming election. The slightest pressure from Specter and the Powerful Intelligence Committee (which you can count on), will send Dole running for cover quite quickly. (Dole then will be able to claim techno-savvy as well as law and order headcracking). > >After DT and Clipper, it's our chance to put Clinton and the DoJ on the > >defensive for a change. > > If the Leahy bill "has not a chance in hell" of passing, then what's > wrong with CORRECTING it. Given this assessment,I doubt whether such > changes would reduce its chances. Your tax dollars at work. More useless legislative rambling to make Mr. Bell happy. If the bill isn't adopted this session, nothing but a full rewrite is likely to revive it. That rewrite is going to be next session and go to the right, not the left. Mr. Bell persists in demanding a politically unviable re-write. To Mr. Bell I say: "Write your Senator. > BTW, remember that one of the reasons its chances are rated as "not a > chance in hell" is that the two constituencies who might normally > support this bill, the crypto/software businesses and ourselves, see its > promises as being weak and its negatives as being large. Without them, > who else is there to support it? I've now answered this question 3 times. Maybe Mr. Bell finally killfiled me. > Jim Bell > jimbell at pacifier.com --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From frantz at netcom.com Mon Mar 25 20:16:45 1996 From: frantz at netcom.com (Bill Frantz) Date: Tue, 26 Mar 1996 12:16:45 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <199603252350.PAA08751@netcom5.netcom.com> At 12:23 PM 3/25/96 -0800, Timothy C. May wrote: >Obviously things get more complicated when a private key or set of keys "is >one's identity." That is, at some future time, when a key or set of keys is >literally the key to one's identity, then this document is no longer "just >another document." A law enforcement agency or court that obtains these >keys could do much damage, beyond just the matter being investigated or >tried in court. The release of the key cannot be undone. A thorny problem. This is precisely the problem Certificate Revocation Lists and Certificate Expiration Dates address. There seems very little reason to subpoena a persons signing key, only decryption keys. If future software uses separate keys for these two functions, then there may be minimal danger. (With PGP, it should be sufficient to provide the IDEA keys for the messages in question, leaving the secret key still secret.) Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From furballs at netcom.com Mon Mar 25 21:18:37 1996 From: furballs at netcom.com (Paul S. Penrod) Date: Tue, 26 Mar 1996 13:18:37 +0800 Subject: RISKS: Princeton discovers another Netscape security flaw In-Reply-To: <9603251947.AA0350@smtp1.chipcom.com> Message-ID: On 25 Mar 1996 Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com wrote: > ses @ tipper.oit.unc.edu (Simon Spero wrote: > >A pound to a bucket of ferrets this is another visit from our good friends > >Capt. Overrun and the static buffers, in which case it's more an indictment > >of C > > So? I agree that it's essentially impossible to write reliable code > in C, just as in assembly language. Actually, it's easier in assembly > language because then you KNOW you have to do all the work > yourself, while C misleads you into thinking it does some of the > work for you when in fact it does not. Well, what would you suggest then ? Some mental masturbation like C++ ? :-) I have found over the years, that C, just like anything other language, has it's quirks and foibles. malloc() calloc() alloc() and realloc() are known problems that go way back to the early days on the DEC; not to mention odd sized structure members can cause phase errors during compilation that never show until runtime. > > That doesn't affect the point at all, though. > > The job of doing something like what Java claims to do correctly > is basically equivalent to the job of creating an A2 grade operating > system. (Don't bother looking for any, as far as I know the designation > A2 doesn't even exist anymore because it is still beyond the state > of the art. It means "verified implementation", i.e., the implementation > -- not just the design as in in A1 -- is provably correct. Note that > a strict interpretation of this would involve holding not just the code > itself but also the tools that act on it -- like compilers, and microcode > in machines that have it -- to A2 standards. If you wonder why, consider > the famous Unix login hack from many years ago that involved > a hack in the C compiler.) > > paul > I will agree with you here. What I mildly take issue with is that the C compiler shoulders the blame for faults that lie in the libraries and OS - just to start pointing fingers. DOS is famous for it's lack of system integrity when it comes to file and memory management - yet the standard library can do no more than what the target OS allows to take place. Thus the language get's blamed for shortcommings in an environment. Also, consider that many applications these days are built using third part support. Now we have the added dimension of someone else's code on top of our own, plus the compiler, plus the libraries, plus the OS. It's not a pretty picture, especially since we trust "packaged goods" too much. C itself is only composed of some 28 keywords, plus some extensions and a simple grammer. I personally will trust the the compiler first before I would trust the libraries linked, just based upon the simplicity of the language - failing some glaring error in the parser. > !----------------------------------------------------------------------- > ! Paul Koning, NI1D, C-24183 > ! 3Com Corporation, 1-3A, 118 Turnpike Road, Southborough MA 01772 USA > ! phone: +1 508 229 1695, fax: +1 508 490 5873 > ! email: paul_koning at isd.3com.com or paul_koning at 3mail.3com.com > ! Pgp: 27 81 A9 73 A6 0B B3 BE 18 A3 BF DD 1A 59 51 75 > !----------------------------------------------------------------------- > ! "The only purpose for which power can be rightfully exercised over > ! any member of a civilized community, against his will, is to prevent > ! harm to others. His own good, either physical or moral, is not > ! a sufficient warrant." -- John Stuart Mill, "On Liberty" 1859 > ...Paul ------------------------------------------------------------------------- "Faced with the choice between changing one's mind and proving that there is no need to do so, almost everybody gets busy on the proof" -- John Kenneth Galbraith "Success is attending a funeral as a spectator" -- E. BonAnno ------------------------------------------------------------------------- From llurch at networking.stanford.edu Mon Mar 25 21:45:40 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Tue, 26 Mar 1996 13:45:40 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: Message-ID: On Mon, 25 Mar 1996, Timothy C. May wrote: [Damn... I can't find anythig I disagree with... oh, how about this] > Obviously things get more complicated when a private key or set of keys "is > one's identity." That is, at some future time, when a key or set of keys is > literally the key to one's identity, then this document is no longer "just > another document." A law enforcement agency or court that obtains these > keys could do much damage, beyond just the matter being investigated or > tried in court. The release of the key cannot be undone. A thorny problem. IMO this is why maintaining separate keys for identity and encryption, as is done by both the MS CryptoAPIVapor and Espionage-Enabled Notes, is such a good idea. The two (or more) keys would sign each other, but they can't take the place of each other. I sorta wish PGP had this feature. Of course you can embed comments into your key ID to specify usage, but it's not quite the same thing. But anyway, just as a tactical matter, I think getting behind the Leahy bill, precisely because it had no chance of passing, would have been the right thing to do (written in past tense because I'm sure it is). The good guys would have had a better chance to appear reasonable and to get their views on the record. -rich From sameer at c2.org Mon Mar 25 21:52:19 1996 From: sameer at c2.org (sameer at c2.org) Date: Tue, 26 Mar 1996 13:52:19 +0800 Subject: So, what crypto legislation (if any) is necessary? (Was List O' , shame) In-Reply-To: Message-ID: <199603252051.MAA09766@atropos.c2.org> > > Yes, I concede, there are significant logistical hurdles confronting the > multi-jurisdictional crypto project. One assumes, however, that the > initial capital investment will be somewhat offset by the first in market > advantage of the position. Yes, I would hope so. > > Further, a entirely foreign production, say for chip manufacture, would > probably make things easier. I had specifically contemplated hardware > applications. Indeed, there are problems with both, but they don't stem > from ITAR. I see, yes. > > Are you talking specific licensing provisions, or implementation. I > don't follow. (Though I'm fairly sure I'm missing something obvious). Well there are certain applications which personal users don't really want to use. SSL webservers for example. Most individuals don't have a need for an SSL webserver. RSA-in-hardware is also not needed for most individuals, but high-traffic server applications which do RSA operations really should start using RSA in hardware. Encrypted database applications (something I'm working on with a friend) are another application which personal users don't really care about, but corporate IS finds valuable. (Well, I hope they find it valuable, otherwise our product won't sell.. the database guy says he knows them well enough that they'll buy it though.) -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From jeffb at sware.com Mon Mar 25 21:54:23 1996 From: jeffb at sware.com (Jeff Barber) Date: Tue, 26 Mar 1996 13:54:23 +0800 Subject: NT's C2 rating In-Reply-To: Message-ID: <199603252239.RAA06963@jafar.sware.com> Mark Aldrich writes: > > On Sat, 23 Mar 1996, Bill Frantz wrote: > > > At 5:11 PM 3/22/96 -0600, Rick Smith wrote: > > >The big deal is that few vendors have tried to get NCSC evaluations. > > > > We walked KeyKOS a long way down the path to a B2 rating. Our investors > > refused to fund the estimated $1 million it would cost to do all the > > paperwork. They felt there was no market for NCSC secure systems. Perhaps > > others felt the same way. > > Hopefully, with the Common Criteria replacing the Orange Book (pray, this > year), you'll now be able to evaluate against a profile for a lot less > money. And, believe it or not, customers will actually get security > products they need instead of another instance of the Bell-LaPadula model > crafted to military specs. Well, I haven't exactly been "plugged in" to the development of the CC but given the sheer size of the criteria (I just downloaded it, killing a small tree to print its more than 1000 pages), I'm curious to know why you think evaluations will be so much less expensive. At first glance, some of the requirements seem a little more specific and the evaluation process a bit more flexible, but evaluating an entire OS, for example, is still going to take many man-years (excuse me, person-years) of engineering labor. And then, when you're done, still nobody will want what you've got since it will inevitably be two releases behind the "non-secure" version and you will have thrown out some pieces where it was too much trouble to make them work "securely". It appears to me that the main difference is that your system will be unwanted in several different countries at once. :-) -- Jeff From unicorn at schloss.li Mon Mar 25 22:00:15 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 26 Mar 1996 14:00:15 +0800 Subject: So, what crypto legislation (if any) is necessary? (Was List O' , shame) In-Reply-To: <199603252030.MAA09782@infinity.c2.org> Message-ID: On Mon, 25 Mar 1996, sameer wrote: > > > > No, in fact, I have not. > > > > What are the impediments to corporate marketing of crypto where the > > marketing and distrubting entity is foreign? (I honestly don't know) > > As a US entity, Community ConneXion is marketing an > SSL-encrypting webserver based on the Apache-SSL developed by the > Apache Group (worldwide) and Ben Laurie (in the UK). [Legitimate logistical obsticles deleted] > It's doable. It's not trivial though. Phew. I thought for a moment you meant legal problems. Yes, I concede, there are significant logistical hurdles confronting the multi-jurisdictional crypto project. One assumes, however, that the initial capital investment will be somewhat offset by the first in market advantage of the position. Further, a entirely foreign production, say for chip manufacture, would probably make things easier. I had specifically contemplated hardware applications. Indeed, there are problems with both, but they don't stem from ITAR. > ITAR does help, in that if Ben decides to commercialize his > product, we have a very convenient line which stops us from competing > with each other. He can't sell inside the US because of RSA patents. I > can't sell outside the US because of ITAR. ;-) > > > > Granted, worldwide *personal* use of crypto availability is > > > trivial, but not corporate. > > > > Sufficently entrench personal use of crypto, and the personal/corporate > > use distinction ceases to exist. > > Not if some applications don't apply to personal use. Are you talking specific licensing provisions, or implementation. I don't follow. (Though I'm fairly sure I'm missing something obvious). > > -- > Sameer Parekh Voice: 510-601-9777x3 > Community ConneXion, Inc. FAX: 510-601-9734 > The Internet Privacy Provider Dialin: 510-658-6376 > http://www.c2.org/ (or login as "guest") sameer at c2.org > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From vznuri at netcom.com Mon Mar 25 22:02:59 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Tue, 26 Mar 1996 14:02:59 +0800 Subject: NSA/ITAR In-Reply-To: Message-ID: <199603252143.NAA01149@netcom17.netcom.com> TCM: >* EXPORT OF CRYPTO BEYOND U.S.: This is indeed a thorn in the sides of U.S. >companies, but is not _per se_ an issue I worry about. So long as I have >strong crypto, I don't really care too much about export. It would be nice >to get the ITARs modified, but not at the risk of adding language (such as >Leahy did) making use of encryption a possible crime (we've debated this, >so I won't elaborate here). Besides, I think the best way to overturn the >ITARs is through a court challenge; as I have noted, even the NSA's lawyers >felt that the ITARs would not withstand court scrutiny. hmmmm, I don't recall you saying that. would love to hear more about "NSA's lawyers feeling the ITAR cannot withstand court scrutiny". I have been ranting at a lot of people in the companies that are showing no spine and adhering to the odious NSA laws (thereby increasing their legitimacy) to just SUE THE GOVERNMENT. but of course they all retort that "gosh, we are just following the laws, we don't really have any choice, we are doing the best we can, blah blah blah". (this as they have armies of lawyers that they don't hesitate to unleash on their competitors) frankly I think the lack of a legal challenge to the ITAR crypto laws by a large company by this date is very suspicious. I am starting to wonder if whenever something like this starts to suggest itself, the NSA agents hurriedly run to a company and make some deals & promises. (note I am aware of the Bernstein case-- this is just too tiny to ever have any significance imho). if big software companies think the ITAR is not acceptable and is costing them bigtime, let's see them put their lawyers where their mouths are. I fully agree with the above that the ITAR is unlikely to withstand a *serious* court challenge, assuming the courts have not gone totally comatose. the ITAR amounts to the following: a legitimate law that says, "munitions cannot be exported. the list of munitions is maintained by the DoJ" (or somebody-or-other). now, somebody-or-other (obviously the NSA, through their various front agencies, the @#%^&^*& spooks love this kind of subterfuge to circumvent the law and pretend they are doing things legitimate) could add "twinkies" to the list of "export controlled items". in fact, I wish they would. they have come pretty darn close. it turns out that MS has been convinced that mere "export" of digital SIGNATURES is prohibited. I can't believe there is not more uproar here or elsewhere about this outrageousness. frankly, I think the american public & software companies are getting exactly what they have earned. "eternal vigilance is the price of freedom". instead we have endless spinelessness as the response to increasing tyranny. From thecrow at iconn.net Mon Mar 25 22:12:14 1996 From: thecrow at iconn.net (Jack Mott) Date: Tue, 26 Mar 1996 14:12:14 +0800 Subject: Mentor request - ISEF/Westinghouse science fair project Message-ID: <3157569C.3BC@iconn.net> Hello cypherpunks, My name is Jack Mott, and I'm the junior in highschool who posted the c++ source code a while ago, and as you can see it is pretty bad. ( self taught over 9 months ) Anyway for a science fair project this year, I would like to either create a new, or implement an existing encryption algorithm from scratch. I need someone who has some experience programming in C/C++ and with crypto to get advice from and consult with from time to time. I have done well in science fairs in the past, and I could definitely win states with some help. If anyone is interested let me know. p.s. - there is another interesting twist to my project, but I don't want to give the idea away just yet. -- thecrow at iconn.net "It can't rain all the time" From froomkin at law.miami.edu Mon Mar 25 22:35:36 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Tue, 26 Mar 1996 14:35:36 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: Message-ID: On Mon, 25 Mar 1996, Timothy C. May wrote: [...many things including...] > > (Michael Froomkin speculated in one of his articles, I don't recall which, > that there might need to be certain guidelines or laws if a key escrow > protocol were to invoke the U.S. court system. Maybe. But I think ordinary It's my clipper article, see the link from my homepage. The claim (disputed, BTW, by many experts) is that it's not obvious that the constitution allows judges to hold keys in the absence of an onging judicial proceeding involving the owner of the key because the separation of powers would classify this action as "executive". > contract law, about what a contract says and what it means, is adequate. If > I pay Joe's Key Warehouse a fee to store my key and it loses it, or gives > it to another party, then damages can be collected.) > I agree that absent a statute all that is involved is contract law. [...] > IMPORTANT NOTE: It is often said, in a correct interpretation I think, that > a third party holding a key (Joe's Key Warehouse) is _not_ covered by the > 5th Amendment's protections against self-incrimination, and so must honor a > subpoena. Sounds accurate to me. However, what if Joe is _also_ one's > lawyer? Does attorney-client privilege apply here? Perhaps. A better NO IT DOES NOT. Basic rule of thumb: your lawyer can't be used to hide papers someone else can't hide. Ok, at the margin it gets tricky, but bascially the privilege is not going to stretch to your key. > solution is also fully legal at this time: use only offshore key storage. A > U.S. subpoena to Vince's Offshore Key Repository will carry no weight in > Anguilla. (Can I be compelled to ask Vince to send my key? Sure. But Vince > and I could have a stipulation that such "duress requests" will not be > honored, no matter how loudly I squawk.) An interesting issue, likely to be addressed in future judicial assistence treaties... [...] A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here. From froomkin at law.miami.edu Mon Mar 25 23:02:36 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Tue, 26 Mar 1996 15:02:36 +0800 Subject: signature appl tested by IRS / PR today In-Reply-To: <960325141609_454384469@emout08.mail.aol.com> Message-ID: can someone explain to me how this device protects against replay attacks? On Mon, 25 Mar 1996 CA20007 at aol.com wrote: > Today, on Monday, March 25th, in New York, a British company, Peripheral > Vision Ltd., is demonstrating their technology for recording signatures > electronically. > > The company is also launching a subsidiary called PenOp Inc. today. > > Their product is a plug-in for Netscape. > > users use a wacom board or its equivalent for writing actual signatures. > > IRS is testing the system for verifying signatures at a number of test sites. > > [The above may have been dictated with Dragon Dictate/Win 2.0 voice recognition. Be alert for unintentional strange word substitutions.] A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here. From tcmay at got.net Mon Mar 25 23:47:28 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 26 Mar 1996 15:47:28 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: At 1:21 AM 3/26/96, jim bell wrote: >While this may end up looking like another of Jim Bell's odd Yes, you got this part right. >interpretations, the only section in the US Constitution that I see as >potentially REQUIRING a person's testimony is the section (can't recall >which) which says that a defendant must have a process to compel the >appearance of witnesses in his favor. The Constitution, as far as I see, >says nothing about requiring people to appear for the PROSECUTION. IANACS (I am not a Constitutional scholar), but it is clear that the Constitution, being a relatively short document, is a _framework_, a kind of "generator," for establishing additional legislation. This is, obviously enough, why there is _legislative branch_, after all. Jim's argument (?) could be turned in all sorts of ways: "Your Honor, there is nothing I can find in the Constitution that says I can't drive on the left side of the road at 125 miles per hour." Indeed, there is nothing laying out detailed traffic laws. And so on. That the Fifth Amendment attempts to make it clear that a defendant shall not be compelled to give testimony which may tend toincriminate himself (lotsa gotchas, as expected) clearly--to me if not to Jim Bell--implies that a "legal system" involving testimony, search warrants, subpoenas, juries, verdicts, appeals, etc., is implied by various parts of the Constitution. (I could search one of the many online copies of the Big C for details, but I'm sure you all, except perhaps Jim, get it.) I'm no apologist for Big Government, of course, so I think we have vastly too many laws in the U.S. But I don't think naive arguments saying that a court cannot call witnesses by due process because the Constitution does not specifically have a clause saying this is the case is going to be very helpful or persuasive. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jamesd at echeque.com Tue Mar 26 01:38:57 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Tue, 26 Mar 1996 17:38:57 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <199603260516.VAA06327@dns2.noc.best.net> At 12:23 PM 3/25/96 -0800, Timothy C. May wrote: > Besides, I think the best way to overturn the > ITARs is through a court challenge; as I have noted, even the NSA's lawyers > felt that the ITARs would not withstand court scrutiny. Note that the spooks have carefully avoided a full bore court showdown. They harassed Phil until the statute of limitations caught up with them, but never brought it to trial. If we had no further legislation, and the courts broke ITAR, we would be home free. No plausible legislation could give us that. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From perry at piermont.com Tue Mar 26 02:06:19 1996 From: perry at piermont.com (Perry E. Metzger) Date: Tue, 26 Mar 1996 18:06:19 +0800 Subject: signature appl tested by IRS / PR today In-Reply-To: Message-ID: <199603260414.XAA10730@jekyll.piermont.com> Michael Froomkin writes: > can someone explain to me how this device protects against replay attacks? There is an assumption contained in your question. It may not be warranted. > > On Mon, 25 Mar 1996 CA20007 at aol.com wrote: > > > Today, on Monday, March 25th, in New York, a British company, Peripheral > > Vision Ltd., is demonstrating their technology for recording signatures > > electronically. > > > > The company is also launching a subsidiary called PenOp Inc. today. > > > > Their product is a plug-in for Netscape. > > > > users use a wacom board or its equivalent for writing actual signatures. > > > > IRS is testing the system for verifying signatures at a number of test site s. > > > > > > [The above may have been dictated with Dragon Dictate/Win 2.0 voice > recognition. Be alert for unintentional strange word substitutions.] > > A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) > Associate Professor of Law | > U. Miami School of Law | froomkin at law.miami.edu > P.O. Box 248087 | http://www.law.miami.edu/~froomkin > Coral Gables, FL 33124 USA | It's warm here. > > From jrichard at slonet.org Tue Mar 26 02:10:43 1996 From: jrichard at slonet.org (Josh Richards) Date: Tue, 26 Mar 1996 18:10:43 +0800 Subject: signature appl tested by IRS / PR today In-Reply-To: <960325141609_454384469@emout08.mail.aol.com> Message-ID: On Mon, 25 Mar 1996 CA20007 at aol.com wrote: > Today, on Monday, March 25th, in New York, a British company, Peripheral > Vision Ltd., is demonstrating their technology for recording signatures > electronically. > > The company is also launching a subsidiary called PenOp Inc. today. > > Their product is a plug-in for Netscape. > > users use a wacom board or its equivalent for writing actual signatures. > > IRS is testing the system for verifying signatures at a number of test sites. > If anybody is interested in this signature technology: PenOp, Inc. has a web site, see . Josh Richards (jrichard at slonet.org) SLONET Regional Information Access, Inc., Development Team SLO Street Tech Development (Computer Services) ------------------------------------------------------------------------ | ATTENTION: I'm in search of a job as a WebMaster, Internet Consultant, | | Programmer, or other(?). Please e-mail me for further details. | ------------------------------------------------------------------------ From cmca at alpha.c2.org Tue Mar 26 02:15:16 1996 From: cmca at alpha.c2.org (Chris McAuliffe) Date: Tue, 26 Mar 1996 18:15:16 +0800 Subject: Why and how people work for free on "challenges" In-Reply-To: Message-ID: <199603260534.VAA08360@eternity.c2.org> -----BEGIN PGP SIGNED MESSAGE----- [To: Alan Horowitz ] [cc: cypherpunks at toad.com] [Subject: Re: Why and how people work for free on "challenges" ] [In-reply-to: Your message of Mon, 25 Mar 96 21:47:17 EST.] >I think the "challenges" thing has gotten too ridiculous. Didn't some guys >try to recently walk across Antarctica? Ended up eating some of their dogs >before the Norwegian Coast Guard bailed out their ass, if I recall >correctly? Wow, those Norwegians must be pretty keen to go all the way to Antarctica... Seasoned (ant)arctic explorers consider dogs to be stored food anyway. You just don't eat them till the sleds get lighter, that is all. Chris McAuliffe (No, not that one.) -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCUAwUBMVd2zIHskC9sh/+lAQFcTQP3Ud6xD/5mMEStL4KB8yZKhOOTIgE5/mgb LZPX6irUZsh4+xVSshF3xU6k1FxnBNISx4fJHYBbX9rzeZbacQ6iMuD5nT22ENSf 5KZUjdGDKiqmkN1qtxFpB6TDql0Tm92Y40L+VUtytyjw3bHaVtNrNKKNxfwu5phJ Zkb3Lod8gA== =Fz6J -----END PGP SIGNATURE----- From tcmay at got.net Tue Mar 26 02:23:12 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 26 Mar 1996 18:23:12 +0800 Subject: Let's *NOT* "Raise their Awareness" Message-ID: At 3:15 AM 3/26/96, jamesd at echeque.com wrote: >At 01:22 AM 3/25/96 -0500, Declan B. McCullagh wrote: >> Leahy Bill has NOT A CHANCE IN HELL of passing, and so is worth >> supporting to raise awareness of crypto. > >Washington is the last place where we wish to raise awareness of >crypto I try to avoid "me too" echoes, but this is worth concurring with, strongly. Nothing good can come out of "raising awareness," especially of an issue where the Consitution is already pretty clearly on the side of the right to speak in whatever language one chooses, to keep diaries in code if one wishes, to whisper to others, to place curtains on windows, to lock doors, and so on. (I suppose Jim Bell will point out that the Constitution contains no explicit language about placement of curtains....) Whenever Congress gets "exercised" about some subject, laws are often the result. And often the seemingly minor things thrown in to satisfy some interest end up ensnaring us in a new set of regulations. No thanks. We already can freely encrypt. We already can use any strength of cipher we can get. We already can deposit a spare key with our mother-in-law or with a friend in Lichtenstein. What more do we need? Free export of crypto products would be nice. But not if the quid pro quo for this is giving up some of the freedoms we already have. And "raising awareness" also increases the chances for _international treaty_ discussions. Frankly, the U.S. will be the instigator of any such treaty discussions, so the more ignorant the diplomats and legislators are, the better. Then they'll be less likely to broach the subject with their Italian, German, French, and Russian counterparts...the more of an "urgent issue" crypto is, the more it is being publically debated, the greater will be the likelihood that diplomats and legislators will "do something!" Remember the First Rule of Politics: "Look important and pass laws." --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From ses at tipper.oit.unc.edu Tue Mar 26 05:49:12 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Tue, 26 Mar 1996 21:49:12 +0800 Subject: Why and how people work for free on "challenges" In-Reply-To: Message-ID: On Mon, 25 Mar 1996, Alan Horowitz wrote: > Why does the news media think I care if someone has succeeded in > ballooning across the Atlantic Ocean? Because it's a cool thing to do? And why isn't he using his own airline :-) (Love those Masseusses in "Upper Class") --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From ses at tipper.oit.unc.edu Tue Mar 26 05:52:34 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Tue, 26 Mar 1996 21:52:34 +0800 Subject: So, what crypto legislation (if any) is necessary? (Was List O' , shame) In-Reply-To: <199603252350.PAA08745@netcom5.netcom.com> Message-ID: On Mon, 25 Mar 1996, Bill Frantz wrote: > At 1:32 PM 3/25/96 -0500, Black Unicorn wrote: > to type them. Since storage was limited, and old messages were purged from > the system it also had the effect that anti-trust discovery would have > nothing to discover. Hmmm - that's another issue; what about diffie hellman with ephemeral keys? Once the transaction is complete, unless you keep a copy of the key, even you can't decrypt that session. Would a law requiring you to keep a copy of the keys be important. It would have the advantage of allowing a sub-poena to be more restrictive than "just hand over your private key", but it's a pretty heavy (undue?) burden. Simon --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From alanh at mailhost.infi.net Tue Mar 26 06:10:03 1996 From: alanh at mailhost.infi.net (Alan Horowitz) Date: Tue, 26 Mar 1996 22:10:03 +0800 Subject: Why and how people work for free on "challenges" In-Reply-To: Message-ID: I think the "challenges" thing has gotten too ridiculous. Didn't some guys try to recently walk across Antarctica? Ended up eating some of their dogs before the Norwegian Coast Guard bailed out their ass, if I recall correctly? Why does the news media think I care if someone has succeeded in ballooning across the Atlantic Ocean? I there any assinine project that some fool won't attempt? From jimbell at pacifier.com Tue Mar 26 06:12:52 1996 From: jimbell at pacifier.com (jim bell) Date: Tue, 26 Mar 1996 22:12:52 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: At 12:23 PM 3/25/96 -0800, Timothy C. May wrote: >I don't see any compelling need for U.S. legislation. And given the >pressures to attach all sorts of language to bills, I think it best that no >legislation happen. [stuff deleted] >IMPORTANT NOTE: It is often said, in a correct interpretation I think, that >a third party holding a key (Joe's Key Warehouse) is _not_ covered by the >5th Amendment's protections against self-incrimination, and so must honor a >subpoena. Sounds accurate to me. While this may end up looking like another of Jim Bell's odd interpretations, the only section in the US Constitution that I see as potentially REQUIRING a person's testimony is the section (can't recall which) which says that a defendant must have a process to compel the appearance of witnesses in his favor. The Constitution, as far as I see, says nothing about requiring people to appear for the PROSECUTION. I know that plenty of judges just automatically assume that this requirement is somehow in there, but a literal reading of the Constitution doesn't provide it. If that's the case, the government has and should have no mechanism to force any key escrow agent to reveal a key. >However, what if Joe is _also_ one's >lawyer? Does attorney-client privilege apply here? Perhaps. A better >solution is also fully legal at this time: use only offshore key storage. A >U.S. subpoena to Vince's Offshore Key Repository will carry no weight in >Anguilla. (Can I be compelled to ask Vince to send my key? Sure. But Vince >and I could have a stipulation that such "duress requests" will not be >honored, no matter how loudly I squawk.) I've always been astonished at the assumption that the government seems to be making that key escrow (which is fundamentally done for the benefit of the key holder) will be implemented in a way that could possibly help the cops out, in a way done to the detriment of the key holder. >>I do feel that it should be possible for courts to sub poena crypto keys, >>but that doesn't really need new law either (4th and 5th ammendments >>become _really_ important though (hmmm- there advantages to writing down a >>constitution after all :) > >I agree that subpoenas for keys are legit. While I may dislike giving up my >key, in a criminal matter it seems like "just another document." If they >can subpoena my diary, my phone records, my dentist bills, why not another >this document? Nothing in the Constitution giving it special status. But are subpoenas _really_ constitutional? In any case, one of the effects of the widespread availability of good encryption might be that suddenly the documents that cops have historically thought were subpoena-able will no longer be. That's life, although they won't like it. Jim Bell jimbell at pacifier.com From abc at gateway.com Tue Mar 26 06:17:45 1996 From: abc at gateway.com (Alan B. Clegg) Date: Tue, 26 Mar 1996 22:17:45 +0800 Subject: Mailing lists down for 48hrs, now coming back up. Message-ID: The bsdi-isps, bsdi-users, bsdi-users-d, xconq, humor, cheapnet, and cypherpunks-d mailing lists have been down since Saturday night at about 8:00pm Eastern. The systems handling these mailing lists are now trying to get out from under the load, and normal operation should resume within 24 hours (I hope). (The primary mail machine for gateway.com is currently running at a load average of 19.8 and still puffing) -abc \ Alan B. Clegg Just because I can \ Network Technologist does not mean I will. \ gateway.com, inc. \ From merriman at arn.net Tue Mar 26 06:50:52 1996 From: merriman at arn.net (David K. Merriman) Date: Tue, 26 Mar 1996 22:50:52 +0800 Subject: shellback.com remailer PGP test Message-ID: <2.2.32.19960325184739.0067c330@arn.net> -----BEGIN PGP SIGNED MESSAGE----- I've gotten PGP functionality added (I *think*!) to the RemailerBot software, and would like to ask folks to send a PGP-encrypted message or two to remailer at shellback.com Here's the public key for it... - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCNAzE0kfEAAAEEALf5sIOqMfEAFi3geJ6aofyaCRy1ZJt8D91QBqPPeU1X3ond BoIcEcfaMf7s3cOBaiEl7rKFMYqEpL08G7FFelQxc1WRvsR5XtTN+xFB3j0RPNON vMxju5j6anjPVb2RMnowSYqNKUWIEYd4Soa7L+ZWpaHgLSGkhb6Ex2tu6LdpAAUR tCFSZW1haWxlciA8cmVtYWlsZXJAc2hlbGxiYWNrLmNvbT6JAJUDBRAxNJK/xWtO /Jg7MBkBAfiVBACk6dDtebwemmY2+nxK+WD46a0Uj/lwpXLGzJvixdYGo4mwYG2/ LUw/23xBNxLIvPCFR8Qvt9zguyPdMWAp07I64ZlL6yv9Co3DETtTLB8wBdPce6Wx CLswIWAQ3MSLOmgVB35TzOYrYf5RzYtNKktCl3YDa9mxV4sug9xAx5uxvw== =9EvL - -----END PGP PUBLIC KEY BLOCK----- Many thanks..... Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMVbN2MVrTvyYOzAZAQHi6QP+L+weAV1HrfNRNYgBjbcsSpcFpxa2yXoY hXvzgooGJHFNT3CfqaDt68InoF58Y4CrMTpsg7YgL5SqKTLqm9gqNk5bT9krN+K8 KonCbd4uH4MVo2HQOhQdCMTyoVu6oCXVbBWO8Q3ltl5q+o4rxgG5BDs0IBrGWd8J yIdjYPNjPVo= =dbJR -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From tcmay at got.net Tue Mar 26 07:37:17 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 26 Mar 1996 23:37:17 +0800 Subject: ITAR double standards? Message-ID: At 6:54 AM 3/26/96, blanc wrote: >From: Timothy C. May > >>You're a felon? For real? >> > >Yes. >................................................................. > >Ah, yes - Tim the Indecent, vis-a-vis X-onomous signatures. >Sheut. I thought maybe you'd done something really interesting. > Oh, I may have done some pretty juicy things that are felonies in some states (maybe even states I was living in at the time)...plus I know a whole lot of folks who feloniously violate our nation's "dietary laws" nearly every day (eating the wrong things seems to be the common denominator). Similarly, various popular sexual practices--even some mentioned favorably in the Bible--are felonies in many U.S. states. I've kept the CP list copied on my replies to Blanc because it makes a larger point: every time the nation felonizes a new set of common behaviors, it risks making more and more people felons and thus reduces respect for the law (the real law, about real crimes). This happened during Prohibition (for you foreigners, this was America's experiment with outlawing alcohol consumption), when the law was flouted by even cops and elected officials (in "speakeasies") and when the La Cosa Nostra really got its big boost. Not being one who worries about his standing amongst "the neighbors," I casually mentioned to one of them that I doubted I'd have to serve on jury duty, due to being a felon. He looked appropriately surprised; I haven't bothered to tell him that while I'm indeed a felon under the Communications Decency Act (Fuck Exon), I haven't yet been charged nor have I been convicted. (One is a felon when one has committed a felony....look it up. One is a _convicted_ felon when one has been convicted. But the felony has still happened.) The dictionary doesn't make it clear what happens to the status of a felony when the law is changed and the act is no longer a felony. (If the CDA is overturned, then I guess my actions in saying "Fuck Exon" will no longer be felonies. But as it stands now, they are indeed felony vioations of the CDA. Hence, I am a felon.) --Tim May THE X-ON CONGRESS: INDECENT COMMENT ON AN INDECENT SUBJECT, by Steve Russell, American Reporter Correspondent....You motherfuckers in Congress have dropped over the edge of the earth this time... "the sorriest bunch of cocksuckers ever to sell out the First Amendment" or suggesting that "the only reason to run for Congress these days is to suck the lobbyists' dicks and fuck the people who sent you there," ....any more than I care for the language you shitheads have forced me to use in this essay...Let's talk about this fucking indecent language bullshit. From unicorn at schloss.li Tue Mar 26 07:53:54 1996 From: unicorn at schloss.li (Black Unicorn) Date: Tue, 26 Mar 1996 23:53:54 +0800 Subject: So, what crypto legislation (if any) is necessary? (Was List O' , shame) In-Reply-To: Message-ID: On Mon, 25 Mar 1996, Declan B. McCullagh wrote: > Excerpts from mail: 25-Mar-96 So, what crypto legislation.. by Simon > Spero at tipper.oit.u > > If the Leahy bill is unacceptable, what legistlation is necessary? I > > can't see how the use of cryptography in the commission of a crime needs > > to be a separate offence, but I could see how it could be treated as a > > special circumstance - that doesn't really needed a new law though. > > Leahy's bill will not pass. Period. However, with the introduction of > this legislation comes a chance to get _our side_ heard by the unwired. I know I sound like a FUDer, but I really don't think this is going to make much difference. The key is going to be industry and business. Yell at netscape. No congressperson is going to listen to whinings from the public about the bill of rights in the face of the fanatic anti-crime temper of the United States when such an obscure subjection as encryption is at issue. > > -Declan > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From tcmay at got.net Tue Mar 26 07:55:54 1996 From: tcmay at got.net (Timothy C. May) Date: Tue, 26 Mar 1996 23:55:54 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: At 4:14 PM 3/25/96, Simon Spero wrote: >If the Leahy bill is unacceptable, what legistlation is necessary? I >can't see how the use of cryptography in the commission of a crime needs >to be a separate offence, but I could see how it could be treated as a >special circumstance - that doesn't really needed a new law though. I don't see any compelling need for U.S. legislation. And given the pressures to attach all sorts of language to bills, I think it best that no legislation happen. Consider a few areas in turn: * DOMESTIC USE OF ENCRYPTION: Currently, no restrictions whatsoever. No laws saying messages can't be encrypted, no laws saying keys must be escrowed, no laws about permissable strength of ciphers, no special laws covering disclosure of keys. Just silence, blessed silence. The Constitution says there shall be no laws about permissable speech (what language one speaks in, or writes in), and other provisions about compelled testimony seem adequate. * EXPORT OF CRYPTO BEYOND U.S.: This is indeed a thorn in the sides of U.S. companies, but is not _per se_ an issue I worry about. So long as I have strong crypto, I don't really care too much about export. It would be nice to get the ITARs modified, but not at the risk of adding language (such as Leahy did) making use of encryption a possible crime (we've debated this, so I won't elaborate here). Besides, I think the best way to overturn the ITARs is through a court challenge; as I have noted, even the NSA's lawyers felt that the ITARs would not withstand court scrutiny. * KEY ESCROW: A matter of contract law, nothing more. If I want to give a copy of my key to my lawyer, fine. If I want to give a copy to Vince's Offshore Key Repository, no current U.S. laws stops me from doing so, and I can even get it to him securely without violating any ITARs by using the cipher that _he_ uses and then importing it here! (Michael Froomkin speculated in one of his articles, I don't recall which, that there might need to be certain guidelines or laws if a key escrow protocol were to invoke the U.S. court system. Maybe. But I think ordinary contract law, about what a contract says and what it means, is adequate. If I pay Joe's Key Warehouse a fee to store my key and it loses it, or gives it to another party, then damages can be collected.) IMPORTANT NOTE: It is often said, in a correct interpretation I think, that a third party holding a key (Joe's Key Warehouse) is _not_ covered by the 5th Amendment's protections against self-incrimination, and so must honor a subpoena. Sounds accurate to me. However, what if Joe is _also_ one's lawyer? Does attorney-client privilege apply here? Perhaps. A better solution is also fully legal at this time: use only offshore key storage. A U.S. subpoena to Vince's Offshore Key Repository will carry no weight in Anguilla. (Can I be compelled to ask Vince to send my key? Sure. But Vince and I could have a stipulation that such "duress requests" will not be honored, no matter how loudly I squawk.) * DIGITAL MONEY. Well, this is such a confusing muddle of competing systems, unclear interpretations, and hyped claims, that I won't address it. Nor do any of the current bills being considered address it. In conclusion, things are fine as they are. I see no compelling need to write a special law confirming the rights we already are enjoying. If the Congress wants to relax the ITARs (fat chance), they can direct that the language of specific sections be redrafted. (I'm not even sure when and how the original language was crafted, though it is part, I believe, of the ancient Munitions Act and/or Trading with the Enemy Act. The enabling legislation for the ITARs, and especially for the specific items actually ON the "Munitions List" could be trivially changed. Were this Leahy's intent, an easy thing to write a bill for. I doubt this was his intent, however. Last point: >I do feel that it should be possible for courts to sub poena crypto keys, >but that doesn't really need new law either (4th and 5th ammendments >become _really_ important though (hmmm- there advantages to writing down a >constitution after all :) I agree that subpoenas for keys are legit. While I may dislike giving up my key, in a criminal matter it seems like "just another document." If they can subpoena my diary, my phone records, my dentist bills, why not another this document? Nothing in the Constitution giving it special status. Still, one can store spare copies of keys with one's lawyer, which _may_ protect it against retrieval by subpoena, and one can store spare copies of keys in foreign jurisdictions, which almost certainly will protect against the retrieval (unless an international treaty on such things is passed!). Obviously things get more complicated when a private key or set of keys "is one's identity." That is, at some future time, when a key or set of keys is literally the key to one's identity, then this document is no longer "just another document." A law enforcement agency or court that obtains these keys could do much damage, beyond just the matter being investigated or tried in court. The release of the key cannot be undone. A thorny problem. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From declan+ at CMU.EDU Tue Mar 26 08:21:21 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Wed, 27 Mar 1996 00:21:21 +0800 Subject: LIST OF SHAME VOLUNTEERS In-Reply-To: <199603260346.TAA29765@mail1.best.com> Message-ID: Excerpts from mail: 25-Mar-96 Re: LIST OF SHAME VOLUNTEERS by jamesd at echeque.com > > Leahy Bill has NOT A CHANCE IN HELL of passing, and so is worth > > supporting to raise awareness of crypto. > > Washington is the last place where we wish to raise awareness of > crypto I disagree. We can let our opponents exclusively dictate the terms of the debate, or we can let our view (and the truth) be heard. -Declan From gnu at toad.com Tue Mar 26 10:03:58 1996 From: gnu at toad.com (John Gilmore) Date: Wed, 27 Mar 1996 02:03:58 +0800 Subject: MUSE (Mail Ubiquitous Security Extensions) discussion starting Message-ID: <9603260842.AA07183@toad.com> Don Eastlake has written an internet-draft proposing to add signatures and encryption to the Internet mail-delivery system. The two big differences between his proposal and past proposals are: * They work at the "sendmail" level, not at the "mail reader" level. This doesn't give your mail complete end-to-end protection (unless you use "mail reader" encryption like S/MIME or PGP). But it's a lot easier to install and maintain; your sysadmin can do it for your whole site, instead of having to retrain every user. * They use the Domain Name System to keep the keys. Since DNS is going to distribute keys for its own authentication, these can also be used to provide authenticated public keys for remote host machines, so that email destined for those machines can be encrypted. With existing systems, getting and validating keys is a big problem. I encourage cypherpunks to read his draft and to participate in the discussion and/or implementation that results. The general MUSE web page is at http://www.imc.org/ietf-muse/. You can find the hypermail'd mailing list archives there, as well as the Internet-Draft (draft-eastlake-muse-00.txt). I hope that soon the Web page will tell you how to join or exit the mailing list, too! One initial technical question I have about MUSE is why to bother encapsulating email messages while in transit in more layers of MIME glop? Why not just run IP Security between the sendmail daemons involved, and have the receiving sendmail daemon note in the Received header that the message arrived over an authenticated connection? IPSEC provides your choice of authentication and/or encryption, and already uses the keys from the Domain Name System. IPSEC solves many other problems as well as the particular secure/private email delivery problem. And deploying a Real Application (sendmail) that uses IPSEC would shake it out and get it widely used. John Gilmore From bplib at wat.hookup.net Tue Mar 26 10:25:44 1996 From: bplib at wat.hookup.net (Tim Philp) Date: Wed, 27 Mar 1996 02:25:44 +0800 Subject: Instant Internet Message-ID: Has anyone had any experience with Instant Internt - a networking/firewall program? I have a client who is interested in this software and is concerned about security. I have little info other than sales noise and I would like an opinion from someone who has actually used it. Thanks Tim Philp =================================== For PGP Public Key, Send E-mail to: pgp-public-keys at swissnet.ai.mit.edu In Subject line type: GET PHILP =================================== From frissell at panix.com Tue Mar 26 10:29:33 1996 From: frissell at panix.com (Duncan Frissell) Date: Wed, 27 Mar 1996 02:29:33 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <2.2.32.19960326112653.00c3850c@panix.com> At 09:46 PM 3/25/96 -0500, Michael Froomkin wrote: >An interesting issue, likely to be addressed in future judicial >assistence treaties... > However, future judicial assistance treaties are meaningless if you store your keys anonymously (domestically or internationally) so that even the keeper doesn't know he has them or exactly where they are in his pile of keys. In general, I think that we should attack government key escrow on economic efficiency grounds by pointing out that it is unlikely that "socialized key escrow" would do as good a job as private enterprise key escrow. The Stalinist method of industrial production, is well known for its inefficiencies and similar inefficiencies attach to government key escrow. In fact, I suppose that government operation of the identification system (drivers' licenses, passports, etc.) in general is also horribly inefficient and should be attacked on efficiency grounds. DCF From unicorn at schloss.li Tue Mar 26 10:33:59 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 27 Mar 1996 02:33:59 +0800 Subject: So, what crypto legislation (if any) is necessary? (Was List O' , shame) In-Reply-To: <199603251937.LAA03810@infinity.c2.org> Message-ID: On Mon, 25 Mar 1996, sameer wrote: > > I think many people on the list here had the right idea generally. No > > legislation is good legislation for crypto. Really the ITAR > > applications are beseiged right now, and will probably fizzle out of > > their own accord, not to mention the fact that they are de facto moot. > > > > In practice it is trivial to subvert ITAR for the purposes of > > worldwide crypto availability. > > You've obviously never brought a crypto product to market > before. No, in fact, I have not. What are the impediments to corporate marketing of crypto where the marketing and distrubting entity is foreign? (I honestly don't know) Granted, worldwide *personal* use of crypto availability is > trivial, but not corporate. Sufficently entrench personal use of crypto, and the personal/corporate use distinction ceases to exist. > -- > Sameer Parekh Voice: 510-601-9777x3 > Community ConneXion, Inc. FAX: 510-601-9734 > The Internet Privacy Provider Dialin: 510-658-6376 > http://www.c2.org/ (or login as "guest") sameer at c2.org > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From sameer at c2.org Tue Mar 26 10:40:20 1996 From: sameer at c2.org (sameer) Date: Wed, 27 Mar 1996 02:40:20 +0800 Subject: So, what crypto legislation (if any) is necessary? (Was List O' , shame) In-Reply-To: Message-ID: <199603252030.MAA09782@infinity.c2.org> > > No, in fact, I have not. > > What are the impediments to corporate marketing of crypto where the > marketing and distrubting entity is foreign? (I honestly don't know) As a US entity, Community ConneXion is marketing an SSL-encrypting webserver based on the Apache-SSL developed by the Apache Group (worldwide) and Ben Laurie (in the UK). As both Ben and I would like to maintain a similar product both for domestic and international use, such that international corporations may deploy the application worldwide within their organization without compatibility problems, Ben has to write all the code, because I can't send him anything. (I've written code to incorporate new features, but once Ben writes code to incorporate those features, I will end up using his code, in order to maintain a stable codebase. -- duplicating effort.) As most OS vendors are located within the United States, it requires a significant effort for an OS vendor to include the product worldwide, because they need to contract out an outside US cd-pressing and product build facility in order to build the international version of their OS (or other application.. right now I'm concentrating on getting OS vendors to bunlde the prodcut) which bundles our product. It's doable. It's not trivial though. ITAR does help, in that if Ben decides to commercialize his product, we have a very convenient line which stops us from competing with each other. He can't sell inside the US because of RSA patents. I can't sell outside the US because of ITAR. ;-) > > Granted, worldwide *personal* use of crypto availability is > > trivial, but not corporate. > > Sufficently entrench personal use of crypto, and the personal/corporate > use distinction ceases to exist. Not if some applications don't apply to personal use. -- Sameer Parekh Voice: 510-601-9777x3 Community ConneXion, Inc. FAX: 510-601-9734 The Internet Privacy Provider Dialin: 510-658-6376 http://www.c2.org/ (or login as "guest") sameer at c2.org From NED at INNOSOFT.COM Tue Mar 26 11:30:06 1996 From: NED at INNOSOFT.COM (Ned Freed) Date: Wed, 27 Mar 1996 03:30:06 +0800 Subject: MUSE (Mail Ubiquitous Security Extensions) discussion starting In-Reply-To: <9603260842.AA07183@toad.com> Message-ID: <01I2S0UBDAI0A8CRXS@INNOSOFT.COM> > One initial technical question I have about MUSE is why to bother > encapsulating email messages while in transit in more layers of MIME > glop? Why not just run IP Security between the sendmail daemons > involved, and have the receiving sendmail daemon note in the Received > header that the message arrived over an authenticated connection? Because this gives you a point-to-point solution. MUSE is still end-to-end; the only difference is that the ends have moved slightly away from the user in the interests of deployment expediency. > IPSEC provides your choice of authentication and/or encryption, and > already uses the keys from the Domain Name System. IPSEC solves many > other problems as well as the particular secure/private email delivery > problem. And deploying a Real Application (sendmail) that uses IPSEC > would shake it out and get it widely used. IPSEC does indeed solve many problems. Unfortunatly secure email end-to-end email isn't one of them. Ned From liberty at gate.net Tue Mar 26 11:30:32 1996 From: liberty at gate.net (Jim Ray) Date: Wed, 27 Mar 1996 03:30:32 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <199603261412.JAA45884@osceola.gate.net> -----BEGIN PGP SIGNED MESSAGE----- Tim May wrote: [...] >> However, what if Joe is _also_ one's >> lawyer? Does attorney-client privilege apply here? Perhaps.... and Professor Froomkin responded: >NO IT DOES NOT. Basic rule of thumb: your lawyer can't be used to hide >papers someone else can't hide. Ok, at the margin it gets tricky, but >bascially the privilege is not going to stretch to your key. Professor Froomkin is right (IMO) but I think that the way he puts this understates the size of the margin when it comes to cryptokeys. If I were a US Attorney, I would bide my time and pick a hard case, involving lots of potentially incriminating (and therefore tempting) encrypted files, an available key, and (at least) two horsemen. The unavailability of the key can then be presented as a "technicality," allowing a bad guy to possibly get off. After I get some precedent it can then be streched over those inconvenient provisions in the Bill of Rights. This is how "hard cases make bad law." >> solution is also fully legal at this time: use only offshore key storage. >> A >> U.S. subpoena to Vince's Offshore Key Repository will carry no weight in >> Anguilla. (Can I be compelled to ask Vince to send my key? Sure. But Vince >> and I could have a stipulation that such "duress requests" will not be >> honored, no matter how loudly I squawk.) > >An interesting issue, likely to be addressed in future judicial >assistence treaties... I agree, but if I were sitting at Anguilla's side of the table (I won't be, and I have no idea what they will do) this point would be a *very* expensive one. Anguilla and other tax-haven countries have little to gain and much to lose by becoming less friendly to the financial privacy of the Vince Cates of this world. JMR Regards, Jim Ray "Isn't it true that the exponential and incredible growth of the Internet came about because the government kept their hands off of it?" -- Judge Stewart Dalzell. _______________________________________________________________________ PGP key Fingerprint 51 5D A2 C3 92 2C 56 BE 53 2D 9C A1 B3 50 C9 C8 Public Key id. # E9BD6D35 -- http://www.shopmiami.com/prs/jimray _______________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: Freedom isn't Freeh. iQCVAwUBMVf2321lp8bpvW01AQGJnQP8DAhTpnU2memnJta0muU1K2d0N7nhgCwK FCR0R5N6VCJbYu4rXovTlSXevWOkCOPasbZ6DKCzDGHFzQc9KUyc1FCbB4tlYqCr taGXcNKkYafQYF9VBGxUcuOhCb04TvOV1r3+QGqQ7OFvNJppF1YEsUBaO3MclFGW nDetMEwEtJI= =Mu5a -----END PGP SIGNATURE----- From unicorn at schloss.li Tue Mar 26 11:35:12 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 27 Mar 1996 03:35:12 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: Message-ID: On Mon, 25 Mar 1996, jim bell wrote: > At 12:23 PM 3/25/96 -0800, Timothy C. May wrote: > > >I don't see any compelling need for U.S. legislation. And given the > >pressures to attach all sorts of language to bills, I think it best that no > >legislation happen. > > [stuff deleted] > > >IMPORTANT NOTE: It is often said, in a correct interpretation I think, that > >a third party holding a key (Joe's Key Warehouse) is _not_ covered by the > >5th Amendment's protections against self-incrimination, and so must honor a > >subpoena. Sounds accurate to me. > > While this may end up looking like another of Jim Bell's odd > interpretations, the only section in the US Constitution that I see as > potentially REQUIRING a person's testimony is the section (can't recall > which) which says that a defendant must have a process to compel the > appearance of witnesses in his favor. The Constitution, as far as I see, > says nothing about requiring people to appear for the PROSECUTION. You're talking about the 6th amendment confrontation clause. Really, that's unrelated to requests for production of documents via the subpoena process, which is more related to the due process clause. Like I said in a related message, I have seen fines of $75,000 a day leveled against "bad faith" third parties for not complying with grand jury subpoenas for documents. > I know that plenty of judges just automatically assume that this requirement > is somehow in there, but a literal reading of the Constitution doesn't > provide it. If that's the case, the government has and should have no > mechanism to force any key escrow agent to reveal a key. Unfortunately, this is incorrect. Subpoena power is immensely potent in the United States, and is arguably the most violent extraterratorial exercise of American sovreignty there is. > >However, what if Joe is _also_ one's > >lawyer? Does attorney-client privilege apply here? Perhaps. A better > >solution is also fully legal at this time: use only offshore key storage. A > >U.S. subpoena to Vince's Offshore Key Repository will carry no weight in > >Anguilla. (Can I be compelled to ask Vince to send my key? Sure. But Vince > >and I could have a stipulation that such "duress requests" will not be > >honored, no matter how loudly I squawk.) > > I've always been astonished at the assumption that the government seems to > be making that key escrow (which is fundamentally done for the benefit of > the key holder) will be implemented in a way that could possibly help the > cops out, in a way done to the detriment of the key holder. It's no different than a safety deposit box. The bank is hardly going to endure prosecution and significant for withholding lawful access to a defendant's safety deposit box. > > >>I do feel that it should be possible for courts to sub poena crypto keys, > >>but that doesn't really need new law either (4th and 5th ammendments > >>become _really_ important though (hmmm- there advantages to writing down a > >>constitution after all :) > > > >I agree that subpoenas for keys are legit. While I may dislike giving up my > >key, in a criminal matter it seems like "just another document." If they > >can subpoena my diary, my phone records, my dentist bills, why not another > >this document? Nothing in the Constitution giving it special status. > > But are subpoenas _really_ constitutional? In any case, one of the effects > of the widespread availability of good encryption might be that suddenly the > documents that cops have historically thought were subpoena-able will no > longer be. That's life, although they won't like it. And Ohio never joined the union and thus is a tax haven, yadda, yadda, yadda. Please. They are as "subpoena-able" as the escrow agent is unwilling to bear the burden of multi-million dollar fines and the defendant unwilling to bear the burden of incarceration. You know, I didn't know who was writing this message until I got down here and my screen scrolled, but I had my suspicions. > Jim Bell > jimbell at pacifier.com --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From kermie at paonline.com Tue Mar 26 11:40:02 1996 From: kermie at paonline.com (Dan Ringley) Date: Wed, 27 Mar 1996 03:40:02 +0800 Subject: DESCRIBE Message-ID: Take me off of the God Forbidden list already! Now! From perobich at ingr.com Tue Mar 26 11:41:12 1996 From: perobich at ingr.com (Robichaux, Paul E) Date: Wed, 27 Mar 1996 03:41:12 +0800 Subject: Remailer restrictions: coming soon to your burg? Message-ID: Josh Quitter recounts the sorry tale of a small-town city councilman whose phone number got attached to one of those phone-sex ads in alt.binaries.*. See for full details. So, what does the councilman do? From the article: >On Feb. 6, at Suponcic's urging, the Willowick city council passed a resolution asking the state >and federal governments to close the "loopholes" that allowed anonymous remailers to operate >outside the authority of U.S. law-enforcement officials. "Once you've achieved one of these >anonymous identities, you're dangerous, and there's no way law enforcement can track it," >Suponcic says. "The animal's out of control." Just like with "communications decency", watch out at the local level. -Paul From nelson at crynwr.com Tue Mar 26 11:52:51 1996 From: nelson at crynwr.com (nelson at crynwr.com) Date: Wed, 27 Mar 1996 03:52:51 +0800 Subject: DESCRIBE In-Reply-To: Message-ID: <19960326143045.26906.qmail@ns.crynwr.com> Dan Ringley writes: > Take me off of the God Forbidden list already! Now! Sorry, Dan, I can't do that. Fortunately for you, however, cypherpunks-request at toad.com can. Mailing list requests NEVER go to the list, always to the list manager, be it the LIST-request address or majordomo or listserv. -russ http://www.crynwr.com/~nelson Crynwr Software | Crynwr Software sells packet driver support | PGP ok 11 Grant St. | +1 315 268 1925 voice | If you would seek peace, Potsdam, NY 13676 | +1 315 268 9201 FAX | first seek freedom From unicorn at schloss.li Tue Mar 26 12:06:49 1996 From: unicorn at schloss.li (Black Unicorn) Date: Wed, 27 Mar 1996 04:06:49 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: Message-ID: On Mon, 25 Mar 1996, Michael Froomkin wrote: > On Mon, 25 Mar 1996, Timothy C. May wrote: > > [...many things including...] > > > > (Michael Froomkin speculated in one of his articles, I don't recall which, > > that there might need to be certain guidelines or laws if a key escrow > > protocol were to invoke the U.S. court system. Maybe. But I think ordinary > > It's my clipper article, see the link from my homepage. The claim > (disputed, BTW, by many experts) is that it's not obvious that the > constitution allows judges to hold keys in the absence of an onging > judicial proceeding involving the owner of the key because the separation > of powers would classify this action as "executive". > > > contract law, about what a contract says and what it means, is adequate. If > > I pay Joe's Key Warehouse a fee to store my key and it loses it, or gives > > it to another party, then damages can be collected.) > > > I agree that absent a statute all that is involved is contract law. > > [...] > > > IMPORTANT NOTE: It is often said, in a correct interpretation I think, that > > a third party holding a key (Joe's Key Warehouse) is _not_ covered by the > > 5th Amendment's protections against self-incrimination, and so must honor a > > subpoena. Sounds accurate to me. However, what if Joe is _also_ one's > > lawyer? Does attorney-client privilege apply here? Perhaps. A better > > NO IT DOES NOT. Basic rule of thumb: your lawyer can't be used to hide > papers someone else can't hide. Ok, at the margin it gets tricky, but > bascially the privilege is not going to stretch to your key. > > > solution is also fully legal at this time: use only offshore key storage. A > > U.S. subpoena to Vince's Offshore Key Repository will carry no weight in > > Anguilla. (Can I be compelled to ask Vince to send my key? Sure. But Vince > > and I could have a stipulation that such "duress requests" will not be > > honored, no matter how loudly I squawk.) > > An interesting issue, likely to be addressed in future judicial > assistence treaties... Practally speaking, this is incorrect. While most nations complain about the application of U.S. law abroad in discovery, unless the foreign entity has no U.S. presence what so ever, they are highly vulnerable to subpoenas. Either today or tommorow I'll post a massive article on asset protection to the list which discusses many aspects of international subpoena powers and jurisprudence in relation to bank documents, and in some cases, computer disks and information. It may answer this question more completely. > > [...] > > A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) > Associate Professor of Law | > U. Miami School of Law | froomkin at law.miami.edu > P.O. Box 248087 | http://www.law.miami.edu/~froomkin > Coral Gables, FL 33124 USA | It's warm here. > > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From adam at lighthouse.homeport.org Tue Mar 26 13:18:40 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Wed, 27 Mar 1996 05:18:40 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: Message-ID: <199603261611.LAA04815@homeport.org> Timothy C. May wrote: | My point is that I see no compelling legislation that is needed. If enough | people in Washington really want increased length in _exported products_ | (remember the "exported" part), the Congress and the President should find | it easy enough to get said products on to the Approved List. (I note that | the Leahy Bill really doesn't change this system anyway...some products go | on the list, some don't...the law only seems to say that when the horse has | already left the barn, i.e., when "comparable" products are already in | fairly wide use outside the U.S., then the products should be put on the | approved list. Big deal. Tim, I'm forced to disagree on this point. I think that the comparable product has the potential to be a very big deal; it means that any product using IDEA or 3DES may become exportable, because such products are available outside the US. It may be that wide use will be quibbled over, but DES, weak as it is, is widely used outside the US, and IDEA and 3DES will be. Thats why this legistlation will fail to pass. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From frissell at panix.com Tue Mar 26 18:31:14 1996 From: frissell at panix.com (Duncan Frissell) Date: Wed, 27 Mar 1996 10:31:14 +0800 Subject: Weapons & Hope Message-ID: <2.2.32.19960326164226.00681648@panix.com> With all of the folderol about the repeal of the Assault Rifle non Ban and the risks to the polity from Assault Encryption, it is important to note that this is Much Ado About Nothing. If these gals are worried about a few AK's, what's going to become of their peace of mind when confronted with nanotechnology. It is not technologically feasibly to develop a pile of advanced technologies that do not contain weapons or defenses of some kind. Technology gives one the power to do things. The power to "do things" is a superset of the power to attack or defend (the power of weaponry). A weapon is basically an instrument for projecting force or (in the case of defenses) blocking that projection. As technology advances, more and more powerful instrumentalities are placed in individual hands. This is particularly the case with modern machines and markets. Whereas past practice involved mass production of identical products from very specialized production machinery, the current trend is moving towards custom products produced by "general" machines. While it might be barely possible in the mass production age to control weapons by blocking the flow of these specific products (a Streetsweeper, say) into the marketplace, it will clearly not be possible in the age of custom production. General machines will be available to produce specialized products (often under the direct control of the customer, himself). Some of this custom production will be weapons. DCF "Gee, I never knew Chuck Schumer was brave enough to attack another military force armed only with an 'Assault Handgun.' He must be because if he ain't then it ain't (an assault handgun, that is) because no one else would be that crazy." From merriman at arn.net Tue Mar 26 19:36:10 1996 From: merriman at arn.net (David K. Merriman) Date: Wed, 27 Mar 1996 11:36:10 +0800 Subject: Let's *NOT* "Raise their Awareness" Message-ID: <2.2.32.19960325205224.006866dc@arn.net> -----BEGIN PGP SIGNED MESSAGE----- At 11:25 PM 03/25/96 -0800, tcmay at got.net (Timothy C. May) wrote: > >I try to avoid "me too" echoes, but this is worth concurring with, strongly. > >Nothing good can come out of "raising awareness," especially of an issue >where the Consitution is already pretty clearly on the side of the right to >speak in whatever language one chooses, to keep diaries in code if one >wishes, to whisper to others, to place curtains on windows, to lock doors, >and so on. (I suppose Jim Bell will point out that the Constitution >contains no explicit language about placement of curtains....) Regrettably, I must disagree with Mr. May on the matter of speaking in whatever language one chooses. It seems that here in Texas (specifically, here in Amarillo), a local judge informed a Hispanic family that they were prohibited from speaking _only_ Spanish to their child at home. The rationale was that since English is the (ostensibly, in this area) Public Language of the school system here, failure to encourage use of English would adversely impact the child's education, and was thus a form of child abuse. If need be, I can provide excerpts from the local snoozepapers coverage of the issue. *sigh* One Freedom at a time...... Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMVbp7cVrTvyYOzAZAQHuTwP8DbhSO4PuMKl8/W/pNHCc2UsRCLSCADW3 JV5wJqh0H+z959tGx6zcB+WTjHSXMz/ZKsQFxGnJ40fKDj4YXOclRZraqgVPngHh nrBzPNs0eZMJujecIE9v+JHJdIGmLKlkH9XQgmA4eqUF0ivGz9yLD4aVVyOjew45 f/okXaXbjeA= =UUyW -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From tcmay at got.net Tue Mar 26 20:08:29 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 27 Mar 1996 12:08:29 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: At 4:11 PM 3/26/96, Adam Shostack wrote: >Timothy C. May wrote: > >| My point is that I see no compelling legislation that is needed. If enough >| people in Washington really want increased length in _exported products_ >| (remember the "exported" part), the Congress and the President should find >| it easy enough to get said products on to the Approved List. (I note that >| the Leahy Bill really doesn't change this system anyway...some products go >| on the list, some don't...the law only seems to say that when the horse has >| already left the barn, i.e., when "comparable" products are already in >| fairly wide use outside the U.S., then the products should be put on the >| approved list. Big deal. > > Tim, > > I'm forced to disagree on this point. I think that the >comparable product has the potential to be a very big deal; it means >that any product using IDEA or 3DES may become exportable, because >such products are available outside the US. I certainly don't disagree that if Leahy is passed, which is unlikely, then conventional ciphers like 3DES will become exportable. (And I am forced to add, "Big deal.") What I'm more interested in are not the ciphers which had their genesis in the crypto work of the 70s, but in the new and exciting applications to come. Things such as this list often discusses. I believe Leahy could stall export of these new items until eventually there are offshore equivalents of sufficiently wide deployment that the Leahy clause would get invoked. Leahy does little to confirm basic Constitutional rights, and offers a sop to the export control advocates. And the criminalization of use of crypto in furtherance of a felony (any of the 14,662 felonies now on the books), according to the reading of several analysts who have studied Leahy, is disturbing. Whether it can be used to prosecute operators of anonymous remailers remains unclear, but associating cryptography with criminality more directly and statutorily than it is now is NOT a step in the direction we want to see! --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From frantz at netcom.com Tue Mar 26 21:29:46 1996 From: frantz at netcom.com (Bill Frantz) Date: Wed, 27 Mar 1996 13:29:46 +0800 Subject: So, what crypto legislation (if any) is necessary? (Was List O' , shame) Message-ID: <199603260757.XAA27985@netcom5.netcom.com> At 9:20 PM 3/25/96 -0800, Simon Spero wrote: >On Mon, 25 Mar 1996, Bill Frantz wrote: > >> At 1:32 PM 3/25/96 -0500, Black Unicorn wrote: >> to type them. Since storage was limited, and old messages were purged from >> the system it also had the effect that anti-trust discovery would have >> nothing to discover. > >Hmmm - that's another issue; what about diffie hellman with ephemeral >keys? Once the transaction is complete, unless you keep a copy of the key, >even you can't decrypt that session. Would a law requiring you to keep a >copy of the keys be important. It would have the advantage of allowing >a sub-poena to be more restrictive than "just hand over your private >key", but it's a pretty heavy (undue?) burden. With PGP at least, it should be possible to hand over the IDEA key required to decrypt each message in question without having to hand over your private key. Since the court would have your public key, they could verify that the IDEA key you gave them was indeed the correct key. Of course if they are using the subpoena to intimidate you, then they will insist on the private key. N.B. The IBM voice system mentioned above (and the attribution should be to me, and not Black Unicorn) did not use any crypto. Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From peponmc at Fe3.rust.net Tue Mar 26 22:46:35 1996 From: peponmc at Fe3.rust.net (Michael C. Peponis) Date: Wed, 27 Mar 1996 14:46:35 +0800 Subject: Let's *NOT* "Raise their Awareness" Message-ID: <199603262308.SAA27360@Fe3.rust.net> On Tue, 26 Mar 1996 , David K. Merriman wrote: >Regrettably, I must disagree with Mr. May on the matter of speaking >in whatever language one chooses. It seems that here in Texas >(specifically, here in Amarillo), a local judge informed a Hispanic >family that they were prohibited from speaking _only_ Spanish to >their child at home. The rationale was that since English is the >(ostensibly, in this area) Public Language of the school system here, >failure to encourage use of English would adversely impact the >child's education, and was thus a form of child abuse. If need be, I >can provide excerpts from the local snoozepapers coverage of the >issue. The judge is correct in this matter, most people view it from the rights of the parents, but what about the child who, because of his/her parents egotism and ignorance, grows up not being able to compete effectivly? My rights, even parental rights, end when their exersize directly impact someone else(the child) in a negative way. Regards, Michael Peponis PGP Key Available for MIT KeyServer From EALLENSMITH at ocelot.Rutgers.EDU Tue Mar 26 22:48:02 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Wed, 27 Mar 1996 14:48:02 +0800 Subject: Call for Papers: Internet Privacy and Security Message-ID: <01I2SPYPHUVS8ZDZ7I@mbcl.rutgers.edu> Sorry if this has been on here before. -Allen From: Phil Agre =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help at weber.ucsd.edu =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Date: Tue, 19 Mar 96 12:09:20 PST From: RISKS List Owner Subject: RISKS DIGEST 17.91 RISKS-LIST: Risks-Forum Digest Tuesday 19 March 1996 Volume 17 : Issue 91 ---------------------------------------------------------------------- Date: Fri, 15 Mar 1996 12:17:23 -0500 From: "Joseph M. Reagle Jr." Subject: Internet Privacy and Security, Call for Papers CALL FOR PAPERS INTERNET PRIVACY AND SECURITY WORKSHOP Haystack Observatory, MA May 20-21, 1996 Privacy and Security Working Group Federal Networking Council Research Program on Communications Policy Center for Technology, Policy, and Industrial Development Massachusetts Institute of Technology INVITATION The Privacy and Security Working Group (PSWG) of the Federal Networking Council (FNC) and the Research Program on Communications Policy of the Center for Technology, Policy, and Industrial Development at the Massachusetts Institute of Technology will hold an invitational workshop at the Haystack Observatory outside of Boston, MA, on May 20-21, 1996. This workshop is intended to bring Federal, academic and private sector participants together in collaboration to develop strategies and potential solutions related to Internet privacy and security. Though a principal focus of the workshop will be on the Federal portion of the Internet, the FNC recognizes that the Federal Internet is tightly coupled with the Global Internet, whose security policies, practices, and goals are complementary to those of the Federal Government. To define those practices, procedures and goals, the PSWG has undertaken two major initiatives: - The Federal Internet Security Plan (FISP), which was developed as a scalable, continual improvement process, based on common principles and mechanisms compatible with Internet community values and needs; and - The Collaborations in Internet Security (CIS) project, an effort aimed at testing the strength of agency approaches to security and moving these technologies beyond individual agency networking environments and into both inter-agency and agency-commercial sector communications. The CIS will result in the development of a new and sustainable process for developing, integrating, and deploying security technologies that are interoperable at all levels of the Federal government and within the commercial and academic sectors. These initiatives are intended to highlight the critical interface between Federal and commercial users and developers of Internet services and technologies. OBJECTIVES This workshop will bring together principal players in the Federal and overall Internet community to discuss the problems and challenges of privacy and security on the Internet, and will: - Identify critical issues, requirements, and recommendations related to future Internet privacy and security research and development efforts; - Describe "best practice" approaches to Internet privacy and security; - Develop specific strategies for implementing Internet Security programs involving all sectors of the Internet community; - Extend the Federal Internet Security Plan (FISP) by defining specific implementations; and finally, - Develop specific strategies for the migration of technologies from the individual RFC unit test stage to the integration of a complete functional managed system in the CIS test/demonstration/pilot projects. SUBMISSIONS Abstracts or complete paper drafts related to the topics listed above are welcome. Accepted papers will be a part of the published record of the workshop. All points of view on Federal policies affecting Internet privacy and security are welcome. Please make all electronic submissions in ASCII format. For further information or to submit an abstract or paper contact: Internet Security and Privacy Workshop c/o Joseph Reagle Research Program on Communications Policy Massachusetts Institute of Technology One Amherst St. (E40-218) Cambridge, MA 02139 Voice: (617) 253-4138. Fax: (617) 253-7326 papers at rpcp.mit.edu SCHEDULE and DEADLINES Call for papers - March 14, 1996 Abstracts Due - April 14, 1996 Invitations to Participants - April 20, 1996 Revised/Completed papers due - May 19, 1996 Workshop - May 20-21, 1996 PARTICIPANTS Participation in the workshop is by invitation, based primarily on submitted papers and abstracts. Additional individuals may be invited to ensure that participation reflects a broad cross-section of the Internet community. PROGRAM COMMITTEE Dennis Branstad - Trusted Information Systems (TIS) Rich Pethia - Computer Emergency Response Team (CERT) Jeffrey Schiller - Massachusetts Institute of Technology (MIT) Richard Solomon - Massachusetts Institute of Technology (MIT) Rick Stevens - Department of Energy /Argonne National Labs (DOE) STEERING COMMITTEE Stephen Squires, DARPA (FNC/PSWG Co-Chair) Dennis Steinauer, NIST (FNC/PSWG Co-Chair) Tice DeYoung, NASA Phillip Dykstra, Army Research Laboratory (ARL) Mike Green, NSA George Seweryniak, Department of Energy (DOE) Walter Wiebe, Federal Networking Council (FNC) BACKGROUND Federal Internet Security Plan: In September 1995, the PSWG published the draft Federal Internet Security Plan (FISP). The FISP is oriented toward a scalable, continual improvement process, based on common principles and mechanisms compatible with Internet community values and needs. See . The plan addresses Internet security requirements, including interoperability, from the perspective of the goals and objectives outlined in the National Performance Review (NPR), http://www.npr.gov/. The Federal Networking Council developed this framework in conjunction with its Advisory Committee which represents industry, academia, and non-profit sectors. Action Items, from the FISP, to be addressed during the Workshop: Internet Security Policy and Policy Support Activities * Establish overall Internet security policies * Address security in all Federally supported NII pilots * Coordinate Internet community involvement * Establish an ongoing Internet threat database and assessment capability * Identify legal and law enforcement issues Internet Security and Technology Development * Develop an Internet security maturity model * Develop Internet security architecture * Enhance Internet security services and protocols * Develop a "Secure-Out-of-the-Box" endorsement * Enhance application security Internet Security Infrastructure * Establish a set of Internet security interoperability testbeds * Support privacy, authentication, certificate, and security services pilots * Establish Internet security testing and evaluation capabilities * Improve security incident handling capabilities * Develop security self-assessment capabilities * Establish effective secure software and document distribution mechanisms Education and Awareness * Compile Internet user and site profiles * Encourage use of available security technologies * Establish an Internet security information server * Establish an Internet security symposium/workshop series * Establish an Internet security fellowship program Collaborations in Internet Security: With the Federal government's ever-increasing dependency on computers and distributed systems, there is great urgency for it to develop and employ enhanced information system security technologies and practices. At the same time, these Federal technologies must interoperate with those of the broader Internet community (encompassing the private and academic sectors, along with the Federal sector). In recognition of these needs, the Federal Networking Council's Privacy & Security Working Group (FNC/PSWG) has been awarded a National Performance Review (NPR) Innovation Fund grant to compare and validate agency approaches to security. This Collaborations in Internet Security (CIS) project aims to test the strength of these technologies beyond individual agency networking environments, emphasizing the inter-agency and agency-commercial sector communications. The CIS will result in the development of a new and sustainable process for developing, integrating, and deploying security technology that is interoperable at all levels of the Federal Government and within the commercial and academic sectors. The governing principles behind the Security Testbeds include: employment of an open process (with the activities and results open to participation and comment by both public and private sector participants); a focus on multivendor technologies; an emphasis on testing and experimentally deploying security technologies emerging from research and private sectors as well as security technologies currently in use in the commercial environment; and an underlying objective to ensure interoperability among the broad Internet community (federal, private, and academic). Initial tests will include demonstrations of Kerberos v.5, testing of single-use passwords, and digital signatures. For more information, please see (http://www.fnc.gov/cis_page.html) From aguilar at servidor.dgsca.unam.mx Tue Mar 26 22:48:46 1996 From: aguilar at servidor.dgsca.unam.mx (Victor Ramon Aguilar Ocampo) Date: Wed, 27 Mar 1996 14:48:46 +0800 Subject: About Triple DES ...... Message-ID: Hello: Please let me know if TRIPLE DES is regulated by the same rules than the others criptography systems in USA. We want to use it here in National Autonomous University of Mexico, so we don't want to get jailed. In case we can use it somebody knows where can i get the source code ?? I have searched this already in WWW, archie and Veronica. Thanks in advance. ---------------------------------------------------------------- Academic Computing Services National Autonomus University of Mexico Victor Ramon Aguilar Ocampo Coordinacion de Servicios de Computo DGSCA - UNAM E-mail: aguilar at servidor.unam.mx " Solo tienes dos cosas en tu hacer, las Razones y los Resultados. Las Razones no cuentan ". ---------------------------------------------------------------- From vznuri at netcom.com Tue Mar 26 22:50:27 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Wed, 27 Mar 1996 14:50:27 +0800 Subject: Why NSA is afraid that ITARs will be thrown out in court In-Reply-To: Message-ID: <199603262136.NAA17319@netcom18.netcom.com> TCM >Whether this NSA paranoia has anything to do with the final decision on the >Zimmermann et. al. matter is unclear, but it is likely that a very strong >challenge to the ITARs--maybe the appeal by Phil Karn is such a challenge, >maybe the Bernstein case--will result in big chunks of the ITARs being >thrown out. regarding these discussions about challenging the ITAR, I think it would have to be done by some really daring lawyers. there are some precedents for judges slapping secrecy orders on various aspects of the trial whenever the NSA is involved-- just another way the NSA loves to manipulate our government system via a technique that might be called "shadow puppetry" the case then dies a slow painful death of attrition in the dark. anyway, one would have to somehow intersect with a judge that is not easily intimiated by "national security" issues. I am dead serious- -the first thing NSA or "intelligence agency" lawyers do is try to impress the judge that this is an unusual case that requires strict secrecy in the interests of national security. having brave lawyers might mean they are willing to defy secrecy orders about the trial to publicize it in the open to win public attention and support. I think this would be difficult. but one has to try. there is a simple formula to fighting the NSA and their horrible tactics: disclosure can be a powerful weapon in our favor. the NSA will usually back down from a confrontation instead of escalating it. public exposure is their absolute worst nightmare. there are a lot of spooks in the NSA who cringe every time those initials are used. well, NSA NSA NSA NSA NSA NSA NSA NSA!!! (maybe I can actually get a few of them to have heart attacks by saying that) again, I continue to believe that the main problem with the NSA/ITAR is not so much that either exists, but that everyone in our country is following both as if they are the rule of law. you get more of what you roll over for. From aba at atlas.ex.ac.uk Tue Mar 26 23:04:19 1996 From: aba at atlas.ex.ac.uk (aba at atlas.ex.ac.uk) Date: Wed, 27 Mar 1996 15:04:19 +0800 Subject: Crypto CD UpDate Message-ID: <21443.9603262216@sirius.dcs.exeter.ac.uk> The idea of putting together a CD with crypto stuff is an excellent IDEA, and one which I very much welcome. However a question .. are you (Ben) located in the US? If so... that rules out overseas buyers unless you fancy messing with ITAR... Is it possible that you could come to some arrangement with some one outside the ITAR fence who has a CD writer (any one reading have one?) put together the same CD for those outside the US? Adam From RUSSELLDH at aol.com Tue Mar 26 23:04:38 1996 From: RUSSELLDH at aol.com (by way of "David E. Smith" ) Date: Wed, 27 Mar 1996 15:04:38 +0800 Subject: Phil Zimmermann Interview online... Message-ID: <2.2.32.19960326202110.006a53c0@204.248.40.2> I don't recall seeing this previously on the list. The interview itself is pretty lightweight - intended for a rather broad audience - but it's the sort of thing we could use more of (that is, good positive pro-crypto publicity). original message goes here ---> Hi! On February 2nd, 1996 I interviewed Phil Zimmermann and have transcribed that interview and placed it on the Web. It is located at: http://www.animatedsoftware.com/hightech/philspgp.htm I hope you find it interesting. If you would like to add a link to it please let us know. By the way, I enjoyed visiting your home page, where I got your email address. Thanks, Russell Hoffman http://www.animatedsoftware.com --- David Smith, Intellecutal Terrorist http://www.midwest.net/scribers/dsmith/ From alano at teleport.com Tue Mar 26 23:04:57 1996 From: alano at teleport.com (Alan Olsen) Date: Wed, 27 Mar 1996 15:04:57 +0800 Subject: Pepsi World - Gotta Have It! Message-ID: <2.2.32.19960326230523.0095a474@mail.teleport.com> At 09:14 AM 3/26/96 -0800, geeman at best.com wrote: >hoax, I presume? Not a hoax. On occasion people signup on various web sites requiring a username and password with this list name as the e-mail contact and the user ID and password as "cypherpunk". Because of that, occasionally spam from such accounts shows up here, adding to the noise level. I find it annoying, but I just filter it and go on with my life. --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From jimbell at pacifier.com Tue Mar 26 23:05:57 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 27 Mar 1996 15:05:57 +0800 Subject: Bad news from Judge Richey Message-ID: At 12:16 PM 3/26/96 -0800, Timothy C. May wrote: >At 6:29 PM 3/26/96, jim bell wrote: > >>Now now, Tim. You know me better than that. You know that I would never be >>so restrained as to call for the killing of ONLY ONE federal judge. > >Your sense of humor is also called "digging your own grave." Better hope >your words don't get to prosecutors anxious to set an example.... I don't think they'd be stupid enough to do that. Even a fool knows that what I really want is publicity, and that is exactly what the government would be best advised NOT to give me. If they decided to press the issue, it would turn into one of the purest 1st amendment cases that has ever existed. Worse for them, it would automatically publicize my AP idea to an audience of millions, which I believe would cook their goose but good. They know this, and they know that harassing me will not stop the fundamental idea. >>Seriously, however, I think you slightly mis-read my letter. The implied >>"threat", if you are inclined to call it that, would simply be that if >>domestic >>software writers are prohibited from exporting encryption software, they >>might be inclined (and have time for) writing the entire AsPol system into >... > >I read your article as essentially saying: > >"Judges ought to remember that a box of shells costs a lot less than an appeal." Good line! But what I really meant was, "Jim Bell is advocating building an ammunition factory." Jim Bell jimbell at pacifier.com From pgut001 at cs.auckland.ac.nz Tue Mar 26 23:06:22 1996 From: pgut001 at cs.auckland.ac.nz (pgut001 at cs.auckland.ac.nz) Date: Wed, 27 Mar 1996 15:06:22 +0800 Subject: Test case for RSA t-shirts Message-ID: <199603262347.LAA09880@cs26.cs.auckland.ac.nz> [I posted this to comp.org.eff.talk but got virtually no response, maybe someone here can make use of it] In July I'll be going to the US for a conference. I have one of Adam Backs RSA-in-perl t-shirts and am prepared to wear it into (and possibly back out of) the country if anyone feels it would do any good (for example to act as a test case for exportability). If anyone thinks this would be useful or wants to offer a legal opinion, let me know. For something less trivial, I can also carry in a disk of crypto code or something similar (say, 20 pages of DES bar codes) and see if I'm allowed to take it back with me. Peter. From llurch at networking.stanford.edu Tue Mar 26 23:22:17 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Wed, 27 Mar 1996 15:22:17 +0800 Subject: About Triple DES ...... In-Reply-To: Message-ID: Victor Ramon Aguilar Ocampo escribe: > Please let me know if TRIPLE DES is regulated by the same rules than > the others criptography systems in USA. Yes. Apparently there's even a standard place on the export request forms to check off "please resubmit without triple-DES support." If this is something you want to be able to take across the border, you need to get it from a non-US source. > We want to use it here in National Autonomous University of Mexico, so > we don't want to get jailed. You wouldn't be jailed, since as far as I know, it's perfectly legal for you to use DES. It's just illegal for anyone in the US or Canada to give it to you. It's possible that some NAFTA working group has written regulations to make Mexico answerable for ITAR violations, but I seriously doubt it. -rich From olmur at dwarf.bb.bawue.de Tue Mar 26 23:43:02 1996 From: olmur at dwarf.bb.bawue.de (Olmur) Date: Wed, 27 Mar 1996 15:43:02 +0800 Subject: ITAR double standards? In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- >>>>> "TCM" == Timothy C May writes: [much deleted] TCM> Now when I was with Intel, we made many of our chips in plants in TCM> Ireland, Israel, and other locales outside the U.S. Some of these TCM> chips were forbidden for export by the ITARs. And certainly the TCM> knowledge of the engineers sent overseas was comparable to the TCM> knowledge of RSA programmers.... Don't know about Intel, but IBM has an agreement with US-legislation, that we can ship code, hardware and knowledge freely between all of our locations. An export-licence is only required when code/hardware leaves the IBM-corporation. Technically IBM-Germany is a _German_ company, so that ITAR would not effect IBM-Germany. However, the agreement between IBM-corporation and US-legislation does have the desired effect (desired by US-legislation). This seems to be the way how ITAR is enforced with multinational corporations: they allow the very valuable exchange of knowledge, for the prize of the corporation as a whole `voluntarily' obeying ITAR. Of course all the usual disclaimers apply, ie I'm not a lawyer, don't speak for IBM and the weather is not my fault either.... Have a nice day! Olmur -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: latin1 Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface iQCVAwUBMVhkfg9NARnYm1I1AQGuGAP/XXDIIwrm/a0MRe5DgTtPcoo1Z2nJvSjj KbmP0khSSv/5ekfmGlIVe4tOakCQo5Sp1GUfkxxnQdkuM2oTNCTU1nCFP3pj+J69 LX8Jjz1Z8c1UGyAWhBGYrKHbcdbeWoWfeanzx2uwVex0Nm1R3xN+et8Q/pmVKQTE 3FmGqOmHLk0= =RZEo -----END PGP SIGNATURE----- From tcmay at got.net Wed Mar 27 00:05:20 1996 From: tcmay at got.net (Timothy C. May) Date: Wed, 27 Mar 1996 16:05:20 +0800 Subject: Let's *NOT* "Raise their Awareness" Message-ID: At 8:52 PM 3/25/96, David K. Merriman wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >At 11:25 PM 03/25/96 -0800, tcmay at got.net (Timothy C. May) wrote: >> >>I try to avoid "me too" echoes, but this is worth concurring with, strongly. >> >>Nothing good can come out of "raising awareness," especially of an issue >>where the Consitution is already pretty clearly on the side of the right to >>speak in whatever language one chooses, to keep diaries in code if one >>wishes, to whisper to others, to place curtains on windows, to lock doors, >>and so on. (I suppose Jim Bell will point out that the Constitution >>contains no explicit language about placement of curtains....) > >Regrettably, I must disagree with Mr. May on the matter of speaking in >whatever language one chooses. It seems that here in Texas (specifically, >here in Amarillo), a local judge informed a Hispanic family that they were >prohibited from speaking _only_ Spanish to their child at home. The >rationale was that since English is the (ostensibly, in this area) Public >Language of the school system here, failure to encourage use of English >would adversely impact the child's education, and was thus a form of child >abuse. If need be, I can provide excerpts from the local snoozepapers >coverage of the issue. Right, and I've cited this "family law" case recently here in Cyphepunks as an example of an aberrant, unconstitutional law (family law has a lot of such things...it may come from the hard-to-untangle situation of a family). I don't take specific statutes or interpretations, such as this example, as being the same as what the Constitution says. Though it may come to the point where what's in the Constitution is buried under a blizzard of such exceptions and special cases. In any case, I think the First Amendment is a better protection of cryptographic rights than is some putative (and arguably nonexistent) "right to privacy." --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From perry at piermont.com Wed Mar 27 00:22:37 1996 From: perry at piermont.com (Perry E. Metzger) Date: Wed, 27 Mar 1996 16:22:37 +0800 Subject: About Triple DES ...... In-Reply-To: Message-ID: <199603262114.QAA13464@jekyll.piermont.com> Victor Ramon Aguilar Ocampo writes: > Please let me know if TRIPLE DES is regulated by the same rules than > the others criptography systems in USA. Yes. > We want to use it here in National Autonomous University of Mexico, so > we don't want to get jailed. You are in Mexico. You aren't required to follow U.S. law. > In case we can use it somebody knows where can i get the source code ?? Try the International Cryptography Home page to help you find a copy from outside the U.S. http://www.cs.hut.fi/crypto/ Perry From cmcmanis at netcom.com Wed Mar 27 00:57:37 1996 From: cmcmanis at netcom.com (Chuck McManis) Date: Wed, 27 Mar 1996 16:57:37 +0800 Subject: Noise Sphere in Java Message-ID: <01BB1B40.136EB560@Inverness> Thanks to the post in C++ we now have a version of the Noise Sphere program in Java. You can see it at: http://www.golfweb.com/cmcmanis/noise.html The source is online as well. It currently plots the randomness of the java.util.Random class. Modification for other classes that generate random data should be easy, as long as the class has a method nextInt() which returns a new random number. Other hacks are possible, feel free to hack away at your leisure. --Chuck McManis cmcmanis at golfweb.com From anon-remailer at utopia.hacktic.nl Wed Mar 27 01:16:50 1996 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Wed, 27 Mar 1996 17:16:50 +0800 Subject: No Subject Message-ID: <199603270220.DAA24963@utopia.hacktic.nl> Subject: HP ships full DCE internationally As I sit, somewhere not in North America, I can see a CD-Rom from Hewlett-Packard, which I've had since last year. Recently I received the following letter. I've attempted to retype its contents accurately. ---------8<--------8<--------8<--------8<--------8<--------8<--------8< [HP Logo] Hewlett-Packard Company Software and Information Delivery Operation, SST 690 East Middlefield Road Mountain View, California 94043 415/968-9200 Dear HP-UX Support Customer, Hewlett-Packard has uncovered a bundling problem in the DCE-Core fileset that is on the October HP-UX Application Release 10.0 s700/800 Application CDs. These products were bundled such that they are not compliant with U.S. Government export regulations. The part numbers for the affected CDs and products are listed below. If you have updated your systems using these CDs or for the products listed on the October HP-UX Application Release Media, please update your system with the enclosed January HP-UX Application Release 10.0 s700/800 Application media, and destroy the October media. If you have not updated your systems with this media, please just destroy the October Application Release media and use the new enclosed Application media. If you require a replacement for the October HP-UX 10.0 s700/800 Application CD that has this bundling problem corrected, please contact your local support office to request shipment of the new CD. Hewlett-Packard apologises for any inconvenience you may experience due to this bundling issue. Sincerely [signed] Charles Henderson Software Information and Delivery Operations CD PART NUMBERS --------------- 24998-11710 SE application s700 10/95 24998-11711 SE application s800 10/95 B3782-10054 Trade application s700 10/95 B3920-13614 Trade application s800 10/95 PRODUCT NUMBERS --------------- 10.01 800 B3191A DCE CORE SRV MEDIA/DOCU INTL 10.01 800 B5162AA DCE 9000 Executive Client 10.01 800 B3519AA DCE QUICK START KIT INTL S800 10.01 800 B3923AA CICS/9000 Bundle Media & Manuals, Int'l 10.01 700 B2921A DCE Core Services International 10.01 700 B5162AA DCE 9000 Executive Client S700 10.01 700 B3519AA DCE Quickstart 700 Bndl Int'l Document P/N: 5964-5231 ---------8<--------8<--------8<--------8<--------8<--------8<--------8< Excuse me, I just have to go and destroy that CD :-) From jamesd at echeque.com Wed Mar 27 01:19:16 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Wed, 27 Mar 1996 17:19:16 +0800 Subject: LIST OF SHAME VOLUNTEERS Message-ID: <199603260346.TAA29765@mail1.best.com> At 01:22 AM 3/25/96 -0500, Declan B. McCullagh wrote: > Leahy Bill has NOT A CHANCE IN HELL of passing, and so is worth > supporting to raise awareness of crypto. Washington is the last place where we wish to raise awareness of crypto --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jimbell at pacifier.com Wed Mar 27 01:27:49 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 27 Mar 1996 17:27:49 +0800 Subject: Bad news from Judge Richey Message-ID: At 02:21 PM 3/25/96 -0800, Phil Karn wrote: >Last Friday, Judge Richey issued a 36-page opinion dismissing my suit >against the State Dept. > >I am waiting for a copy of the opinion, which should arrive in paper >form tomorrow. I'll post it on my web site when it's available in >electronic form. (http://www.qualcomm.com/people/pkarn/export) > >I'll be meeting my attorneys next Monday to plan an appeal strategy. I realize that this may appear to be a rather disrespectful tactic, but have you considered reminding the judge that if you are not allowed to profit by exporting encryption that the government doesn't want to see exported, you'll just have to make money in some other way, and this may lead you to talk to Jim Bell about implementing a program using encryption that doesn't _need_ to be exported...legally anyway. Jim Bell jimbell at pacifier.com From thecrow at iconn.net Wed Mar 27 02:08:04 1996 From: thecrow at iconn.net (Jack Mott) Date: Wed, 27 Mar 1996 18:08:04 +0800 Subject: trouble with idea.c from cryptl99.zip Message-ID: <3158BD34.2AD8@iconn.net> Hey, I downloaded the crypto lib 'cryptl99.zip' from one of the crypto web sites, I got IDEA.C to compile, but it doesn't seem to encrypt. The test code that comes with it shows the sub-key groupings, then it does this X 0 1 2 3 4 5 6 7 Y 0 1 2 3 4 5 6 7 Z 0 1 2 3 4 5 6 7 It looks like X should be the plaintext, Y the ciphertext, then Z the plaintext again from the code, but it isn't working. If anyone knows the source code I am talking about let me know what is wrong. Here is what the main piece looks like: printf("\n Encrypting %d bytes (%ld blocks)...", BLOCKS*16, BLOCKS); fflush(stdout); start = clock(); memcpy(YY, XX, 8); for (l = 0; l < BLOCKS; l++) ideaCipher(YY, YY, EK); /* repeated encryption */ memcpy(ZZ, YY, 8); for (l = 0; l < BLOCKS; l++) ideaCipher(ZZ, ZZ, DK); /* repeated decryption */ end = clock() - start; l = end / (CLOCKS_PER_SEC/1000) + 1; i = l/1000; j = l%1000; l = 4; // (16 * BLOCKS * (CLOCKS_PER_SEC/1000)) / (end/1000); printf("%d.%03d seconds = %ld bytes per second\n", i, j, l); printf("\nX %3u %3u %3u %3u %3u %3u %3u %3u\n", XX[0], XX[1], XX[2], XX[3], XX[4], XX[5], XX[6], XX[7]); printf("\nY %3u %3u %3u %3u %3u %3u %3u %3u\n", YY[0], YY[1], YY[2], YY[3], YY[4], YY[5], YY[6], YY[7]); printf("\nZ %3u %3u %3u %3u %3u %3u %3u %3u\n", ZZ[0], ZZ[1], ZZ[2], ZZ[3], ZZ[4], ZZ[5], ZZ[6], ZZ[7]); from this, Y should be encrypted, but it isn't! Thanks in advance for any help. -- thecrow at iconn.net "It can't rain all the time" From herbs at connobj.com Wed Mar 27 02:38:25 1996 From: herbs at connobj.com (Herb Sutter) Date: Wed, 27 Mar 1996 18:38:25 +0800 Subject: Let's *NOT* "Raise their Awareness" Message-ID: <2.2.32.19960327042730.00737020@mail.interlog.com> At 18:07 03.26.1996 -5:00, Michael C. Peponis wrote: >On Tue, 26 Mar 1996 , David K. Merriman wrote: >>Regrettably, I must disagree with Mr. May on the matter of speaking >>in whatever language one chooses. It seems that here in Texas >>(specifically, here in Amarillo), a local judge informed a Hispanic >>family that they were prohibited from speaking _only_ Spanish to >>their child at home. The rationale was that since English is the >>(ostensibly, in this area) Public Language of the school system here, >>failure to encourage use of English would adversely impact the >>child's education, and was thus a form of child abuse. If need be, I >>can provide excerpts from the local snoozepapers coverage of the >>issue. > >The judge is correct in this matter, most people view it from the >rights of the parents, but what about the child who, because of >his/her parents egotism and ignorance, grows up not being able to >compete effectivly? > >My rights, even parental rights, end when their exersize directly >impact someone else(the child) in a negative way. Gee, that's funny. I grew up in a household where we always spoke only German, and not only that but I had to write one page of German daily to keep my writing skills up; I was fluent in it at three. I grew up in a neighbourhood where we always spoke English; I was fluent in it at four. I grew up in a school system that offered me French immersion for about six years, so for several years most of my classes were in French only; I was fluent in it at fifteen. I now speak and write all three languages (though I'm most fluent in English and the French is rusty). I was born in Canada and have lived here all my life; I don't see the problem. PMFJI the middle of this, but assuming the above account wasn't taken out of context it seems awfully ludicrous to me. Just MHO, of course. I've never yet seen a child who can't pick up a language common in the area just by being around people who speak it... especially if it's the language used and taught in school! I have friends who've come from countries in Africa where there are many tribal groups in addition to the widely-used official French and English languages, and I was impressed when I saw these teenagers come over here already fluent in five or six languages... until I was told that's normal where they come from and everyone knows at least four just to get around from day to day. It boggles the mind to think that speaking one language at home exclusively would have any sort of impact on a child's development, AFAICS. To state a REALLY controversial opinion: I've always felt one reason many kids are so bored with school is that our school systems just plain don't challenge them, and I'm afraid I see the above as a perfect example of swaddling and coddling. Kids are amazing and are guaranteed to surprise you, when someone takes the time to work with them and set them achievable goals. If you'll excuse a European joke: "Q: What does a European call someone who speaks four languages? A: Gifted. Q: Three languages? A: Bright. Q: Two languages? A: Normal. Q: One language? A: American." :-) (No, this isn't a snub, it's just meant in good humour; it applies to a lot of us Canucks too even though we do have two official languages. Heck, I apply it to myself; my French is rusty, I haven't used it in over 12 years.) --- Herb P. Sutter Current Network Technologies Corp. Senior Architect, Distributed Computing 2655 Benedet, Mississauga ON Canada Cell 416-618-0184 Tel 416-805-9088 Fax 905-855-7194 From alano at teleport.com Wed Mar 27 03:34:28 1996 From: alano at teleport.com (Alan Olsen) Date: Wed, 27 Mar 1996 19:34:28 +0800 Subject: ViaCrypt PGP 4.0 for Windows shipping Message-ID: <2.2.32.19960327060017.0090a994@mail.teleport.com> I have not seen this here yet, so sorry if you have seen it... ViaCrypt is claiming that they are now shipping the Windows version of their PGP 4.0. (I tend to not believe marketing claims until I hear from people who actually have it.) Does anyone know if there are plans for this version to be interoperable with PGP 3.0? Furthermore, has anyone tried the new version? --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From declan+ at CMU.EDU Wed Mar 27 03:38:53 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Wed, 27 Mar 1996 19:38:53 +0800 Subject: More on ACTA petition to FCC urging regulation of the Internet In-Reply-To: Message-ID: As soon as we challenged the Communications Decency Act in Federal court, another threat to the Net has arisen. This one is a petition a group of long-distance companies has filed with the FCC, urging the commission to extend its jurisdiction to the Internet and regulate "the use of the Internet for providing telecommunications services." The America's Carrier's Telecommunications Association (ACTA) is whining about voice-over-the-Net, and equating the Internet to telephone and cable TV services. Some excerpts from the petition, filed by ACTA on March 4: ACTA submits that the providers of this software are telecommunications carriers and, as such, should be subject to FCC regulation like all telecommunications cations carriers. ACTA also submits that the FCC has the authority to regulate the Internet. [...] ACTA asks the Commission to institute rulemaking to govern the use of the Internet for providing telecommunications services. [...] ACTA submits that it is incumbent upon the Commission to exercise jurisdiction over the use of the Internet for unregulated interstate and international telecommunications services. As a first step, ACTA submits that the Commission may deem it appropriate to issue a declaratory ruling officially establishing its interest in and authority over interstate and international telecommunications services using the Internet. [...] Ignored, such unregulated operations will rapidly grow and create a far more significant and difficult to control "private" operational enclave of telecommunications providers and users. [...] The Commission should take the same action in 1996 with regard to the new technology of long distance calling via Internet as it did thirty years ago in 1966 with regard to the then-new technology of cable television: grant special relief to maintain the status quo so that it might carefully consider what rules are required to best protect the public interest and to carry out Its statutory duties. [...] Absent action by the Commission, the new technology could be used to circumvent restrictions traditionally found in tariffs concerning unlawful uses, such as gambling, obscenity, prostitution, drug traffic, and other illegal acts. (Note how ACTA not-too-subtly raises the spectre of the four horsemen!) The deadline to file comments with the FCC in response to the ACTA petition has been extended to May 8, 1996, the FCC announced yesterday in its Daily Digest. A relevant back fight-censorship message about the original petition is at: http://fight-censorship.dementia.org/fight-censorship/dl?num=1876 For more information, check out: http://www.cais.net/cannon/acta.htm -Declan ---------- Forwarded message ---------- Date: Mon, 25 Mar 1996 20:46:24 -0500 From: Robert Cannon To: Multiple recipients of list Subject: ACTA Resource Page In conjunction with Henry Crawford, Craig Johnson, Andy Oram and other members of Computer Professionals for Social Responsibility (CPSR), I have uploaded an "ACTA Petition Resource Page." It can be found at http://www.cais.net/cannon/acta.htm On that page I have posted the lively and informative discussion of ACTA from Cyberia-L (I was careful to search for anyone who did not give permission to have their message reposted - a comment usually found in people's signature - if you object to having your message posted, please let me know). There is also a draft of a comment by CPSR, an article from the American Reporter, the relevant Supreme Court case, and, of course, the petition itself. ************************************************************ Robert Cannon, Esq. | || Leashes! Online and Interactive | \ @@==+ We Dont Need No Telecommunications Law | ====== Stinkin' Leashes! Washington, D.C. | || || -Pancho Villa http://www.cais.net/cannon ************************************************************ From jya at pipeline.com Wed Mar 27 03:46:38 1996 From: jya at pipeline.com (John Young) Date: Wed, 27 Mar 1996 19:46:38 +0800 Subject: SEC_oil Message-ID: <199603261600.LAA25885@pipe1.nyc.pipeline.com> 3-26-96. WSJ: "SEC Says Brewery May Use Internet to Offer Its Stock." The episode is extraordinary in that it shows the power of the Internet to free companies from their traditional market limitations, says Spring Street President Andrew Klein, who says. "My phone's been ringing off the hook from companies that want to know how they can sell a piece of their companies to the public using this technology, without paying underwriters or brokers and without having to give the company away to venture capitalists." SEC_oil From jamesd at echeque.com Wed Mar 27 04:06:47 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Wed, 27 Mar 1996 20:06:47 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <199603270702.XAA03401@dns2.noc.best.net> At 11:06 PM 3/26/96 GMT, aba at atlas.ex.ac.uk wrote: > ie I would have thought that getting rid of ITAR would be beneficial > to internet commerce in general, and likely advance uptake of > electronic cash (by several years?) For whatever reasons (best known > to themselves) even big fish like netscape, and microsoft don't seem > to have any stomach for taking on the USG in any meaningful way over > the issue. If the Leahy bill got rid of ITAR, then that would be a very great advance. It is far from clear that it does get rid of ITAR. If it was interpreted in a reasonable manner, then indeed it would get rid of ITAR. But if ITAR was interpreted in a reasonable manner, then that also would get rid of ITAR --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jamesd at echeque.com Wed Mar 27 04:07:12 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Wed, 27 Mar 1996 20:07:12 +0800 Subject: Bad news from Judge Richey Message-ID: <199603270702.XAA03403@dns2.noc.best.net> At 12:16 PM 3/26/96 -0800, Timothy C. May wrote: >I read your article as essentially saying: > >"Judges ought to remember that a box of shells costs a lot less than an appeal." In a family law case a few years ago, (I am afraid I cannot give the citation) a man with a well known tendency to violence suffered some remarkably unjust decisions. Some people involved in these cases met violent deaths. Their cars exploded, etc. Suddenly it became impossible to enforce previous family court judgements against this man because judges refused to hear the case. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jimbell at pacifier.com Wed Mar 27 04:54:32 1996 From: jimbell at pacifier.com (jim bell) Date: Wed, 27 Mar 1996 20:54:32 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: At 09:26 PM 3/25/96 -0800, Timothy C. May wrote: >At 1:21 AM 3/26/96, jim bell wrote: >IANACS (I am not a Constitutional scholar), but it is clear that the >Constitution, being a relatively short document, is a _framework_, a kind >of "generator," for establishing additional legislation. This is, obviously >enough, why there is _legislative branch_, after all. > >Jim's argument (?) could be turned in all sorts of ways: "Your Honor, there >is nothing I can find in the Constitution that says I can't drive on the >left side of the road at 125 miles per hour." Indeed, there is nothing >laying out detailed traffic laws. And so on. OTOH, there is much precedent for being able to conclude that a long-established practice is simply unconstitutional. To name just a single example, suffragist Susan B. Anthony insisted in 1872 on the right to vote, arguing that the Constitution guaranteed all citizens that right, and women were citizens too. Both premises were correct; In hindsight, the issue was whether or not they were considered together or merely separately. Nevertheless, it took the 19th amendment passed in 1920 to "grant" this right to women. Although my MCP (male chauvenist pig) credentials are at least as good as most, but not only did she have a point, she was absolutely correct. Despite 80+ years of contrary history, nothing within the Constitution could be interpreted as excluding women from voting. It was merely the practice of the day to do so. That practice COULD HAVE been changed without itself violating the Constitution; at least in theory the 20th amendment wasn't necessary. The fact that an amendment was the way the practice was changed shows that people will attempt to use the Constitution to justify practices which can't genuinely be supported there. The lesson to be learned from this is that "our" government does some things entirely without regard to the wording of the Constitution, which may later be recognized as wrong by later, more civilized times. For an example that has not yet been legally recognized, the Constitution prohibits "involuntary servitude," but until a couple of decades ago the military draft was in force. Challenges to the draft on that basis have never been recognized, despite the fact that the draft is one of the most obvious examples of "involuntary servitude" that there is. >That the Fifth Amendment attempts to make it clear that a defendant shall >not be compelled to give testimony which may tend toincriminate himself >(lotsa gotchas, as expected) clearly--to me if not to Jim Bell--implies >that a "legal system" involving testimony, search warrants, subpoenas, >juries, verdicts, appeals, etc., is implied by various parts of the >Constitution. It is, however, far more strongly "implied" by current practice than by any black-letter Constitutional provisions. The difficulty is separating _Constitutional_ justification from "Well, that's the way we've always done it, so it MUST be okay!" It's too bad that many people can't see the difference. >(I could search one of the many online copies of the Big C for details, but >I'm sure you all, except perhaps Jim, get it.) > >I'm no apologist for Big Government, of course, so I think we have vastly >too many laws in the U.S. But I don't think naive arguments saying that a >court cannot call witnesses by due process because the Constitution does >not specifically have a clause saying this is the case is going to be very >helpful or persuasive. They just recently repealed the national 55 MPH speed limit. Even though it was repealed by law, in the same way it was passed, plenty of people have argued that the Federal government has no jurisdiction in this area. Those arguments are absolutely valid, even if they were ignored. The danger in giving the government implicit authority in areas not mentioned in the Constitution is that it is not clear how far such justification extends. If the government can limit us to 55, then why can't they limit us to 40-bit keys? Jim Bell jimbell at pacifier.com From stewarts at ix.netcom.com Wed Mar 27 04:59:47 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Wed, 27 Mar 1996 20:59:47 +0800 Subject: About Triple DES ...... Message-ID: <199603270836.AAA20254@dfw-ix12.ix.netcom.com> At 02:24 PM 3/26/96 -0600, you wrote: > Please let me know if TRIPLE DES is regulated by the same rules than >the others criptography systems in USA. > We want to use it here in National Autonomous University of Mexico, so >we don't want to get jailed. I don't know about Mexican law. US persons are not supposed to export it without government permission, but that's not very relevant. Mexican law may or may not restrict import or use of crypto; better check with someone local. (I haven't heard anything saying that it _does_ restrict it - I just don't know either way.) > In case we can use it somebody knows where can i get the source code ?? That part's easy - DES source is available on ftp.ox.ac.uk, and also on ftp.dsi.unimi.it and ftp.funet.fi. There may be specific triple-DES code there, but if not, triple DES is just Encrypt(Key1, Decrypt(Key2, Encrypt(Key3, Message))) so you can easily write a subroutine to do that. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 1995: Chat rooms, espresso, and Linux 1996: Exon, melatonin, and Java. From jsw at netscape.com Wed Mar 27 05:35:34 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Wed, 27 Mar 1996 21:35:34 +0800 Subject: Edited Edupage, 24 March 1996 In-Reply-To: <01I2T0RRDGQO8ZDZIP@mbcl.rutgers.edu> Message-ID: <315908B5.72DA@netscape.com> E. ALLEN SMITH wrote: > >NETSCAPE TO GET IN ON THE PHONE-BY-INTERNET ACTION > >Netscape co-founder Mark Andreessen says that within six months the company > >will build into its Navigator program voice software (which it calls Insoft) > >for making low-cost long distance calls via the Internet into its Navigator > >program and that long-distance phone companies increasingly won't be able to > >justify their rates for telephone service. (Sydney Morning Herald 13 Mar 96 > >via Individual Inc.) > > Any possibility that Netscape might build in some form of cryptography? > I realize ITAR rules would make this problematic, but perhaps some sort of > out-of-country deal for putting in the hooks for PGPhone could be done. The internet phone software is coming from one of the companies that we are acquiring. This is one obvious application of SSL that I will be looking into after the merger is complete. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From anon-remailer at utopia.hacktic.nl Wed Mar 27 05:35:40 1996 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Wed, 27 Mar 1996 21:35:40 +0800 Subject: Black Unicorn attempts computer break in Message-ID: <199603270945.KAA13203@utopia.hacktic.nl> Date: Wed, 27 Mar 1996 16:58:14 +1100 Reply-To: Linux Servers mailing list Sender: Linux Servers mailing list From: Steve Gibson Subject: Strange things afoot at my SMTP port... To: Multiple recipients of list SERVER-LINUX I just found these while going through my messages file... do I have any need to be concerned??? (unicorn.it.wsu.edu is now in my /etc/hosts.deny...) Mar 23 20:39:25 aries sendmail[7469]: setsender: "|/bin/mail rblack at unicorn.it.wsu.edu < /etc/passwd": invalid or unparseable, received from unicorn.it.wsu.edu [1 Mar 23 20:39:25 aries sendmail[7469]: UAA07469: from="|/bin/mail rblack at unicorn.it.wsu.edu < /etc/passwd", size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=uni There were also attempts at connecting to my tftp port, although at the time, in.tftpd wasn't on the system (it is now, and is also in my hosts.deny to all except for local) Thanks... Interspace Australia Pty Ltd Steve Gibson - System Administrator From wlkngowl at unix.asb.com Wed Mar 27 06:30:48 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Wed, 27 Mar 1996 22:30:48 +0800 Subject: WSJ on Big Java Flaw In-Reply-To: <199603261558.KAA25648@pipe1.nyc.pipeline.com> Message-ID: <31591D05.5998@unix.asb.com> John Young wrote: > Wall Street Journal, March 26, 1996, p. B4. > Researchers Find Big Security Flaw In Java Language > By Don Clark > > A team of Princeton University researchers said they > discovered the most serious security flaw yet in the widely > used Java programming language from Sun Microsystems Inc. > > The flaw could make it possible for unscrupulous hackers to > destroy files or cause other types of damage on any > personal computer that uses Netscape Communications Corp.'s > Navigator program, said Edward Felten, a Princeton > assistant professor of computer science who helped discover > the flaw.[..] > Mr. Felten said that unscrupulous people who discovered the > flaw could boobytrap a Web page on the Internet, > essentially seizing control of the browser software of any > PC that tapped into that page. At that point, the hackers > could read or delete an entire hard disk of data files. > "The consequences of this flaw are as bad as they can be," > he said.[..] The generalized halting problem comes to mind... Since it can be proved that there's no complete set of heuristics to tell if a given program has a characteristic (such as "secureness") then sooner or later someone will discover another security flaw. A question is whether a simple patch is made or if the set of heuristics is widened (ie, learn from mistakes) so that similar flaws can be found based on knowledge of that one flaw. From wlkngowl at unix.asb.com Wed Mar 27 06:45:02 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Wed, 27 Mar 1996 22:45:02 +0800 Subject: Crypto CD UpDate In-Reply-To: Message-ID: <31592105.23B9@unix.asb.com> Timothy C. May wrote: > It pains me to often be the one who throws cold water on what seems to be a > good idea, and what comes from a well-intentioned person. But I have to > call 'em as I see 'em. And maybe I'm wrong. But here are my thoughts.[..] > 1. The CD-ROM "freezes" the various programs, archives, etc. at the moment > the files are finalized and the CD-ROMs are pressed (or burned individually > on a CD-R, at somewhat higher per-copy price). If the author of the CD-ROM > is not committed to updating the CD-ROM at frequent intervals--say, every > few months--then the programs will exhibit "version decay" and be nearly > useless. A very good point... But that depends on the crypto put on the CD-ROM. Some files aren't as liable to version-decay, especially source codes and papers (which IMO is more useful than fully-implemented crypto programs). A CD-ROM that contains source codes (in various languages) and descriprions for ciphers, hashes, cryptanalysis methods, and even some cultural-political screeds would be more useful than one that contains 'the latest version of PGP'. And actually version-decay isn't that bad an issue. Put a warning file in the CD-ROM about that, with pointers to crypto ftp- and web sites. The publisher being comitted to putting out a new CD-ROM every year is probably often enough in most cases. A nice advantage of CD-ROMs is that many BBSs that aren't plugged into the net use them. I rememebr showing threads about a similar C'punks CD-ROM discussion a couple of years ago to some local BBS-sysops asking about new CD-ROMs (bored of the usual Pier and NightOwl fair)... they were really into the idea, if nothing else than it was "hip" with a nice plitical edge but also had a utility and education value that surpassed the usual gobbleware CDs. An reference sources for hashes or ciphers and papers about them, plus some papers about general crypto principles necessary for all newsbies and even gurus to (re)read would be really useful. From wlkngowl at unix.asb.com Wed Mar 27 06:55:11 1996 From: wlkngowl at unix.asb.com (Mutant Rob) Date: Wed, 27 Mar 1996 22:55:11 +0800 Subject: About Triple DES ...... In-Reply-To: Message-ID: <315923E1.3D3B@unix.asb.com> Rich Graves wrote: [..] > At some point in this exercise, though, we might be "raising awareness" > among the wrong people, to cite Tim May. I wouldn't want NAFTA, the WTO, > and so on enforcing ITAR. It's conceivable that companies could appeal to those organizations to repeal ITAR crypto limits (unless an international crypto treaty is set up... uh ohh), since the limit unfairly disadvantages North American companies, and to some extent even foreign companies that might manufacture software in the US. From frissell at panix.com Wed Mar 27 07:56:05 1996 From: frissell at panix.com (Duncan Frissell) Date: Wed, 27 Mar 1996 23:56:05 +0800 Subject: How to enter the US without a visa? Message-ID: <2.2.32.19960327112937.00c4c2dc@panix.com> At 10:31 PM 3/26/96 -0800, jamesd at echeque.com wrote: >This is somewhat off topic for cypherpunks, but alt.forgery is dead, so >cypherpunks is probably the nearest group. > >Suppose (hypothetically) an American resident cypherpunk had a >hypothetical friend who is most unlikely to obtain an American visa. > >Now the standard way of dealing with situation is for an American >friend to get a certified birth certificate of someone born in >America, concoct some photo ID, send it to the out-of-America friend, >and then the out-of-America friend comes in through Montego Bay or >some similar point where there is lots of tourist traffic. The NYT had an article last year about coming in via the "day boats" to the Bahamas. No confrontation with US officials at all. The publicity may have caused changes but it might be worth checking out. Friend gets a round trip tickets from Ft. Lauderdale(?) to the Bahamas. Meets smugglee in the Bahamas gives him the return half of one ticket (maybe this could be done via Fedex). Traveler boards boat back. Ignores PA announcement for all non US residents to report to the INS table "A" Deck. DCF From jimbell at pacifier.com Wed Mar 27 08:12:40 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 28 Mar 1996 00:12:40 +0800 Subject: So, what crypto legislation (if any) is necessary? (Was List O' , shame) Message-ID: At 08:14 AM 3/25/96 -0800, Simon Spero wrote: > >If the Leahy bill is unacceptable, what legistlation is necessary? I >can't see how the use of cryptography in the commission of a crime needs >to be a separate offence, but I could see how it could be treated as a >special circumstance - that doesn't really needed a new law though. > >I do feel that it should be possible for courts to sub poena crypto keys, >but that doesn't really need new law either If you really believe that, then what happens when "they" argue that crypto keys MUST be kept, because if they are not kept they can't be subpoenaed? If a manufacturer proposes building a crypto telephone where no keys are kept after they call ends, then it seems to me that he'd be accused of thwarting some "right" to courts' access to keys. If you disagree with this line of reasoning, then why did you say that last line above? Read it carefully; remember, you wrote it. Jim Bell jimbell at pacifier.com From blancw at accessone.com Wed Mar 27 08:15:42 1996 From: blancw at accessone.com (blanc) Date: Thu, 28 Mar 1996 00:15:42 +0800 Subject: ITAR double standards? Message-ID: <01BB1A99.C81728A0@blancw.accessone.com> From: Timothy C. May I think there's been ample evidence that the ITARs are often used to harass U.S. companies that "won't play ball," that refuse to go along with certain governmental policies. (Part of the think we libertarians hate about Big Government and Lots of Laws is that government can use selective enforcement an another lever of power. As a felon, I am acutely aware of this power.) ............................................................................ You're a felon? For real? .. Blanc From tcmay at got.net Wed Mar 27 08:18:24 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 28 Mar 1996 00:18:24 +0800 Subject: Bad news from Judge Richey Message-ID: At 3:28 AM 3/26/96, jim bell wrote: >I realize that this may appear to be a rather disrespectful tactic, but have >you considered reminding the judge that if you are not allowed to profit by >exporting encryption that the government doesn't want to see exported, >you'll just have to make money in some other way, and this may lead you to >talk to Jim Bell about implementing a program using encryption that doesn't >_need_ to be exported...legally anyway. Whoahh! Hold on there, Jimbo! You're crossing the line. You're coming perilously close to actually calling for the killing of a federal judge. My recollection is that a couple of folks have been arrested and charged for calling for the killing of judges. You can skirt the issue by saying, in your "literal reading" mode, that you have not called for any such thing. However, we have read your "assassination politics" stuff ad nauseum, and it is clear from your language above that you are suggesting that this judge be made the target of one of your "betting pools." This is a plausible reading of your words. What may save your bacon, if any law enforcement or district attorney types are reading this, is that you are sort of the "neighborhood whacko" and your ramblings are unlikely to be acted upon by anyone, including yourself. Still, it does your "idea" no good to be talking about using your "assassination politics" scheme to have a judge whacked. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Wed Mar 27 08:23:27 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 28 Mar 1996 00:23:27 +0800 Subject: ITAR double standards? Message-ID: At 6:13 AM 3/26/96, blanc wrote: >From: Timothy C. May > >I think there's been ample evidence that the ITARs are often used to harass >U.S. companies that "won't play ball," that refuse to go along with certain >governmental policies. (Part of the think we libertarians hate about Big >Government and Lots of Laws is that government can use selective >enforcement an another lever of power. As a felon, I am acutely aware of >this power.) >............................................................................ > >You're a felon? For real? > Yes. --Tim THE X-ON CONGRESS: INDECENT COMMENT ON AN INDECENT SUBJECT, by Steve Russell, American Reporter Correspondent....You motherfuckers in Congress have dropped over the edge of the earth this time... "the sorriest bunch of cocksuckers ever to sell out the First Amendment" or suggesting that "the only reason to run for Congress these days is to suck the lobbyists' dicks and fuck the people who sent you there," ....any more than I care for the language you shitheads have forced me to use in this essay...Let's talk about this fucking indecent language bullshit. From stewarts at ix.netcom.com Wed Mar 27 08:32:08 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 28 Mar 1996 00:32:08 +0800 Subject: LIST OF SHAME VOLUNTEERS Message-ID: <199603260621.WAA13869@dfw-ix8.ix.netcom.com> At 09:55 AM 3/25/96 -0500, "Declan B. McCullagh" wrote: >Excerpts from internet.cypherpunks: 25-Mar-96 Re: LIST OF SHAME >VOLUNTEERS by Black Unicorn at schloss.li >> I did a little weekend poking, I can confirm this. If the Leahy bill >> passes, it will be a surprise (putting it mildly). > >Especially since there are only -- how many? -- 40 or 50 days left in >this legislative session. It might almost be nice to have the legislative session go out on a note of "We were working on a bill to re-emphasize the Constitutional right to private speech" rather than a note of "We came for the pornographers, and you narco-terrorist child-porn-hiding cryptographers* are next on our List**!" ...especially if it gives us some slack time to improve the (serious) weakness of the positive-sounding parts of the bill. Is Senator Leahy up for re-election this round? ==== content-downsized material follows ==== [**It's especially critical not to be Next on the List during the first few months of the Buchanan administration....] [*and your little dog, too!] ====== #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissible." - US government statement on China... "SigFiles of Unusual Size? I don't believe they exist!" From jya at pipeline.com Wed Mar 27 08:36:09 1996 From: jya at pipeline.com (John Young) Date: Thu, 28 Mar 1996 00:36:09 +0800 Subject: FRE_mad Message-ID: <199603271157.GAA23525@pipe1.nyc.pipeline.com> 3-27-96 NYT has two stories on the FBI siege of the Freemen tax protestors in Montana. One compares Waco and Ruby Ridge slaughter to this Freeh-mad cow prion. FRE_mad From jya at pipeline.com Wed Mar 27 08:42:14 1996 From: jya at pipeline.com (John Young) Date: Thu, 28 Mar 1996 00:42:14 +0800 Subject: WSJ on Big Java Flaw Message-ID: <199603261558.KAA25648@pipe1.nyc.pipeline.com> Wall Street Journal, March 26, 1996, p. B4. Researchers Find Big Security Flaw In Java Language By Don Clark A team of Princeton University researchers said they discovered the most serious security flaw yet in the widely used Java programming language from Sun Microsystems Inc. The flaw could make it possible for unscrupulous hackers to destroy files or cause other types of damage on any personal computer that uses Netscape Communications Corp.'s Navigator program, said Edward Felten, a Princeton assistant professor of computer science who helped discover the flaw. Netscape Navigator, which uses Java, is the most popular software for browsing the Internet's World Wide Web. Java enables the creation of tiny programs, called applets, that are transferred from a Web site on the Internet to a PC running Netscape Navigator. Mr. Felten said that unscrupulous people who discovered the flaw could boobytrap a Web page on the Internet, essentially seizing control of the browser software of any PC that tapped into that page. At that point, the hackers could read or delete an entire hard disk of data files. "The consequences of this flaw are as bad as they can be," he said. Sun, a computer maker based in Mountain View, Calif., acknowledged the problem. "This one is a serious bug," said Marianne Mueller, a senior Sun engineer specializing in security issues. The company, alerted by Princeton on Friday, is already testing a software fix it has developed for the program and hopes to distribute it to Netscape and other users in about two days. Those companies are then expected to distribute updated versions of their Web browsers or other products to users. "We plan to fix it and get it out to our customers as fast as we can," said Jeff Treuhaft, a Netscape product manager. Java was originally touted by Sun as a secure language. But at least two other flaws have already been discovered in the technology, including a less-serious problem uncovered by the Princeton team last month. Sun's Ms. Mueller said the problems have been correctable details in the way the Java code is written, not problems with its basic design. [End] From richieb at teleport.com Wed Mar 27 09:13:39 1996 From: richieb at teleport.com (Rich Burroughs) Date: Thu, 28 Mar 1996 01:13:39 +0800 Subject: So, what crypto legislation (if any) is necessary? (Was List O' , , shame) In-Reply-To: Message-ID: On Mon, 25 Mar 1996, Simon Spero wrote: > > If the Leahy bill is unacceptable, what legistlation is necessary? I > can't see how the use of cryptography in the commission of a crime needs > to be a separate offence, but I could see how it could be treated as a > special circumstance - that doesn't really needed a new law though. [snip] Good question. Along this line -- what are the penalties for withholding other types of possible evidence from investigating officers? It seems that often the penalites for "computer crimes" are more harsh than for the "normal" version of the crime. Is that the case with the penalties in Leahy's bill? ______________________________________________________________________ Rich Burroughs -- richieb at teleport.com -- psu07973 at odin.cc.pdx.edu http://www.teleport.com/~richieb --- Opinions are mine, not Teleport's PGP key fingerprint: 1F A1 40 72 92 02 DE 7A 80 D0 5A 57 D3 1C 87 86 From dlv at bwalk.dm.com Thu Mar 28 04:21:55 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Thu, 28 Mar 96 04:21:55 PST Subject: Why Americans feel no compulsion to learn foreign languages In-Reply-To: <31595F37.2781@cs.strath.ac.uk> Message-ID: <8BZHLD14w165w@bwalk.dm.com> os writes: > >There is not a single foreign language I can think of it that would help me > >in my goals or help anyone I know. > > I have never known anyone being disadvantaged by knowing another language tha > tongue. Tim (and others) miss out the pleasure of using an exotic language in the presense of people who won't understand it. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From anonymous-remailer at shell.portal.com Thu Mar 28 04:43:33 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Thu, 28 Mar 96 04:43:33 PST Subject: No Subject Message-ID: <199603281242.EAA13933@jobe.shell.portal.com> At 12:21 AM 3/28/96, Syed Yusuf wrote: >If a person who speaks three languages is tri-lingual >If a person who speaks two languages is bi-lingual > >What do you call a person who only speaks one language? > >---------------------answer follows: > >An American. Or our version: What do you call a person who has to learn English as a second language in order to compete in the world? A foreigner. (Sorry for the insult, but it seems that this thread is bringing out insults from foreigners of all sorts.) --Tim Dont be sorry! Foreigner can atleast speak broken English. Can American speak broken foreign language? From r3506010 at cml11.csie.ntu.edu.tw Thu Mar 28 05:19:10 1996 From: r3506010 at cml11.csie.ntu.edu.tw (Chein-hsinLiu) Date: Thu, 28 Mar 96 05:19:10 PST Subject: Question about Blind Signature Message-ID: <199603281310.VAA23754@cml11.csie.ntu.edu.tw> Hi! I have some stupid question about how to implement blind signature. I Know it works as follows: If A wants B to sign X but donot know it is X, A can send X*PK(random) : PK is public key of B Then B signs on message: SK(X*PK(random)) ==> SK(X)*random Then A can obtain SK(X) by SK(X)*random/random My question is when I see how RSA encrypts using PKCS The PKCS block is like this 00 01 FF FF FF FF ... 00 input Then SK(00 01 FF FF FF .. 00 input) . If the input = X*PK(random) then SK(00 01 FF FF FF .. 00 X*PK(random)) will not produce SK(X)*random How to solve this?? Thanks!! From moen at cyberspace.com Wed Mar 27 13:32:44 1996 From: moen at cyberspace.com (Bruce Moen) Date: Thu, 28 Mar 1996 05:32:44 +0800 Subject: ViaCrypt PGP 4.0 for Windows shipping In-Reply-To: <2.2.32.19960327060017.0090a994@mail.teleport.com> Message-ID: And I am new here, so doubly sorry for the same reason. But I was corresponding with Via Crypt on this same point and here is a copy of what they sent me. >From barnhart at viacrypt.comWed Mar 27 05:22:25 1996 Date: Tue, 26 Mar 1996 12:08:49 -0700 From: "Dave Barnhart, ViaCrypt Product Manager" To: moen at cyberspace.com -----BEGIN PGP SIGNED MESSAGE----- Dear Sir: Eric Nesson here at ViaCrypt has shared your email inquiry with me, and I thought I should contact you to provide you with some clarification and more information. The post you read on alt.security.pgp is in reference to *new types of keys* that ViaCrypt PGP can create. This means that, in addition to the PGP keys that we have all been using for a long time now, ViaCrypt PGP can also create keys with some special attributes.It is these *new types of keys* that are not recognized by the existing freeware PGP. You can continue to use your existing keys with ViaCrypt PGP 4.0. And you can create new keys that are fully interoperable with all the older PGP's out there. It is only when you generate a new key and turn on one of these special attributes that it becomes unrecognizable by the existing freeware PGP. These special attributes I refer to are: 1. "This key can be used for encryption/decryption only. It cannot be used for digital signatures." 2. "This key can be used for digital signatures only. It cannot be used for encryption/decryption." We call keys with this special attributes 'single-function keys'. I hope this answers your questions. If not please do not hesitate to ask. Best Regards, David Barnhart ViaCrypt Product Manager -----BEGIN PGP SIGNATURE----- Version: 4.0 Business Edition iQEVAwUBMVg4u3hUuWjy7vyrAQEG9ggAnfOGI9tkYa8/W66UvTb+7TBmzHbiPPYw 1J8iBOp+Uj75hxUhr9gY45IUZtcqYHLHCECVpoqcLU2iJsVqMKhv5ohmiTYHEW4Z xYzbO5lpWqL3rkSMRZK/pXnlumfZTuS94jY9bKyn0dDCqeZ2p7UtAE7/HD7DoAIj 4tMnyNxZxvo0IoxPOCxOTKgdrSB3/KxJWZSAWUPvzNBU+XTpfXu4LvI0sZKOS9Nr 0jEUUwmmrawldei31w916Zc20hmHsP6rOfSaiC5n/03ZXgW976q1sBViDAdwuuPP ktsCrAB5A2MxuYve1XVVRXwPc7rLN4T4RHqUcKgw4nvnbiKmGYcliA== =OFTV -----END PGP SIGNATURE----- On Tue, 26 Mar 1996, Alan Olsen wrote: > I have not seen this here yet, so sorry if you have seen it... > > ViaCrypt is claiming that they are now shipping the Windows version of their > PGP 4.0. (I tend to not believe marketing claims until I hear from people > who actually have it.) > > Does anyone know if there are plans for this version to be interoperable > with PGP 3.0? > > Furthermore, has anyone tried the new version? > --- > Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction > `finger -l alano at teleport.com` for PGP 2.6.2 key > http://www.teleport.com/~alano/ > "We had to destroy the Internet in order to save it." - Sen. Exon > > > From perry at piermont.com Wed Mar 27 15:09:45 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 28 Mar 1996 07:09:45 +0800 Subject: DESCRIBE In-Reply-To: Message-ID: <199603261927.OAA13236@jekyll.piermont.com> Dan Ringley writes: > Take me off of the God Forbidden list already! Now! Unfortunately for us, we are not in a position to do so, as we are subscribers to the list, not the management. Doubtless, being a mentally challenged person, you will continue to harrass us, post obnoxious messages, and do other things in spite of the fact that none of your victims will be in a position to help you out. If you had an ounce of intelligence, of course, you would simply use the automated unsubscription instructions you got when you subscribed. Sadly for the rest of us, who will now have to deal with your whining indefinately, intelligence is a commodity in precious supply around this planet. Perry From EALLENSMITH at ocelot.Rutgers.EDU Wed Mar 27 15:11:42 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Thu, 28 Mar 1996 07:11:42 +0800 Subject: Yeo, Pea-brained Imbecile Message-ID: <01I2SRJHG8U28ZDZ7I@mbcl.rutgers.edu> From: IN%"peponmc at fe3.rust.net" "Michael Peponis" 19-MAR-1996 10:17:59.06 >Given the plethera of reports like this, I will start maintaining a list of >country that will not be given access to my site, no FTP, no HTTP, no nothing, >on top of that, I will hard code into all the new versions of my network aware >programs to check for a domain subfix, if it is on of the black list, the >software will not function. I would suggest making an exception for material that the country in question _doesn't_ want available... you don't want to do their work for them. Of course, if that it's from a .gov-type site in that country (kind of hard to tell without the domain, but...), that's another story. >Filtering works both ways, they filter out the political and sex groups on >their end, we filter out the technical information on ours, I hope they enjoy >what is left, which is not much. This brings up the related topic of filtering mail lists the other way around. There have been times that I've wanted to email everyone on a mailing list _except_ one or two people. It's massively inconvenient to try to do this without automated software, for a large mailing list. Therefore, I'd be interested in majordomo/listserv/whatever modifications that would enable doing so. Of course, for anything significant having seperately encrypted messages to each person (as per that thread a bit back on encrypted mailing lists) would be necessary. -Allen From jimbell at pacifier.com Wed Mar 27 15:12:04 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 28 Mar 1996 07:12:04 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: At 11:11 AM 3/26/96 -0500, Adam Shostack wrote: >Timothy C. May wrote: > >| My point is that I see no compelling legislation that is needed. If enough >| people in Washington really want increased length in _exported products_ >| (remember the "exported" part), the Congress and the President should find >| it easy enough to get said products on to the Approved List. (I note that >| the Leahy Bill really doesn't change this system anyway...some products go >| on the list, some don't...the law only seems to say that when the horse has >| already left the barn, i.e., when "comparable" products are already in >| fairly wide use outside the U.S., then the products should be put on the >| approved list. Big deal. > I'm forced to disagree on this point. I think that the >comparable product has the potential to be a very big deal; it means >that any product using IDEA or 3DES may become exportable, because >such products are available outside the US. > > It may be that wide use will be quibbled over, but DES, weak >as it is, is widely used outside the US, and IDEA and 3DES will be. >Thats why this legistlation will fail to pass. I think Tim already pointed out that the danger in this kind of conditional approval is that it would be used to restrict export of new _usages_ for cryptography based on their "political correctness" quotient, rather than simply on the basis of level of security (length of codes.) In other words, just because a program used 3DES or IDEA would not automatically make it exportable. This may sound pessimistic, but unfortunately pessimistic turns into "accurate" far too often. Far more acceptable (and useful to us) would be a rule which would mandate the government's allowing the export of any program that had, say, the key security provided by IDEA or less, regardless of what it did with that encryption. (Not that I want _any_ restrictions; it's just that such a limit would make it impractically large to attempt to crack.) Jim Bell jimbell at pacifier.com From aba at atlas.ex.ac.uk Wed Mar 27 15:12:17 1996 From: aba at atlas.ex.ac.uk (aba at atlas.ex.ac.uk) Date: Thu, 28 Mar 1996 07:12:17 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <21485.9603262306@sirius.dcs.exeter.ac.uk> At 4:11 PM 3/26/96, Adam Shostack wrote: >Timothy C. May wrote: > > I'm forced to disagree on this point. I think that the > >comparable product has the potential to be a very big deal; it means > >that any product using IDEA or 3DES may become exportable, because > >such products are available outside the US. > > I certainly don't disagree that if Leahy is passed, which is unlikely, then > conventional ciphers like 3DES will become exportable. (And I am forced to > add, "Big deal.") > > What I'm more interested in are not the ciphers which had their genesis in > the crypto work of the 70s, but in the new and exciting applications to > come. Things such as this list often discusses. I believe Leahy could stall > export of these new items until eventually there are offshore equivalents > of sufficiently wide deployment that the Leahy clause would get invoked. On the ITAR issue, and whether this is a big deal for someone living in the US, it seems to me that the major annoyance of ITAR is that it slows down development, and commercial uptake of crypto because the internet is a worldwide market place. ie I would have thought that getting rid of ITAR would be beneficial to internet commerce in general, and likely advance uptake of electronic cash (by several years?) For whatever reasons (best known to themselves) even big fish like netscape, and microsoft don't seem to have any stomach for taking on the USG in any meaningful way over the issue. I'd view widely deployed electronic cash to be a step in the right direction opening the way for more interesting crypto applications. What's your analysis on this? Do you think I am over-rating the negative effects of ITAR on furtherment of electronic cash? What say about electronic cash as a catalyst for uptake of other crypto applications? (my use of "electronic cash" above refers to payee and payer anonymous, not electronic cheques or credit card transactions over the internet) Adam From shamrock at netcom.com Wed Mar 27 15:12:24 1996 From: shamrock at netcom.com (Lucky Green) Date: Thu, 28 Mar 1996 07:12:24 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: At 2:08 3/26/96, Shabbir J. Safdar wrote: >We have to wake up and learn from the fight against the net censorship >legislation. This is realpolitik. Congress will legislate crypto, >whether we want them to or not. This is not news anyone wants to hear, >but we have to face up to it. IMHO, Congress *will* outlaw non-GAK strong crypto. It is only a matter of time. >This is actually very important. The Leahy bill forces Joe's Key >Warehouse to only divulge your key when they've been presented with a >warrant that's on par with whatever they used to get your original >communication. That means that Louis Freeh can't issue an >administrative subpoena to get your key, after he's got a judge to >allow the FBI to search your house. They have to get a judge involved >for both parts. It is a widespread myth that wiretaps require warrants. Court ordered warrants are not required for a wiretap. They have not been required since the Digital Telephony Bill passed. That the net, the media, and even attorneys are so blissfully unaware of this, even years after the provision doing away with requiring warrants became law, is one of the finest examples of cognitive dissonance you are ever likely to find. It is too disturbing to believe it, so the mind ignores the facts. Excerpt from the Digital Telephony Bill quote SEC. 103. ASSISTANCE CAPABILITY REQUIREMENTS. (a) Capability Requirements: [...] a telecommunications carrier shall ensure that its equipment, facilities, or services, that provide a customer or subscriber with the ability to originate, terminate, or direct communications are capable of-- (1) expeditiously isolating and enabling the government, pursuant to a court order or other form of authorization, to intercept, [...] all wire and electronic communications [...]. end quote *Other forms of authorization*, other than a court ordered warrant that is, are explicitly allowed. Nowhere in the bill, or anywhere else AFIK, is stated what form these other forms of authorization can take. No limits whatsoever as to what the government can do. "My supervisor approved it" may well suffice. -- Lucky Green PGP encrypted mail preferred. From EALLENSMITH at ocelot.Rutgers.EDU Wed Mar 27 15:12:47 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Thu, 28 Mar 1996 07:12:47 +0800 Subject: Traffic Jams on the Internet Message-ID: <01I2SQ2FUST88ZDZ7I@mbcl.rutgers.edu> It occurs to me that it would be good if people sent in some non-governmental/hierarchial solutions to this problem, such as ones using digital cash as "postage" for prioritized mail. -Allen From: Phil Agre =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" command. For information on RRE, including instructions for (un)subscribing, send an empty message to rre-help at weber.ucsd.edu =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Date: Fri, 15 Mar 1996 05:34:50 -0500 (EST) From: Automated Mailer To: STSFUL-L Mailing List Subject: [Press Release] TRAFFIC JAMS ON THE INTERNET The file "pr968.txt" has been added to the STIS system. This file is a NEW file. Reference material is located at the end of this message. ----------------------------------------------------------------------- Title : TRAFFIC JAMS ON THE INTERNET Type : Press Release NSF Org: OD / LPA Date : March 14, 1996 File : pr968 Media only contact: Beth Gaston March 14, 1996 (703) 306-1070/egaston at nsf.gov NSF PR 96-8 All others contact: Mark Luker (703) 306-1950/mluker at nsf.gov TRAFFIC JAMS ON THE INTERNET: New Connections Program to force Internet Technology While the Internet grows in popularity, a related problem is growing: traffic jams. The increased demand of more people on-line using increasingly sophisticated tools has caused delays in transmission unacceptable for some scientific uses. The National Science Foundation has introduced a new twist to its connections program: emphasizing innovative solutions that may have broad implications for all Internet users. The program will look for meritorious applications that require high performance networking, and will then fund development by university and college campus network service providers. Technology developed for this program will likely affect future operation of the Internet. The technology will introduce the idea of prioritization to Internet traffic. For example, if planning to use the U.S. Postal Service to send a package, you have options: overnight mail, first-class service, or third-class service. The rate of the package delivery is contingent on how it is designated. Freeways around major cities often have either express toll roads or high-occupancy-vehicle lanes to bypass congested areas. Similarly, NSF's connections program is expected to spur the development of switches and routers to help alleviate bottlenecks of information. "There is no single solution. We hope this grant program will stimulate the development of a technological option for the Internet, to introduce prioritization and provide a new style of connection that gives a guaranteed level of service at a national level," said Mark Luker, manager of NSF's connections program. Currently on the Internet, all packets of information are treated alike. While this worked fine before the popularization of the Internet, it now interferes with some uses that require high performance service. One example is to use high performance connections of multiple small computers to create a large workstation cluster distributed across the nation. The Internet is currently too congested for such a system. Teleconferencing or videoconferencing also places too great a need on the current capacity. And, some scientific instrumentation requires specific fast connections, though not necessarily high bandwidth. Interruptions or delays caused by Internet congestion could be fatal to experiments. One solution might include prioritization of traffic on the Internet. Another solution might involve diverting specially coded traffic to high performance, special use networks, such as NSF's vBNS (very high speed Backbone Network Service). -end- NSF was created as an independent federal agency in 1950, uniquely charged with promoting the progress of all fields of science and engineering. Today, as a leader and steward of the nation's science research base, NSF supports both research and education through competitive grants to about 2,000 universities and other institutions. NSF receives some 60,000 research proposals each year and funds about one-third of them. ** News releases and tipsheets are available electronically on NSFnews. To subscribe, send an e-mail message to listmanager at nsf.gov. In the body of the message, type "subscribe nsfnews" and then type your name. For more guidance, send a "help" message to listmanager at nsf.gov. Also see the NSF Home Page (http:// www.nsf.gov), under News of Interest. ----------------------------------------------------------------------- End of pr968.txt ----------------------------------------------------------------------- ** FOR YOUR REFERENCE ** This message was mailed to the STIS mailing list "STSFUL-L". To get off the list, send the following message to "ListProc at stis.nsf.gov": unsubscribe STSFUL-L If you receive an error message, send the following message for more information: help unsubscribe If, after 24 hours, you haven't received *any* response from ListProc send a message to "stis at nsf.gov". A human will read your message. ------- End of forwarded message ------- From shabbir at vtw.org Wed Mar 27 15:13:11 1996 From: shabbir at vtw.org (Shabbir J. Safdar) Date: Thu, 28 Mar 1996 07:13:11 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <199603260852.DAA24892@panix4.panix.com> I read Tim's comments with enthusiasm, as I think we agree on many things. I, as well, wish for a world where there is crypto so heavily proliferated that all the regulations in the world cannot either hinder or help get it into the hands of the public. In the meantime, Tim advocates putting good code out there for people to use, racing to the point of no return. I don't disagree, but that's not where my talents lie. Mine lies in keeping Congress from doing damage today, a strategy which Tim may call very short term (getting good code out and well-deployed is long term) but hey, it's what we do. Let's hope we both arrive at that end in time to retrospect about strategy. I must agree though, watching legislation is a lot like watching sausage being made... -Shabbir J. Safdar * Online Representative * Voters Telecomm. Watch (VTW) http://www.vtw.org/ * Defending Your Rights In Cyberspace PS If you're going to be at CFP, stop me and say hi. Timothy C. May writes: >At 7:08 AM 3/26/96, Shabbir J. Safdar wrote: >>Timothy C. May writes: > >>>I don't see any compelling need for U.S. legislation. And given the >>>pressures to attach all sorts of language to bills, I think it best that no >>>legislation happen. >> >>Unfortunately, this is not an option. Legislation will happen, with our >>endorsement or without it. One good example is the Grassley computer >>crime bill earlier in 1995. Nobody advised him on this, as far as I can >>tell, he just went out and drafted it. Lo and behold, he drafted a >>provision that basically criminalized all crypto, including rot13. > >Of course I am not saying everyone should just be silent. Various >organizations, including Shabbir's own very able VTW, do a good job in >challenging bad laws and helping to make the "political sausage" which is >so very disgusting to watch being made. > >My point is that I see no compelling legislation that is needed. If enough >people in Washington really want increased length in _exported products_ >(remember the "exported" part), the Congress and the President should find >it easy enough to get said products on to the Approved List. (I note that >the Leahy Bill really doesn't change this system anyway...some products go >on the list, some don't...the law only seems to say that when the horse has >already left the barn, i.e., when "comparable" products are already in >fairly wide use outside the U.S., then the products should be put on the >approved list. Big deal. > >And my meta-point, repeated in several recent posts, is that compromising >on very basic liberties for the sake of a "deal" to let Lotus or Microsoft >or RSADSI have one uniform, "world" product is a very bad deal. > >(Key length alone is not an answer, anyway. Domestically we can have >arbitrary key lengths, with no limits on strength. So, will a "world >version" be limited to 64 bits (at best)? Will I, as an American, be forced >to limit myself to this "world" length? This is a compromise of my >liberties, just for the sake of simplifying the inventory control problems >of Lotus and Microsoft! And it still doesn't address the many points we've >discussed over the years about superencryption, rogue programs, and access >by foreign LEAs.) > >Granted, the Leahy Bill does not explicitly mandate key escrow, whether >TIS' CKE/SKE or Lotus' "40+24" crypto-with-two-heads scheme. But it >includes language that suggests a role for government in key escrow and >even says escrow holders may not notify the subject of a subpoena that his >key has been snarfed by the Feds. (Superficially, this resembles wiretaps, >except that one's escrow agent may be one's lawyer, or mother, or business >partner....it makes for messy situations.) > >I'll have to move on to Shabbir's other comments. > >>We have to wake up and learn from the fight against the net censorship >>legislation. This is realpolitik. Congress will legislate crypto, >>whether we want them to or not. This is not news anyone wants to hear, >>but we have to face up to it. > >Be my guest. You're in Washington, you're connected, you're in a position >to lobby. I only speak for myself, and my views. I am 3000 miles away from >D.C., and have no intention of visiting that mosquito pit (I grew up >outside of D.C.). > >I put my argument efforts into this mailing list (and Cyberia, until >recently). If people want to read my arguements, they can subscribe, or get >the occasional article forwarded. Frankly, I don't think my brand of >political philosophy fits, and I'm not going to change my political >philosophy just to help Lotus or Microsoft get approval to export a 64-bit >version of "Lotus Notes" or "Bob." > >>Congress has discovered the net, and partly though the widespread fame >>of this list, they have also discovered crypto. Simply saying, "we don't >>want any laws that address crypto" may be the ideal solution, but that won't >>stop them from passing laws that govern the domestic use of crypto. > >Well, this is when things will get exciting. This is the Real Battle (tm) >we've all been anticipating: laws on domestic use of encryption. Maybe I'll >share a cell with that guy who was caught writing in an unapproved >diary...Winston Smith, I think his name was (CNN carried a report on his >conviction..."Escrow is Freedom"). > >Until then, the more Congress learns about the Potential Dangers of Crypto, >the worse for us. (I had a noted lobbyist approach me about speaking before >a committee...when it became clear to him that I wasn't interested in >giving a "See Dick read, see Jane encrypt" PR blurb for crypto, he realized >I was not the right person. Frankly, the ACLU and that sort can do a >perfectly fine job on the "basics" of crypto, the 10-minute version (that >still leaves the Congressfolks in a haze). > >Aside: My hunch is that crypto legislation will languish. Until, maybe next >year, maybe the year after, some major event occurs. Could be a new >bombing. Could be a terrorist cell raided. But they will be found to be >using PGP or somesuch (80% likely to be PGP), with anonymous remailers used >for breaking traffic analysis. The media will go into a feeding frenzy. >John Holliman of CNN will be taken off his usual space shuttle duties and >assigned to figure out what this crypto stuff is all about. Cathy Cleaver >and Donna Rice will tie it into pornography. Ralph Reed will mutter about >the Number of the Beast. And drastic legislation will be proposed and >passed. Don't forget that Clinton's Anti-Terrorism Bill, which predated OKC >by a few months, came very close to passing (and may still...as of a few >days ago it was still pending, though parts of it had been gutted). > >And what effect will Leahy's Bromide ("bromide: a soothing concoction") >Bill have if such a crypto-facillitated incident occurs? None. It will be >swept away as a sand castle is swept away by the incoming tide. > >So why bother? Why not instead "race to the point of no return"? (For a >fuller description of this "point of return," the point at which >sufficiently strong crypto has been sufficiently widely deployed so that it >cannot be recalled, cf. my Cyphernomicon. The crypto anarchist point of >view is that the genie is out of the bottle, Pandora's Box has been opened, >for the good, the bad, and the ugly, and that legislation will matter >little in the long run. > >To be sure, for people who live near Washington, whose interest is >primarily in the political (the conventional political), then I can see why >their interest is in helping Congress to craft better laws. But for the >rest of us, we have our own work to do. > > >>>* EXPORT OF CRYPTO BEYOND U.S.: This is indeed a thorn in the sides of U.S. >>>companies, but is not _per se_ an issue I worry about. So long as I have >>>strong crypto, I don't really care too much about export. It would be nice >>>to get the ITARs modified, but not at the risk of adding language (such as >>>Leahy did) making use of encryption a possible crime (we've debated this, >>>so I won't elaborate here). Besides, I think the best way to overturn the >>>ITARs is through a court challenge; as I have noted, even the NSA's lawyers >>>felt that the ITARs would not withstand court scrutiny. >> >>Unfortunately, many U.S. software companies don't agree with you. > >This is fine. I don't expect them to agree with me. When one of them begins >paying me a salary or sending me shares of their company's stock, then >perhaps I will argue for their positions. (Not that I'm a sellout, just >noting the obvious. They're looking to sell more products, at lower cost, >which if not surprising. But if the price for "getting" approval for 64-bit >export is some flavor of key escrow or limitations on domestic use, then >why should we help them push for this?) > >>While I agree with you (I've got PGP, what's the problem?), several of >>these companies are working through their trade organizations to introduce >>and push crypto legislation to allow them to raise the key length in their >>products. >> >>Put ourselves in their shoes for a minute. They're sitting there, with >>their 40 bit products, knowing that it blows chunks. They want to >>produce stronger crypto, but know they won't be able to export it. >>They talk to the company's attorneys, who speak to speak to the >>lobbyists, and poof, a crypto bill. > >I outline the answer to this during the Netscape--Jim Clarke situation >several months ago. The simple solution: have two versions. > >Version 1 has unlimited-strength crypto, no mandatory key escrow. It ships >to domestic customers only, and can only be downloaded domestically (a la >the PGP distributions). > >Version 2 is crippled. 40 bits, 45 bits, whatever. Maybe it has a set of >hooks for attaching "local regulations" hooks (e.g., all versions of >Netscape entering France must have no crypto, all versions entering The >Islamic People's Republic must automatically cc: the secret police on all >e-mail, etc.). > >These versions may or may not intercommunicate easily. > >The "added inventory" problems that a vendor faces are real, but he faces >problems already with multiple languages (English, French, Spanish, German, >Japanese, etc.), with multiple platforms, etc. > >Also--and this is seldom mentioned!--the inclusion of U.S.-mandated crypto >restrictions may end up "opening the flood gates" for various other >countries to demand their own versions (as noted above in the examples). If >the U.S. stands firm and takes no stand, it will be very hard for Iraq or >Singapore to demand special versions. But if the U.S. insists that packages >have NSA-friendly provisions, so, too, might the other countries demand the same. (A vendor may refuse to comply, but his hand has already been >weakened by his acquiescence to the U.S. demands for a special version.) > >Thus, it is possible that the crypto provisions will actually _worsen_ the >inventory problem. (As noted by so many others, what are the chances that >France or Singapore or Iran will go along with the inclusion of NSA >trapdoors in products their citizen-units and corporations will be using? >Does anyone imagine that France will tolerate a version of Netscape being >used by its corporations that the NSA can trivially break? Get with it.) > >But the issue raised by Shabbir is still this: corporations really want to >ship stronger products and they'd like to be able to only have to develop >and stock one version. So should we accept a weaker domestic encryption >standard to let RSA and Lotus achieve this goal? > >(One can imagine many parallels with other products. Perhaps some countries >only allow citizen-units to have access to .22 caliber firearms. Gun >companies would like a single world standard. Does this mean gun >enthusiasts in the U.S. should then lobby for the .22 as the allowable >standard? Interestingly, at least some gun companies (names excised to >avoid lawsuits) have exactly this position, that gun control laws are fine >with them if it means they can ship more products and face less regulation. >I am not equating Jim Bidzos, Ray Ozzie, or Jim Clarke to these folks, but >am pointing out that the "interests of industry" are not always coterminous >with the interests of citizens, or users, or free men.) > >There are in fact many situations where a corporation will gladly welcome >government regulation. They can cement their own positions and keep out >upstart competitors. There's a lot of evidence that some large electronics >companies actually _like_ regulatory burdens, as it tends to make it very >tough for a small company these days to start a production fab. I can thus >see that some crypto and software companies would potentially make a deal >with the devil if it increased sales and strengthened their "franchise." > >I've written more than enough, so I'll have to stop here. > >I believe what I have read from others, that the Leahy Bill is going >nowhere. As to other legislation, I've never said people should do nothing. >What I've said is that I place more faith in technology: the development of >anonymous remailers, for example, does more to disperse unstoppable >communication than any bill I've seen come out of Congress. > >And, frankly and bluntly, while I am not as extreme (in some ways) as, say, >Jim Bell, in other ways I and many others of us are quite extreme. (I >usually vote Libertarian, but even they are recognizing that they have no >effect on Congress because the goals of Congress and of themselves are so >far apart.) > >Were I closer to Washington, maybe I'd be more interested. But I'm not. I'm >even too far from San Francisco to drive the 100 miles over mountain roads >to stand in the rain with a placard being a spear carrier for some cause. > >Life is tough. > > >--Tim May > > >Boycott "Big Brother Inside" software! >We got computers, we're tapping phone lines, we know that that ain't allowed. >---------:---------:---------:---------:---------:---------:---------:---- >Timothy C. May | Crypto Anarchy: encryption, digital money, >tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero >W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, >Higher Power: 2^756839 - 1 | black markets, collapse of governments. >"National borders aren't even speed bumps on the information superhighway." > > > > From tcmay at got.net Wed Mar 27 15:13:14 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 28 Mar 1996 07:13:14 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: At 7:08 AM 3/26/96, Shabbir J. Safdar wrote: >Timothy C. May writes: >>I don't see any compelling need for U.S. legislation. And given the >>pressures to attach all sorts of language to bills, I think it best that no >>legislation happen. > >Unfortunately, this is not an option. Legislation will happen, with our >endorsement or without it. One good example is the Grassley computer >crime bill earlier in 1995. Nobody advised him on this, as far as I can >tell, he just went out and drafted it. Lo and behold, he drafted a >provision that basically criminalized all crypto, including rot13. Of course I am not saying everyone should just be silent. Various organizations, including Shabbir's own very able VTW, do a good job in challenging bad laws and helping to make the "political sausage" which is so very disgusting to watch being made. My point is that I see no compelling legislation that is needed. If enough people in Washington really want increased length in _exported products_ (remember the "exported" part), the Congress and the President should find it easy enough to get said products on to the Approved List. (I note that the Leahy Bill really doesn't change this system anyway...some products go on the list, some don't...the law only seems to say that when the horse has already left the barn, i.e., when "comparable" products are already in fairly wide use outside the U.S., then the products should be put on the approved list. Big deal. And my meta-point, repeated in several recent posts, is that compromising on very basic liberties for the sake of a "deal" to let Lotus or Microsoft or RSADSI have one uniform, "world" product is a very bad deal. (Key length alone is not an answer, anyway. Domestically we can have arbitrary key lengths, with no limits on strength. So, will a "world version" be limited to 64 bits (at best)? Will I, as an American, be forced to limit myself to this "world" length? This is a compromise of my liberties, just for the sake of simplifying the inventory control problems of Lotus and Microsoft! And it still doesn't address the many points we've discussed over the years about superencryption, rogue programs, and access by foreign LEAs.) Granted, the Leahy Bill does not explicitly mandate key escrow, whether TIS' CKE/SKE or Lotus' "40+24" crypto-with-two-heads scheme. But it includes language that suggests a role for government in key escrow and even says escrow holders may not notify the subject of a subpoena that his key has been snarfed by the Feds. (Superficially, this resembles wiretaps, except that one's escrow agent may be one's lawyer, or mother, or business partner....it makes for messy situations.) I'll have to move on to Shabbir's other comments. >We have to wake up and learn from the fight against the net censorship >legislation. This is realpolitik. Congress will legislate crypto, >whether we want them to or not. This is not news anyone wants to hear, >but we have to face up to it. Be my guest. You're in Washington, you're connected, you're in a position to lobby. I only speak for myself, and my views. I am 3000 miles away from D.C., and have no intention of visiting that mosquito pit (I grew up outside of D.C.). I put my argument efforts into this mailing list (and Cyberia, until recently). If people want to read my arguements, they can subscribe, or get the occasional article forwarded. Frankly, I don't think my brand of political philosophy fits, and I'm not going to change my political philosophy just to help Lotus or Microsoft get approval to export a 64-bit version of "Lotus Notes" or "Bob." >Congress has discovered the net, and partly though the widespread fame >of this list, they have also discovered crypto. Simply saying, "we don't >want any laws that address crypto" may be the ideal solution, but that won't >stop them from passing laws that govern the domestic use of crypto. Well, this is when things will get exciting. This is the Real Battle (tm) we've all been anticipating: laws on domestic use of encryption. Maybe I'll share a cell with that guy who was caught writing in an unapproved diary...Winston Smith, I think his name was (CNN carried a report on his conviction..."Escrow is Freedom"). Until then, the more Congress learns about the Potential Dangers of Crypto, the worse for us. (I had a noted lobbyist approach me about speaking before a committee...when it became clear to him that I wasn't interested in giving a "See Dick read, see Jane encrypt" PR blurb for crypto, he realized I was not the right person. Frankly, the ACLU and that sort can do a perfectly fine job on the "basics" of crypto, the 10-minute version (that still leaves the Congressfolks in a haze). Aside: My hunch is that crypto legislation will languish. Until, maybe next year, maybe the year after, some major event occurs. Could be a new bombing. Could be a terrorist cell raided. But they will be found to be using PGP or somesuch (80% likely to be PGP), with anonymous remailers used for breaking traffic analysis. The media will go into a feeding frenzy. John Holliman of CNN will be taken off his usual space shuttle duties and assigned to figure out what this crypto stuff is all about. Cathy Cleaver and Donna Rice will tie it into pornography. Ralph Reed will mutter about the Number of the Beast. And drastic legislation will be proposed and passed. Don't forget that Clinton's Anti-Terrorism Bill, which predated OKC by a few months, came very close to passing (and may still...as of a few days ago it was still pending, though parts of it had been gutted). And what effect will Leahy's Bromide ("bromide: a soothing concoction") Bill have if such a crypto-facillitated incident occurs? None. It will be swept away as a sand castle is swept away by the incoming tide. So why bother? Why not instead "race to the point of no return"? (For a fuller description of this "point of return," the point at which sufficiently strong crypto has been sufficiently widely deployed so that it cannot be recalled, cf. my Cyphernomicon. The crypto anarchist point of view is that the genie is out of the bottle, Pandora's Box has been opened, for the good, the bad, and the ugly, and that legislation will matter little in the long run. To be sure, for people who live near Washington, whose interest is primarily in the political (the conventional political), then I can see why their interest is in helping Congress to craft better laws. But for the rest of us, we have our own work to do. >>* EXPORT OF CRYPTO BEYOND U.S.: This is indeed a thorn in the sides of U.S. >>companies, but is not _per se_ an issue I worry about. So long as I have >>strong crypto, I don't really care too much about export. It would be nice >>to get the ITARs modified, but not at the risk of adding language (such as >>Leahy did) making use of encryption a possible crime (we've debated this, >>so I won't elaborate here). Besides, I think the best way to overturn the >>ITARs is through a court challenge; as I have noted, even the NSA's lawyers >>felt that the ITARs would not withstand court scrutiny. > >Unfortunately, many U.S. software companies don't agree with you. This is fine. I don't expect them to agree with me. When one of them begins paying me a salary or sending me shares of their company's stock, then perhaps I will argue for their positions. (Not that I'm a sellout, just noting the obvious. They're looking to sell more products, at lower cost, which if not surprising. But if the price for "getting" approval for 64-bit export is some flavor of key escrow or limitations on domestic use, then why should we help them push for this?) >While I agree with you (I've got PGP, what's the problem?), several of >these companies are working through their trade organizations to introduce >and push crypto legislation to allow them to raise the key length in their >products. > >Put ourselves in their shoes for a minute. They're sitting there, with >their 40 bit products, knowing that it blows chunks. They want to >produce stronger crypto, but know they won't be able to export it. >They talk to the company's attorneys, who speak to speak to the >lobbyists, and poof, a crypto bill. I outline the answer to this during the Netscape--Jim Clarke situation several months ago. The simple solution: have two versions. Version 1 has unlimited-strength crypto, no mandatory key escrow. It ships to domestic customers only, and can only be downloaded domestically (a la the PGP distributions). Version 2 is crippled. 40 bits, 45 bits, whatever. Maybe it has a set of hooks for attaching "local regulations" hooks (e.g., all versions of Netscape entering France must have no crypto, all versions entering The Islamic People's Republic must automatically cc: the secret police on all e-mail, etc.). These versions may or may not intercommunicate easily. The "added inventory" problems that a vendor faces are real, but he faces problems already with multiple languages (English, French, Spanish, German, Japanese, etc.), with multiple platforms, etc. Also--and this is seldom mentioned!--the inclusion of U.S.-mandated crypto restrictions may end up "opening the flood gates" for various other countries to demand their own versions (as noted above in the examples). If the U.S. stands firm and takes no stand, it will be very hard for Iraq or Singapore to demand special versions. But if the U.S. insists that packages have NSA-friendly provisions, so, too, might the other countries demand the same. (A vendor may refuse to comply, but his hand has already been weakened by his acquiescence to the U.S. demands for a special version.) Thus, it is possible that the crypto provisions will actually _worsen_ the inventory problem. (As noted by so many others, what are the chances that France or Singapore or Iran will go along with the inclusion of NSA trapdoors in products their citizen-units and corporations will be using? Does anyone imagine that France will tolerate a version of Netscape being used by its corporations that the NSA can trivially break? Get with it.) But the issue raised by Shabbir is still this: corporations really want to ship stronger products and they'd like to be able to only have to develop and stock one version. So should we accept a weaker domestic encryption standard to let RSA and Lotus achieve this goal? (One can imagine many parallels with other products. Perhaps some countries only allow citizen-units to have access to .22 caliber firearms. Gun companies would like a single world standard. Does this mean gun enthusiasts in the U.S. should then lobby for the .22 as the allowable standard? Interestingly, at least some gun companies (names excised to avoid lawsuits) have exactly this position, that gun control laws are fine with them if it means they can ship more products and face less regulation. I am not equating Jim Bidzos, Ray Ozzie, or Jim Clarke to these folks, but am pointing out that the "interests of industry" are not always coterminous with the interests of citizens, or users, or free men.) There are in fact many situations where a corporation will gladly welcome government regulation. They can cement their own positions and keep out upstart competitors. There's a lot of evidence that some large electronics companies actually _like_ regulatory burdens, as it tends to make it very tough for a small company these days to start a production fab. I can thus see that some crypto and software companies would potentially make a deal with the devil if it increased sales and strengthened their "franchise." I've written more than enough, so I'll have to stop here. I believe what I have read from others, that the Leahy Bill is going nowhere. As to other legislation, I've never said people should do nothing. What I've said is that I place more faith in technology: the development of anonymous remailers, for example, does more to disperse unstoppable communication than any bill I've seen come out of Congress. And, frankly and bluntly, while I am not as extreme (in some ways) as, say, Jim Bell, in other ways I and many others of us are quite extreme. (I usually vote Libertarian, but even they are recognizing that they have no effect on Congress because the goals of Congress and of themselves are so far apart.) Were I closer to Washington, maybe I'd be more interested. But I'm not. I'm even too far from San Francisco to drive the 100 miles over mountain roads to stand in the rain with a placard being a spear carrier for some cause. Life is tough. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Wed Mar 27 15:16:33 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 28 Mar 1996 07:16:33 +0800 Subject: Bad news from Judge Richey Message-ID: At 6:29 PM 3/26/96, jim bell wrote: >Now now, Tim. You know me better than that. You know that I would never be >so restrained as to call for the killing of ONLY ONE federal judge. Your sense of humor is also called "digging your own grave." Better hope your words don't get to prosecutors anxious to set an example.... >Seriously, however, I think you slightly mis-read my letter. The implied >"threat", if you are inclined to call it that, would simply be that if >domestic >software writers are prohibited from exporting encryption software, they >might be inclined (and have time for) writing the entire AsPol system into ... I read your article as essentially saying: "Judges ought to remember that a box of shells costs a lot less than an appeal." --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From jeffb at sware.com Thu Mar 28 07:32:31 1996 From: jeffb at sware.com (Jeff Barber) Date: Thu, 28 Mar 96 07:32:31 PST Subject: Noise sphere plotter in C for X Windows In-Reply-To: <199603250551.AAA22514@unix.asb.com> Message-ID: <199603281506.KAA10317@jafar.sware.com> Mutatis Mutantdis writes: > >I've got a short program for the PC (w/TPascal source) that plots a > >noise sphere from a file of (pseudo) random data, if anyone is > >interested. Requires a VGA card that handles mode 5Fh (640 x 480, > [..] > >The source has a brief explanation of what noise spheres are and a > >reference to the Pickover article the program was based on. > Somebody sent me a C++ conversion of it. It compiles fine with BCC 4.02. > > Enclosed here (thanks to "James Pate Williams, Jr." ) Here's a version of it for X Windows, translated into plain-old C. -- Jeff oo -----------------------------cut /\ here------------------------------ /* xnoisesph.c Compiled on Linux with: cc -o xnoisesph xnoisesph.c -L /usr/X11R6/lib -lX11 -lm Usage: xnoisesph file Or: xnoisesph No copyright is claimed. No guarantees made. Usage: noisesph file This program reads a file of random or pseudo-random data and plots a noise sphere of the data. Poor RNGs or sampling methods will show clear patterns (definite splotches or spirals). The theory behind this is to get a set of 3D polar coordinates from the RNG and plot them. An array is kept of the values, which is rotated each time a new byte is read (see the code in the main procedure). Rather than plot one sphere which can be rotated around any axis, it was easier to plot the sphere from three different angles. This program is based on a description from the article below. It was proposed as a means of testing pseudo-RNGs: Pickover, Clifford A. 1995. "Random number generators: pretty good ones are easy to find." The Visual Computer (1005) 11:369-377. */ #include #include #include #include #include typedef struct _Cartesian { double x, y, z; unsigned Color; } Cartesian; typedef struct _Polar { double r, theta, phi; } Polar; double ByteToReal(unsigned char); unsigned int ScaleColor(double); int Round(double); void Plot(Cartesian *); void PolarToCartesian(Polar *, Cartesian *); int MidA, MidB, MidC, MidY, Scale; char *pgm; Window w; Display *d; GC gc; void main(int ac, char **av) { int i; char *fname; FILE *inp; XEvent event; XExposeEvent *ee = (XExposeEvent *)&event; int width, height, bwidth, depth, wx, wy; Window root; pgm = basename(*av); if (ac > 2) { fprintf(stderr, "Usage: %s [file]\n", pgm); exit(1); } if (ac == 2) { fname = av[1]; if ((inp = fopen(fname, "rb")) == NULL) { fprintf(stderr, "%s: Can't open %s - %s\n", pgm, av[1], strerror(errno)); exit(1); } } else { inp = stdin; fname = "(stdin)"; } if (!(d = XOpenDisplay(NULL))) { fprintf(stderr, "%s: Can't open display\n", pgm); exit(1); } w = XCreateSimpleWindow(d, RootWindow(d, DefaultScreen(d)), 0, 0, 640, 480, 0, BlackPixel(d, DefaultScreen(d)), BlackPixel(d, DefaultScreen(d))); XSelectInput(d, w, ExposureMask); gc = XCreateGC(d, w, 0L, NULL); XSetBackground(d, gc, BlackPixel(d, DefaultScreen(d))); XSetForeground(d, gc, WhitePixel(d, DefaultScreen(d))); XMapRaised(d, w); while (XNextEvent(d, &event), event.type != Expose) ; /* * Get the window's actual width and height. */ XGetGeometry(d, w, &root, &wx, &wy, &width, &height, &bwidth, &depth); /* * Initialization done, window on screen; time for real work. */ { double X[3]; int i, n = 0; int byte; Cartesian C; Polar P; Scale = width / 6; MidA = Scale; MidB = 3 * Scale; MidC = 5 * Scale; MidY = height / 2; if (MidY < Scale) Scale = MidY; for (i = 0; i < 3; i++) { if ((byte = getc(inp)) == EOF) { fprintf(stderr, "%s: Early EOF on %s\n", pgm, fname); exit(1); } X[i] = ByteToReal((unsigned char) byte); } while (1) { P.r = sqrt(X[(n + 2) % 3]); P.theta = M_PI * X[(n + 1) % 3]; P.phi = 2 * M_PI * X[n]; PolarToCartesian(&P, &C); Plot(&C); if ((byte = getc(inp)) == EOF) break; X[n] = ByteToReal((unsigned char) byte); n = (n + 1) % 3; } } /* * Now hang out. Let the window manager kill us. */ while (1) XNextEvent(d, &event); exit(0); } double ByteToReal(unsigned char b) { /*note that there will be some gaps since we're only using the equivalent of an 8-bit decimal here*/ return b / 256.0; } unsigned int ScaleColor(double x) { return 0; } int Round(double x) { return (int) (x + 0.5); } void Plot(Cartesian *C) { XDrawPoint(d, w, gc, MidA + Round(Scale * C->y), MidY - Round(Scale * C->z)); XDrawPoint(d, w, gc, MidB + Round(Scale * C->x), MidY - Round(Scale * C->y)); XDrawPoint(d, w, gc, MidC + Round(Scale * C->z), MidY - Round(Scale * C->x)); } void PolarToCartesian(Polar *P, Cartesian *C) { /* No rotation was added. Instead we plot from three angles... */ C->x = P->r * sin(P->phi) * cos(P->theta); C->y = P->r * sin(P->phi) * sin(P->theta); C->z = P->r * cos(P->phi); /* We can assign colors based on x, y, z, r, theta / pi or phi / (2 * pi) */ C->Color = ScaleColor(C->y); } From melman at osf.org Thu Mar 28 07:46:18 1996 From: melman at osf.org (Howard Melman) Date: Thu, 28 Mar 96 07:46:18 PST Subject: HP & Export of DCE In-Reply-To: <199603271619.LAA08716@homeport.org> Message-ID: <9603281542.AA05950@absolut.osf.org.osf.org> On Wed Mar 27, 1996, Martin Janzen wrote: > Another "RPC" comes from the Open Software Foundation, who unfortunately > chose the same acronym for the remote procedure calling mechanism in their > Distributed Computing Environment (DCE). This DCE is a part of the OSF/1 > operating system, but implementations are available for many versions of > UNIX, often as a separate product or option. The DCE Security Services > are discussed a bit in the DCE FAQ [4], and O'Reilly has an entire book > on the subject [5]. The product is called DCE RPC and the RPC is used generically as you stated in the beginning of your note. There are many RPCs in the world, aside from the ones you listed. DCE RPC is also known as ISO RPC as the standard is based on DCE. MS RPC is also based on DCE RPC as you stated. DCE is not part of OSF/1 but is middleware supporting distributed computing which is available on virtually all platforms: (Unixes, Windows, Cray, MVS, VMS, Mac is in beta, etc.) Yes, one of the reference ports was OSF/1. We sell the source code separately. We are now seeing OSs bundled with DCE client software. The most recent versions of HP/UX and AIX for example. For more info on DCE see http://www.osf.org/dce/ Howard -- Howard R. Melman ___ ___ ___ Voice: 617-621-8989 Open Software Foundation / / /__ /__ Fax: 617-621-2782 11 Cambridge Center /__/ ___/ / mailto:melman at osf.org Cambridge, MA 02142 http://www.osf.org/~melman/ From adam at lighthouse.homeport.org Wed Mar 27 15:58:55 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Thu, 28 Mar 1996 07:58:55 +0800 Subject: HP & Export of DCE In-Reply-To: <199603271607.LAA02400@jekyll.piermont.com> Message-ID: <199603271619.LAA08716@homeport.org> Perry E. Metzger wrote: | Adam Shostack writes: | > Well, if Leahy passes, DCE is exportable. Anyone know if the | > 'SecureRPC' in DCE is the one BAL broke years back? | | No, they broke Sun's Secure RPC, which is different. I wasn't aware there were multiple things masquerading under the name Secure RPC. In any event, does the crypto in DCE stand up to the LaMacchia/Odlyzko attacks? (And did Sun ever upgrade what they ship?) Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From jbugden at alis.com Wed Mar 27 16:07:31 1996 From: jbugden at alis.com (James Bugden) Date: Thu, 28 Mar 1996 08:07:31 +0800 Subject: Why Americans feel no compulsion to learn foreign languages Message-ID: <01BB1BD8.8B6BBC00@jbugden.alis.com> Wednesday, March 27, 1996 9:55 AM, Tim May wrote >For Europeans, knowing the language of one's immediate neighbors (probably >only a hundred kilometers away), and knowing English, accounts for much of >their language facility. >Americans are typically thousands of miles away from those speaking >Japanese, Mandarin, Tagalog, Polish, Italian, Dutch, Spanish, Hindi, >Talegu, and the hundreds of other languages. It is not at all clear what >language Americans should pick as a "second language" to study. >Europeans who look down on Americans for not studying the language of their >neigbors simply aren't familiar with a map. >There is not a single foreign language I can think of it that would help me >in my goals or help anyone I know. This is the reality of a world dominated >by English-speaking persons and in which all technical people learn >English. If I can paraphrase, you argue as follows: 1) People learn languages of those they may interact with. 2) Americans do not interact with (enough) non-English speakers. 3) Therefore, learning another language does not help the goals of Americans. While your phrase refers to geographical proximity, I think we could agree that the essential factor is that you interact with those that are close. If you never talk to your neighbours, you don't need to understand their language. So my question: Do you not see the irony of writing this on the internet? Plus ca change, plus c'est pareil. Many threads within Cypherpunks have stated the irrelevancy of national boundaries in this age of global communications. I would suggest that geographical proximity is irrelevant for similar reasons. But the ability to communicate requires the ability to comprehend. While it may be true that "it is not at all clear what language Americans should pick as a 'second language'", it does not follow that you would not benefit from knowing one. Of course, this may be a chicken and egg problem in which your benefit is unclear before you learn a second language, but your motivation is zero unless you see the benefit. If we choose to be unilingual, it is not because we would lack opportunity to use another language, but because we choose to decline such opportunity. James Bugden jbugden at alis.com From warlord at MIT.EDU Thu Mar 28 08:09:37 1996 From: warlord at MIT.EDU (Derek Atkins) Date: Thu, 28 Mar 96 08:09:37 PST Subject: Question about Blind Signature In-Reply-To: <199603281310.VAA23754@cml11.csie.ntu.edu.tw> Message-ID: <199603281608.LAA08842@toxicwaste.media.mit.edu> > My question is when I see how RSA encrypts using PKCS > [desc. deleted] > How to solve this?? You don't. Blind signatures only work with "pure" RSA. You cannot use PKCS encoding to perform blind signatures. PKCS nullifies the multiplicity that is required for these blinding techniques to work. -derek From mike at fionn.lbl.gov Thu Mar 28 08:20:45 1996 From: mike at fionn.lbl.gov (Michael Helm) Date: Thu, 28 Mar 96 08:20:45 PST Subject: Why Americans feel no compulsion to learn foreign languages Message-ID: <199603281620.IAA05171@fionn.lbl.gov> On Mar 28, 2:13am, Timothy C. May wrote: > communicate with his neighbor, nor do I deny Michael Helm's point that by > not studying Talegu we are denying ourselves access to the world's culture. > In my next 25 lifetimes, with the advent of Nanocryonic Revitalization, I Anyone who can read, should not have any problem figuring out that I never made anything resembling the "point" ascribed to me. There is certainly no point in carrying on a discussion with someone who makes false attributions like this. I could care less what language the people around me speak, but it would be a more civilized world if they took care to tone up their reasoning. And when they need to resort to lies like this to shore up their arguments, tar & feather 'em. From asgaard at sos.sll.se Wed Mar 27 16:30:14 1996 From: asgaard at sos.sll.se (Asgaard) Date: Thu, 28 Mar 1996 08:30:14 +0800 Subject: ITAR double standards? In-Reply-To: Message-ID: On Wed, 27 Mar 1996, Richard K. Moore wrote: > velocity from terrestial anachronisms. While Barlow's critics, it seems, > demolished _that_ thesis as wishful thinking, there's a parallel thesis > that may actually be true: that _corporate environments_ have achieved > escape velocity from civil jurisdiction, and now live in a world where > rules & ethics are relative only to corporate culture, and "parochial" > national laws are to be quietly ignored, knowing there's a highly-paid > legal staff to deal with occasional embarrasments. I believe in this parallel thesis. As was reported from the dec -95 OECD meeting in Paris: >The statement from SHELL International is interesting. >They can accept 'a trustworthy international key escrow >infrastructure based on X.509 certificates' but they also >need to 'protect their assets against Government intelligence >gathering, organised crime, civil unrest and data privacy >legislation obligations'. Asgaard From asgaard at sos.sll.se Wed Mar 27 16:41:47 1996 From: asgaard at sos.sll.se (Asgaard) Date: Thu, 28 Mar 1996 08:41:47 +0800 Subject: Crypto CD UpDate In-Reply-To: <31592105.23B9@unix.asb.com> Message-ID: > A nice advantage of CD-ROMs is that many BBSs that aren't plugged into > the net use them. I rememebr showing threads about a similar C'punks Suppose strong crypto is outlawed in all OECD countries by dec -96. The known international sites with more or less complete coverage today amount to a handful. They will be shut down pronto. Of course lots of private persons have a lot of crypto files hanging around, but a widely distributed CD-ROM, easily put up as a BBS partition, wouldn't make the situation worse. Asgaard From jlasser at rwd.goucher.edu Wed Mar 27 16:52:42 1996 From: jlasser at rwd.goucher.edu (Bruce Zambini) Date: Thu, 28 Mar 1996 08:52:42 +0800 Subject: Councilman/Usenet porn case... Message-ID: What's most interesting about this is that whoever forged the email headers forged anon.penet.fi in there... Other than that, I'm not sure what the point is.... but that caught my eye. Jon Lasser ---------- Jon Lasser (410)494-3072 - Obscenity is a crutch for jlasser at rwd.goucher.edu inarticulate motherfuckers. http://www.goucher.edu/~jlasser/ Finger for PGP key (1024/EC001E4D) - Fuck the CDA. ---------- Forwarded message ---------- Date: Wed, 27 Mar 1996 12:16:01 -0500 From: Bruce Zambini To: jlasser at goucher.edu Subject: web.html TIME Magazine April 1, 1996 Volume 147, No. 14 _________________________________________________________________ Return to Contents page _________________________________________________________________ WAY WRONG NUMBER HELL HATH NO FURY LIKE A CITY COUNCILMAN PORNED JOSHUA QUITTNER This is a tale about how an online prank grows into an international incident. It also goes a long way toward explaining the fear many non-Internet people have about this out-of-control thing called cyberspace. Our story begins on the banks of Lake Erie, in Willowick, Ohio (pop. 15,469). It is the last Monday night in January, about 9 o'clock. City councilman Frank Suponcic is home with his wife Linda when the phone rings. Linda answers. "Hi, this is Mike," says the man at the other end, politely enough. Linda chats with Mike, figuring he must be a constituent. (As Willowick's longest-serving ward councilman, Suponcic has lots of voters calling him at home.) After a while, Mike asks for Annette. Linda tells him he has the wrong number. Mike apologizes and hangs up. The phone rings again at 11:30 p.m. And again. And again. Wrong numbers until 4:30 a.m. A weary Suponcic wonders what's up and checks the Caller-ID logs on his phone. The first call was from British Columbia. The next was from Connecticut. There was one from Indianapolis and a few from California. Clearly these are not constituents. But who are they? Suponcic calls the Canadian back--it is now 5:30 a.m. in that time zone, and he is only too happy to wake the dude up--and he demands to know what is going on. The guy explains, vaguely, that he was merely answering an "ad on the Internet. You know, the one about horny housewives..." So now we have a problem. Suponcic, like a lot of people, has a new computer. But like most people, he hardly knows what the Internet is. Now, somewhere there's an ad on it. For horny housewives. With his home phone number. That night, when the next wrong number came in, Suponcic interrogated the caller and learned that the councilman's phone number was printed at the bottom of some pictures of naked women that had been posted to a Usenet newsgroup called alt.binaries.pictures.erotica, which, naturally, Suponcic had never heard of. But he had a friend in Cleveland who was something of a computer buff. So the next day the two of them jacked into Usenet and spent three hours sifting through about 7,400 files on alt. binaries.etc. Eventually, they found two with Suponcic's phone number. One featured a topless brunet wearing only a string of pearls and offering phone calls for "as low as 87 [cents] per minute." The other showed a blond woman advertising "hot amateur wives ready for you from there [sic] own bed." Yikes. Over the next week, Suponcic received more than 75 calls a day from lusty Netizens. "You just could not make phone calls," says the exasperated councilman. "And when you went to bed, you had to take your phone off the hook." It was the sorcerer's apprentice scenario, and there was no way to stop it. Suponcic, being a public official, knew his way around the local police department, and soon a detective started pounding the Net. By tracing the header information on the Usenet postings, the detective determined--O.K., this part is murky, we admit--that the messages had originated in Ohio, passed through Florida Online, an Internet provider in the Sunshine State, and then through anon.penet.fi, a free E-mail remailer service based in Finland that allows Internet users to post messages anonymously. The identity of the poster was, and is, unknown, though Suponcic has his suspicions. "It's my personal belief that the root of this is political," says the councilman, who had to get an unlisted telephone number and whose wife now wants to move. On Feb. 6, at Suponcic's urging, the Willowick city council passed a resolution asking the state and federal governments to close the "loopholes" that allowed anonymous remailers to operate outside the authority of U.S. law-enforcement officials. "Once you've achieved one of these anonymous identities, you're dangerous, and there's no way law enforcement can track it," Suponcic says. "The animal's out of control." Still not content, Suponcic contacted Steven LaTourette, the U.S. Congressman who represents his district. LaTourette's staff suspects that the problem lies with Julf Helsingius, the Finn who runs the anonymous remailer. They wrote a letter to the Finnish ambassador and sent copies to the Secretary of State and the chairman of the House Committee on International Relations. The State Department agreed last week to look into the complaint. But here's a reality check. The Finnish remailer could not have been used, since anon.penet.fi no longer transmits binary image files. Jerry Russell, who runs Florida Online and who looked into the case, says he figures the whole thing was a relatively simple prank called a sendmail spoof, in which the prankster posts a message with a phony return address. He says the Willowick police never produced a copy of the posting for him so that he could unravel the tangle for them. Indeed, when the policeman called, "he didn't really understand what he was trying to tell me," says Russell. "The average Joe Blow police detective doesn't know flip about the Internet." Neither does the average public official. And that, friends, is why stuff like the Communications Decency Act--the Christian Coalition's attempt to remove pornography from the Internet--sails through Congress. --With reporting by Noah Robischon/New York _________________________________________________________________ [IMAGE] Text Only From strombrg at hydra.acs.uci.edu Thu Mar 28 08:54:59 1996 From: strombrg at hydra.acs.uci.edu (Dan Stromberg) Date: Thu, 28 Mar 96 08:54:59 PST Subject: LACC: Sun patch pulled (was Re: HP & Export of DCE) In-Reply-To: <199603272316.XAA13429@pangaea.hypereality.co.uk> Message-ID: <315AC451.7D69@hydra.acs.uci.edu> The syslog problem is fixed in baseline SunOS 5.5. Sun and HP are apparently doing what the stupid law mandates - and they should do so, whether someone at NSA (or whatever) is on their case or not. :) They should also have someone in their respective legal departments bucking ITAR very hard. "tres-dangerous" must have been typed with a snear, no? ECafe Anonymous Remailer wrote: > > I noticed that Sun's latest libc patch (101759-04) is empty. Previous > versions contained the complete U.S. version of libc, including the > tres-dangerous DES and crypt functions. In the current rev only the > README remains, presumably because: > EXPORT INFORMATION: This patch includes code which performs > cryptographic functions, which are subject to U.S. export > control, and must not be exported outside the U.S. without > prior approval of the U.S. government. Prior export approval > must be obtained by the user of this patch. > > So, you might ask, what fixes is Sun not distributing??? > (Rev 04) > 1190985 gethostbyname() can trash an existing open file descriptor. > 1182835 portmapper silently fails with version mismatch by PC-NFS > client > 1219835 Syslog(3) can be abused to gain root access on 4.X systems. > > Yup, that's right. The syslog hole that was so well publicized by > CERT will remain open indefinitely because the ITAR makes it illegal > for Sun to distribute the fix! > > So did HP and Sun spontaneously, simultaneously develop crypto awareness, > or is some gummint dweeb whispering threats in their ear? From perry at piermont.com Wed Mar 27 16:55:22 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 28 Mar 1996 08:55:22 +0800 Subject: HP & Export of DCE In-Reply-To: <199603271619.LAA08716@homeport.org> Message-ID: <199603271621.LAA02453@jekyll.piermont.com> Adam Shostack writes: > | Adam Shostack writes: > | > Well, if Leahy passes, DCE is exportable. Anyone know if the > | > 'SecureRPC' in DCE is the one BAL broke years back? > | > | No, they broke Sun's Secure RPC, which is different. > > I wasn't aware there were multiple things masquerading under the name > Secure RPC. In any event, does the crypto in DCE stand up to the > LaMacchia/Odlyzko attacks? They are attacks against Diffie-Hellman. I don't know if DCE uses D-H in a similar manner. The main problem was too small a (fixed) modulus. > (And did Sun ever upgrade what they ship?) I don't believe so. Perry From hwh6k at fulton.seas.virginia.edu Wed Mar 27 17:26:23 1996 From: hwh6k at fulton.seas.virginia.edu (Henry Huang) Date: Thu, 28 Mar 1996 09:26:23 +0800 Subject: Crypto CD UpDate Message-ID: <199603271810.NAA75303@fulton.seas.Virginia.EDU> On Mar 26, 21:18, Timothy C. May wrote: > At 10:16 PM 3/26/96, aba at atlas.ex.ac.uk wrote: > >The idea of putting together a CD with crypto stuff is an excellent > >IDEA, and one which I very much welcome. > > > >However a question .. are you (Ben) located in the US? If so... > > > >that rules out overseas buyers unless you fancy messing with ITAR... > >Is it possible that you could come to some arrangement with some one > >outside the ITAR fence who has a CD writer (any one reading have one?) > >put together the same CD for those outside the US? ITAR is going to be a mess either way. If the CD is put together outside the U.S., you'd have to only use non-U.S. executables/source (or else put site owners at risk of violating the anti-export language in the ITAR). Of course, a lot of people don't take this seriously, so pick your poison ... > 1. The CD-ROM "freezes" the various programs, archives, etc. at the moment > the files are finalized and the CD-ROMs are pressed (or burned individually > on a CD-R, at somewhat higher per-copy price). If the author of the CD-ROM > is not committed to updating the CD-ROM at frequent intervals--say, every > few months--then the programs will exhibit "version decay" and be nearly > useless. > The next point is the reason. > > 2. The Web does a better job at making the latest versions instantly > accessible. True, a CD-ROM will generally have faster access, but I care > more about getting the _latest_ version of PGP, even if takes a minute or > two to snarf off the Web. That I could get an _older_ version of PGP in > fractions of a second off this CD-ROM is not compelling to me. I'd argue that having a slightly out-of-date CD-ROM is better than nothing, because: - It gives you an idea of what sorts of crypto applications are out there, - It gives you working versions of programs without having to crawl all over the Net hunting for one, - If the authors are smart they'll include URL's to an update site in the documentation (or the CD-ROM producer can do it), - Not everyone out there is Net-savvy, or has the time to go trudging around looking for the latest cutting-edge versions of software. Time *IS* money. I'd almost argue that Tim's emphasis on using the Web to get crypto assumes a sort of Net-centric view of how the crypto is going to be used -- similar to reported provisions in the Leahy bill. The idea that people who just want to encrypt personal data might not need the latest versions of everything out there is reasonable -- as long as the latest versions aren't BUG FIXES. In that case, Tim's argument about stale versions would carry some merit. But this is the case for ALL non-Net distributed software; you don't see companies refusing to cut CD-ROMs simply because they're worried their users won't be able to get the latest bug fixes. In the ideal case, they'd do the best they can to make sure that people did, but you have to be realistic. (Of course, if you're cynical, and believe that software companies care more about money than about helping their customers, then it doesn't matter. ;) > (And fractions of a second is too charitable: in actuality, I'd have > to locate the CD-ROM, dismount anything already mounted, mount the > CD-ROM, search it for "PGP," etc. Probably not even faster than > using Alta Vista and downloading.) Um, whatever. If you have a CD-ROM, you'll at least have SOME idea of what software is available on it. Not so with the Web (unless somebody wants to do the equivalent of this CD-ROM and put together a page with a HUGE number of links to crypto programs -- not to mention the protections necessary to avoid violating ITAR, e.g. the anti-export measures built into the PGP distribution site) Plus, comparing the speed of a CD-ROM to a modem is like comparing the speed of a station wagon to a skateboard. CD-ROMs aren't exactly fast, but they sure as hell aren't anywhere near as slow as the water-torture speeds of your average v.42bis modem. > 3. Where CD-ROMs really shine over modem alternatives is, of course, for > very large files. Images, MPEG or Quicktime movies, etc. "Multimedia" being > the operative term. For crypto, this is not an issue. (Except for list > archives, where having a few hundred megabytes of articles might be nice. > However, the absolute KILLER of this idea is the staleness problem mentione > in Point #1: if the archives on CD-ROM lack the most recent month or two, > their usefullness drops precipitously. If the CD-ROM is a year old, and no > updates have appeared, then its archives are useful only to list > historians. I don't buy this. Many of the well-known/widely-used Net-distributed crypto apps haven't put out updates for a LONG time. Even if it was the case that they were throwing out bug fixes every two weeks, my previous comments still hold. (And anyhow, you probably wouldn't WANT to have software THAT unstable in your collection anyway. ;) I'm starting to think that the question of whether this CD-ROM is useful depends on who you're selling it to. People who hang out on Coderpunks, or are "in the loop" as to version updates and crypto sites won't want this. People who want to buy the CD just to be "cool" aren't an issue. The SOHO market (i.e. people who don't normally use the Net, and who ordinarily wouldn't care too much about crypto) seems to be the ideal target. But how do you sell a piece of software to an audience that doesn't know it needs it? Perhaps this could be a chance to spread the gospel, so to speak. However, that would mean the CD would have to be designed around these people -- i.e. for ease of use, etc. These issues have probably been beaten to death a long time ago (e.g. PGP shells), and shouldn't be too difficult to resolve. The multi-platform stuff (DOS/Mac/**IX on one disc) will be harder; you'll need to code a different interface to the CD for each platform. > (In other words, I will almost always go to up-to-date archives on a Web > site rather than dusting off a CD-ROM that was issued several months ago. As would I. But we're "in the loop". Many people aren't. And the real issue being addressed here (getting easy-to-digest crypto to the masses) is a lot more difficult than just pressing a CD-ROM. Ben may need to rethink his strategy on this, in terms of how to most effectively promote this CD to that market. > 4. The Web approach allows powerful search engines, links from other pages, > and--importantly--multiple jurisdictions. The PGP could come from the U.S., > the Digital Postage code from Sweden, and so on. And, again as noted in # > 1, the developers could keep improving and iterating the code. Hmm, do I hear a volunteer for writing that Crypto Software Web page? ;) -H From stoll at as200.zi-mannheim.de Thu Mar 28 09:28:44 1996 From: stoll at as200.zi-mannheim.de (stoll at as200.zi-mannheim.de) Date: Thu, 28 Mar 96 09:28:44 PST Subject: Cypher of former eastern intelligence agency broken? Message-ID: <9603281728.AA30292@as200.zi-mannheim.de> Here is an abstract of a report the German newsmagazine Focus published on March 11, 1996 (p. 16) - "Spaete Ermittlungen gegen Techno-Spione" (late/belated investigations against technology spies). I do not include a translation of the whole original text for copyright reasons. "Specialists of the German Federal Police Agency (BKA) have decrypted 44 floppy disks from the former [East German] Ministry for State Security" (MfS). A defector had handed over the floppies to the German Federal Intelligence Agency (BND) in spring 1990. The disks contain information on East German spies in former West Germany. Judicial inquiries against 29 suspects have started now. Apparently, the BKA got the data no sooner than 1994. This is because the BND did not tell law authorities about the floppy disks. German federal DAs learned about the data in late summer 1994 by chance. The article does not say whether the defector came over with the keys. - Probably not, otherwise prosecution should have started much earlier. It is likely that the extremely paranoic MfS used a cipher and a key length it believed to be sufficiently strong. According to Bruce Schneier's Applied Cryptography East Germany was quite aware of DES, it even produced DES chips. Another possibly strong algorithm used in the former Soviet block is GOST (a block cipher derived from the concepts of DES, also described by Schneier). Let us assume BKA specialists have broken the code using a combination of cryptoanalysis, brute force and good luck. They are policemen, not espionage professionals. Further, the BKA is much smaller than the FBI. Imagine what code breaking capabilities a well-funded, big intelligence agency should have then! From geeman at best.com Wed Mar 27 17:34:49 1996 From: geeman at best.com (geeman at best.com) Date: Thu, 28 Mar 1996 09:34:49 +0800 Subject: Pepsi World - Gotta Have It! Message-ID: <199603261714.JAA21353@mail1.best.com> hoax, I presume? At 06:46 PM 3/20/96 -0600, you wrote: >Hey Squatter! > >Don't forget to cruise back by Pepsi World! > > >We're gonna keep showing ya the coolest, hippest stuff out there, including: > >- Shaq/Pepsi World's Slammin' Techno Dream Contest >- The Bev-o-Matic Contest >- An exciting, original Shockwave game >- Chat Rooms >- And basically, more entertainment than you can shake a stick at! > > > >Don't forget your squatter id 'cypherpunk' and password >'cypherpunk', you'll need them to maintain your Squatter's >rights in Pepsi World. > > From jamesd at echeque.com Wed Mar 27 17:34:56 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Thu, 28 Mar 1996 09:34:56 +0800 Subject: Let's *NOT* "Raise their Awareness" Message-ID: <199603270703.XAA03440@dns2.noc.best.net> At 06:07 PM 3/26/96 -5:00, Michael C. Peponis wrote: >On Tue, 26 Mar 1996 , David K. Merriman wrote: > The judge is correct in this matter, most people view it from the > rights of the parents, but what about the child who, because of > his/her parents egotism and ignorance, grows up not being able to > compete effectivly? I am sure the judge is right in this matter, but is in any of his damned business. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jamesd at echeque.com Wed Mar 27 17:35:46 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Thu, 28 Mar 1996 09:35:46 +0800 Subject: (X:x)e$ 's other use Message-ID: <199603270702.XAA03398@dns2.noc.best.net> At 04:05 PM 3/26/96 EDT, E. ALLEN SMITH wrote: > The > Fed has done an actually rather admirable job of standing up to the pressure Every couple of years the politicians start leaning on Greenspan. Greenspan lets it be known they are leaning on him, the money markets mark the dollar down and the politicians stop leaning on him. The Greenspan standard is not a good as a gold standard, but its not bad. Only trouble is he is mortal, unlike gold. Come to think of it, there is actually some crypto relevance here: Internet currencies will be necessarily non physical and it will be difficult to go after the issuer in the event of default, so the best currency will have a value that depends on peoples belief that the issuer will defend the value of the currency. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From unicorn at schloss.li Thu Mar 28 09:35:57 1996 From: unicorn at schloss.li (Black Unicorn) Date: Thu, 28 Mar 96 09:35:57 PST Subject: The Law Loft: Surviving the Biometric I.D. Card In-Reply-To: <199603280946.BAA08787@you.got.net> Message-ID: --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From jamesd at echeque.com Wed Mar 27 17:36:19 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Thu, 28 Mar 1996 09:36:19 +0800 Subject: How to enter the US without a visa? Message-ID: <199603270702.XAA03414@dns2.noc.best.net> This is somewhat off topic for cypherpunks, but alt.forgery is dead, so cypherpunks is probably the nearest group. Suppose (hypothetically) an American resident cypherpunk had a hypothetical friend who is most unlikely to obtain an American visa. Now the standard way of dealing with situation is for an American friend to get a certified birth certificate of someone born in America, concoct some photo ID, send it to the out-of-America friend, and then the out-of-America friend comes in through Montego Bay or some similar point where there is lots of tourist traffic. But the thought struck me that this might not work for some one who hypothetically has a foreign appearance and a truly terrible accent. Now a fake greencard would probably work, but greencards have age and sex etc encoded on them, and conceivably they check them against a database, in which case it would be necessary to obtain the greencard number of a real person of the right age and sex, which is not easy. Any suggestions? Surely lots of people have dealt with this problem already. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From anon-remailer at utopia.hacktic.nl Wed Mar 27 17:37:32 1996 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Thu, 28 Mar 1996 09:37:32 +0800 Subject: vogon punk haiku Message-ID: <199603270455.FAA01748@utopia.hacktic.nl> looking down his nose, Senator Exon banned it Haiku's not a crime Rights groups lobbying politicians waffl"ing Cypherpunks write code At First Virtual tense hot alien in barn encrypts no message Later releases in some communications there are signatures digicash tokens no one knows what you're buying follow the money Senator Exon! Imminent Death of the Net! GIFs at eleven! what they cannot read they don't want to let you say you must encrypt it Crypto power tools cannot be exported yet? how can they stop them? Freeh is watching you Big Brother is watching you NSA listens #ifdef crypto you cannot export this code #endif crypto if code is outlawed bhgynjf jvyy unir cevinpl talking to their friends Beating a dead horse idle thoughts typed on a train need more ideas Senator Exon And the horse he rode in on ******* indecent #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 # "At year's end, however, new government limits on Internet access threatened # to halt the growth of Internet use. [...] Government control of news media # generally continues to depend on self-censorship to regulate political and # social content, but the authorities also consistently penalize those who # exceed the permissible." - US government statement on China... "SigFiles of Unusual Size? I don't believe they exist!" From jimbell at pacifier.com Wed Mar 27 17:37:57 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 28 Mar 1996 09:37:57 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: At 01:59 AM 3/26/96 -0800, Timothy C. May wrote: >At 7:08 AM 3/26/96, Shabbir J. Safdar wrote: >My point is that I see no compelling legislation that is needed. If enough >people in Washington really want increased length in _exported products_ >(remember the "exported" part), the Congress and the President should find >it easy enough to get said products on to the Approved List. (I note that >the Leahy Bill really doesn't change this system anyway...some products go >on the list, some don't...the law only seems to say that when the horse has >already left the barn, i.e., when "comparable" products are already in >fairly wide use outside the U.S., then the products should be put on the >approved list. Big deal. There is, however, a slightly different way of looking at this. For centuries, there was a saying "Nature abhors a vacuum." While not scientifically correct, from the standpoint of people living below an ocean of atmosphere it seemed to be true. Likewise, the political system seems to abhor a situation where there is neither law, nor a proposed law. The best tactic might be to insist on modifications to the Leahy bill, most of which are quite justified, but cumulatively will be seen by "the enemy" as being so extreme as to be unacceptable. At that point, the enemy may actually agree with our assessment that no law is better than the corrected Leahy bill, and we'll both walk away satisified with the "no law" option. Think of it like pouring sugar into a gas tank. [stuff deleted] > >And, frankly and bluntly, while I am not as extreme (in some ways) as, say, >Jim Bell, in other ways I and many others of us are quite extreme. Hey, see, I'm useful! I make you look more, uh, "reasonable", right? Jim Bell jimbell at pacifier.com From shabbir at vtw.org Wed Mar 27 17:38:02 1996 From: shabbir at vtw.org (Shabbir J. Safdar) Date: Thu, 28 Mar 1996 09:38:02 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <199603260708.CAA21623@panix4.panix.com> I think this is a very important area to consider, and I thank Tim for putting his thoughts into this very organized form. My replies: Timothy C. May writes: >>If the Leahy bill is unacceptable, what legistlation is necessary? I >>can't see how the use of cryptography in the commission of a crime needs >>to be a separate offence, but I could see how it could be treated as a >>special circumstance - that doesn't really needed a new law though. > >I don't see any compelling need for U.S. legislation. And given the >pressures to attach all sorts of language to bills, I think it best that no >legislation happen. Unfortunately, this is not an option. Legislation will happen, with our endorsement or without it. One good example is the Grassley computer crime bill earlier in 1995. Nobody advised him on this, as far as I can tell, he just went out and drafted it. Lo and behold, he drafted a provision that basically criminalized all crypto, including rot13. We have to wake up and learn from the fight against the net censorship legislation. This is realpolitik. Congress will legislate crypto, whether we want them to or not. This is not news anyone wants to hear, but we have to face up to it. >* DOMESTIC USE OF ENCRYPTION: Currently, no restrictions whatsoever. No >laws saying messages can't be encrypted, no laws saying keys must be >escrowed, no laws about permissable strength of ciphers, no special laws >covering disclosure of keys. Just silence, blessed silence. The >Constitution says there shall be no laws about permissable speech (what >language one speaks in, or writes in), and other provisions about compelled >testimony seem adequate. Congress has discovered the net, and partly though the widespread fame of this list, they have also discovered crypto. Simply saying, "we don't want any laws that address crypto" may be the ideal solution, but that won't stop them from passing laws that govern the domestic use of crypto. >* EXPORT OF CRYPTO BEYOND U.S.: This is indeed a thorn in the sides of U.S. >companies, but is not _per se_ an issue I worry about. So long as I have >strong crypto, I don't really care too much about export. It would be nice >to get the ITARs modified, but not at the risk of adding language (such as >Leahy did) making use of encryption a possible crime (we've debated this, >so I won't elaborate here). Besides, I think the best way to overturn the >ITARs is through a court challenge; as I have noted, even the NSA's lawyers >felt that the ITARs would not withstand court scrutiny. Unfortunately, many U.S. software companies don't agree with you. While I agree with you (I've got PGP, what's the problem?), several of these companies are working through their trade organizations to introduce and push crypto legislation to allow them to raise the key length in their products. Put ourselves in their shoes for a minute. They're sitting there, with their 40 bit products, knowing that it blows chunks. They want to produce stronger crypto, but know they won't be able to export it. They talk to the company's attorneys, who speak to speak to the lobbyists, and poof, a crypto bill. >* KEY ESCROW: A matter of contract law, nothing more. If I want to give a >copy of my key to my lawyer, fine. If I want to give a copy to Vince's >Offshore Key Repository, no current U.S. laws stops me from doing so, and I >can even get it to him securely without violating any ITARs by using the >cipher that _he_ uses and then importing it here! > >IMPORTANT NOTE: It is often said, in a correct interpretation I think, that >a third party holding a key (Joe's Key Warehouse) is _not_ covered by the >5th Amendment's protections against self-incrimination, and so must honor a >subpoena. Sounds accurate to me. However, what if Joe is _also_ one's >lawyer? Does attorney-client privilege apply here? Perhaps. A better >solution is also fully legal at this time: use only offshore key storage. A >U.S. subpoena to Vince's Offshore Key Repository will carry no weight in >Anguilla. (Can I be compelled to ask Vince to send my key? Sure. But Vince >and I could have a stipulation that such "duress requests" will not be >honored, no matter how loudly I squawk.) This is actually very important. The Leahy bill forces Joe's Key Warehouse to only divulge your key when they've been presented with a warrant that's on par with whatever they used to get your original communication. That means that Louis Freeh can't issue an administrative subpoena to get your key, after he's got a judge to allow the FBI to search your house. They have to get a judge involved for both parts. It's better than where we are today, where Joe's Key Warehouse is vulnerable to every law enforcement joker that can write an administrative subpoena. We haven't yet had an incident that demonstrates this, but we will. Of course, if you're the sort of person who thinks that the FBI and the Department of Justice are involved in a big criminal conspiracy to begin with, we shouldn't even be talking about due process, as you don't believe it exists... >In conclusion, things are fine as they are. I see no compelling need to >write a special law confirming the rights we already are enjoying. If the >Congress wants to relax the ITARs (fat chance), they can direct that the >language of specific sections be redrafted. (I'm not even sure when and how >the original language was crafted, though it is part, I believe, of the >ancient Munitions Act and/or Trading with the Enemy Act. The enabling >legislation for the ITARs, and especially for the specific items actually >ON the "Munitions List" could be trivially changed. Were this Leahy's >intent, an easy thing to write a bill for. I doubt this was his intent, >however. I think this indeed is what Leahy was aiming for. A quick glance at the bill will prove this out. The approach that "things are fine as they are" is like saying "I'm on a freight train, heading for a cliff, but they're still serving me caviar so it's OK". Sure, it feels ok, but the train's still moving, no matter how far you are into your denial. I can't say this enough: the net has moved into realpolitik. Congress has found us, and their first step is to regulate us. Then, they'll outlaw us. Let's hope we convert enough legislators to netizens before they outlaw us. -Shabbir J. Safdar co-founder, Voters Telecommunications Watch From jimbell at pacifier.com Wed Mar 27 17:39:15 1996 From: jimbell at pacifier.com (jim bell) Date: Thu, 28 Mar 1996 09:39:15 +0800 Subject: Bad news from Judge Richey Message-ID: At 11:33 PM 3/25/96 -0800, Timothy C. May wrote: >At 3:28 AM 3/26/96, jim bell wrote: > >>I realize that this may appear to be a rather disrespectful tactic, but have >>you considered reminding the judge that if you are not allowed to profit by >>exporting encryption that the government doesn't want to see exported, >>you'll just have to make money in some other way, and this may lead you to >>talk to Jim Bell about implementing a program using encryption that doesn't >>_need_ to be exported...legally anyway. > >Whoahh! Hold on there, Jimbo! You're crossing the line. > >You're coming perilously close to actually calling for the killing of a >federal judge. My recollection is that a couple of folks have been arrested >and charged for calling for the killing of judges. Now now, Tim. You know me better than that. You know that I would never be so restrained as to call for the killing of ONLY ONE federal judge. Seriously, however, I think you slightly mis-read my letter. The implied "threat", if you are inclined to call it that, would simply be that if domestic software writers are prohibited from exporting encryption software, they might be inclined (and have time for) writing the entire AsPol system into software. Once that happens, we won't have to worry about ITARs or any other governmental impediment. At that point, the danger is not to one specific federal judge, and not even just to all of them, but every government employee at every level, working for every jurisdiction. Judges, I presume, are quite familiar with accepting a sense of personal danger for the consequences of their bad decisions. It would be an entirely different situation, I suggest, if it were made clear to them that the fallout from their misbehavior would ultimately be visited on a few million people. And it would shock them to the core if it were explained that this could be done entirely legally, with the obvious exception of a few unidentifiable people who actually do the anonymous work. Jim Bell jimbell at pacifier.com From steve at aztech.net Wed Mar 27 17:39:26 1996 From: steve at aztech.net (Steve Gibbons) Date: Thu, 28 Mar 1996 09:39:26 +0800 Subject: WSJ on Big Java Flaw Message-ID: <0099FEF9.CAF81C60.361@aztech.net> In Article: <199603261814.KAA23974 at netcom5.netcom.com>, frantz at netcom.com (Bill Frantz) wrote: # At 10:58 AM 3/26/96 -0500, John Young wrote: # > Java was originally touted by Sun as a secure language. But # > at least two other flaws have already been discovered in # > the technology, including a less-serious problem uncovered # > by the Princeton team last month. Sun's Ms. Mueller said # > the problems have been correctable details in the way the # > Java code is written, not problems with its basic design. Actually, I suspected and reported the same bug some weeks before the group at Princeton. . That said... # Having worked on a secure OS, with a small security kernel etc. etc. etc. I # realize that even those systems have bugs. The Java people will work out # their bugs. Others will read their code and find more bugs. (It is to # Sun's GREAT credit that they are releasing their source under a not very # restrictive license.) Eventually, in several years, Java security will be # ready for prime time. This is exactly what I would say. Sun has released source code for what that they label as "Beta Software." I agree with their labeling, and don't fault them for having buglets in beta software. I commend them for releasing souce code. My biggest gripe is with other companies (no names mentioned) who are shipping Java, integrated and "turned on" by default in their "production-level" products. # Of course, for really valuable things, or the really paranoid, you # shouldn't connect your computer to a network. The top dog certificate key # in SET is handled this way. Generally good advice. (SET is an "Alpha Specification" and has its own problems, that I won't go into here, but again, I commend the principals involved for allowing "outsiders" to view and comment.) I'd also add that running uncertified (by the local CA) applications is bad voodoo, and should be avoided, but that's an issue that most admins don't have much real control over in most environments. -- Steve at AZTech.Net [ I thought about adding a P.S., but most of you probably don't care what I do for a living, who I work for, nor what I work on, and why. Send email if you're curious. ] From ravage at ssz.com Wed Mar 27 17:39:43 1996 From: ravage at ssz.com (Jim Choate) Date: Thu, 28 Mar 1996 09:39:43 +0800 Subject: Crypto CD UpDate (fwd) Message-ID: <199603270547.XAA10979@einstein.ssz.com> Forwarded message: > It pains me to often be the one who throws cold water on what seems to be a > good idea, and what comes from a well-intentioned person. But I have to > call 'em as I see 'em. And maybe I'm wrong. But here are my thoughts. You know you love it...;) > 1. The CD-ROM "freezes" the various programs, archives, etc. at the moment > the files are finalized and the CD-ROMs are pressed (or burned individually > on a CD-R, at somewhat higher per-copy price). If the author of the CD-ROM > is not committed to updating the CD-ROM at frequent intervals--say, every > few months--then the programs will exhibit "version decay" and be nearly > useless. > The next point is the reason. I do soho consulting and I help provide several of my customers with software of various nature. One thing I have come to realize is that they are not interested in being in the fast lane. They are secure in knowing that the software behaves in a predicible way (not necessarily designed that way either). A large part of this attitude is based in their not being computer anything sorts. I find CD's a great way to keep libraries of old software that sometimes comes in handy. > 2. The Web does a better job at making the latest versions instantly > accessible. True, a CD-ROM will generally have faster access, but I care > more about getting the _latest_ version of PGP, even if takes a minute or > two to snarf off the Web. That I could get an _older_ version of PGP in > fractions of a second off this CD-ROM is not compelling to me. (And > fractions of a second is too charitable: in actuality, I'd have to locate > the CD-ROM, dismount anything already mounted, mount the CD-ROM, search it > for "PGP," etc. Probably not even faster than using Alta Vista and > downloading.) Yes, except it is much easier to track my access to the web than my CD-Rom. > 4. The Web approach allows powerful search engines, links from other pages, > and--importantly--multiple jurisdictions. The PGP could come from the U.S., > the Digital Postage code from Sweden, and so on. And, again as noted in # > 1, the developers could keep improving and iterating the code. CD's are great advertising. From ravage at ssz.com Wed Mar 27 17:40:16 1996 From: ravage at ssz.com (Jim Choate) Date: Thu, 28 Mar 1996 09:40:16 +0800 Subject: Random Number Testing (fwd) Message-ID: <199603270644.AAA11029@einstein.ssz.com> Hi Fred, Forwarded message: > Subject: Random Number Testing > Date: Tue, 26 Mar 1996 18:00:26 -0800 (PST) > From: Fred > > The limitation seems to be in the testing process. > > An inviolable rule of test and measurement is that the testing process > must have a higher degree of accuracy and precision than is expected from > the item under test. If all you have is a non-graduated stick one meter > long, you can't measure increments of less than one meter unless you add > some additional resolution to the system (such as a human's judgment > that the object is four sticks, plus about another third of a stick, > long). Not if I am allowed geometry. I believe such situations are a test of lateral thinking more than any fundamental insite into nature. > > Our ability to synthesize pseudo-random data, and the degree to which > it approaches true random data, is limited by our ability to discern > between the two. If the best testing process available yields the > same results for the output of a true RNG and a particular PRNG, what > can be done to improve the randomness of the PRNG? How could we tell > the difference based on the data itself? What are you defining as random? The definition I use in practice is basicly that if I am given 100% intelligence on a stream of numbers the odds of my succesfully choosing the next number is never higher than chance. All data is random (by definition) until the pattern(s) can be discerned. In this context pseudo-random has a definite meaning, namely that it takes a long time to amass enough information about the data stream to break the chance boundary. The question quickly becomes, how do you test various sequences against one another for robustness? It seems to me that it has to be done statisticaly. One aspect of this is what I call the 'ghost' pattern. In short, in the process of analyzing some random data a pattern is found. Is it possible that there could be more than one pattern (ie interpretation) of the data? Is it possible for a data stream to contain two (or more) messages coherently? If a message does contain two or more coherent messages, how does this affect the size of the data? Can this occur only on messages above a certain size? From merriman at arn.net Thu Mar 28 09:44:59 1996 From: merriman at arn.net (David K. Merriman) Date: Thu, 28 Mar 96 09:44:59 PST Subject: Message-ID: <2.2.32.19960328054447.006cfbec@arn.net> -----BEGIN PGP SIGNED MESSAGE----- At 04:42 AM 03/28/96 -0800, Anonymous wrote: >At 12:21 AM 3/28/96, Syed Yusuf wrote: >>If a person who speaks three languages is tri-lingual >>If a person who speaks two languages is bi-lingual >> >>What do you call a person who only speaks one language? >> >>---------------------answer follows: >> >>An American. > >Or our version: > >What do you call a person who has to learn English as a second language in order to compete in the world? > >A foreigner. > >(Sorry for the insult, but it seems that this thread is bringing out insults from foreigners of all sorts.) > >--Tim > > >Dont be sorry! > >Foreigner can atleast speak broken English. Can American speak broken foreign language? As a matter of fact, I speak broken Tagalog, broken Japanese, pidgin Korean, and and can generally make myself understood in Chinese, Thai, Vietnamese, Spanish, and French. Oh, yes, I'm also fluent in Aussie :-) Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMVoK/8VrTvyYOzAZAQHrXAP/ZMOgx+VkqHXCQHBFXIdVVHzlCcJIo3L6 2LyqMnY0cJ5ZFD8mCNsBTTe2DAXFpN1WV03JFym/JIxAuL0TQuN0WKZ2HFSuk997 AZPo21whZbXVQlRGrr6JjiR8p2nqHMMBpNC2bfr2r/rny7UmnGGp8C1e6crPtrQF PiyDbd20zbM= =Swae -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From merc at redrose.net Thu Mar 28 10:23:14 1996 From: merc at redrose.net (MeRC) Date: Thu, 28 Mar 96 10:23:14 PST Subject: DES or RSA on a PIC Message-ID: <2.2.32.19960328182333.0072ff10@redrose.net> Does anyone have ANY code for DES or RSA encryption for use on a PIC microcontroler? A friend and I are developing an ASCII terminal (dumb term) that encrypts data going to the serial port and decrypts data coming from the serial port, so you could successfully send a message over a modem and have it automatically encrypted\decrypted. We have all the hardware almost done, but we are having a hell of a time writing the code for the encryption... Thanx in advance... l8r, -MeRC merc at redrose.net -or- merc at success.net -----BEGIN PGP MESSAGE----- Version: 2.6.2 iQCVAwUAMUC05tnn3Dsf47p5AQE6AAP9E/JebLn1UtkOk41IGw/i4XHKckVcI6RH ptBMucqx01sSTxaR8tXPmmkKjz5f3xndxepbbs6nKfoNuSaODWSirOlNvt3i1DWL iUmB9+rUYmwwlpD7t6qyy2XzsAxO/M/nFT4ZxO8wi96nR/Rmp00LvCoK+YcjgQnj HReyQrIl4X+ZAI0DMUCzOgAAAQQAv6IH+OnLeP+chsgwymSVKqsXHO1xwJLxs657 Cf3miDM3mNBB/qmRziQ1zHeC/nXgaGhR7eAdidL6MngDXl6+cw4Z5xXvenu5MpEW zpZpwDK5/XwuvCIexQP2eHIb2Ms6vna7fUoaHGrrV4844KIVg+E36ZgWT1ZP2efc Ox/junkABRGwAYe0I01pY2hhZWwgRC4gV2hpdGUgPG1lcmNAc3VjY2Vzcy5uZXQ+ sAED =ZbPJ -----END PGP MESSAGE----- From shabbir at vtw.org Wed Mar 27 19:29:16 1996 From: shabbir at vtw.org (Shabbir J. Safdar) Date: Thu, 28 Mar 1996 11:29:16 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <199603272043.PAA01837@panix4.panix.com> Lucky Green writes: >At 2:08 3/26/96, Shabbir J. Safdar wrote: > >It is a widespread myth that wiretaps require warrants. Court ordered >warrants are not required for a wiretap. They have not been required since >the Digital Telephony Bill passed. (see below) >That the net, the media, and even >attorneys are so blissfully unaware of this, even years after the provision >doing away with requiring warrants became law, is one of the finest >examples of cognitive dissonance you are ever likely to find. It is too >disturbing to believe it, so the mind ignores the facts. When everyone in the world seems to disagree with you, isn't it a good idea to check the facts? >Excerpt from the Digital Telephony Bill (deleted) [..] >"My supervisor approved it" may well suffice. Your misunderstanding of how interceptions are done is dangerous to what is otherwise a rational, intelligent argument. Indeed, there are ways to conduct a wiretap without a judge. They require dispensations from people like the Attorney General, for example. And this is certainly not a normal practice. There are a lot of reasons to object to DT, but this is not one of them. -Shabbir J. Safdar * Online Representative * Voters Telecomm. Watch (VTW) http://www.vtw.org/ * Defending Your Rights In Cyberspace From merriman at arn.net Wed Mar 27 19:34:44 1996 From: merriman at arn.net (David K. Merriman) Date: Thu, 28 Mar 1996 11:34:44 +0800 Subject: Let's *NOT* "Raise their Awareness" Message-ID: <2.2.32.19960327094237.006943d0@arn.net> -----BEGIN PGP SIGNED MESSAGE----- At 12:23 AM 03/27/96 -0800, Charles Bell wrote: >On Tue, 26 Mar 1996, David K. Merriman wrote: > > >Yes, and some years ago a State legislature (I forget which) passed a >resolution setting the value of pi at exactly 3. I'm not sure how they >planned to enforce their will. Do you know how the Texas judge means to >enforce his? Frankly, no. I would suspect some kind of visits from Child Welfare, or somesuch - fruitless though it may be. Dave -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMVjxCsVrTvyYOzAZAQFWfAP7BQTesPRwoK+ubvFxLg36tq634FdFAlue 5sMZO1D2yBfHEHsHyfpR7RBB2DrP8vqTjrcZjz9ctxg7ph5/sqYUWf37xkKbyLu2 byJMWfZhZDXIwDyhWU3RmJOUL+loisDzP7uNZtjoodJLro/QceSR4sqdgWa4xl59 eiPapVoaXdU= =1+fS -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From perry at piermont.com Thu Mar 28 11:34:44 1996 From: perry at piermont.com (Perry E. Metzger) Date: Thu, 28 Mar 96 11:34:44 PST Subject: What backs up digital money? In-Reply-To: Message-ID: <199603281933.OAA10926@jekyll.piermont.com> Blanc Weber writes: > Perry, here's a question for you, and I am seriously interested in your > answer: [...] > what, then, would you yourself consider proper for discussion here? > [in the context of digital cash discussion] I'd say that anything directly dealing with digital cash, its implications, deployment, and technical issues associated with it. General discussions of whether the Federal Reserve is a bunch of evil old men and the like are what are out of bounds. This means: "How does blinding work" and "Do you think that digital cash systems will hurt bank regulatory supervision" are fine things to talk about but "Do you think the Federal Reserve issues counterfeit money" are not. Perry From llurch at networking.stanford.edu Wed Mar 27 19:47:19 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 28 Mar 1996 11:47:19 +0800 Subject: About Triple DES ...... In-Reply-To: <19960327040302.536.qmail@ns.crynwr.com> Message-ID: On 27 Mar 1996 nelson at crynwr.com wrote: > Um, what if Victor and www.cs.hut.fi are only connected on a path that > traverses the United States? Can a person be convicted of ITAR > violations when they've never been in the U.S.? :) If neither endpoint includes US citizens or residents, or people working on the behalf of US citizens or residents, no. Very interesting hypothetical, though. I'm pretty sure that in this case, it's a fact, not a hypothetical. A more complicated hypothetical: if Victor told MCI/Sprint/whatever, the news media, and the US authorities of his intent to download triple-DES in this way, would MCI/Sprint/whatever be liable? Any cypherpunks in Latin America? How about from Asia to Finland -- what does that route look like? Something along the lines of that "Pastors for Peace" media hoax, which is a perennial show of an attempt to deliver US goods to embargoed Cuba, might be worth engineering. At some point in this exercise, though, we might be "raising awareness" among the wrong people, to cite Tim May. I wouldn't want NAFTA, the WTO, and so on enforcing ITAR. -rich From weisman at osf.org Wed Mar 27 19:49:17 1996 From: weisman at osf.org (David Weisman) Date: Thu, 28 Mar 1996 11:49:17 +0800 Subject: HP & Export of DCE In-Reply-To: <199603271619.LAA08716@homeport.org> Message-ID: <9603272147.AA19461@oberon.osf.org.osf.org> On Wed Mar 27, 1996, Perry E. Metzger wrote: Adam Shostack writes: > | Adam Shostack writes: > | > Well, if Leahy passes, DCE is exportable. DCE is exported today, although without the ability to encrypt application traffic. Authentication and message integrity are in the export version. They are attacks against Diffie-Hellman. I don't know if DCE uses D-H in a similar manner. The main problem was too small a (fixed) modulus. DCE RPC uses Kerberos V5 to establish DES session keys. Dave From karlton at netscape.com Wed Mar 27 19:49:18 1996 From: karlton at netscape.com (Phil Karlton) Date: Thu, 28 Mar 1996 11:49:18 +0800 Subject: Edited Edupage, 24 March 1996 In-Reply-To: <315908B5.72DA@netscape.com> Message-ID: <31598E35.1CFB@netscape.com> Perry E. Metzger wrote: > 2) I strongly hope that Netscape tries to move the product towards > standards based mechanisms like the IETF's RTP protocol, which are > in widespread use, rather than pushing yet more proprietary > systems. Proprietary is bad in this instance. Personally, I have some trouble with the work proprietary above. SSL 2 and SSL 3 protocols have been IETF drafts from the beginning. Discussion has been going on in a public forum since SSL 2 was first proposed. (Send a message to ssl-talk-request at netscape.com with "subscribe" in the Subject: to join the discussions. There is no trademark or copyright on the name. Netscape makes an SSL 2 implementation available with a no-cost license for non-commercial applications Other implementations done directly from the SSL 2 spec are also available. SSL 3 has been made available to the newly convened IETF Transport Level Security working group. If you want to be involved in the process send a message to ietf-tls-request at w3.com with "subscribe" in the Subject field. SSL does depend upon an underlying reliable bytestream. This means it is not the best choice for all applications. There are many for which it is more than adequate. PK -- Philip L. Karlton karlton at netscape.com Principal Curmudgeon http://home.netscape.com/people/karlton Netscape Communications They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. - Benjamin Franklin From rkmoore at iol.ie Wed Mar 27 19:50:49 1996 From: rkmoore at iol.ie (Richard K. Moore) Date: Thu, 28 Mar 1996 11:50:49 +0800 Subject: ITAR double standards? Message-ID: 3/26/96, Timothy C. May wrote: >So, did Intel have to apply to the State Department's office on munitions >exports in order to send engineers to Malaysia, Israel, Germany, Ireland, >etc., to do development work? Not that I ever heard. Engineers simply >hopped on planes and that was that. So true. When I worked in Silicon Valley firms, I noticed how International Air Courier services were used entirely like Interdepartmental Mail, with no concern for export laws or import duties, etc. If we travelled overseas, _of course_ we took our laptop with all it's software (including encryption), and _of course_ we'd leave software copies on colleagues hard disks, after doing demos and such. All with a sense of total righteousness -- we were tax-paying wage-earners just doing our job. There's a real irony here, if you think about the Barlow-expressed sentiment that cyberspace is a new free domain, having achieved escape velocity from terrestial anachronisms. While Barlow's critics, it seems, demolished _that_ thesis as wishful thinking, there's a parallel thesis that may actually be true: that _corporate environments_ have achieved escape velocity from civil jurisdiction, and now live in a world where rules & ethics are relative only to corporate culture, and "parochial" national laws are to be quietly ignored, knowing there's a highly-paid legal staff to deal with occasional embarrasments. We dream and they implement. Cheers, Richard rkmoore at iol.ie (not on cypherpunks) ~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~--~=-=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~ Posted by Richard K. Moore - rkmoore at iol.ie - Wexford, Ireland Cyberlib: www | ftp --> ftp://ftp.iol.ie/users/rkmoore/cyberlib ~=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~--~=-=-=-=-=-=-=-=-=~=-=-=-=-=-=-=-=-=~ From anonymous-remailer at shell.portal.com Wed Mar 27 19:51:17 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Thu, 28 Mar 1996 11:51:17 +0800 Subject: Bad news from Judge Richey Message-ID: <199603270201.SAA20273@jobe.shell.portal.com> At 11:33 PM 3/25/96 tcmay wrote: ------------------- jim bell: >talk to Jim Bell about implementing a program using encryption that doesn't >_need_ to be exported...legally anyway. tcmay: You're coming perilously close to actually calling for the killing of a federal judge. My recollection is that a couple of folks have been arrested and charged for calling for the killing of judges. ------------------- Any half-wit falling for Bell's agent provocateur setup will do hard time, or maybe get popped by his twitchy TLA watchers. The son-of-a-bitch's baiting with pigeons, no question. He's too myopic to see he's setting up falcons for gutting by high-circling eagles, who'll claw him too. Bell's going down blind-sided with his gulls, all easy prey. From tcmay at got.net Wed Mar 27 19:53:12 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 28 Mar 1996 11:53:12 +0800 Subject: Why Americans feel no compulsion to learn foreign languages Message-ID: At 8:17 PM 3/27/96, Michael Helm wrote: >On Mar 27, 3:13am, Timothy C. May wrote: >> Americans are typically thousands of miles away from those speaking >> Japanese, Mandarin, Tagalog, Polish, Italian, Dutch, Spanish, Hindi, >> Talegu, and the hundreds of other languages. It is not at all clear what >> language Americans should pick as a "second language" to study. > >I don't really disagree with the conclusions drawn by this poster, or >with the quasi-economics argument he makes. However, I must say that >the above is completely wrong. MOST Americans live in large urban >areas, & as such are within seconds/footsteps of people whose native >languages are not English (or who don't have a single "native language", >but several!). There are probably _hundreds_ of languages spoken in the >San Francisco Bay Area. The school districts here routinely report double >digit languages in the school age population. And? Your point being? "All learning is economics," to paraphrase our noted saying about security. Because there are diverse groups within 100 miles away speaking a babel of languages, including a per cent or so each of Thai, Talegu, Mandarin, Vietnamese, and so on, do I understand your point that I should pick one of these languages and spend a year or so learning it well enough to say to one of these groups, "Hello, can you tell me which way to the train station?" My point is not against the learning of a foreign language, just that economic considerations _must_ play a role. (Of course, people are free to ignore economics and "follow their bliss." A friend of mine studied Sanskrit for several years, and I even spent some time studying some Old Icelandic a few decades ago.) My European friends usually study the language of their direct neighbors and important trading/scientific partners. English, German, French, typically. >There are 3 Spanish language channels (& another 2 ... "multiple >choice") on my tv cable system. That anglophones choose to tune them >out, or to not even notice the Noah's ark around them, says something >about this culture. "Says something about this culture." Insults aside, you are right. I will sign up with the local JC for a study of Vietnamese, just so I won't be ignoring this cornucopia of polyglotism. (One person communicated with me in private about this, saying that the international nature of the Internet is an ironic counterpoint to my point. So I promised this guy I would learn Hindi and Polish to better be able to use the Internet. Of course, this'll take me a few years, and then I'll no doubt find that I don't have any interest in talking to the people on the Net who speak in Hindi or Polish, but, what the hell, I will have reduced my "anglophone chauvinism quotient.") --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From EALLENSMITH at ocelot.Rutgers.EDU Wed Mar 27 19:53:47 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Thu, 28 Mar 1996 11:53:47 +0800 Subject: Tim's friend's mildly retarded son Message-ID: <01I2STD1A5SI8ZDZ7I@mbcl.rutgers.edu> From: IN%"tcmay at got.net" 22-MAR-1996 00:47:25.47 >At 11:17 PM 3/21/96, E. ALLEN SMITH wrote: >> This topic's relevance to Cypherpunks, aside from the confirmations >>that you mentioned, is low... aside from that it's of interest to Extropians >>such as myself and Tim May. >In recent months, a self-appointed group of list members have taken upon >themselves to argue that _anything_ that does not have to do with certain >topics they find appropriate is "not related to crypto, so take it >elsewhere." Regrettably, most reasonable people have grown quiet about >anything that smacks of politics or ideology, leaving the field clear for >certain ranting lunatics. Umm... I was referring to the discussion in regards to whether "smart drugs" work or not, not the discussion on the FDA. Sorry if I wasn't clear. Admittedly, some of my comments with regards to the FDA's ultraconservative/better-safe-than-sorry (depending on whose side you take) policy can be extended to an analysis of the NSA's behavior - putting the brakes on cryptography even after it becomes useless to do so, and after it becomes _necessary_ for America's future (commerce et al). -Allen From shamrock at netcom.com Wed Mar 27 19:58:17 1996 From: shamrock at netcom.com (Lucky Green) Date: Thu, 28 Mar 1996 11:58:17 +0800 Subject: [NOISE] Employers need pseudonymous off-shore remailers Message-ID: Today, I tried to find out what it takes to hire someone who is in the US on a student visa (F-1) as a consultant or part-time employee. The person is an expert in his field. I don't know anyone available with a similar proven track record. I thought, no problem, there are INS exceptions for foreign experts. So I set on a quest to find out what it takes to get the INS to grant that person a work permit. The process is simple. All I have to do is ask the California Employment Development Department for a labor certificate, give that to the INS together with an application and the required fees, after which they'll issue the permit. Getting the certificate takes usually eight months, processing the application about four months. So the whole process takes about *a year*. I was stunned. Here I am willing to hire someone to work on a product that will generate taxes in the US, and the bureaucrats are asking me to wait a year. These people have lost any touch with reality. Not that *I* would do such a thing, but an off-shore pseudonymous remailer, with payment in ecash might go a long way... [Disclaimer: Speaking only for myself, not for my employer] -- Lucky Green PGP encrypted mail preferred. From tcmay at got.net Wed Mar 27 19:58:21 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 28 Mar 1996 11:58:21 +0800 Subject: Why NSA is afraid that ITARs will be thrown out in court Message-ID: At 4:45 AM 3/26/96, jamesd at echeque.com wrote: >At 12:23 PM 3/25/96 -0800, Timothy C. May wrote: >> Besides, I think the best way to overturn the >> ITARs is through a court challenge; as I have noted, even the NSA's lawyers >> felt that the ITARs would not withstand court scrutiny. > >Note that the spooks have carefully avoided a full bore court >showdown. They harassed Phil until the statute of limitations >caught up with them, but never brought it to trial. If we had >no further legislation, and the courts broke ITAR, we would >be home free. No plausible legislation could give us that. Someone said he had missed my reference to this, and wanted to know more. So, I'll also pass it on here again. In the summer of 1994 I got a call from Carl Nicolai, the inventor of the "PhasorPhone," an audio-scrambling phone that was suppressed with a Patent Secrecy Order (ordered by the NSA). This was around 1980-81, and is covered in Bamford. He told me a bunch of things, including this: Carl and his lawyer got access to papers inside the NSA building, though they could not make copies. They found memos from NSA staffers saying that the ITARs had never been tested in court and would not likely survive a full Constitutional test and that it would thus be best if court cases were avoided. I passed this information along (if memory serves) to Lee Tien, representing Gilmore in various cases, and to Phil Karn. (One of them, I don't recall which, posted a message a while later saying that such documents had been found....I don't recall the details, but this was probably around fall of 1994.) Whether this NSA paranoia has anything to do with the final decision on the Zimmermann et. al. matter is unclear, but it is likely that a very strong challenge to the ITARs--maybe the appeal by Phil Karn is such a challenge, maybe the Bernstein case--will result in big chunks of the ITARs being thrown out. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From admin at dcwill.com Wed Mar 27 20:35:52 1996 From: admin at dcwill.com (Fred) Date: Thu, 28 Mar 1996 12:35:52 +0800 Subject: Random Number Testing Message-ID: <199603270200.SAA18549@python.ee.unr.edu> JonWienke at aol.com writes: > > The "randomness" of the output of my sieve is obviously not perfect. > > However, it will remove bytes from a data stream that "randomness" tests > > describe as "nonrandom". And Perry writes: > You are displaying a profound ignorance of the notion of "random" > here. An individual byte cannot be random or nonrandom. Random is a > statistical property, and therefore can only apply to a mass of > data. The limitation seems to be in the testing process. An inviolable rule of test and measurement is that the testing process must have a higher degree of accuracy and precision than is expected from the item under test. If all you have is a non-graduated stick one meter long, you can't measure increments of less than one meter unless you add some additional resolution to the system (such as a human's judgment that the object is four sticks, plus about another third of a stick, long). Our ability to synthesize pseudo-random data, and the degree to which it approaches true random data, is limited by our ability to discern between the two. If the best testing process available yields the same results for the output of a true RNG and a particular PRNG, what can be done to improve the randomness of the PRNG? How could we tell the difference based on the data itself? About all you could do would be to critique the PRNG or sieving process from an empirical perspective and hope that you weren't introducing some other non-random bias to the system. I'm sure that some perfectly random data would be discarded as being non-random, especially for a small sample size. The sequence HHHHTTTT doesn't look random, but this outcome of 8 flips is equally probable for a "perfect" coin. Do you keep this data or toss it because it doesn't "look" random? If you toss it, aren't you removing entropy from the sample? It may be (relatively) easy to say that radioactive decay is a truly random process and a sieve which discards certain re-occuring values is not. Improving the testing process, and increasing the size of the data used for that testing, will improve the sieve output. However, it looks like an asymptotic situation: the PRNG can approach, but never quite reach, the true RNG case. As long as human analysis and discretion is involved, there will always be a certain amount of non-randomness in the output of a PRNG. My question: if you don't know the source of the data, how can you _really_ determine if it's random enough for crypto use? Given any PRNG string of a certain length, does the fact that I might be able to find that exact same data string buried in a mountain of truly random data mean that it's suitable for crypto use? If you knew that I created the data from the clock of my workstation, then maybe not. But otherwise? Fred From EALLENSMITH at ocelot.Rutgers.EDU Wed Mar 27 20:37:29 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Thu, 28 Mar 1996 12:37:29 +0800 Subject: Edited Edupage, 24 March 1996 Message-ID: <01I2T0RRDGQO8ZDZIP@mbcl.rutgers.edu> From: IN%"educom at elanor.oit.unc.edu" 26-MAR-1996 19:24:26.78 To: IN%"edupage at elanor.oit.unc.edu" "EDUCOM Edupage Mailing List" CC: Subj: Edupage, 24 March 1996 ***************************************************************** Edupage, 24 March 1996. Edupage, a summary of news items on information technology, is provided three times each week as a service by Educom, a Washington, D.C.-based consortium of leading colleges and universities seeking to transform education through the use of information technology. ***************************************************************** >ONLINE TRADING >Lombard International Brokerage in San Francisco and Pawws Financial Network >in New Jersey are two brokerage houses that have opened Internet trading >services, allowing customers to monitor their portfolios and retrieve >corporate and financial information from brokerage databases or through >links to other Web sites. "You're seeing the culmination of the information >brokerage -- with customer service, advanced analytical tools, and news >available at one place and one time on the most incredibly productive medium >that ever existed, the Internet," says Lombard's CEO. By incorporating a >Java applet into their Web design, Lombard's Web site refreshes its >information every 30 seconds so that intra-day trading charts are >automatically updated. The Pawws trading system, a tailored version of the >Security APL cash-management system, is used by several other investment >houses to display their wares. "Why should we spend time and money to tell >people how to get a modem to work? We provide brokerage -- not technical -- >services," says one user. (Information Week 11 Mar 96 p64) And discount >broker Charles Schwab & Co. will begin this May to allow its customers to >trade listed and over-the-counter stocks, get real-time quotes, and access >account information using the Schwab site on the World Wide Web. (Atlanta >Journal-Constitution 22 Mar 96 F3) They're using _Java_ to do this? >PORN IS A GOLD MINE FOR IDT >Tiny IDT Corp. has found a way to differentiate itself from the >run-of-the-mill Internet access provider. It pitches its service to porn >aficionados, with ads like: "With IDT, I access *all* Internet services. I >said *all* Internet services -- get that smirk off your face." In fact, its >service and pricing are similar to everyone else's, but its subscriber base >has grown six-fold to 65,000 in the past six months using this approach. >"IDT is looking for a marketing niche, and given how we think the primary >Internet audience is -- lonely 20-something and 30-something males -- why >not aim that niche at them?" says Gary Arlen, an Internet consultant. (Wall >Street Journal 22 Mar 96 B4) An interesting way to differentiate oneself. I would suggest that anonymnity (i.e., C2) would be a logical add-on. >NETSCAPE TO GET IN ON THE PHONE-BY-INTERNET ACTION >Netscape co-founder Mark Andreessen says that within six months the company >will build into its Navigator program voice software (which it calls Insoft) >for making low-cost long distance calls via the Internet into its Navigator >program and that long-distance phone companies increasingly won't be able to >justify their rates for telephone service. (Sydney Morning Herald 13 Mar 96 >via Individual Inc.) Any possibility that Netscape might build in some form of cryptography? I realize ITAR rules would make this problematic, but perhaps some sort of out-of-country deal for putting in the hooks for PGPhone could be done. -Allen >Edupage is written by John Gehl (gehl at educom.edu) & Suzanne Douglas >(douglas at educom.edu). Voice: 404-371-1853, Fax: 404-371-8057. >Technical support is provided by the Office of Information Technology, >University of North Carolina at Chapel Hill. >*************************************************************** >EDUPAGE is what you've just finished reading. To subscribe to Edupage: send >a message to: listproc at educom.unc.edu and in the body of the message type: >subscribe edupage Graham Greene (assuming that your name is Graham Greene; >if it's not, substitute your own name). ... To cancel, send a message to: >listproc at educom.unc.edu and in the body of the message type: unsubscribe >edupage. (Subscription problems? Send mail to educom at educom.unc.edu.) From cpunk at remail.ecafe.org Wed Mar 27 21:01:23 1996 From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer) Date: Thu, 28 Mar 1996 13:01:23 +0800 Subject: Sun patch pulled (was Re: HP & Export of DCE) Message-ID: <199603272316.XAA13429@pangaea.hypereality.co.uk> I noticed that Sun's latest libc patch (101759-04) is empty. Previous versions contained the complete U.S. version of libc, including the tres-dangerous DES and crypt functions. In the current rev only the README remains, presumably because: EXPORT INFORMATION: This patch includes code which performs cryptographic functions, which are subject to U.S. export control, and must not be exported outside the U.S. without prior approval of the U.S. government. Prior export approval must be obtained by the user of this patch. So, you might ask, what fixes is Sun not distributing??? (Rev 04) 1190985 gethostbyname() can trash an existing open file descriptor. 1182835 portmapper silently fails with version mismatch by PC-NFS client 1219835 Syslog(3) can be abused to gain root access on 4.X systems. Yup, that's right. The syslog hole that was so well publicized by CERT will remain open indefinitely because the ITAR makes it illegal for Sun to distribute the fix! So did HP and Sun spontaneously, simultaneously develop crypto awareness, or is some gummint dweeb whispering threats in their ear? From unicorn at schloss.li Thu Mar 28 13:10:31 1996 From: unicorn at schloss.li (Black Unicorn) Date: Thu, 28 Mar 96 13:10:31 PST Subject: What backs up digital money? In-Reply-To: <199603280239.SAA15391@netcom17.netcom.com> Message-ID: On Wed, 27 Mar 1996, Mike Duvos wrote: > tcmay at got.net (Timothy C. May) writes: > > > At 1:46 PM 3/27/96, Scott Schryvers wrote: > > >> Question. If e-cash were backed by gold would that make it > >> more reliable than say the dollar? > > Not necessarily. Historically, gold emerged as the primary > currency metal because [Excellent points about gold's practical use, good timing, and industrial value countered by the current lack of industrial value.] > Basically, one can create monetary value for any commodity whose > supply can be controlled, usually by the folks wishing to lend it > value, by simply making a stable market in it, and having the > reputation and power to control that market in perpetuity. > > The best example of this is probably the diamond market. Here we > have a rare but intrinsically worthless material, the gem quality > diamond, which has no useful industrial applications at all, > since non-gem quality diamonds and substitutes, both synthetic > and natural, are in abundance. I was with you until this. In fact diamonds are anything but rare. Their value is the result of the most exceptional marketing by DeBeers, and the very tight restrictions on supply. I might note that the restrictions on supply are even somewhat tangential. DeBeers has created one of the most historic, long standing and impressive market distortions anyone has ever seen. Of course this only goes to further the argument (which I think you are adopting) that it is fairly simple to estlablish a commodity of "value" regardless of intrinsic worth) > Gem quality diamonds are extremely valuable, because their supply > is carefully controlled, and because of clever marketing designed > to convince every male human in North America and most of Europe > that shelling out two months salary for one is the unique and > true symbol of everlasting love. Even gem quality stones are relatively abundant believe it or not. > The diamond industry has even made plans for the holographic > fingerprinting of every diamond they release, should synthetic > gem-quality diamonds ever hit the market, so that they may > continue their control of the supply of their "currency", even in > the face of a flood of absolutely identical "unsanctioned" gems. Again, even absent the intrinsic value of the substance it seems that marketing and perception will dictate "effective value." > I recall a very clever Science Fiction story I read a number of > years ago in which aliens completely destroyed human civilization > by manufacturing all the world's goods and services, and > accepting payment only in cowpies, which were subject to an > arbitrary and complicated grading system similar to that used by > modern gemologists. One day, the aliens simply left, and human > civilization, consisting mostly by then of PhD Cowflopologists > with expertise only in interpreting swirls on lumps of shit, > promptly folded. This is precisely the point, and why, while I agree with your comments about gold today, I think the most important issue is the long term solvency of a commodity. As you have noted, anyone can make a substance worth something in the short term. (Tulips) The challenge, and the goal in my view, is to create a currency based on a backing which endures the long term, and the unthinkable (collapse of a major government or some such). > Before I digress to far from your original question, let me state > the point I am trying to make here. If a entity, or group of > entities, with reputation and power to make a market, decide to > demoninate a currency using a rare commodity, it makes little > difference whether the rare commodity is near-perfect crystals of > carbon found only on land that they own, a vault filled with gold > bars, exponentiated random numbers modulo the product of two > large but closely guarded primes, or statistically unlikely > swirls in wads of digested plant material dropping from the butt > of a cow. > > In all these cases, the important thing is not the commodity, but > the entities guaranteeing the market, and the perception of their > reputation and ability to support said currency in perpetuity. > Absolute control over the supply of the commodity in question > doesn't hurt either. When the value of the intrinsic worth of a commodity in question does become apparent is in periods of transition, flux, disorder, or strife. The security of a currency is going to be a major factor, especially immediately following introduction, to its popularity- except in unusual circumstances (tulips, market distortions, etc.) > Indeed, US government backed e-cash would be a far more trusted > and reliable currency than gold backed currency printed by > DigiCash BV. I'm not sure this is precisely true. While gold itself might not be the best choice, the general principal that a commodity based currency is less secure or trustworthy than a government backed one (even a powerful and imposing government) is not one I'm prepared to endorse without reservation. > One good inflation-resistant indicator of whether gold is a good > value is the ratio between gold and silver prices. Both of these > metals are mined with similar difficulty, and have similar uses > for backing currency and as coinage metals. Historically, there > have been times when gold and silver prices were approximately > equal. > > I have no doubt that if the unwashed masses were sold the notion > that gold was the single reliable inflation-proof form of wealth > they could own, and the holdings of international bankers were > sold into the hands of millions of individual citizens, a > controlled devaluation would follow, together with much chortling > and uncorking of champagne, as gold and silver prices became > nearly equal again. I believe this correct. > As long as people who count have vaults full of the stuff, and > wish to carry it on their books as an expensive asset, it will of > course continue to have its current inflated value, and nothing > will be done to depress the market. In that sense gold is a > reliable asset, as long as most of the little people refrain from > jumping on the bandwagon. Just like diamonds. Again, while the commodity itself (gold) may not be appropriate, I don't believe this ends the argument. > > No form of digital money extant is an actual currency in > > the conventional sense. Nor does this seem likely. Nor > > necessary. Nor useful. Nor important. > > Actual currency can circulate forever in the economy without > eventual conversion into some other kind of money. The > requirements of current digital cash systems for centralized > clearing to eliminate double spending and to mint new coins tends > to preclude the kinds of perpetual peer-to-peer transactions we > think of when we conceptualize "currency." Which suggests that private currencys must utilize e-cash (if at all) merely as monetary instruments which continue to look much like what exists today. (e.g., drafts, checks, bonds...) > Real electronic currency could be invented, but would have to > live its life within a population of tamper-proof smart cards > communicating with each other through secure protocols. Whether > anyone will bother to implement such a system remains to be seen. I concur. > Until then, the "check" model of digital money is, as Tim points > out, the correct one. I concur again. > > The point being that talking about "what backs up digital > > cash?" is misleading. (What really backs it up is the > > reputation of the entities, but I digress.) > > "The reputation of the entities" is the only important > consideration regardless of what the cash is denominated in. In > most cases, the valued commodities, if they exist, are simply > pretty window-dressing for some unseen but powerful syndicate. Yet here I must differ. I'm still not convinced that a legitimate commodity somewhat resistant to the market distortions you cite does not exist. Don't ask me what it is yet, I'll have to give it some thought. > -- > Mike Duvos $ PGP 2.6 Public Key available $ > mpd at netcom.com $ via Finger. $ --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From cmca at alpha.c2.org Wed Mar 27 21:50:24 1996 From: cmca at alpha.c2.org (Chris McAuliffe) Date: Thu, 28 Mar 1996 13:50:24 +0800 Subject: HP & Export of DCE In-Reply-To: <199603271619.LAA08716@homeport.org> Message-ID: <199603272239.OAA07314@eternity.c2.org> -----BEGIN PGP SIGNED MESSAGE----- [To: Adam Shostack ] [cc: perry at piermont.com, cypherpunks at toad.com] [Subject: Re: HP & Export of DCE ] [In-reply-to: Your message of Wed, 27 Mar 96 11:18:49 EST.] <199603271619.LAA08716 at homeport.org> Adam Shostack shaped the electrons to type: >I wasn't aware there were multiple things masquerading under the name >Secure RPC. In any event, does the crypto in DCE stand up to the >LaMacchia/Odlyzko attacks? (And did Sun ever upgrade what they ship?) DCE security (including RPC) is Kerberos based, somewhere between V4 and V5, and appears to be about as strong as DES lets it be. Chris McAuliffe (No, not that one.) -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMVm++YHskC9sh/+lAQE4JgP/dbXJoUnpx/RyiYTvRe6Zrek5j+h5B6QX nusogJioZdAts2SjEjIOVfEdAtoZ/MGVyn8p750np6UttvUCfFfiCZ7uIydMEQEm IZAZ1ep3MpyaAKgpGrqyDz47ic/Kk0iit2WwEXjvkN8c+PoXrvKPjkW7ugjHqQgf 4EkPBSlI+f8= =iZQA -----END PGP SIGNATURE----- From janzen at idacom.hp.com Wed Mar 27 21:58:54 1996 From: janzen at idacom.hp.com (Martin Janzen) Date: Thu, 28 Mar 1996 13:58:54 +0800 Subject: HP & Export of DCE In-Reply-To: <199603271619.LAA08716@homeport.org> Message-ID: <9603272138.AA03891@sabel.idacom.hp.com> -----BEGIN PGP SIGNED MESSAGE----- Adam Shostack writes: > | > Well, if Leahy passes, DCE is exportable. Anyone know if the > | > 'SecureRPC' in DCE is the one BAL broke years back? > | > | No, they broke Sun's Secure RPC, which is different. > > I wasn't aware there were multiple things masquerading under the name > Secure RPC. Yes, there are. The term "RPC" is sometimes used generically, to refer to any remote procedure calling mechanism, but also refers to at least two distinct implementations. The first "RPC" was produced by Sun's Open Network Computing group. This is still the most commonly used, as Sun made the source code available at no cost [1]. Many vendors (including HP) now provide it as a standard part of their UNIX distribution [2]. A transport-independent version, TI-RPC, was later produced, but this doesn't appear to be quite as widely used, though I think it is in Solaris. (Sorry, I don't know of an archive site for this; try Alta Vista et al.) Sun's version of "Secure RPC" includes Unix (uid-based) and (in North America) DES authentication. The basic mechanism can support other authentication schemes as well, though I've never actually heard of any alternative implementations. This is the "Secure RPC" whose key exchange was cryptanalyzed by LaMacchia and Odlyzko [3]. Another "RPC" comes from the Open Software Foundation, who unfortunately chose the same acronym for the remote procedure calling mechanism in their Distributed Computing Environment (DCE). This DCE is a part of the OSF/1 operating system, but implementations are available for many versions of UNIX, often as a separate product or option. The DCE Security Services are discussed a bit in the DCE FAQ [4], and O'Reilly has an entire book on the subject [5]. To confuse matters further, it now seems that Microsoft has added an "RPC" mechanism to Windows NT and 95. This is sort of compatible with OSF DCE RPC, but not entirely; see [4]. In short, it would help to avoid massive confusion if people were more specific: refer to "DCE RPC", "ONC RPC" (or "Sun RPC", if you must :), or "Microsoft RPC", not just to "RPC". - -- Martin Janzen janzen at idacom.hp.com Pegasus Systems Group c/o Hewlett-Packard, IDACOM Telecom Operation [1] Try ftp://bcm.tmc.edu/nfs or ftp://wuarchive.wustl.edu/systems/sun/ sun-exchange/rpc4.0, or a comp.sources.unix archive site. [2] To see if you have it, type "man rpc", or search your C library using something like "nm /lib/libc.a | grep clnt". If it's installed, you should see functions like "clnttcp_create", "clntudp_create", etc. If not, look for a separate librpc.a in /lib, /usr/lib, /usr/local/lib, or what have you -- or ftp it from the archive sites and build your own. [3] Here's the reference, courtesy of Matt Blaze: @article{nfscrack, author = {Brian A. LaMacchia and Andrew M. Odlyzko}, journal = {Designs, Codes, and Cryptography}, pages = {46--62}, title = {Computation of Discrete Logarithms in Prime Fields}, volume = {1}, year = {1991}, } Brian also has a home page, http://www.swiss.ai.mit.edu/~bal/bal-home.html but as my Net connection is flaky right now, I can't tell whether this article is available there. [4] The DCE FAQ is at http://www.osf.org/dce/faq-mauney.html or ftp://ftp.dstc.edu.au/pub/DCE/FAQ. [5] "DCE Security", Wei Hu, O'Reilly, ISBN 1-56592-134-8. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMVm1GG3Fsi8cupgZAQHKkwP/QQaKNEuwuvNo5E+8Myu2P/Dv70Ha4p88 RhtEH11oBH4IjMksqL0J+o8qSOwiBA/bcciW6y8ef1gSgwFxmdbEqGmLftSGjYNU D6r8C5LmSkmmtQuLcXUE+QVEBLIXmnYC0tIwbqprGGm0soQpW0GbzZtgXtrECm0H Vi1bsJ+LEJQ= =3e3P -----END PGP SIGNATURE----- From anon-remailer at utopia.hacktic.nl Wed Mar 27 22:22:46 1996 From: anon-remailer at utopia.hacktic.nl (Anonymous) Date: Thu, 28 Mar 1996 14:22:46 +0800 Subject: No Subject Message-ID: <199603272255.XAA18678@utopia.hacktic.nl> :: Subject: HP ships full DCE internationally As I sit, somewhere not in North America, I can see a CD-Rom from Hewlett-Packard, which I've had since last year. Recently I received the following letter. I've attempted to retype its contents accurately. ---------8<--------8<--------8<--------8<--------8<--------8<--------8< [HP Logo] Hewlett-Packard Company Software and Information Delivery Operation, SST 690 East Middlefield Road Mountain View, California 94043 415/968-9200 Dear HP-UX Support Customer, Hewlett-Packard has uncovered a bundling problem in the DCE-Core fileset that is on the October HP-UX Application Release 10.0 s700/800 Application CDs. These products were bundled such that they are not compliant with U.S. Government export regulations. The part numbers for the affected CDs and products are listed below. If you have updated your systems using these CDs or for the products listed on the October HP-UX Application Release Media, please update your system with the enclosed January HP-UX Application Release 10.0 s700/800 Application media, and destroy the October media. If you have not updated your systems with this media, please just destroy the October Application Release media and use the new enclosed Application media. If you require a replacement for the October HP-UX 10.0 s700/800 Application CD that has this bundling problem corrected, please contact your local support office to request shipment of the new CD. Hewlett-Packard apologises for any inconvenience you may experience due to this bundling issue. Sincerely [signed] Charles Henderson Software Information and Delivery Operations CD PART NUMBERS --------------- 24998-11710 SE application s700 10/95 24998-11711 SE application s800 10/95 B3782-10054 Trade application s700 10/95 B3920-13614 Trade application s800 10/95 PRODUCT NUMBERS --------------- 10.01 800 B3191A DCE CORE SRV MEDIA/DOCU INTL 10.01 800 B5162AA DCE 9000 Executive Client 10.01 800 B3519AA DCE QUICK START KIT INTL S800 10.01 800 B3923AA CICS/9000 Bundle Media & Manuals, Int'l 10.01 700 B2921A DCE Core Services International 10.01 700 B5162AA DCE 9000 Executive Client S700 10.01 700 B3519AA DCE Quickstart 700 Bndl Int'l Document P/N: 5964-5231 ---------8<--------8<--------8<--------8<--------8<--------8<--------8< Excuse me, I just have to go and destroy that CD :-) From deven at ties.org Wed Mar 27 22:35:43 1996 From: deven at ties.org (Deven T. Corzine) Date: Thu, 28 Mar 1996 14:35:43 +0800 Subject: National speed limits and expansion of federal power... In-Reply-To: Message-ID: <199603272306.SAA13695@escher.ties.org> At 11:47 PM 3/26/96, Jim Bell wrote: >They just recently repealed the national 55 MPH speed limit. Even though it >was repealed by law, in the same way it was passed, plenty of people have >argued that the Federal government has no jurisdiction in this area. Those >arguments are absolutely valid, even if they were ignored. The danger in >giving the government implicit authority in areas not mentioned in the >Constitution is that it is not clear how far such justification extends. Actually, the national government didn't even *pretend* it had jurisdiction here. Instead, they used an indirect approach -- they passed laws which denied some of the existing highway funding to states with higher speed limits than 55 MPH. (Later this limit was raised to 65 MPH, given some additional restrictions such as proximity to population centers.) Any and all states were perfectly free (in theory) to ignore this "national speed limit" and set any limit or no limit at all. In practice, no states exercised this hypothetical freedom, because they had already grown dependent on highway funds provided by the national government. Thus, through indirect pressure exerted through the funding mechanisms, the national government was able to usurp perogatives which were clearly in the domain of the states. The national government has expanded greatly in size and powers in times of war and national crisis. In particular, FDR spearheaded the massive growth of the national government in response to the Great Depression, and it has continued to grow ever since. More and more often, the national government usurps traditional state's roles, even in situations of unquestionable state jurisdiction such as national speed limits. The elastic clause was one key tool used for this expansion. Another key tool is the commerce clause, which has been seriously abused to secure new powers for the national government. I don't think I'll go into it right now... >If the government can limit us to 55, then why can't they limit us to 40-bit >keys? The national government didn't impose 55 MPH speed limits on us, the states did it under national pressure. As for whether they can legitimately limit cryptography use and technology, we don't have any clear answer yet, in any legal precedent. Of course, most of us hold the opinion that cryptography should be considered Constitutionally protected as free speech, but politics get involved when these things get decided... Deven From EALLENSMITH at ocelot.Rutgers.EDU Wed Mar 27 22:42:53 1996 From: EALLENSMITH at ocelot.Rutgers.EDU (E. ALLEN SMITH) Date: Thu, 28 Mar 1996 14:42:53 +0800 Subject: (X:x)e$ 's other use Message-ID: <01I2STLT1O4C8ZDZ7I@mbcl.rutgers.edu> From: IN%"llurch at networking.stanford.edu" "Rich Graves" 22-MAR-1996 05:45:53.77 >Digital cash, if people can be convinced to trust it, will be a wonderful >thing because of its security, convenience, and anonymity features. I'm >sorry, but I just don't buy this "corrupt currency" schtick. While corrupt isn't quite the right word, the dollar is a politically-influencable currency. And the politicians tend to press for higher inflation and lower unemployment, because that gets them elected. The Fed has done an actually rather admirable job of standing up to the pressure (compared to how they might have behaved), but that we've got real inflation testifies to that they haven't been completely successful. Moreover, the banks that are in the Federal Reserve network have a motivation to have low interest rates for what _they_ get charged, despite this inflating the currency... thus, they've got some motivations to mismanage things. -Allen From unicorn at schloss.li Wed Mar 27 22:44:45 1996 From: unicorn at schloss.li (Black Unicorn) Date: Thu, 28 Mar 1996 14:44:45 +0800 Subject: So, what crypto legislation (if any) is necessary? (Was List O' , , shame) In-Reply-To: Message-ID: On Mon, 25 Mar 1996, Rich Burroughs wrote: > On Mon, 25 Mar 1996, Simon Spero wrote: > > > > > If the Leahy bill is unacceptable, what legistlation is necessary? I > > can't see how the use of cryptography in the commission of a crime needs > > to be a separate offence, but I could see how it could be treated as a > > special circumstance - that doesn't really needed a new law though. > [snip] > > Good question. > > Along this line -- what are the penalties for withholding other types of > possible evidence from investigating officers? It seems that often the > penalites for "computer crimes" are more harsh than for the "normal" > version of the crime. Is that the case with the penalties in Leahy's bill? I have personally been involved in cases involving fines of $75,000 per day for noncompliance with a grand jury subpoena duces tecum calling for the surrender of banking documents. > > ______________________________________________________________________ > Rich Burroughs -- richieb at teleport.com -- psu07973 at odin.cc.pdx.edu > http://www.teleport.com/~richieb --- Opinions are mine, not Teleport's > PGP key fingerprint: 1F A1 40 72 92 02 DE 7A 80 D0 5A 57 D3 1C 87 86 > > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From frantz at netcom.com Wed Mar 27 22:45:48 1996 From: frantz at netcom.com (Bill Frantz) Date: Thu, 28 Mar 1996 14:45:48 +0800 Subject: WSJ on Big Java Flaw Message-ID: <199603261814.KAA23974@netcom5.netcom.com> At 10:58 AM 3/26/96 -0500, John Young wrote: > Java was originally touted by Sun as a secure language. But > at least two other flaws have already been discovered in > the technology, including a less-serious problem uncovered > by the Princeton team last month. Sun's Ms. Mueller said > the problems have been correctable details in the way the > Java code is written, not problems with its basic design. Having worked on a secure OS, with a small security kernel etc. etc. etc. I realize that even those systems have bugs. The Java people will work out their bugs. Others will read their code and find more bugs. (It is to Sun's GREAT credit that they are releasing their source under a not very restrictive license.) Eventually, in several years, Java security will be ready for prime time. Of course, for really valuable things, or the really paranoid, you shouldn't connect your computer to a network. The top dog certificate key in SET is handled this way. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From mike at fionn.lbl.gov Wed Mar 27 23:55:03 1996 From: mike at fionn.lbl.gov (Michael Helm) Date: Thu, 28 Mar 1996 15:55:03 +0800 Subject: Why Americans feel no compulsion to learn foreign languages Message-ID: <199603272017.MAA09654@fionn.lbl.gov> On Mar 27, 3:13am, Timothy C. May wrote: > Americans are typically thousands of miles away from those speaking > Japanese, Mandarin, Tagalog, Polish, Italian, Dutch, Spanish, Hindi, > Talegu, and the hundreds of other languages. It is not at all clear what > language Americans should pick as a "second language" to study. I don't really disagree with the conclusions drawn by this poster, or with the quasi-economics argument he makes. However, I must say that the above is completely wrong. MOST Americans live in large urban areas, & as such are within seconds/footsteps of people whose native languages are not English (or who don't have a single "native language", but several!). There are probably _hundreds_ of languages spoken in the San Francisco Bay Area. The school districts here routinely report double digit languages in the school age population. There are 3 Spanish language channels (& another 2 ... "multiple choice") on my tv cable system. That anglophones choose to tune them out, or to not even notice the Noah's ark around them, says something about this culture. From richieb at teleport.com Wed Mar 27 23:55:45 1996 From: richieb at teleport.com (Rich Burroughs) Date: Thu, 28 Mar 1996 15:55:45 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <199603261745.JAA16303@desiree.teleport.com> tcmay at got.net (Timothy C. May) wrote: [snip] > Jim's argument (?) could be turned in all sorts of ways: "Your Honor, there > is nothing I can find in the Constitution that says I can't drive on the > left side of the road at 125 miles per hour." Indeed, there is nothing > laying out detailed traffic laws. And so on. [snip] Or a right to privacy, for that matter. It's not stated anywhere explicictly in the Bill of Rights -- the courts have patched together a legal framework for it. Rich ______________________________________________________________________ Rich Burroughs richieb at teleport.com http://www.teleport.com/~richieb Protest the CDA - Join the EFF's Blue Ribbon Anti-Censorship Campaign! See my Blue Ribbon Page at http://www.teleport.com/~richieb/blueribbon From nelson at crynwr.com Thu Mar 28 00:03:42 1996 From: nelson at crynwr.com (nelson at crynwr.com) Date: Thu, 28 Mar 1996 16:03:42 +0800 Subject: About Triple DES ...... In-Reply-To: Message-ID: <19960327040302.536.qmail@ns.crynwr.com> Perry E. Metzger writes: > > Try the International Cryptography Home page to help you find a copy > from outside the U.S. > > http://www.cs.hut.fi/crypto/ Um, what if Victor and www.cs.hut.fi are only connected on a path that traverses the United States? Can a person be convicted of ITAR violations when they've never been in the U.S.? :) -russ http://www.crynwr.com/~nelson Crynwr Software | Crynwr Software sells packet driver support | PGP ok 11 Grant St. | +1 315 268 1925 voice | If you would seek peace, Potsdam, NY 13676 | +1 315 268 9201 FAX | first seek freedom From unicorn at schloss.li Thu Mar 28 00:42:20 1996 From: unicorn at schloss.li (Black Unicorn) Date: Thu, 28 Mar 1996 16:42:20 +0800 Subject: Black Unicorn attempts computer break in In-Reply-To: <199603270945.KAA13203@utopia.hacktic.nl> Message-ID: On Wed, 27 Mar 1996, Anonymous wrote: > Date: Wed, 27 Mar 1996 16:58:14 +1100 > Reply-To: Linux Servers mailing list > Sender: Linux Servers mailing list > From: Steve Gibson > Subject: Strange things afoot at my SMTP port... > To: Multiple recipients of list SERVER-LINUX > > > I just found these while going through my messages file... do I > have any need to be concerned??? > (unicorn.it.wsu.edu is now in my /etc/hosts.deny...) > > Mar 23 20:39:25 aries sendmail[7469]: setsender: "|/bin/mail > rblack at unicorn.it.wsu.edu < /etc/passwd": invalid or unparseable, > received from unicorn.it.wsu.edu [1 > Mar 23 20:39:25 aries sendmail[7469]: UAA07469: from="|/bin/mail > rblack at unicorn.it.wsu.edu < /etc/passwd", size=0, class=0, pri=0, > nrcpts=0, proto=SMTP, relay=uni > > There were also attempts at connecting to my tftp port, although > at the time, in.tftpd wasn't on the system (it is now, and is also > in my hosts.deny to all except for local) > > Thanks... You should be deeply concerned. It's clear that I have been having blackouts again. > > Interspace Australia Pty Ltd > Steve Gibson - System Administrator > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From tcmay at got.net Thu Mar 28 01:49:10 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 28 Mar 1996 17:49:10 +0800 Subject: Why Americans feel no compulsion ... Message-ID: At 12:21 AM 3/28/96, Syed Yusuf wrote: >If a person who speaks three languages is tri-lingual >If a person who speaks two languages is bi-lingual > >What do you call a person who only speaks one language? > >---------------------answer follows: > >An American. Or our version: What do you call a person who has to learn English as a second language in order to compete in the world? A foreigner. (Sorry for the insult, but it seems that this thread is bringing out insults from foreigners of all sorts.) --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From eay at mincom.oz.au Thu Mar 28 02:27:23 1996 From: eay at mincom.oz.au (Eric Young) Date: Thu, 28 Mar 1996 18:27:23 +0800 Subject: About Triple DES ...... In-Reply-To: <199603270836.AAA20254@dfw-ix12.ix.netcom.com> Message-ID: On Wed, 27 Mar 1996, Bill Stewart wrote: > That part's easy - DES source is available on ftp.ox.ac.uk, and also on > ftp.dsi.unimi.it and ftp.funet.fi. There may be specific triple-DES > code there, but if not, triple DES is just > Encrypt(Key1, Decrypt(Key2, Encrypt(Key3, Message))) > so you can easily write a subroutine to do that. I got carried away with adding triple DES to libdes v 3.21+ (listed at most of the above mentioned sites) back in november. It has routines for triple DES in ecb, cbc, cfb64 and ofb64 modes. The SSLeay package builds a utility called 'enc' which can encrypt/decrypt with optional base64 conversion in any of the above mentioned modes (plus more). Infact, SSLeay has much nicer higher level 'by parts' finctions for the ciphers that are much easier to use. eric -- Eric Young | Signature removed since it was generating AARNet: eay at mincom.oz.au | more followups than the message contents :-) From pcw at access.digex.net Thu Mar 28 02:29:35 1996 From: pcw at access.digex.net (Peter Wayner) Date: Thu, 28 Mar 1996 18:29:35 +0800 Subject: WSJ on Big Java Flaw Message-ID: >John Young wrote: >> Wall Street Journal, March 26, 1996, p. B4. >> Researchers Find Big Security Flaw In Java Language >> By Don Clark >> >> A team of Princeton University researchers said they >> discovered the most serious security flaw yet in the widely >> used Java programming language from Sun Microsystems Inc. >> >> he said.[..] > >The generalized halting problem comes to mind... > >Since it can be proved that there's no complete set of heuristics >to tell if a given program has a characteristic (such as >"secureness") >then sooner or later someone will discover another security flaw. > >A question is whether a simple patch is made or if the set of >heuristics >is widened (ie, learn from mistakes) so that similar flaws can >be found >based on knowledge of that one flaw. Well, actually, the halting problem doesn't really apply here. Imagine you've got a two tape Turing machine. Then go into the control function and block out all calls that either write or read tape 2. I contend it is trivial to prove that no program that runs on tape 1 will ever read or write tape 2. It is quite possible to prove that certain mathematical feats can't be done. You can use algebra to prove that there is no way to trisect an angle with just a compass and a straight-edge. Godel's theorem and its corollary work on Turing machines, only shows that you can't come up with a general mathematical procedure for proving or disproving all statements all of the time. I think it is quite possible for Sun to build a secure version of Java. It might take many iterations and they might make some subtle mistakes, but time should allow them to plug these holes. They're simply trying to make sure that all of their various doo-dads and extras don't write tape 2. Their abstract model is much more complex than a Turing machine, but it is much simpler than C code or the UNIX OS. -Peter From mpd at netcom.com Thu Mar 28 02:39:28 1996 From: mpd at netcom.com (Mike Duvos) Date: Thu, 28 Mar 1996 18:39:28 +0800 Subject: What backs up digital money? In-Reply-To: Message-ID: <199603280239.SAA15391@netcom17.netcom.com> tcmay at got.net (Timothy C. May) writes: > At 1:46 PM 3/27/96, Scott Schryvers wrote: >> Question. If e-cash were backed by gold would that make it >> more reliable than say the dollar? Not necessarily. Historically, gold emerged as the primary currency metal because it could be processed using simple technology, didn't wear out, and the world supply from mining it increased at approximately 2% per year, which was a good match to the growth rate of most economies. The current price of gold could hardly be supported by legitimate industrial uses of the metal, and banks in Europe have tons of the stuff in their vaults freed up from the mass departure of the world's currencies from the gold standard a number of years ago. Basically, one can create monetary value for any commodity whose supply can be controlled, usually by the folks wishing to lend it value, by simply making a stable market in it, and having the reputation and power to control that market in perpetuity. The best example of this is probably the diamond market. Here we have a rare but intrinsically worthless material, the gem quality diamond, which has no useful industrial applications at all, since non-gem quality diamonds and substitutes, both synthetic and natural, are in abundance. Gem quality diamonds are extremely valuable, because their supply is carefully controlled, and because of clever marketing designed to convince every male human in North America and most of Europe that shelling out two months salary for one is the unique and true symbol of everlasting love. The diamond industry has even made plans for the holographic fingerprinting of every diamond they release, should synthetic gem-quality diamonds ever hit the market, so that they may continue their control of the supply of their "currency", even in the face of a flood of absolutely identical "unsanctioned" gems. I recall a very clever Science Fiction story I read a number of years ago in which aliens completely destroyed human civilization by manufacturing all the world's goods and services, and accepting payment only in cowpies, which were subject to an arbitrary and complicated grading system similar to that used by modern gemologists. One day, the aliens simply left, and human civilization, consisting mostly by then of PhD Cowflopologists with expertise only in interpreting swirls on lumps of shit, promptly folded. Before I digress to far from your original question, let me state the point I am trying to make here. If a entity, or group of entities, with reputation and power to make a market, decide to demoninate a currency using a rare commodity, it makes little difference whether the rare commodity is near-perfect crystals of carbon found only on land that they own, a vault filled with gold bars, exponentiated random numbers modulo the product of two large but closely guarded primes, or statistically unlikely swirls in wads of digested plant material dropping from the butt of a cow. In all these cases, the important thing is not the commodity, but the entities guaranteeing the market, and the perception of their reputation and ability to support said currency in perpetuity. Absolute control over the supply of the commodity in question doesn't hurt either. Indeed, US government backed e-cash would be a far more trusted and reliable currency than gold backed currency printed by DigiCash BV. One good inflation-resistant indicator of whether gold is a good value is the ratio between gold and silver prices. Both of these metals are mined with similar difficulty, and have similar uses for backing currency and as coinage metals. Historically, there have been times when gold and silver prices were approximately equal. I have no doubt that if the unwashed masses were sold the notion that gold was the single reliable inflation-proof form of wealth they could own, and the holdings of international bankers were sold into the hands of millions of individual citizens, a controlled devaluation would follow, together with much chortling and uncorking of champagne, as gold and silver prices became nearly equal again. As long as people who count have vaults full of the stuff, and wish to carry it on their books as an expensive asset, it will of course continue to have its current inflated value, and nothing will be done to depress the market. In that sense gold is a reliable asset, as long as most of the little people refrain from jumping on the bandwagon. > No form of digital money extant is an actual currency in > the conventional sense. Nor does this seem likely. Nor > necessary. Nor useful. Nor important. Actual currency can circulate forever in the economy without eventual conversion into some other kind of money. The requirements of current digital cash systems for centralized clearing to eliminate double spending and to mint new coins tends to preclude the kinds of perpetual peer-to-peer transactions we think of when we conceptualize "currency." Real electronic currency could be invented, but would have to live its life within a population of tamper-proof smart cards communicating with each other through secure protocols. Whether anyone will bother to implement such a system remains to be seen. Until then, the "check" model of digital money is, as Tim points out, the correct one. > The point being that talking about "what backs up digital > cash?" is misleading. (What really backs it up is the > reputation of the entities, but I digress.) "The reputation of the entities" is the only important consideration regardless of what the cash is denominated in. In most cases, the valued commodities, if they exist, are simply pretty window-dressing for some unseen but powerful syndicate. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From tcmay at got.net Thu Mar 28 02:48:27 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 28 Mar 1996 18:48:27 +0800 Subject: More on "Raised Awareness" Message-ID: At 6:30 AM 3/27/96, Rich Graves wrote: >At some point in this exercise, though, we might be "raising awareness" >among the wrong people, to cite Tim May. I wouldn't want NAFTA, the WTO, >and so on enforcing ITAR. I'm glad to see that some people are internalizing this point about how "raised awareness" almost always results in new legislation. And new legislation, even if seemingly well-intentioned, almost always extends the tendrils of government into what were once ignored or private areas. There are many examples outside of crypto. Health care reform was the latest case of "raised awareness." Pornography access on the Net was another. The systemic reasons for this are clear. "Leaving well enough alone" and "Don't make waves" are old aphorisms that capture this sentiment. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From blancw at accessone.com Thu Mar 28 02:48:28 1996 From: blancw at accessone.com (blanc) Date: Thu, 28 Mar 1996 18:48:28 +0800 Subject: What backs up digital money? Message-ID: <01BB1C0E.90D4B6C0@blancw.accessone.com> From: Hal So I view dcash as a circulating currency, where the act of transfer in some implementations requires some technical assistance from an agent of the bank able to make digital signatures on its behalf. It is more than simply a mechanism for transferring funds from one account to another (unless you think of government currency in those terms). I view it as possessing real value, as being a genuine asset in the same sense as other forms of cash. .................................................................................. Real money may need to be actually in existence somewhere in the form of metallic bars or coins, but I was thinking about how most of the time for me it is just a lot of abstract Money Mumbers: . I get automatic deposits of Money Numbers in my bank account; . I go to the ATM and enter a few Money Numbers and get some representative notes, as well as a slip of paper telling me how many Money Numbers I have left in my account; . I go to the store and use a card which debits my account with a certain quantity of Money Numbers; . I promise to work for a certain quantity of Money Numbers; . I request loans in terms of a certain quantity of Money Numbers, etc. Except for when I have metallic coins in my hand, t's mostly abstract and becoming more-so, so that at the accelerating speed of the circulation of Money Numbers, only the banks must be concerned over whether these are really attached to anything solid and physically meaningful. For me and others, it's based mostly on the supposition of value (itself an abstract concept which must be learned and understood in its relation to symbolism). .. Blanc From mpd at netcom.com Thu Mar 28 03:26:03 1996 From: mpd at netcom.com (Mike Duvos) Date: Thu, 28 Mar 1996 19:26:03 +0800 Subject: WSJ on Big Java Flaw In-Reply-To: <31591D05.5998@unix.asb.com> Message-ID: <199603271731.JAA07252@netcom8.netcom.com> Mutant Rob writes: > The generalized halting problem comes to mind... While it can be demonstrated that no algorithm exists to determine whether an arbitrary Turing machine will halt, good programs generally belong to a class somewhat less expansive than the totality of possible Turing machines. By imposing perfectly reasonable constraints on program structure, it is trivial to guarantee program termination with almost no loss in the functionality of the typical programming language. Indeed, any computer program which executes only forward branches, and in which the iteration counts of all loops are known at the time they are entered, is guaranteed to terminate. Many people would even consider such things to be good programming practice. In general, the types of computer program characteristics which make determination of halting impossible are precisely the characteristics one does not want in trusted code, because they make understanding the code and debugging the code intractable. > Since it can be proved that there's no complete set of > heuristics to tell if a given program has a characteristic > (such as "secureness") then sooner or later someone will > discover another security flaw. Again, a statement which applies to Turing machines, but not to Java. Java has been carefully restricted to ensure that a complete analysis of proper program behavior is possible with a combination of runtime checks and pre-execution scanning of imported bytecode files. This was designed into Java from the start. While the abstract Java machine is provably secure, real world implementations may suffer from the usual plethora of ills, such as creeping damage from overflowed buffers on the stack. This in no way implies any faults with Java itself, and such bugs in Java implementations will be corrected in the usual way with the passage of time. > A question is whether a simple patch is made or if the set > of heuristics is widened (ie, learn from mistakes) so that > similar flaws can be found based on knowledge of that one > flaw. Again, there are no known security flaws in the abstract Java machine. Once all bugs and oversights in existing Java interpreters are corrected, all Java programs will be rendered incapable of causing damage to the platforms they are run on, unless explicitly permitted to do so by an authorized person. Some patience while the Java support in packages like Netscape Navigator undergoes the normal process of evolution is to be encouraged. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From alanh at mailhost.infi.net Thu Mar 28 03:36:41 1996 From: alanh at mailhost.infi.net (Alan Horowitz) Date: Thu, 28 Mar 1996 19:36:41 +0800 Subject: What backs up digital money? In-Reply-To: <199603272304.PAA26037@jobe.shell.portal.com> Message-ID: I will put forth the proposition that Federal Reserve "Notes" are not notes. A note is a promise to (a) pay (b) a certain amount (c) at a certain time (d) to a certain person. As in the phrase that *used to* appear on United States Currency: "will pay the Bearer One Dollar in Silver upon Demand". The only extant legal definition of a dollar is a Federal statute of 1792, defining it as a certain weight of pure silver. From llurch at networking.stanford.edu Thu Mar 28 03:54:24 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 28 Mar 1996 19:54:24 +0800 Subject: Why Americans feel no compulsion to learn foreign languages In-Reply-To: <199603272017.MAA09654@fionn.lbl.gov> Message-ID: On Wed, 27 Mar 1996, Michael Helm wrote: > On Mar 27, 3:13am, Timothy C. May wrote: > > Americans are typically thousands of miles away from those speaking > > Japanese, Mandarin, Tagalog, Polish, Italian, Dutch, Spanish, Hindi, > [...] > I don't really disagree with the conclusions drawn by this poster, or > with the quasi-economics argument he makes. However, I must say that > the above is completely wrong. MOST Americans live in large urban > areas, & as such are within seconds/footsteps of people whose native > languages are not English (or who don't have a single "native language", > but several!). Undeniably true. I think Tim's point was more, "Who cares? Everyone *I* want to talk to speaks English." One may quibble with the wisdom or morality of such a statement, but if the second statement is true in your case, then there is no reason you should have to learn another language. Most upper-income Americans have no need for esoteric languages. Almost all upper-income Americans have a need for English. For example, *I* only really need to speak English, TCP, Spanish, HTML, AppleTalk, and occasionally French and Perl. Most of the time, I have no need to know C++, IPX, Tagalog, higher mathematics, German, or Java; I've got "people" for that. I'm probably wrong to put my faith in y'all to write the code I use, but hey, we can't all do everything. I don't write crypto code, and I don't haul my trash to the dump or tend to the landscaping around my apartment. Why should I? Then again, I do find it worthwile to be on the cypherpunks list, and I will say hola to the gardener. -rich From tbyfield at panix.com Thu Mar 28 04:14:44 1996 From: tbyfield at panix.com (t byfield) Date: Thu, 28 Mar 1996 20:14:44 +0800 Subject: unsubscrive Message-ID: 8:28 PM 3/27/96, Timothy C. May: > The penalty for not paying attention being continued receipt of 50 mail > messages a day! And either a practical reason for the many to learn English or for programmers to watch how English melts in the mouths of people not fluent in it: "describe" and "unsubscrive" being pretty predictable Latinate mutations. Ted From merriman at arn.net Thu Mar 28 04:20:24 1996 From: merriman at arn.net (David K. Merriman) Date: Thu, 28 Mar 1996 20:20:24 +0800 Subject: unsubscrive Message-ID: <2.2.32.19960327182004.00687d90@arn.net> >X-Sender: tcmay at mail.got.net >To: cypherpunks at toad.com >From: tcmay at got.net (Timothy C. May) >Subject: Re: unsubscrive >Sender: owner-cypherpunks at toad.com > >At 7:13 PM 3/27/96, Maurizio wrote: >>unsubscrive cypherpunks > >Ah, a new spelling to be added to the archives. So far, we've got: > >undescribe > >unscribe > >unsubbscribe > >The penalty for not paying attention being continued receipt of 50 mail >messages a day! > Well, at least this one is *vaguely* forgiveable - the 'b' and 'v' keys *are* next to each other on a keyboard.... Dave Merriman ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From stewarts at ix.netcom.com Thu Mar 28 04:25:56 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Thu, 28 Mar 1996 20:25:56 +0800 Subject: Test case for RSA t-shirts Message-ID: <199603270836.AAA20251@dfw-ix12.ix.netcom.com> There was a certain amount of international arms dealing at the Palo Alto Quaker meeting this week. Aside from the folks with the anti-assault-rifle petition, there was one person with an RSA sweatshirt (the Joel Furr flavor) and a woman from Eastern Europe (Slovenia?) who was probably not an Official US Person :-) My general guess about reception you'll get in the airports is that nobody will notice. It's worked for me domestically, anyway. #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 1995: Chat rooms, espresso, and Linux 1996: Exon, melatonin, and Java. From llurch at networking.stanford.edu Thu Mar 28 04:29:48 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Thu, 28 Mar 1996 20:29:48 +0800 Subject: How to enter the US without a visa? In-Reply-To: <199603270702.XAA03414@dns2.noc.best.net> Message-ID: On Tue, 26 Mar 1996 jamesd at echeque.com wrote: > This is somewhat off topic for cypherpunks, but alt.forgery is dead, so > cypherpunks is probably the nearest group. On the contrary, I think (undermining) the idea of state-defined identity is pretty essential. > But the thought struck me that this might not work for some one > who hypothetically has a foreign appearance and a truly terrible > accent. > > Now a fake greencard would probably work, but greencards have > age and sex etc encoded on them, and conceivably they check them > against a database, in which case it would be necessary to obtain > the greencard number of a real person of the right age and sex, > which is not easy. Note that the original-style green cards are all going to become invalid any day now. Don't remember exactly when. Hurry! Still, you can get a very good forgery of the new style in, say, New York, Los Angeles, or Redwood City for $100. The problem is, you need to be a part of the community already to be able to find out, in a reasonable amount of time, where to get the good forgeries without getting arrested. If you have the right friends, like if you're a member of certain extended families in Matamoros or New York's ChinaTown, then you can arrange to *borrow* a *real* green card with a similar picture. If this friend could pass for Latin American, you have it easy -- just have him or her fly into Mexico and walk across the border. Unless something major has changed in the last six months, there's such high traffic, and there's so many people with no or *terrible* forgeries, that people with passable forgeries can walk right through without a technological verification. Very low risk, but very high potential cost. Another option, much less commonly forged and somewhat less suspicious than green cards, is a "stateless person travel document." These were given mostly to refugees from the Communist Bloc. They look a lot like a US Passport, are just as easy to forge, do not require a current picture (in fact, they're probably more credible with a 4-year-old picture), and in theory are accepted as equivalent to a US passport. An ex-girlfriend from Czechoslovakia had one. The problem is, most line immigration officials have never seen one, so you're likely to get bumped to a supervisor; but if you have an acceptable ethnic background and decent bullshitting skills in any language, you're in. My ex never had any trouble getting into or out of Mexico, but she finally got fed up with the incompetence of the line officers and became a citizen, which despite her thirteen years in the US, perfect English, a degree in political science from an Ivy-League school, and an internship with the foreign service in DC one summer, was a two-year comedy of incredible errors and incompetence at the INS. Example: once she sent them some forms filled out in duplicate. The INS sent them back two months later, requesting that she resubmit just one copy. They were later proven wrong -- they did need two copies. Understand that these are the people you're dealing with. Finally, I assume your friend can swim. I would recommend avoiding Pacific locales where chumming is commonly practiced. -rich From tbyfield at panix.com Thu Mar 28 04:42:15 1996 From: tbyfield at panix.com (t byfield) Date: Thu, 28 Mar 1996 20:42:15 +0800 Subject: [NOISE] crypto in the Racing Form Message-ID: Vaguely apropos the "let's not raise their awareness" thread, a few weeks back I noticed in the Racing Form a full-page ad for a horse named "Cryptoclearance." It raced well enough, but its owners getting a lot more mileage out of studding it--"the 13th leading sire." Its offspring: Cryptogram, Code of Love, Crypto Lady, Denied Access, Cryptodynamite, and--I can't tell if my scrawl deceives me--Cryptomay. (If it does, my apologies.) So those who're arguing for keeping a low profile crypto-wise had better hope that these horses are losers and that its other offspring (Denied Access, Final Clearance, Pinpoint Control, Mt. Bueran, Clearance Code) are winners. If there's another Seabiscuit or Secratariat in that Crypto- lineage (which is pretty doubtful)... Ted From firebrd123 at ns.interconnect.net Thu Mar 28 05:14:42 1996 From: firebrd123 at ns.interconnect.net (Dan Nikolai) Date: Thu, 28 Mar 1996 21:14:42 +0800 Subject: PPV Descrambler Message-ID: <3159ECA9.746F@mail.interconnect.net> I've been looking for a file on how to make PPV descramblers and havn't found any. Commercial descramblers cost around $200 base price. If anyone has a file on how to make them please e-mail me one. Thanks. captain_lee @mail.interconnect.net From love5683 at voicenet.com Thu Mar 28 05:40:09 1996 From: love5683 at voicenet.com (Chevelle) Date: Thu, 28 Mar 1996 21:40:09 +0800 Subject: National speed limits and expansion of federal power... Message-ID: <199603280812.DAA06739@mail.voicenet.com> It was only months ago that they passed a bill raising alot of speed limits to the 75mph range. Chevelle At 06:06 PM 3/27/96 -0500, Deven T. Corzine wrote: >At 11:47 PM 3/26/96, Jim Bell wrote: >>They just recently repealed the national 55 MPH speed limit. Even though it >>was repealed by law, in the same way it was passed, plenty of people have >>argued that the Federal government has no jurisdiction in this area. Those >>arguments are absolutely valid, even if they were ignored. The danger in >>giving the government implicit authority in areas not mentioned in the >>Constitution is that it is not clear how far such justification extends. > >Actually, the national government didn't even *pretend* it had jurisdiction >here. Instead, they used an indirect approach -- they passed laws which >denied some of the existing highway funding to states with higher speed >limits than 55 MPH. (Later this limit was raised to 65 MPH, given some >additional restrictions such as proximity to population centers.) > >Any and all states were perfectly free (in theory) to ignore this "national >speed limit" and set any limit or no limit at all. In practice, no states >exercised this hypothetical freedom, because they had already grown dependent >on highway funds provided by the national government. Thus, through indirect >pressure exerted through the funding mechanisms, the national government was >able to usurp perogatives which were clearly in the domain of the states. > >The national government has expanded greatly in size and powers in times of >war and national crisis. In particular, FDR spearheaded the massive growth >of the national government in response to the Great Depression, and it has >continued to grow ever since. More and more often, the national government >usurps traditional state's roles, even in situations of unquestionable state >jurisdiction such as national speed limits. The elastic clause was one key >tool used for this expansion. > >Another key tool is the commerce clause, which has been seriously abused to >secure new powers for the national government. I don't think I'll go into it >right now... > >>If the government can limit us to 55, then why can't they limit us to 40-bit >>keys? > >The national government didn't impose 55 MPH speed limits on us, the states >did it under national pressure. As for whether they can legitimately limit >cryptography use and technology, we don't have any clear answer yet, in any >legal precedent. Of course, most of us hold the opinion that cryptography >should be considered Constitutionally protected as free speech, but politics >get involved when these things get decided... > >Deven > > From tcmay at got.net Thu Mar 28 05:42:17 1996 From: tcmay at got.net (Tim May) Date: Thu, 28 Mar 1996 21:42:17 +0800 Subject: The Law Loft: Surviving the Biometric I.D. Card Message-ID: <199603280946.BAA08787@you.got.net> Though some will petulantly claim that this has "nothing to do with crypto," I think the report on legislation which may lead to new levels of national identification is very apropos to the themes of this list. A national ID card could be tied in to the CDA and other such legislation: the "Internet Driver's License" we are worried about. This would also facilitate the criminalization of anonymous remailers. (I noticed at a local night spot large posters announcing the city's "Zero Tolerance" policy for passing a drink to a minor. Imagine the same folks passing laws about the criminalization of giving access to a minor....) Here's the forwarded article: > Path: we.got.net!news.oz.net!newshub.internex.net!news.Stanford.EDU!agate!overload.lbl.gov!news.kreonet.re.kr!news.dacom.co.kr!nntp.coast.net!news.kei.com!news.texas.net!usenet > From: klynch at intrepid.net > Newsgroups: misc.survivalism > Subject: The Law Loft: Surviving the Biometric I.D. Card > Date: Thu, 21 Mar 1996 09:34:25 GMT > Organization: Texas Networking, Inc. > Lines: 148 > Message-ID: <4ir7hj$391 at nntp.texas.net> > NNTP-Posting-Host: klynch.intrepid.net > X-Newsreader: Forte Free Agent 1.0.82 > > -------------------------------- > Here is the latest Alert from The Law Loft. Sorry its > late. > > If you are benifitting by this information, please don't just > keep it to yourself - share it with someone immediately. And > perhaps you can Fax Suzanne and Pete a thank you and ask > them what you can do to help. > > This work is pretty lonely and grinding. And oh so few ever thank > you for it. Of course that's not why their doing it. > > Many of you could do the same thing I'm doing. You can listen to > 7.435 MHz at 8:00 pm EST and take notes from The Law Loft. You > can FAX them a request to send you information. You can then pass > it on to others. > > When you don't see anything from me out here, you can pitch in and do > it. This is late, because I had no other choice but to catch an early > train. > > Throw away the "boob" tube and stop wasting your precious little time > that we have left to learn and work together. Invest in a good > Short-Wave radio with a built in tape machine. I use the Radio Shack > DX-392 portable receiver. NO LICENSE REQUIRED TO LISTEN. > > Check out other fine alternative news programs on 5.065 between 6:00 > pm EST and 12:00 midnight week nights. > > Please help us - do your little part. > > For Freedom, > Kerry > http://www.intrepid.net/~klynch/uslaws.html > --------------------------------------------- > H.R. 2202 Immigration Bill > > Special Alert II > > March 19, 1996 [Please note this date when reading - Kerry] * * * * * > * * * > > H. RES. 384 bringing H.R. 2202 and 17 proposed amendments to the floor > passed today in the House. Debate on the bill and amendments > continues tomorrow. Vote on amendment number 4 is expected tomorrow: > > The picture in the House of Representatives grows darker. H.R. 384 > bringing H.R. 2202, the Immigration bill, to the floor for a vote > along with 17 proposed amendments passed easily by wide majority in > today's session. > > Work on amendments including Congressman McCullum's amendment no. 4 > will start up again tomorrow. We estimate that the vote on amendment > number 4 will occur about 3:00 pm EST. > > Both the House and Senate bills are intended to bring us some form of > universal biometric identifier i.d. card either in the form of a new > social security card or a passport linked to biometric identifier > birth certificates and drivers' licenses: > > The House bill, H.R. 2202, if passed will bring in the biometric > identifier slowly with greater subtlty than the Senate version. The > biometric identifier is clearly in the picture here. Here's why: > > 1) The report of the U.S. Commission on Immigration entitled U.S. > Immigration Policy: Restoring Credibility talks openly about the use > of biometric identifiers for driver's licenses on page 65. Key > language throughout the report dealing with fraudulent use of > identifying documents also leads to only one place - introduction of > the biometric identifier form of identification. > > 2) The NarcOfficer, official publication of international narcotics > enforcement officer association in its September/October 1995 issues > states point blank that a universal biometric identifier system is > intended for use by everyone on the planet. > > 3) The Senate bill formerly S. (unumbered) now split into S. 269 and > S. 1361 in sections 111-116 talks about birth certificates with > �fingerprint or other biometric data'. The same section talks about > new driver's licenses with �fingerprint or other item of biometric > data'. > > 4) The Hoke Amendment to H.R. 2202 added by the House Judiciary > Committee talks about a �demonstration pilot project with a reliable, > easy to use, confirmation mechanism'. > > > 5) The McCullum amendment, no.4 on the calendar of amendments to H.R. > 2202 talks about creating an official document that �offers the best > possible security against counterfeiting, forgery, alteration, and > misuse'. And provides for creating a new social security card that > would be �as secure against fraudulent use as United States passport'. > Part of the catch here is which version of the passport? The Senate > bill provides for the creation of anew fraud resistant passport. > > The McCullum amendment would make the new technology binding on all > social security cards issued after January 1, 1999. Beginning on > January 1, 2006, all employers would be required to verify employment > eligibility with the new social security card. > > Any way you cut it, this is too much authority to invest in any > government! > > Our founding fathers knew that only way to be free and remain free is > to constrain the power of the government. As John Dickinson said in > 1768 in Letters from a Farmer in Pennsylvania: "For who are a free > people? Not those, over whom government is reasonably and equitably > exercised, but those, who live under a government so constitutionally > checked and controlled that proper provision is made against it being > otherwise exercised". > > Creation of a mandatory, universal biometric identifier identification > system lets the genie out of the bottle. It would gut the 4th > Amendment's right of provacy and let the government surveil and > control us instead of vice versa. > > What to do now: > > We need at least 100,000 phone calls and faxes in Washington by > tomorrow. We may not win in the House but we have to try. Remember > if we build up steam now in the House our chances will be better later > in the Senate. > > Contact your congressman tonight by fax (best) or tomorroww by phone > (good). Argue with him, politely. He might think that just because > amendment 4 says it won't be used as a universal identifier, that > amendment 4 and the bill are okay. Remind him what happened to the > social security card. It was supposed to be voluntary too in the > beginning. > > As time permits, contact as many congressmen as you can in California, > New Mexico, Arizona, Florida, and Illinois. These congressmen are > going to be under especially heavy pressure to pass the bill no matter > what it says. You can use the toll-free numbers for your call: (800) > 962-3524, (800) 972-3524, or (800) 872-8513. > > Tell them we want to keep the 4th Amendment to the Constitution and > the only way to do that is to kill the 4th amendment to the bill. > Tell them that we are not at all amused by the hidden joke of using an > amendment 4 to kill the 4th Amendment to our Constitution. No, no, no > to any version of the biometric identifier! Vote no to H.R. 2202! > > Suzanne Harris > The Law Loft > Los Angelos, CA > (818)-305-7613 > 7.435 MHz (Short-Wave) 8:00 pm EST Week nights. From eay at mincom.oz.au Thu Mar 28 05:53:54 1996 From: eay at mincom.oz.au (Eric Young) Date: Thu, 28 Mar 1996 21:53:54 +0800 Subject: Edited Edupage, 24 March 1996 In-Reply-To: <3159926C.FF6@netscape.com> Message-ID: On Wed, 27 Mar 1996, Phil Karlton wrote: > Perry E. Metzger wrote: > > We aren't talking about SSL, Mr. Karlton. > My apologies for misunderstanding what you wrote. It could be that I am > oversensitive on the issue since SSL has been "accused" of being > proprietary in many forums. Just a quick comment on the openness of SSL. I have been able to implement SSL and support routines from internet available documentation. There is only one part that I have had trouble getting documentation for. This one part is a 'standard' but the only way I can get it is by either spending lots of money or by getting other people to send me their own online information. I'm talking about X509/ASN.1. I still am not sure of the format of the ASN.1 BOOLEAN type, and I have only just been able to get hold of the actual full specification of X509v3. The UNIVERSALSTRING type? Only found out about it's existance 3 days ago. Netscape has not been in anyway an impediment to implementing SSL. RSA inc and it's software patents are more of an issue. Mind you, I would not have gotten off the ground if it was not for RSA's PKCS documents. As some-one who started implementing SSL as a learning exercise with no money to spend, I have learnt to dislike the way some the 'standards' are not available (by which I mean available for the masses via the internet, ala rfc's). eric (venting some frustration that build up during the just completed 'quest for the X509v3 spec') -- Eric Young | Signature removed since it was generating AARNet: eay at mincom.oz.au | more followups than the message contents :-) From tcmay at got.net Thu Mar 28 06:00:35 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 28 Mar 1996 22:00:35 +0800 Subject: Why Americans feel no compulsion to learn foreign languages Message-ID: At 12:41 AM 3/28/96, Charles Bell wrote: >On Wed, 27 Mar 1996, Timothy C. May wrote: >> >> There is not a single foreign language I can think of it that would help me >> in my goals or help anyone I know. This is the reality of a world dominated >> by English-speaking persons and in which all technical people learn >> English. >> > >I guess you don't know anyone who expects to do extensive business in >China during the 21st Century. Unpersuasive. And school systems are unpersuaded as well, as very few offer classes in Mandarin. A notoriously difficult language to learn, especially to write. (A friend of mine spent 8 years learning Japanese, a somewhat similar language, and made only moderate progress.) The "needed for business" is what sparked the mini-boomlet in Russian classes in the 70s, then the larger boomlet in Japanese classes in the 80s. Most of these lessons were wasted. In any case, the issue is not the classes taken by _some_ (the few percent who study Russian, Japanese, Mandarin, etc.), but the topic of this thread: "Why Americans feel no compulsion to learn foreign languages." Or do you think Mandarin should be taken by high school and college students so they can do business in China? Reality Check: I know the folks moving to the PRC to set up Intel's operations there. They are native speakers of Mandarin, of which there are already a vast number in U.S. electronics companies. The notion that Suzi T. Nelson should take Mandarin in high school to help prepare for the 21st century is absurd, and any guidance counselor who so advises her should be fired forthwith. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From nibiru at columbus.co.za Thu Mar 28 06:01:22 1996 From: nibiru at columbus.co.za (Nibiru) Date: Thu, 28 Mar 1996 22:01:22 +0800 Subject: unsubscrive Message-ID: <199603281249.KAA06158@intp1.columbus.co.za> unsubscrive cypherpunks ------------------------------------------------------------------- NIBIRU E-Mail : nibiru at columbus.co.za South-Africa -------------------------------------------------------------------- From melman at osf.org Thu Mar 28 06:18:01 1996 From: melman at osf.org (Howard Melman) Date: Thu, 28 Mar 1996 22:18:01 +0800 Subject: HP & Export of DCE In-Reply-To: <199603271619.LAA08716@homeport.org> Message-ID: <9603272129.AA03193@absolut.osf.org.osf.org> On Wed Mar 27, 1996, Perry E. Metzger wrote: > Adam Shostack writes: > > I wasn't aware there were multiple things masquerading under the name > > Secure RPC. In any event, does the crypto in DCE stand up to the > > LaMacchia/Odlyzko attacks? > > They are attacks against Diffie-Hellman. I don't know if DCE uses D-H > in a similar manner. The main problem was too small a (fixed) modulus. It doesn't. DCE uses Kerberos v5. Howard -- Howard R. Melman ___ ___ ___ Voice: 617-621-8989 Open Software Foundation / / /__ /__ Fax: 617-621-2782 11 Cambridge Center /__/ ___/ / mailto:melman at osf.org Cambridge, MA 02142 http://www.osf.org/~melman/ From tcmay at got.net Thu Mar 28 06:18:33 1996 From: tcmay at got.net (Timothy C. May) Date: Thu, 28 Mar 1996 22:18:33 +0800 Subject: What backs up digital money? Message-ID: I apologize for changing the thread name, but the existing name, "Re: (X:x)e$ 's other use," seems unrelated to these points. At 1:46 PM 3/27/96, Scott Schryvers wrote: >Question. >If e-cash were backed by gold would that make it more reliable than say the >dollar? This question, and much of the debate that appears here about digital money in its many and confusing forms (e-cash, digicash, bitmarks, e$, cypherfrancs, chaums, etc.), displays a "type error" in thinking about digital money. No form of digital money extant is an actual currency in the conventional sense. Nor does this seem likely. Nor necessary. Nor useful. Nor important. Rather, think in terms of _checks_ or _wire transfers_ and the like. An order to transfer funds from one account or place of holding to another. Eric Hughes was our local resident self-educated expert on commercial paper, notes, bank drafts, etc. Bob Hettinga has also written extensively on this. A nice little book I use is "The MIT Dictionary of Modern Economics," 4th, edited by David W. Pearce, 1992. Nothing yet on digital money and how various forms of it fit into the taxonomy of financial instruments. I expect by the 6th edition, in a few years, we'll see some stuff. But here are just a couple of definitions, to tell you all that an actual taxonomy does exist, that "money" is not the all-inclusive type. * "currency. Strictly, that component of a country's money stock that literally circulates from hand to hand, i.e., coin and banknotes...." * "cheque. A document, normally supplied in printed form by a bank, ordering the bank to transfer funds from the drawer's current account to a named payee...." (more wrinkles about negotiability, endorsements, counter checks, etc.) So, what are the classifications of the schemes offered by CyberCash, First Virtual, Digicash, Mark Twain Bank, and so on? A useful project for any of you out there with banking or finance interests. Most of these are currently variants of credit card transactions, and the best of these (in cryptographic terms) appears to be a variant of a straight bank. I might give instructions for Union Bank to transfer X amount of gold, or Swiss francs, or dollars from Account X to Account Y, where Account Y might be in the same bank, might be in another bank, or might be to anyone who showed up at the bank and produced the claim... The point being that talking about "what backs up digital cash?" is misleading. (What really backs it up is the reputation of the entities, but I digress.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From elran at pl.jaring.my Thu Mar 28 06:26:45 1996 From: elran at pl.jaring.my (elran at pl.jaring.my) Date: Thu, 28 Mar 1996 22:26:45 +0800 Subject: No Subject Message-ID: <199603280921.RAA04560@relay2.jaring.my> undescribe cypherpunks at toad.com elran at pl.jaring.my From thecrow at iconn.net Thu Mar 28 12:37:07 1996 From: thecrow at iconn.net (Jack Mott) Date: Fri, 29 Mar 1996 04:37:07 +0800 Subject: RC4 implementation questions Message-ID: <3159E690.5526@iconn.net> I just finished coding RC4 from the algorithm described in applied crypto 2nd edition. Could someone send me a little file encrypted with a know-to-work rc4 program so I can see if mine is working right? thanks a lot. -- thecrow at iconn.net "It can't rain all the time" From frantz at netcom.com Thu Mar 28 12:37:48 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 29 Mar 1996 04:37:48 +0800 Subject: Crypto CD UpDate Message-ID: <199603272250.OAA16507@netcom9.netcom.com> As I said in private mail, I'd spend $US20 for the disk particulary if included useful archives (like cypherpunks). I like my own library. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From yusuf921 at uidaho.edu Thu Mar 28 12:37:58 1996 From: yusuf921 at uidaho.edu (Syed Yusuf) Date: Fri, 29 Mar 1996 04:37:58 +0800 Subject: Why Americans feel no compulsion ... In-Reply-To: <199603272017.MAA09654@fionn.lbl.gov> Message-ID: If a person who speaks three languages is tri-lingual If a person who speaks two languages is bi-lingual What do you call a person who only speaks one language? ---------------------answer follows: An American. From rollo at artvark.com Thu Mar 28 12:38:47 1996 From: rollo at artvark.com (Rollo Silver) Date: Fri, 29 Mar 1996 04:38:47 +0800 Subject: Randomness paper Message-ID: Those of you interested in the notion of randomness may want to check out "On the Effective Definition of 'Random Sequence'", a paper written by Michael Levin, Marvin Minsky, and me in 1965. For a paper copy, send a SASE (78 cents worth of stamps) to me: Rollo Silver / PO Box 219 / San Cristobal, NM 87564 If anyone can tell me how to post a highly formatted file, with equations, on the Internet, so that anybody can read it, pls let me know! That would be preferable to a paper copy -- but I don't know how to do it. Rollo Silver | e-mail: rollo at artvark.com | Artvark | Home page: http://www.artvark.com/artvark/ | PO Box 219 | Voice: 505-586-0197 | San Cristobal, NM 87564 USA | Compuserve 71174,1453 | =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-= From markm at voicenet.com Thu Mar 28 12:40:57 1996 From: markm at voicenet.com (Mark M.) Date: Fri, 29 Mar 1996 04:40:57 +0800 Subject: Traffic Jams on the Internet In-Reply-To: <01I2SQ2FUST88ZDZ7I@mbcl.rutgers.edu> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Tue, 26 Mar 1996, E. ALLEN SMITH wrote: > It occurs to me that it would be good if people sent in some > non-governmental/hierarchial solutions to this problem, such as ones using > digital cash as "postage" for prioritized mail. I read an article on various Internet pricing schemes a while ago and one of the ideas was a pretty clever solution. Internet services would be classified according to their bandwidth requirement and need for interactivity. The cost per byte of e-mail might be very cheap whereas the cost per byte for videoconferencing might be more. There's no real way to rip off this scheme, because if you try to send an e-mail and classify it as "high priority" it is more expensive. - --Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMVmq47Zc+sv5siulAQEIPwP/UG53An/wt2YzhBsxjFUDCK6eXwnVgPCg jCCxRCGIKOZXeTUfXxK390+XyZqFnue9TjJU1o5g+zMDqBei8AYCx7q3GV94BdPL 2dBFp4IszlNX+KDQs6XUYHkZP6sIIJZrN8wRA7yOhVQZWguzUPhkX71DkilYw2lO o1sqOAgsviU= =RXt3 -----END PGP SIGNATURE----- From tcmay at got.net Thu Mar 28 12:41:39 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 29 Mar 1996 04:41:39 +0800 Subject: Crypto CD UpDate Message-ID: Thoughtful comments, so I'll comment on Henry's comments: At 6:10 PM 3/27/96, Henry Huang wrote: >I'd argue that having a slightly out-of-date CD-ROM is better than nothing, >because: > >- It gives you an idea of what sorts of crypto applications are out there, True, but your later point about who the intended market is makes the point I was making: the likeliest users pretty much know what they want and snarf the most recent (and debugged) version off the Net. (I have little interest, speaking as a user, in the zillions of variants of CryptDisk and SmartCrypt and whatnot that get mentioned here....I really only want "MacPGP" in its latest version, at this time, and for this the Web is certainly fast enough for me.) And I suspect I am not that unusual. The faster access to a CD-ROM is not too useful to most, as the time to install, learn, use, etc. a new crypto program is many orders of magnitude greater than getting it by even a 14.4 modem. >- If the authors are smart they'll include URL's to an update site > in the documentation (or the CD-ROM producer can do it), Indeed. Of course, many of these URLs will be dead within a few months of the CD-ROM being cut, so search engines remain the best way to find the actual sites and latest version. >- Not everyone out there is Net-savvy, or has the time to go trudging > around looking for the latest cutting-edge versions of software. > Time *IS* money. I agree. But they should learn to use search engines....even AOL and Compuserve are now offering such access to Alta Vista and such. Not to sound elitist--just realist--but anyone who wants "AmigaCrypt" and can't find a way to retrieve it from whatever obscure site that updates it with bug fixes, is lost. (And I think we have to be careful to remember the scope of Mr. Holiday's offer. What are the odds that he will become a nearly full-time archiver of interesting crypto programs and do the scouring of the Net/Web for interesting programs? What are the odds that AmigaCrypt will even _be_ on his CD-ROM?) >I'd almost argue that Tim's emphasis on using the Web to get crypto >assumes a sort of Net-centric view of how the crypto is going to be >used -- similar to reported provisions in the Leahy bill. The idea >that people who just want to encrypt personal data might not need the >latest versions of everything out there is reasonable -- as long as >the latest versions aren't BUG FIXES. ^^^^^^^^^^^^^^^^ Well, this is really what I had in mind as the main reason for using the latest version. Bug fixes that fix the actual crypto code may be less common than bug fixes that let the program work with the latest OS and such, but in either case it is important to have the bug fix. (Imagine the frustration of a user trying to run WindowsCryptomatic and finding, eventually, that the problem that prevented it from running in Windows 3.1 was fixed in WindowsCryptomatic 1.3? And that Mr. Holiday's opus only contained an early version of WindowsCryptomatic?) My essential point is that nearly any target user I can think of is going to zoom down the directory tree to his machine, his OS, his configuration, and then look for the handful of programs that work...the other 619 megabytes on the CD-ROM don't interest him. And he's going to want a robust, recent version. For nearly all target users, the Web is the ideal solution. (At least compared to a one-off CD-ROM....I haven't seen comments from Mr. Holiday recently, but I rather doubt he'll commit to an essentially full-time job of updating the CD-ROM. And of course, will customers buy it? This I doubt.) > >In that case, Tim's argument about stale versions would carry some >merit. But this is the case for ALL non-Net distributed software; you >don't see companies refusing to cut CD-ROMs simply because they're >worried their users won't be able to get the latest bug fixes. In the >ideal case, they'd do the best they can to make sure that people did, >but you have to be realistic. Companies cut CD-ROMs for lots of reasons. Often, it is much cheaper than distributing a dozen or more floppies. And manuals are often distributed online, in Postscript or Acrobat sorts of formats, thus cutting printing costs. If the Cypherpunks folks had a similar problem--distributing hundreds or thousands of floppies and printed manuals--then a CD-ROM would be a compelling alternative. Such is not the case, as the software already exists on the Web. So, what's the compelling reason, especially given the disadvantages cited? (An interesting question is why commercial vendors don't distribute on the Web. Well, some do. Netscape, for example. "Click to download." But large, expensive packages such as FrameMaker or Photoshop have other issues at hand--security, payment, lots of manuals, etc. I eventually expect more distribution via the Web. Not a wholly original thought.) >Plus, comparing the speed of a CD-ROM to a modem is like comparing the >speed of a station wagon to a skateboard. CD-ROMs aren't exactly fast, >but they sure as hell aren't anywhere near as slow as the water-torture >speeds of your average v.42bis modem. It depends on how narrow one's focus is. As I recall, it only took me a couple of minutes to download and automatically unbinhex/unstuff the latest MacPGP. I submit that _most_ crypto users and potential users have the same focus: they have little need to download tens of megabytes of programs, so the speed issue fades out. ... >I don't buy this. Many of the well-known/widely-used Net-distributed >crypto apps haven't put out updates for a LONG time. Even if it was the >case that they were throwing out bug fixes every two weeks, my previous >comments still hold. (And anyhow, you probably wouldn't WANT to have >software THAT unstable in your collection anyway. ;) I wouldn't. To answer this question we (or Mr. Holiday) need to look at some numbers: -- the frequency of "significant" updates for products -- the frequency of updates of Mr. Holiday's proposed CD-ROM I could give anecdotal experiences, but why bother. (I'll give one: I downloaded PGPhone, for the Mac only initially, the day it became available at the MIT Web site. For various reasons, I couldn't get it to work. This was last fall. I understand a new version that fixes some problems now exists, several months later. So, a CD-ROM that had the version of last fall would not be too interesting.) My guestimate is that a CD-ROM of crypto programs would have to be updated TWICE a year, consistently, to be useful. While I know nothing about Mr. Holiday (itself a reputation issue, not meaning any disrespect to Mr. Holiday), I do know that most "volunteer" projects follow a characteristic lifecycle: initial excitement, a "let's put on a show!" attitude, hard work to get thet first release out, a period of recuperation, and then, often, abandonment. (I plead guilty to this on my Cyphernomicon. There is no way in hell I'm going to devote months of my life to trying to keep it current, especially when it's so much easier now to just use Alta Vista to search Web pages and Usenet articles for keywords and concepts.) >I'm starting to think that the question of whether this CD-ROM is useful ^^^^^^^^^^^^^^^^^ This is where I started from! >depends on who you're selling it to. People who hang out on Coderpunks, >or are "in the loop" as to version updates and crypto sites won't want >this. People who want to buy the CD just to be "cool" aren't an issue. Indeed on both of these points. >The SOHO market (i.e. people who don't normally use the Net, and who >ordinarily wouldn't care too much about crypto) seems to be the ideal >target. But how do you sell a piece of software to an audience that >doesn't know it needs it? Indeed. Plus, the whole idea of "selling" this CD-ROM will trigger resistance. (I'm not saying Mr. Holiday doesn't have a right to try to sell it--though he may find that he'll have to be _very_ careful and diligent on getting appropriate releases, else he could find himself in hot water if even a _single_ author objects to having his program on such a CD-ROM!) >Perhaps this could be a chance to spread the gospel, so to speak. However, >that would mean the CD would have to be designed around these people -- >i.e. for ease of use, etc. These issues have probably been beaten to >death a long time ago (e.g. PGP shells), and shouldn't be too difficult >to resolve. The multi-platform stuff (DOS/Mac/**IX on one disc) will >be harder; you'll need to code a different interface to the CD for each >platform. Now this project is turning into a Big Project. Good luck! > >Hmm, do I hear a volunteer for writing that Crypto Software Web page? ;) > Actually, I've found there is no need for a specific page. There are hundreds of pages that have links to thousands of other pages. Maybe I've just gotten "searchcentric," but I rarely go to specific pages anymore to find information. Instead, I keep Alta Vista always ready to go and use it to zoom in quickly. These "metapages" are better than pages! --Tim Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Thu Mar 28 13:09:53 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 29 Mar 1996 05:09:53 +0800 Subject: Why Americans feel no compulsion to learn foreign languages Message-ID: At 4:27 AM 3/27/96, Herb Sutter wrote: >If you'll excuse a European joke: "Q: What does a European call someone who >speaks four languages? A: Gifted. Q: Three languages? A: Bright. Q: Two >languages? A: Normal. Q: One language? A: American." :-) (No, this isn't >a snub, it's just meant in good humour; it applies to a lot of us Canucks >too even though we do have two official languages. Heck, I apply it to >myself; my French is rusty, I haven't used it in over 12 years.) A girlfriend of mine was born in Denmark and spoke four languages (Danish, English, German, and French) before immigrating here at the age of 19. Danish was of course her native language, English is taught in all countries of Europe as a _lingua franca_ (ironically), German because the Danes have the Germans as neighbors, and French as her "elective." For Europeans, knowing the language of one's immediate neighbors (probably only a hundred kilometers away), and knowing English, accounts for much of their language facility. Americans are typically thousands of miles away from those speaking Japanese, Mandarin, Tagalog, Polish, Italian, Dutch, Spanish, Hindi, Talegu, and the hundreds of other languages. It is not at all clear what language Americans should pick as a "second language" to study. (Myself, I studied some German in high school, largely because in the 60s this is what science folks were expected to take. Artsy craftsy folks took French, and the slackers took Spanish. The real wonks took Latin, mainly to help them on their verbal SATs. Russian was offered as a trendy addition, later replaced by Mandarin and Japanese, the supposedly "essential business languages of the future," which have turned out not to be essential at all.) Europeans who look down on Americans for not studying the language of their neigbors simply aren't familiar with a map. The one language that a neighbor of ours differs on is Spanish, and this language is, for various reasons, useful mainly in infrequent vacations in Mexico, for speaking to gardeners and maids, and for giving instructions to day laborers and factory workers. Inasmuch as all Mexican hotels and restaurants understand English, and inasmuch as not many Americans travel to Mexico for other than vacations by the sea, etc., things become clearer. There is not a single foreign language I can think of it that would help me in my goals or help anyone I know. This is the reality of a world dominated by English-speaking persons and in which all technical people learn English. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Thu Mar 28 14:16:11 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 29 Mar 1996 06:16:11 +0800 Subject: ITAR double standards? Message-ID: I think there's been ample evidence that the ITARs are often used to harass U.S. companies that "won't play ball," that refuse to go along with certain governmental policies. (Part of the think we libertarians hate about Big Government and Lots of Laws is that government can use selective enforcement an another lever of power. As a felon, I am acutely aware of this power.) Something Black Unicorn/Uni/Dirsec/whatever said reminded me of something interesting: At 8:45 PM 3/25/96, Black Unicorn wrote: >Further, a entirely foreign production, say for chip manufacture, would >probably make things easier. I had specifically contemplated hardware >applications. Indeed, there are problems with both, but they don't stem >from ITAR. Now when I was with Intel, we made many of our chips in plants in Ireland, Israel, and other locales outside the U.S. Some of these chips were forbidden for export by the ITARs. And certainly the knowledge of the engineers sent overseas was comparable to the knowledge of RSA programmers.... (Before anyone points out that Intel presumably was not skirting the ITARs by drop-shipping chips from Ireland directly to non-U.S. countries. This is indeed the case. My point is a slightly different one. Read on.) So, did Intel have to apply to the State Department's office on munitions exports in order to send engineers to Malaysia, Israel, Germany, Ireland, etc., to do development work? Not that I ever heard. Engineers simply hopped on planes and that was that. (I suspect the same is the case with programmers at RSADSI, Microsoft, etc. That is, people ignore the Munitions Act laws which--it is argued by some--forbid the export of "expertise.") Where am I going with this? It seems to me that crypto companies could point out to the ITARs/Munitions Office/etc. folks that vast amounts of "sensitive technologies" are being developed and built by U.S. companies in offshore locations without so much as a ripple of publicity or concern. (I should note that in several examples I can think of, the engineers I mentioned who were relocated to these offshore locales for chip development later left the companies that moved them offshore and started or joined competing companies. Sounds like an exact parallel to the dreaded "RSA moves development to Switzerland" scenario that so many of us have urged.) And yet mention that a crypto company is considering a move of its key development folks to Switzerland or Austria or Zambia and watch the sparks fly. Sounds like a double standard to me, meant to exert pressure on the crypto companies (whom the U.S. government, it is clear now, would just as soon see put out of business or strictly controlled). --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From ghio at netcom.com Thu Mar 28 15:52:02 1996 From: ghio at netcom.com (Matthew Ghio) Date: Fri, 29 Mar 1996 07:52:02 +0800 Subject: Crypto CD In-Reply-To: <2.2.32.19960324211510.00908844@mail.teleport.com> Message-ID: <199603280253.SAA12157@netcom22.netcom.com> alano at teleport.com (Alan Olsen) wrote: >It would be a nice thing to have if it is reletivly complete. Hopefully it >can be created with a minimum of government interfearence. (But then, I >have been xpecting alt.binaries.crypto to be created as well...) alt.binaries.warez.crypto has existed for a long time (at least on Netcom), although I haven't seen any posts lately. I suspect many sites deliberately exclude alt.binaries.warez.* to save disk space. From dwa at corsair.com Thu Mar 28 15:55:18 1996 From: dwa at corsair.com (Dana W. Albrecht) Date: Fri, 29 Mar 1996 07:55:18 +0800 Subject: HP & Export of DCE Message-ID: <199603272044.MAA13170@vishnu.corsair.com> > Adam Shostack writes: > > Well, if Leahy passes, DCE is exportable. Anyone know if the > > 'SecureRPC' in DCE is the one BAL broke years back? > > No, they broke Sun's Secure RPC, which is different. > > I must admit that I've never done a serious security analysis of DCE > RPC, though... > > Perry Where can one find detailed information regarding the (in)security of Sun's "Secure" RPC? Specifically, pointers to actual papers by those who have compromised it (both in theory and practice as relevant) would be appreciated. Thanks! Dana W. Albrecht dwa at corsair.com From quester at eskimo.com Thu Mar 28 15:56:06 1996 From: quester at eskimo.com (Charles Bell) Date: Fri, 29 Mar 1996 07:56:06 +0800 Subject: Why Americans feel no compulsion to learn foreign languages In-Reply-To: Message-ID: On Wed, 27 Mar 1996, Timothy C. May wrote: > > There is not a single foreign language I can think of it that would help me > in my goals or help anyone I know. This is the reality of a world dominated > by English-speaking persons and in which all technical people learn > English. > I guess you don't know anyone who expects to do extensive business in China during the 21st Century. Right now everyone in China who can do so is frantically trying to learn English, the international language. But as China lumbers massively back to its historic place among the world's greatest powers, its deference to foreign tongues may be expected to decline. Charles Bell From karlton at netscape.com Thu Mar 28 15:56:40 1996 From: karlton at netscape.com (Phil Karlton) Date: Fri, 29 Mar 1996 07:56:40 +0800 Subject: Edited Edupage, 24 March 1996 In-Reply-To: <199603271856.NAA03030@jekyll.piermont.com> Message-ID: <3159926C.FF6@netscape.com> Perry E. Metzger wrote: > We aren't talking about SSL, Mr. Karlton. My apologies for misunderstanding what you wrote. It could be that I am oversensitive on the issue since SSL has been "accused" of being proprietary in many forums. > If you don't know what RTP is, > you to learn before talking about it. I am not an expert, but I do have some familiarity, and I wasn't talking about it. PK -- Philip L. Karlton karlton at netscape.com Principal Curmudgeon http://home.netscape.com/people/karlton Netscape Communications They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. - Benjamin Franklin From tcmay at got.net Thu Mar 28 15:56:54 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 29 Mar 1996 07:56:54 +0800 Subject: unsubscrive Message-ID: At 7:13 PM 3/27/96, Maurizio wrote: >unsubscrive cypherpunks Ah, a new spelling to be added to the archives. So far, we've got: undescribe unscribe unsubbscribe The penalty for not paying attention being continued receipt of 50 mail messages a day! --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From perry at piermont.com Thu Mar 28 15:57:02 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 29 Mar 1996 07:57:02 +0800 Subject: HP & Export of DCE In-Reply-To: <9603272138.AA03891@sabel.idacom.hp.com> Message-ID: <199603272233.RAA06214@jekyll.piermont.com> Martin Janzen writes: > The first "RPC" was produced by Sun's Open Network Computing group. Not even remotely the case -- RPC predates Sun Microsystems by a lot. > Another "RPC" comes from the Open Software Foundation, who unfortunately > chose the same acronym for the remote procedure calling mechanism in their > Distributed Computing Environment (DCE). I'm not sure its so bad, given that there are at least a dozen RPCs out there or more. > In short, it would help to avoid massive confusion if people were more > specific: refer to "DCE RPC", "ONC RPC" (or "Sun RPC", if you must :), > or "Microsoft RPC", not just to "RPC". Probably the case... Perry From perry at piermont.com Thu Mar 28 15:57:42 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 29 Mar 1996 07:57:42 +0800 Subject: Edited Edupage, 24 March 1996 In-Reply-To: <31598E35.1CFB@netscape.com> Message-ID: <199603271856.NAA03030@jekyll.piermont.com> Phil Karlton writes: > Perry E. Metzger wrote: > > > 2) I strongly hope that Netscape tries to move the product towards > > standards based mechanisms like the IETF's RTP protocol, which are > > in widespread use, rather than pushing yet more proprietary > > systems. Proprietary is bad in this instance. > > Personally, I have some trouble with the work proprietary above. > > SSL 2 and SSL 3 protocols have been IETF drafts from the beginning. We aren't talking about SSL, Mr. Karlton. We are talking about RTP vs. a proprietary audio encapsulation. If you don't know what RTP is, you to learn before talking about it. > SSL does depend upon an underlying reliable bytestream. This means it is > not the best choice for all applications. Such as internet phone, for example. Perry From 100561.744 at compuserve.com Thu Mar 28 15:57:55 1996 From: 100561.744 at compuserve.com (Maurizio) Date: Fri, 29 Mar 1996 07:57:55 +0800 Subject: unsubscrive Message-ID: <960327191354_100561.744_EHK55-1@CompuServe.COM> unsubscrive cypherpunks From roy at sendai.cybrspc.mn.org Thu Mar 28 15:58:07 1996 From: roy at sendai.cybrspc.mn.org (Roy M. Silvernail) Date: Fri, 29 Mar 1996 07:58:07 +0800 Subject: Edited Edupage, 24 March 1996 In-Reply-To: <01I2T0RRDGQO8ZDZIP@mbcl.rutgers.edu> Message-ID: <960327.172831.2j4.rnr.w165w@sendai.cybrspc.mn.org> -----BEGIN PGP SIGNED MESSAGE----- In list.cypherpunks, EALLENSMITH at mbcl.rutgers.edu writes: > Subj: Edupage, 24 March 1996 >>NETSCAPE TO GET IN ON THE PHONE-BY-INTERNET ACTION > Any possibility that Netscape might build in some form of > cryptography? I realize ITAR rules would make this problematic, but > perhaps some sort of out-of-country deal for putting in the hooks > for PGPhone could be done. Seems like SSL could work for this. - -- Roy M. Silvernail [ ] roy at cybrspc.mn.org PGP Public Key fingerprint = 31 86 EC B9 DB 76 A7 54 13 0B 6A 6B CC 09 18 B6 Key available from pubkey at cybrspc.mn.org -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMVnQGxvikii9febJAQFcxAP/TkEuQ9lPx/USyQjptvmL8FvM+nMvZrn/ m1tS7nYJ7SR7DQWl5uZM8Y+MRPZeDsmqvPNT13auS7QVJYDbM58Jp35khbJ/jdND hWC/H4h/yyBt/GVoFgByLI/ORletMW5p9dEuVFXAY0BCFuB17yvdhr0UkOcaTPiZ ciSWevXjh1I= =L3PH -----END PGP SIGNATURE----- From quester at eskimo.com Thu Mar 28 15:58:36 1996 From: quester at eskimo.com (Charles Bell) Date: Fri, 29 Mar 1996 07:58:36 +0800 Subject: DESCRIBE In-Reply-To: Message-ID: On Tue, 26 Mar 1996, Dan Ringley wrote: > Take me off of the God Forbidden list already! Now! > > > What God hath joined together, let no man put asunder. Like Dan Ringley and terminal cluelessness. Charles Bell From tcmay at got.net Thu Mar 28 15:58:41 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 29 Mar 1996 07:58:41 +0800 Subject: Why Americans feel no compulsion to learn foreign languages Message-ID: At 9:37 PM 3/27/96, Alan Bostick wrote: >In article , >tcmay at got.net (Timothy C. May) wrote: > >> Americans are typically thousands of miles away from those speaking >> Japanese, Mandarin, Tagalog, Polish, Italian, Dutch, Spanish, Hindi, >> Talegu, and the hundreds of other languages. It is not at all clear what >> language Americans should pick as a "second language" to study. > >What continent do you live on? As I write this my next-door neighbor's >stereo is blaring out music in Yoruba. When I took my mother to the Your point being? My point was not that America is monolingual but that, in fact, the polyglot nature makes no particular language or small group of languages stand out as a compelling candidate for study. You want to study Yoruba, fine. It might be interesting. It might help you to follow the lyrics of your neighbor's music. But I don't find it compelling to study in the same way that English is important to study. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Thu Mar 28 15:58:48 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 29 Mar 1996 07:58:48 +0800 Subject: Let's *NOT* "Raise their Awareness" Message-ID: At 8:23 AM 3/27/96, Charles Bell wrote: >Yes, and some years ago a State legislature (I forget which) passed a >resolution setting the value of pi at exactly 3. I'm not sure how they >planned to enforce their will. Do you know how the Texas judge means to >enforce his? By the way, this is a wonderful story to tell about the stupidity of government, but, alas, most of it is urban legend. The Tennessee or Kentucky (I forget which) state legislature did not actually pass such a law....it was merely _proposed_ by some particular legislator, and then never acted upon. (I suspect an Alta Vista search might turn something up on this.) As to the Texas court order...all sorts of restrictions are often imposed in divorce custody cases (which this is). Sometimes it's that a child shall not be exposed to second-hand smoke from one of the spouses (this has happened here in California, such restrictions, that is), sometimes it's other things. Enforcement is by testimony of the child and reporting of violations to the court. Child Protective Services probably has no involvement. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From asgaard at sos.sll.se Thu Mar 28 16:00:10 1996 From: asgaard at sos.sll.se (Asgaard) Date: Fri, 29 Mar 1996 08:00:10 +0800 Subject: Message-ID: I agree that for a native English/American speaker to learn other languages is mostly a waste of time (if you are not a spy; or businessman having to deal with constipated French etc). Only if you permanently move to another country the situation gradually becomes different. Americans who move to Sweden (we had a lot of Vietnam war 'deserters' coming way back) can keep on speaking American for a year or so without anyone taking notice (actually if the American tries to speek Swedish the Swedes may deny him to do so, they love to train themselves in speaking English), but then when years pass bye and the American still loves the special attention he receives as an American-speaker and refuses to learn Swedish, the situation will become awkward. I studied German, French, Italian and Russian and am still moderately fluent in German, but I care less and less to keep these languages up since English is more and more becoming the World Language. Asgaard From maldrich at grctechs.va.grci.com Thu Mar 28 16:00:18 1996 From: maldrich at grctechs.va.grci.com (Mark Aldrich) Date: Fri, 29 Mar 1996 08:00:18 +0800 Subject: ViaCrypt PGP 4.0 for Windows shipping In-Reply-To: <2.2.32.19960327060017.0090a994@mail.teleport.com> Message-ID: On Tue, 26 Mar 1996, Alan Olsen wrote: > ViaCrypt is claiming that they are now shipping the Windows version of their > PGP 4.0. (I tend to not believe marketing claims until I hear from people > who actually have it.) Note that ViaCrypt is now using its own version numbers. PGP 4.0 is really the same crypto engine as in 2.7.1, but with some new features. > > Does anyone know if there are plans for this version to be interoperable > with PGP 3.0? > I asked about that, but the answer was indefinite. I'd say "no." > Furthermore, has anyone tried the new version? Yes. We were one of the beta sites for it. There are actually two new versions of ViaCrypt PGP 4.0: A business edition and a personal edition. Essentially, there's a bunch more key management features and some new windows features. In the business edition, you can configure it so that keys are essentially "escrowed" in that it will always add "the company" to the list of recipients. Thus, your company can read your traffic if they want to. This was at the request of many businesses who stated that they wanted to use PGP, but that they needed some means of escrowing the keys. What's really interesting is what ViaCrypt has planned for even later releases: support for DSS (and SHA), DES, triple DES, multiple key rings, PC Card token support, provision for large key certificate databases, integration with X.509 structures, and a high performance single pass mode of operation. ViaCrypt put up some marketing stuff on their web page. Try: http://www.viacrypt.com/ > --- > Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction > `finger -l alano at teleport.com` for PGP 2.6.2 key > http://www.teleport.com/~alano/ > "We had to destroy the Internet in order to save it." - Sen. Exon > > ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From blancw at accessone.com Thu Mar 28 16:10:07 1996 From: blancw at accessone.com (blanc) Date: Fri, 29 Mar 1996 08:10:07 +0800 Subject: ITAR double standards? Message-ID: <01BB1A9E.0E084AC0@blancw.accessone.com> From: Timothy C. May >You're a felon? For real? > Yes. ................................................................. Ah, yes - Tim the Indecent, vis-a-vis X-onomous signatures. Sheut. I thought maybe you'd done something really interesting. .. Blanc From unicorn at schloss.li Thu Mar 28 16:42:30 1996 From: unicorn at schloss.li (Black Unicorn) Date: Fri, 29 Mar 1996 08:42:30 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: <2.2.32.19960326112653.00c3850c@panix.com> Message-ID: On Tue, 26 Mar 1996, Duncan Frissell wrote: > At 09:46 PM 3/25/96 -0500, Michael Froomkin wrote: > > >An interesting issue, likely to be addressed in future judicial > >assistence treaties... > > > > However, future judicial assistance treaties are meaningless if you store > your keys anonymously (domestically or internationally) so that even the > keeper doesn't know he has them or exactly where they are in his pile of keys. Given the significant contempt charges that can follow a refusal to produce items (anonymous or not) this still depends on the absence of initial detection. > In general, I think that we should attack government key escrow on economic > efficiency grounds by pointing out that it is unlikely that "socialized key > escrow" would do as good a job as private enterprise key escrow. The > Stalinist method of industrial production, is well known for its > inefficiencies and similar inefficiencies attach to government key escrow. Here I agree. > In fact, I suppose that government operation of the identification system > (drivers' licenses, passports, etc.) in general is also horribly inefficient > and should be attacked on efficiency grounds. You might not like what you get in response. Streamlined and uniform identity documents generated at birth and renewed with tax filings would be the likeliest efficiency improvement. An inefficient government identification system is to the advantage of the privacy seeker. > > DCF > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From rmccoy at mercury.interpath.com Thu Mar 28 17:17:48 1996 From: rmccoy at mercury.interpath.com (Ron McCoy) Date: Fri, 29 Mar 1996 09:17:48 +0800 Subject: ViaCrypt PGP 4.0 for Windows shipping In-Reply-To: <2.2.32.19960327060017.0090a994@mail.teleport.com> Message-ID: <199603271325.IAA11829@mercury.interpath.com> > > I have not seen this here yet, so sorry if you have seen it... > > ViaCrypt is claiming that they are now shipping the Windows version of their > PGP 4.0. (I tend to not believe marketing claims until I hear from people > who actually have it.) > > Does anyone know if there are plans for this version to be interoperable > with PGP 3.0? > > Furthermore, has anyone tried the new version? > --- > Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction I've got the Viacrypt Business Edition for Windows. It arrived late last week. I don't think the personal edition is shipping yet. The business edition adds features for corporate key escrow and limiting features available to users. I've just started playing with the software, but it looks like some of the user control features are implemented using security through obscurity. The windows implementation is ok, but does not include DDE or OLE. The floating toolbar looks useful. 4.0 will interoperate with current versions of PGP as long as a normal key is generated. 4.0 allows for generation of keys limited to signing or encryption. These keys will not interoperate with current versions of PGP. I'll know more as I use the software. If anyone has any specific question, feel free to ask. Ron McCoy Rmccoy at mercury.interpath.com From adam at lighthouse.homeport.org Thu Mar 28 17:18:13 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Fri, 29 Mar 1996 09:18:13 +0800 Subject: HP & Export of DCE Message-ID: <199603271408.JAA08085@homeport.org> Well, if Leahy passes, DCE is exportable. Anyone know if the 'SecureRPC' in DCE is the one BAL broke years back? I asked a few DCE supporters this, and never got an answer, so I suspect they're still shipping bogus crypto. Adam ----- Forwarded message from Anonymous ----- As I sit, somewhere not in North America, I can see a CD-Rom from Hewlett-Packard, which I've had since last year. Recently I received the following letter. I've attempted to retype its contents accurately. ---------8<--------8<--------8<--------8<--------8<--------8<--------8< [HP Logo] Hewlett-Packard Company Software and Information Delivery Operation, SST 690 East Middlefield Road Mountain View, California 94043 415/968-9200 Dear HP-UX Support Customer, Hewlett-Packard has uncovered a bundling problem in the DCE-Core fileset that is on the October HP-UX Application Release 10.0 s700/800 Application CDs. These products were bundled such that they are not compliant with U.S. Government export regulations. The part numbers for the affected CDs and products are listed below. From frantz at netcom.com Thu Mar 28 18:29:33 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 29 Mar 1996 10:29:33 +0800 Subject: So, what crypto legislation (if any) is necessary? (Was List O' , shame) Message-ID: <199603252350.PAA08745@netcom5.netcom.com> At 1:32 PM 3/25/96 -0500, Black Unicorn wrote: >All it would take is one anti-trust case with encryption as a concealing >method and people would be busting down doors at night looking for PGP. Back in the dark ages, IBM built an audio messaging system. It was quite popular in "cave of the winds" (IBM headquarters) because it allowed busy executives to leave audio memos for each other without needing a secretary to type them. Since storage was limited, and old messages were purged from the system it also had the effect that anti-trust discovery would have nothing to discover. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From alanh at mailhost.infi.net Thu Mar 28 19:27:22 1996 From: alanh at mailhost.infi.net (Alan Horowitz) Date: Fri, 29 Mar 1996 11:27:22 +0800 Subject: Why Americans feel no compulsion to learn foreign languages In-Reply-To: Message-ID: Certainly, one can _get along_ as a tourist using only English. If you like to travel among large crowds of American tourists along well-worn tourist migration routes, go ahead and do it, I say. "Where the rabble also drink, all wells are poisoned" - Nietsche From frantz at netcom.com Thu Mar 28 19:29:05 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 29 Mar 1996 11:29:05 +0800 Subject: What backs up digital money? Message-ID: <199603280558.VAA00137@netcom9.netcom.com> At 6:39 PM 3/27/96 -0800, Mike Duvos wrote: >Real electronic currency could be invented, but would have to >live its life within a population of tamper-proof smart cards >communicating with each other through secure protocols. Whether >anyone will bother to implement such a system remains to be seen. Sounds like the Mondex system, so I guess someone already has. I think the url is www.mondex.com, but I could be wrong. Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From mark at zang.com Thu Mar 28 19:32:24 1996 From: mark at zang.com (Mark (Mookie)) Date: Fri, 29 Mar 1996 11:32:24 +0800 Subject: Sun patch pulled Message-ID: <199603280505.TAA13153@zang.com> >I noticed that Sun's latest libc patch (101759-04) is empty. Previous >versions contained the complete U.S. version of libc, including the >tres-dangerous DES and crypt functions. In the current rev only the >README remains, presumably because: > EXPORT INFORMATION: This patch includes code which performs > cryptographic functions, which are subject to U.S. export > control, and must not be exported outside the U.S. without > prior approval of the U.S. government. Prior export approval > must be obtained by the user of this patch. The 101759-?? patch is missing from the Feb 1996 SunSolve Patches CD. However if one pops in the November 1995 Patches CD there is a nice little copy of the 101759-03 patch which also comes with the above warning and the DES enabled libraries. The Patches CD's are openly sent around the world by Sun Support, one CD for all the world. Cheers, Mark From frantz at netcom.com Thu Mar 28 19:35:09 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 29 Mar 1996 11:35:09 +0800 Subject: Why Americans feel no compulsion to learn foreign languages Message-ID: <199603272046.MAA05540@netcom9.netcom.com> At 3:13 AM 3/27/96 -0800, Timothy C. May wrote: >There is not a single foreign language I can think of it that would help me >in my goals or help anyone I know. This is the reality of a world dominated >by English-speaking persons and in which all technical people learn >English. I would agree with you, except I started International Caving. When in Hungery, I heard, "Peter will guide you thru the rest of the cave. Don't worry, he speaks good German." Fortunatly, my German was good enough. While in China as a normal tourist, a travel agency in Yichang tried to extort $600 from our group. My wife's (very poor) knowledge of Manderin probably scared the preps enough to get them to lay off. BTW - There are also French speakers on the US border. They don't want to speak english either. ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From roy at sendai.cybrspc.mn.org Thu Mar 28 19:35:41 1996 From: roy at sendai.cybrspc.mn.org (Roy M. Silvernail) Date: Fri, 29 Mar 1996 11:35:41 +0800 Subject: Crypto CD UpDate In-Reply-To: Message-ID: <960327.200428.2c6.rnr.w165w@sendai.cybrspc.mn.org> -----BEGIN PGP SIGNED MESSAGE----- In list.cypherpunks, asgaard at sos.sll.se writes: > > >> A nice advantage of CD-ROMs is that many BBSs that aren't plugged into >> the net use them. I rememebr showing threads about a similar C'punks > > Suppose strong crypto is outlawed in all OECD countries by dec -96. > The known international sites with more or less complete coverage > today amount to a handful. They will be shut down pronto. Of course > lots of private persons have a lot of crypto files hanging around, > but a widely distributed CD-ROM, easily put up as a BBS partition, > wouldn't make the situation worse. Excellent point! I want one of those CDs! - -- Roy M. Silvernail [ ] roy at cybrspc.mn.org PGP Public Key fingerprint = 31 86 EC B9 DB 76 A7 54 13 0B 6A 6B CC 09 18 B6 Key available from pubkey at cybrspc.mn.org -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMVnzzBvikii9febJAQHTBQP/fChoHXEzzDu0MVNbw4+BfX24fzPyaJO4 eUKK5i1tas73moo0EbaL2L3tN1OsTMQ6aUXjORdTmaKurRYeL5G09MtNBPYy/OZf +z0Vg2xOALkmOyeh+Ikmlsz/MtPNgcTMQsW4TXtaWk6G1mFswKzg1CS5KheO5KgQ dnHeCvliJ2A= =80/t -----END PGP SIGNATURE----- From tcmay at got.net Thu Mar 28 19:59:17 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 29 Mar 1996 11:59:17 +0800 Subject: unsubscrive Message-ID: At 6:20 PM 3/27/96, David K. Merriman wrote: >Well, at least this one is *vaguely* forgiveable - the 'b' and 'v' keys >*are* next to each other on a keyboard.... A nice theory, but he uses the misspelling in the thread title ("unsubscrive") and in his body message of "unsubscrive cypherpunks." If he mistyped, it happened twice in the same way. (And I try to always check my spelling carefully when I am sending commands to a majordomo-type automatic processor!) "Measure twice, cut once." --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Thu Mar 28 20:00:01 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 29 Mar 1996 12:00:01 +0800 Subject: Why Americans feel no compulsion to learn foreign languages Message-ID: At 9:05 PM 3/27/96, Rich Graves wrote: >Undeniably true. I think Tim's point was more, "Who cares? Everyone *I* >want to talk to speaks English." > >One may quibble with the wisdom or morality of such a statement, but if >the second statement is true in your case, then there is no reason you >should have to learn another language. Most upper-income Americans have no >need for esoteric languages. Almost all upper-income Americans have a need >for English. Yes, this is mostly my point. And it is not just me I'm talking about--I don't see a compelling need for 95% of Americans to learn a second language...in fact, I'd rather they learned to speak and read English properly. (All of the America-bashers who were chiming in earlier today with their anti-American jokes...well, here's one for you: "What do you call someone who knows how to speak and write English properly? A European.") I don't deny that Alan Bostick needs to take a class in Yoruba so he can communicate with his neighbor, nor do I deny Michael Helm's point that by not studying Talegu we are denying ourselves access to the world's culture. In my next 25 lifetimes, with the advent of Nanocryonic Revitalization, I certainly will try to learn several of these obscure languages. Father Guido Sarducci has a nice routine in which he describes what happens to our high school Spanish in the several years after taking it. After the fourth or fifth year, all we remember is "Como esta?" (I took German, not Spanish, so my spelling is phonetic, from his dialog.) The point being that very few Americans have any _continuing_ way to use the languages we learn. Which is a major reason they are being dropped by many schools. Even in areas with lots of Mexicans and other Latinos, few opportunities. (Your mileage may vary, but I think this is generally so.) My sister lives near Miami and finds no need to brush up on her Spanish. The educated Cubans and ohter Latinos all speak English fluently, and the uneducated Mexicans and the like she has no need to communicate with. (No doubt some of the politically correct will once again denounce me as a racist. This is not racism, just reality. And to some, the truth hurts.) There is an "information theory" interpretation of learning foreign languages. Where I live, the issue is not that there are not native speakers of foreign languages...the issue is that no single foreign language stands out as being desirable to learn, except for one's personal edification or circumstances. So what languages should schools offer? French and German are not common in California, or the U.S. in general, and the languages of the immigrant communities (Spanish, Vietnamese, Tagalog, Laotian, Korean, etc.) have little use except in communicating with these communities. And they are all busy learning English.... --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Thu Mar 28 20:22:20 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 29 Mar 1996 12:22:20 +0800 Subject: NSA/ITAR Message-ID: At 9:43 PM 3/25/96, Vladimir Z. Nuri wrote: >TCM: > >>* EXPORT OF CRYPTO BEYOND U.S.: This is indeed a thorn in the sides of U.S. >>companies, but is not _per se_ an issue I worry about. So long as I have >>strong crypto, I don't really care too much about export. It would be nice >>to get the ITARs modified, but not at the risk of adding language (such as >>Leahy did) making use of encryption a possible crime (we've debated this, >>so I won't elaborate here). Besides, I think the best way to overturn the >>ITARs is through a court challenge; as I have noted, even the NSA's lawyers >>felt that the ITARs would not withstand court scrutiny. > >hmmmm, I don't recall you saying that. would love to hear more about >"NSA's lawyers feeling the ITAR cannot withstand court scrutiny". My most recent mention of this was a few days ago, where I cited Carl Nicolai, inventor of the suppressed "PhasorPhone," as my source. He and his lawyer got access to papers inside the NSA building, though they could not make copies. They found memos from NSA staffers saying that the ITARs had never been tested in court and would not likely survive a full Consitutional test and that it would thus be best if court cases were avoided. I passed this information along to the Lee Tien, representing Gilmore in various cases, and to Phil Karn. --Medusa From norm at netcom.com Thu Mar 28 20:47:13 1996 From: norm at netcom.com (Norman Hardy) Date: Fri, 29 Mar 1996 12:47:13 +0800 Subject: WSJ on Big Java Flaw Message-ID: At 11:07 PM 3/26/96, Steve Gibbons wrote: .... >Actually, I suspected and reported the same bug some weeks before the group at >Princeton. . That said... .... Thanks for the pointer. I found it most interesting. I suppose that I am glad that I am not the only one who doesn't know how DNS works. From perry at piermont.com Thu Mar 28 20:53:05 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 29 Mar 1996 12:53:05 +0800 Subject: HP & Export of DCE In-Reply-To: <199603271408.JAA08085@homeport.org> Message-ID: <199603271607.LAA02400@jekyll.piermont.com> Adam Shostack writes: > Well, if Leahy passes, DCE is exportable. Anyone know if the > 'SecureRPC' in DCE is the one BAL broke years back? No, they broke Sun's Secure RPC, which is different. I must admit that I've never done a serious security analysis of DCE RPC, though... Perry From perry at piermont.com Thu Mar 28 20:57:47 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 29 Mar 1996 12:57:47 +0800 Subject: Edited Edupage, 24 March 1996 In-Reply-To: <315908B5.72DA@netscape.com> Message-ID: <199603271534.KAA02331@jekyll.piermont.com> Jeff Weinstein writes: > > Any possibility that Netscape might build in some form of > > cryptography? > > I realize ITAR rules would make this problematic, but perhaps some sort of > > out-of-country deal for putting in the hooks for PGPhone could be done. > > The internet phone software is coming from one of the companies that > we are acquiring. This is one obvious application of SSL that I will be > looking into after the merger is complete. 1) I strongly suggest that SSL is *not* in its current form the right technology, because internet phone type tools probably use UDP, not TCP. 2) I strongly hope that Netscape tries to move the product towards standards based mechanisms like the IETF's RTP protocol, which are in widespread use, rather than pushing yet more proprietary systems. Proprietary is bad in this instance. I believe, by the way, that several existing RTP implementations have encryption in them. Perry From os at cs.strath.ac.uk Thu Mar 28 21:17:47 1996 From: os at cs.strath.ac.uk (os) Date: Fri, 29 Mar 1996 13:17:47 +0800 Subject: Why Americans feel no compulsion to learn foreign languages In-Reply-To: Message-ID: <31595F37.2781@cs.strath.ac.uk> >There is not a single foreign language I can think of it that would help me >in my goals or help anyone I know. I have never known anyone being disadvantaged by knowing another language than their mother tongue. Oyvind -- From ericande at cnw.com Thu Mar 28 21:22:24 1996 From: ericande at cnw.com (Eric Anderson) Date: Fri, 29 Mar 1996 13:22:24 +0800 Subject: Weapons & Hope Message-ID: <01BB1AE5.90E0B8A0@king1-19.cnw.com> ---------- From: Duncan Frissell[SMTP:frissell at panix.com] Sent: Tuesday, March 26, 1996 8:42 AM To: cypherpunks at toad.com Subject: Weapons & Hope While it might be barely possible in the mass production age to control weapons by blocking the flow of these specific products (a Streetsweeper, say) into the marketplace, it will clearly not be possible in the age of custom production. General machines will be available to produce specialized products (often under the direct control of the customer, himself). Some of this custom production will be weapons. I took machine tool operations @ my local community college. suffice it to say, good, high-quality firearms are **EASY** to fabricate (Believe me!) So my point is this: Just as the Gov't CANNOT prevent me from making a gun in my basement, whats to stop some high-school juinor from writing a strong crypto program? I can just see Chuckie Schumer introducing (W/ Sen. Fine-Swine as co-sponor) a bill to ban "Cyberwar Software" i.e. mandatory registration of compilers, mandatory GAK, etc... What an asshole. Take care, Eric From owner-cypherpunks at toad.com Thu Mar 28 21:46:01 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 29 Mar 1996 13:46:01 +0800 Subject: No Subject Message-ID: <199603290546.NAA11595@infinity.nus.sg> The syslog problem is fixed in baseline SunOS 5.5. Sun and HP are apparently doing what the stupid law mandates - and they should do so, whether someone at NSA (or whatever) is on their case or not. :) They should also have someone in their respective legal departments bucking ITAR very hard. "tres-dangerous" must have been typed with a snear, no? ECafe Anonymous Remailer wrote: > > I noticed that Sun's latest libc patch (101759-04) is empty. Previous > versions contained the complete U.S. version of libc, including the > tres-dangerous DES and crypt functions. In the current rev only the > README remains, presumably because: > EXPORT INFORMATION: This patch includes code which performs > cryptographic functions, which are subject to U.S. export > control, and must not be exported outside the U.S. without > prior approval of the U.S. government. Prior export approval > must be obtained by the user of this patch. > > So, you might ask, what fixes is Sun not distributing??? > (Rev 04) > 1190985 gethostbyname() can trash an existing open file descriptor. > 1182835 portmapper silently fails with version mismatch by PC-NFS > client > 1219835 Syslog(3) can be abused to gain root access on 4.X systems. > > Yup, that's right. The syslog hole that was so well publicized by > CERT will remain open indefinitely because the ITAR makes it illegal > for Sun to distribute the fix! > > So did HP and Sun spontaneously, simultaneously develop crypto awareness, > or is some gummint dweeb whispering threats in their ear? From frantz at netcom.com Thu Mar 28 22:29:55 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 29 Mar 1996 14:29:55 +0800 Subject: Why Americans feel no compulsion to learn foreign languages Message-ID: <199603281947.LAA14441@netcom9.netcom.com> At 2:22 AM 3/28/96 -0800, Timothy C. May wrote: >... In any case, the issue is not the >classes taken by _some_ (the few percent who study Russian, Japanese, >Mandarin, etc.), but the topic of this thread: "Why Americans feel no >compulsion to learn foreign languages." I, at least, want to know something of the language of the countries I travel in. Being able to get a meal or a room for the night is useful. As a rock bottom minimum, I want to know the phrases: Hello, Good by, Please, Thank You, More beer please, and Where's the bathroom. The look of pleased surprise on the face of the Budapest resident when I said "Thank you" to in Hungarian as he gave up his seat to me because I was loaded down with caving equipment is something I still treasure. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From owner-cypherpunks at toad.com Thu Mar 28 23:00:22 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 29 Mar 1996 15:00:22 +0800 Subject: No Subject Message-ID: <199603290700.PAA11741@infinity.nus.sg> Blanc Weber writes: > Perry, here's a question for you, and I am seriously interested in your > answer: [...] > what, then, would you yourself consider proper for discussion here? > [in the context of digital cash discussion] I'd say that anything directly dealing with digital cash, its implications, deployment, and technical issues associated with it. General discussions of whether the Federal Reserve is a bunch of evil old men and the like are what are out of bounds. This means: "How does blinding work" and "Do you think that digital cash systems will hurt bank regulatory supervision" are fine things to talk about but "Do you think the Federal Reserve issues counterfeit money" are not. Perry From adam at lighthouse.homeport.org Thu Mar 28 23:05:47 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Fri, 29 Mar 1996 15:05:47 +0800 Subject: firewalls and CKE (fwd) Message-ID: <199603271650.LAA08842@homeport.org> Marcus Ranum posted this to firewalls. Contains some interesting technical arguments against key escrow at the firewall level. ----- Forwarded message from Marcus J. Ranum ----- >From firewalls-owner at GreatCircle.COM Mon Mar 25 21:26:27 1996 From: "Marcus J. Ranum" Message-Id: <199603252204.RAA01115 at clark.net> Subject: Re: firewalls and CKE To: mckenney at smiley.mitre.org (Brian W. McKenney) Date: Mon, 25 Mar 1996 17:04:41 -0500 (EST) Brian W. McKenney writes: >I missed the jist of the original message The gist of the first message was that software key escrow is here, and it is the greatest thing since the discovery of fire. :) Granted, it's nice that someone has found a way of convincing the government to let them export good crypto, but in this particular application it makes no sense. >For the firewall-to-firewall encryption >scenario, the data recovery component (DRC) may be a machine that >intercepts (in real-time) the traffic and then decrypts the data (recovers >the data). The interception of encrypted data makes sense for this type of >communication since the data is not really stored on the firewall (it is >wrapped/unwrapped quickly). [the intercepted packet may be copied and then >decrypted] That's completely brain-damaged if you think about it for a second. Let's suppose I have a file and it is unencrypted. I FTP it through my SKE-equipped firewall to the Paris office. My file gets transparently encrypted as it is broken into packets and sent across the 'net. Then - what - someday I need the file back so I get the escrowed key and reassemble the file from raw packets? That's dumb! I dunno about you but I'd just recover the clear file from a backup tape. :) Firewall-to-firewall encryption is a link-layer security technology. It encrypts data in transit: before it leaves and after it arrives you *already* have a clear-text un-escrowed version of the data. If I have a corporate requirement to "escrow" my telnet sessions then I'll use a version of telnet that logs keystrokes. But I can't see any reason (unless I'm a spook) to de-archive, de-escrow, and reassemble a telnet session for archival purposes. It gets worse since all the "escrowed" packets will be mishmoshed in with DNS queries (all "escrowed") and NFS packets and lordy knows what else. If it came to having packet records, why not simply log all packets *before* they get encrypted at the firewall, while they are still in the clear? Easier, no? At least LOTUS' "key escrow" approach is openly designed for the spooks and doesn't pretend to add value to the end user. I appreciate that TIS has made a successful deal with the devil to export some strong encryption, but it's unfortunate that they're showcasing it in a way which makes absolutely no sense at all. It's a shame, because basically we're seeing smart people doing technically goofy things in order to comply with some ridiculous laws. mjr. ----- End of forwarded message from Marcus J. Ranum ----- From quester at eskimo.com Thu Mar 28 23:08:06 1996 From: quester at eskimo.com (Charles Bell) Date: Fri, 29 Mar 1996 15:08:06 +0800 Subject: Let's *NOT* "Raise their Awareness" In-Reply-To: <2.2.32.19960325205224.006866dc@arn.net> Message-ID: On Tue, 26 Mar 1996, David K. Merriman wrote: > whatever language one chooses. It seems that here in Texas (specifically, > here in Amarillo), a local judge informed a Hispanic family that they were > prohibited from speaking _only_ Spanish to their child at home. The > rationale was that since English is the (ostensibly, in this area) Public > Language of the school system here, failure to encourage use of English > would adversely impact the child's education, and was thus a form of child > abuse. If need be, I can provide excerpts from the local snoozepapers Yes, and some years ago a State legislature (I forget which) passed a resolution setting the value of pi at exactly 3. I'm not sure how they planned to enforce their will. Do you know how the Texas judge means to enforce his? Charles Bell From bsrour at netnet.net Thu Mar 28 23:21:33 1996 From: bsrour at netnet.net (Ben Srour) Date: Fri, 29 Mar 1996 15:21:33 +0800 Subject: Returned mail: User unknown Message-ID: <199603282136.PAA26198@netnet1.netnet.net> Spelling is the KEY to life. >>X-Sender: issup5 at mail >>Date: Mon, 26 Feb 1996 11:32:17 +0200 >>To: "cypherpunks at toad.com" >>From: Nibiru >>Subject: unsubscrive >>Sender: owner-cypherpunks at toad.com >> >>unsubscrive cypherpunks >> >> >>------------------------------------------------------------------- >>NIBIRU >>E-Mail : nibiru at columbus.co.za >>South-Africa >>-------------------------------------------------------------------- >> >> >> > > From mike at fionn.lbl.gov Thu Mar 28 23:50:14 1996 From: mike at fionn.lbl.gov (Michael Helm) Date: Fri, 29 Mar 1996 15:50:14 +0800 Subject: Why Americans feel no compulsion to learn foreign languages In-Reply-To: Message-ID: <199603282112.NAA08380@fionn.lbl.gov> On Mar 27, 10:57pm, Jonathon Blake wrote: > One other advantage to knowing a language other than > English. Legal encryption. << Unless a federal law > encrypt it with PGP. Would the cryptanalysts recognise > the plain text, even if they had it? >> Well, it's a special case of security by obscurity, isn't it? If the language is something unusual, maybe that helps, but if the language is too obscure, you may be identified (by your ethnicity, your history, or your friends/community) as a speaker of it. I guess it does raise the economic cost of "decipherment" some. But many immigrant parents have learned to their embarrassment that this kind of encoding doesn't work too well %^) The Navajo/Na Dene codetalkers (WW II) developed a real arcane jargon, so I was told. Maybe it was because the conditions of war were completely different than their language's environment so they were forced to invent words, or maybe they thought it was a good idea, or whatever. But I believe transcripts of their transmissions are often mostly unintelligible to native Navajo speakers who weren't in the know. From hfinney at shell.portal.com Thu Mar 28 23:56:15 1996 From: hfinney at shell.portal.com (Hal) Date: Fri, 29 Mar 1996 15:56:15 +0800 Subject: The Law Loft: Surviving the Biometric I.D. Card Message-ID: <199603281944.LAA20391@jobe.shell.portal.com> I have been surprised not to hear more about this aspect of the immigration reform laws. Unfortunately the alert which Tim forwarded is out of date, and I believe the reforms did pass in some form. I view biometric identification as a very disturbing development and I'd like to hear more about the wording of the bills as finally passed. If they really want to give people a card which proves their legal residence in the US, a less intrusive approach is possible. Rather than set up a database of all employees, and/or give each person an official identity card, instead have people come and prove their residency, then give them a card with the biometric information and a blind signature. No other information goes on the card, no information goes into a database. The signature is a certificate testifying that the person with the particular thumbprint is legal to work in the US. The card can't be transferred since no one else has that thumbprint. But no identifying information is recorded. There is no advantage in people coming in twice to get more than one card since their print will be the same each time, so no database is needed. A simpler approach dispenses with the blind signature and just issues a regular signature on the thumbprint or other biomarker. This is about as good since proving residency will probably require at least an incidental display of identity papers, so you are already trusting the agency not to log you, and you can just as easily trust them not to log the signature. This is an approach which accomplishes the goal with a minimal intrusion into people's privacy. I don't know how it compares with current biometric concepts - maybe this is similar to what they are proposing, minus the database. But there is a general principle that government regulations should use the least restrictive means where they violate people's rights, such as the seriouss privacy violations in the current proposals. So I think it should be possible to make a strong argument that privacy protecting alternatives which accomplish the objective must be considered. The key concept is to unlink identity from the credential. That is the crucial idea of credentials, one which has not yet pentrated the popular consciousness. Maybe we need to start pushing it more. You don't have to prove your identity to prove you have certain qualifications. There is no need to tie everything to a central identifier. A system of dispersed, stand-alone credentials will be far better at protecting privacy. Blind signatures can help protect against cheating, but policy can work too, especially when credentials are issued by a public agency on a large scale, so systematic and secret record keeping is impractical since so many people are involved. I know a lot of people will oppose even this form of biometric information, which is not tied to identity. Perhaps we could have some discussion on the degree to which people see this kind of system as a privacy threat. If the credential concept is new we could discuss that, too. Hal From s1113645 at tesla.cc.uottawa.ca Thu Mar 28 23:58:43 1996 From: s1113645 at tesla.cc.uottawa.ca (s1113645 at tesla.cc.uottawa.ca) Date: Fri, 29 Mar 1996 15:58:43 +0800 Subject: Canada's ISO standards body? In-Reply-To: Message-ID: On Thu, 28 Mar 1996, Eric Young vented: > exercise with no money to spend, I have learnt to dislike the way some > the 'standards' are not available (by which I mean available for > the masses via the internet, ala rfc's). > > eric (venting some frustration that build up during the just completed > 'quest for the X509v3 spec') Speaking of which, could someone tell me who Canada's standards body and rep to the ISO is (and if that's where I've gotta go to get my hands on X.509 and all those other X.docs.). Any addresses would be helpful too. (Excusa mi si eso no esta relevant to bilingualpunks ;-> ) From jimbell at pacifier.com Fri Mar 29 00:20:29 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 29 Mar 1996 16:20:29 +0800 Subject: New crypto bill to be introduced Message-ID: At 06:03 PM 3/28/96 -0500, Declan B. McCullagh wrote: >At CFP today, we heard about a new crypto bill being introduced >tomorrow, which will be similar to Leahy's bill with the >crypto-being-used-in-furtherance-of-crime portion removed and an >explicit no-government-mandated-escrow provision added. While this does sound like progress, I'm suspicious. Peter Junger's analysis raised serious doubt as to the ability of bill to open up the crypto export market as it purported to. And where, exactly, did this these changes come from? Who was consulted? What recommendations were NOT taken? >We have put our "List of Shame" numbers on our nametags. >-Declan You're overdoing it on this "List of Shame" thing. You don't know who actually made those anonymous postings, and it's been observed that those names seem to correspond nicely with an NSA-hate list. It would not take a great deal of imagination to conclude that the NSA was motivated to de-focus our anger at the Leahy bill and replace it with a great deal of back-stabbing commentary. (If that was the intent, it succeeded...) On the other hand, I've also noticed that there hasn't been a lot of specific analysis of the Leahy bill in the last few weeks, and my suggestion that the Leahy bill be informally re-written to address Junger's objections (as well as my own, and Tim May's, etc) has not resulted in a great deal of repair work. Now, miraculously, a replacement bill appears that includes SOME repairs. (obviously, we have to wait to hear how most of it comes out...) I get the impression that we are being sequentially offered ice cream cones with decreasing amounts of poison in them, in the hopes that at some point we'll bite. It seems to me that whoever is writing these bills should be willing to make a statement about what his goals are, and who he's talking to as he crafts them, and what changes he was UNwilling to include. Jim Bell jimbell at pacifier.com From ravage at ssz.com Fri Mar 29 00:50:28 1996 From: ravage at ssz.com (Jim Choate) Date: Fri, 29 Mar 1996 16:50:28 +0800 Subject: PPV Descrambler (fwd) Message-ID: <199603290523.XAA14754@einstein.ssz.com> Forwarded message: > > "This is cypherpunks. Not Cable-TV-Piracy-Punks." > > Cable-TV-Piracy-Punks? Who's this guy? I asked for a text file (for > informational purposes of course). Oh and David K. Merriman, PPV is > not on cable. > Video Scrambling & Descramblin for Satellite & Cable TV R.F. Graf & W. Sheets ISBN 0-672-22499-2 $31.95 PPV is on the Austin, TX cable systems. Several varieties even. From frantz at netcom.com Fri Mar 29 01:11:24 1996 From: frantz at netcom.com (Bill Frantz) Date: Fri, 29 Mar 1996 17:11:24 +0800 Subject: Traffic Jams on the Internet Message-ID: <199603272304.PAA18133@netcom9.netcom.com> At 3:54 PM 3/27/96 -0500, Mark M. wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >On Tue, 26 Mar 1996, E. ALLEN SMITH wrote: > >> It occurs to me that it would be good if people sent in some >> non-governmental/hierarchial solutions to this problem, such as ones using >> digital cash as "postage" for prioritized mail. > >I read an article on various Internet pricing schemes a while ago and one >of the ideas was a pretty clever solution. Internet services would be >classified according to their bandwidth requirement and need for >interactivity. The cost per byte of e-mail might be very cheap whereas the >cost per byte for videoconferencing might be more. There's no real way to >rip off this scheme, because if you try to send an e-mail and classify it >as "high priority" it is more expensive. The phone companies have dealt with this kind of problem for years. For example, there are issues of phase jitter and bit error rate that they deal with all the time. If anything, they don't quite understand the email type communication of, "Oh, anytime in the next 10 minutes, and tell me if it doesn't get thru and I'll send it again." In ATM, these characteristics are bundled into what is called Quality of Service. That, along with bandwidth, make a reasonable basis for charging. Email is a bit like flying standby, while video is more like the Concorde. IMHO, the only long-term solution to the problem of bandwidth allocation involves markets. Markets feed cost information back to the users and give the providers incentive to improve service. Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From abostick at netcom.com Fri Mar 29 01:12:23 1996 From: abostick at netcom.com (Alan Bostick) Date: Fri, 29 Mar 1996 17:12:23 +0800 Subject: Why Americans feel no compulsion to learn foreign languages In-Reply-To: Message-ID: In article , tcmay at got.net (Timothy C. May) wrote: > Americans are typically thousands of miles away from those speaking > Japanese, Mandarin, Tagalog, Polish, Italian, Dutch, Spanish, Hindi, > Talegu, and the hundreds of other languages. It is not at all clear what > language Americans should pick as a "second language" to study. What continent do you live on? As I write this my next-door neighbor's stereo is blaring out music in Yoruba. When I took my mother to the hospital in San Francisco last month, all the signs were bilingual in English and Russian. And many, many Californians whose first language is Spanish are from families that have lived here for generations. Ya ne znayu o *vas*, no ya panimayu po russki khorosho, et je comprend Francais suffisamment, aussi. I wish I had had the sense to study a *useful* language like Spanish in school; one of these years I'm going to make up that deficiency. -- Alan Bostick | I'm laughing with, not laughing at. mailto:abostick at netcom.com | The question is, laughing with WHAT? news:alt.grelb | James "Kibo" Parry http://www.alumni.caltech.edu/~abostick From tcmay at got.net Fri Mar 29 01:12:56 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 29 Mar 1996 17:12:56 +0800 Subject: ITAR double standards? Message-ID: At 5:20 PM 3/27/96, Asgaard wrote: >I believe in this parallel thesis. As was reported from the dec -95 >OECD meeting in Paris: > >>The statement from SHELL International is interesting. >>They can accept 'a trustworthy international key escrow >>infrastructure based on X.509 certificates' but they also >>need to 'protect their assets against Government intelligence >>gathering, organised crime, civil unrest and data privacy >>legislation obligations'. Indeed, there are _many_ reasons for multinational and/or non-U.S.-based companies to be suspicious of the United States or any of its minions holding the keys to confidential business information. Bamford's "The Puzzle Palace" reports on many incidents in which U.S. agencies intercepted business transactions for various reasons. Even of allies, as in the case when one of the NSA's SIGINT antennas picked up a message from the U.K. government to the ambassador in Vienna alerting him to the coming devaluation of the pound. (A great opportunity for Ollie North and his covert ops boys to make some extra millions by currency speculation.) Likewise, ITT routinely cooperated with the FBI and pre-NSA surveillance agencies to supply the traffic of corporations and businessmen. Given that even nominal allies spy on each other (Pollard spied on the U.S. for Israel, Chobetsu routinely spies on U.S. companies in Japan, France bugged Air France jets to spy on U.S. businessmen, etc.), I just don't see any international agreements that protect adequately. And when I say "nominal allies," consider that many in Washington have been saying in recent years that Japan is America's "real" enemy! (I certainly don't endorse this view...they're all a bunch of rascals.) I believe the obvious flaw in the whole key escrow debate, the flaw that is so obvious it seldom gets discussed, is that it is expected that the U.S. will be the holder of keys. Or its minions in Europe and Asia. Flawed, irretrievably. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From hfinney at shell.portal.com Fri Mar 29 01:19:09 1996 From: hfinney at shell.portal.com (Hal) Date: Fri, 29 Mar 1996 17:19:09 +0800 Subject: What backs up digital money? Message-ID: <199603272304.PAA26037@jobe.shell.portal.com> -----BEGIN PGP SIGNED MESSAGE----- From: tcmay at got.net (Timothy C. May) > At 1:46 PM 3/27/96, Scott Schryvers wrote: > >Question. > >If e-cash were backed by gold would that make it more reliable than say the > >dollar? > > This question, and much of the debate that appears here about digital money > in its many and confusing forms (e-cash, digicash, bitmarks, e$, > cypherfrancs, chaums, etc.), displays a "type error" in thinking about > digital money. > > No form of digital money extant is an actual currency in the conventional > sense. Nor does this seem likely. Nor necessary. Nor useful. Nor important. > > Rather, think in terms of _checks_ or _wire transfers_ and the like. An > order to transfer funds from one account or place of holding to another. Tim is right when he goes on to say that digital money is not exactly like any of the traditional financial instruments. However I think it is more like cash, and for that matter more like currency, than like other things. Here are some of the ways it is like cash. It is basically anonymous, with neither buyer nor seller able to learn the identity of the other, even with the help of the bank. It is untraceable; there is no way to know, given a piece of cash, under which transaction it was withdrawn from the bank. It is a bearer instrument; anyone can hold it, and whomever presents it gets the value (that is, it is not "made out" to a certain individual). A piece of dcash is an asset, a claim on the bank. When dcash is withdrawn, the bank must debit (reduce) the customer's account immediately. Likewise, when it is deposited, the depositor's account gets credited. Between those times the net amount of money in bank accounts was reduced, by exactly the amount of circulating dcash. When the money supply is counted, circulating dcash will need to be included with traditional currencies like cash and coins (I think that is M1), since it is not counted in the bank accounts. The difference with checks and wire transfers is that in those cases there is a direct transfer of assets from one account to another. These are not bearer instruments; in fact wire transfers aren't really financial instruments at all, and do not carry value. There is normally no anonymity or untraceability either, with these kinds of transactions. So I see them as being very different from dcash. The best analogy to dcash is the private currency which was issued by banks and other financial institutions prior to about 1850 (in the US). Until that time the US government did not issue paper money, it was all private. A bank would issue bank notes, which would circulate in its local area as money. They were backed up by "real money", specie, metallic coins, which the bank kept in its vaults. The digital cash issued by Mark Twain bank is in many ways a throwback to these old bank notes. There are differences, of course. A lot of attention is focussed on the non-transferrability, the fact that you have to deposit the cash at the bank after each transaction. Some people say that this means that the cash doesn't circulate, hence is not a currency, hence must be more like checks, etc. But I disagree. I view this aspect of dcash as superficial and unimportant. First, it may not be technically necessary. Some cash systems have been proposed which allow for transferrability. But second, even if it is necessary to exchange cash after each transaction, that can be done completely automatically. In fact, the agency which does so doesn't even have to be the bank, as far as the financial aspects go. The exchange has no financial impact on the bank's accounting procedures. And it can be completely automated for users. They don't even have to be aware of it. Their software can turn in received dcash at the bank for fresh banknotes, anonymously and automatically. So I view dcash as a circulating currency, where the act of transfer in some implementations requires some technical assistance from an agent of the bank able to make digital signatures on its behalf. It is more than simply a mechanism for transferring funds from one account to another (unless you think of government currency in those terms). I view it as possessing real value, as being a genuine asset in the same sense as other forms of cash. Hal -----BEGIN PGP SIGNATURE----- Version: 2.6 iQBVAwUBMVnJehnMLJtOy9MBAQGoxwIAiFRtBo215dXzlRWR1drH8dQR63zKkPoQ 5EDk85YM8fxIaDg/cYrGEzl+bDlF2qOJisjrCl9XkTJEBrifHavrEQ== =792N -----END PGP SIGNATURE----- From deven at ties.org Fri Mar 29 01:40:41 1996 From: deven at ties.org (Deven T. Corzine) Date: Fri, 29 Mar 1996 17:40:41 +0800 Subject: National speed limits and expansion of federal power... In-Reply-To: <199603280812.DAA06739@mail.voicenet.com> Message-ID: <199603282352.SAA14137@escher.ties.org> At 06:06 PM 3/27/96 -0500, Deven T. Corzine wrote: >Actually, the national government didn't even *pretend* it had jurisdiction >here. Instead, they used an indirect approach -- they passed laws which >denied some of the existing highway funding to states with higher speed >limits than 55 MPH. (Later this limit was raised to 65 MPH, given some >additional restrictions such as proximity to population centers.) At 03:12 AM 3/28/96 -0500, Chevelle wrote: >It was only months ago that they passed a bill raising alot of speed limits >to the 75mph range. To be precise, Congress repealed the laws which had pressured states into the 55/65 MPH speed limits. Once this happened, a number of states either took advantage of it immediately to raise speed limits, or are considering it... Other states don't intend to raise the limits. In Montana, you can now drive at *any* speed legally, in the daytime. So if you want to go 100 MPH, head to Montana... :-) Deven From unicorn at schloss.li Fri Mar 29 01:46:06 1996 From: unicorn at schloss.li (Black Unicorn) Date: Fri, 29 Mar 1996 17:46:06 +0800 Subject: What backs up digital money? In-Reply-To: <199603272304.PAA26037@jobe.shell.portal.com> Message-ID: On Wed, 27 Mar 1996, Hal wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > From: tcmay at got.net (Timothy C. May) > > At 1:46 PM 3/27/96, Scott Schryvers wrote: > > >Question. > > >If e-cash were backed by gold would that make it more reliable than say the > > >dollar? > > > > This question, and much of the debate that appears here about digital money > > in its many and confusing forms (e-cash, digicash, bitmarks, e$, > > cypherfrancs, chaums, etc.), displays a "type error" in thinking about > > digital money. > > > > No form of digital money extant is an actual currency in the conventional > > sense. Nor does this seem likely. Nor necessary. Nor useful. Nor important. > > > > Rather, think in terms of _checks_ or _wire transfers_ and the like. An > > order to transfer funds from one account or place of holding to another. > > Tim is right when he goes on to say that digital money is not exactly > like any of the traditional financial instruments. However I think it is > more like cash, and for that matter more like currency, than like other > things. > > Here are some of the ways it is like cash. It is basically anonymous, > with neither buyer nor seller able to learn the identity of the other, > even with the help of the bank. So are bearer bonds, stock warrants, coupons... It is untraceable; there is no way to > know, given a piece of cash, under which transaction it was withdrawn > from the bank. Ditto above. > It is a bearer instrument; anyone can hold it, and > whomever presents it gets the value (that is, it is not "made out" to a > certain individual). There are any number of bearer instruments that are not "currency." > A piece of dcash is an asset, a claim on the > bank. Not technically true unless it is specifically structured this way. It's more of a bearer draft. Because digital cash is a token used by the bank to represent currency, which is backed by a government, digital cash, in it's current form, is a second tier bearer instrument. > When dcash is withdrawn, the bank must debit (reduce) the > customer's account immediately. This is so of checks too, but the processing time gets in the way. > Likewise, when it is deposited, the > depositor's account gets credited. See above. > Between those times the net amount > of money in bank accounts was reduced, by exactly the amount of > circulating dcash. Ditto uncashed checks. > When the money supply is counted, circulating dcash > will need to be included with traditional currencies like cash and > coins (I think that is M1), since it is not counted in the bank > accounts. Actually, it looks more like circulating dcash is a subset of outstanding obligations. Same as, e.g., letters of credit. > The difference with checks and wire transfers is that in those cases > there is a direct transfer of assets from one account to another. These > are not bearer instruments; in fact wire transfers aren't really > financial instruments at all, and do not carry value. There is normally > no anonymity or untraceability either, with these kinds of transactions. > So I see them as being very different from dcash. Making a check payable to "cash" makes it, for practical purposes, a bearer instrument. > The best analogy to dcash is the private currency which was issued by > banks and other financial institutions prior to about 1850 (in the US). > Until that time the US government did not issue paper money, it was all > private. A bank would issue bank notes, which would circulate in its > local area as money. They were backed up by "real money", specie, > metallic coins, which the bank kept in its vaults. The digital cash > issued by Mark Twain bank is in many ways a throwback to these old bank > notes. But instead of backing in gold, or some tangible asset, dcash is still ultimately backed by the full faith and credit of the government who's currency the dcash is denominated in. > There are differences, of course. A lot of attention is focussed on the > non-transferrability, the fact that you have to deposit the cash at the > bank after each transaction. Some people say that this means that the > cash doesn't circulate, hence is not a currency, hence must be more like > checks, etc. But I disagree. I view this aspect of dcash as superficial > and unimportant. First, it may not be technically necessary. Some cash > systems have been proposed which allow for transferrability. But second, > even if it is necessary to exchange cash after each transaction, that can > be done completely automatically. In fact, the agency which does so > doesn't even have to be the bank, as far as the financial aspects go. > The exchange has no financial impact on the bank's accounting procedures. > And it can be completely automated for users. They don't even have to be > aware of it. Their software can turn in received dcash at the bank for > fresh banknotes, anonymously and automatically. > > So I view dcash as a circulating currency, where the act of transfer in > some implementations requires some technical assistance from an agent > of the bank able to make digital signatures on its behalf. It is more > than simply a mechanism for transferring funds from one account to > another (unless you think of government currency in those terms). I > view it as possessing real value, as being a genuine asset in the same > sense as other forms of cash. I still think the essential issue here is the manner in which the ecash is based. If it is based on government currency, the U.S. dollar, then it is still just a second tier bearer instrument. I think that the diet coke backed cash I tried to promote back when was closer to a "currency" than d/ecash issued by a bank and drawable on government currency. (Maybe this is why no one was interested?) Real solid ecash, and the kind of cash I would like to see out there, would be limited to a non-dilutable one time issuance and backed in some precious commodity held on reserve. A closed-ended share of a stock of gold, for instance. That would require no intermediation of a "currency" based on the full faith and credit of an issuing sovereign. Private currencies are not private currencies at all if they have to be linked to a government issued denomination. > Hal > > -----BEGIN PGP SIGNATURE----- > Version: 2.6 > > iQBVAwUBMVnJehnMLJtOy9MBAQGoxwIAiFRtBo215dXzlRWR1drH8dQR63zKkPoQ > 5EDk85YM8fxIaDg/cYrGEzl+bDlF2qOJisjrCl9XkTJEBrifHavrEQ== > =792N > -----END PGP SIGNATURE----- > --- My prefered and soon to be permanent e-mail address: unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From firebrd123 at ns.interconnect.net Fri Mar 29 02:12:36 1996 From: firebrd123 at ns.interconnect.net (Dan Nikolai) Date: Fri, 29 Mar 1996 18:12:36 +0800 Subject: PPV Descrambler In-Reply-To: <2.2.32.19960328050605.00698058@arn.net> Message-ID: <315AE567.7405@mail.interconnect.net> David K. Merriman wrote: > > At 01:34 AM 03/28/96 +0000, you wrote: > >I've been looking for a file on how to make PPV descramblers and havn't > >found any. Commercial descramblers cost around $200 base price. If > >anyone has a file on how to make them please e-mail me one. Thanks. > > > >captain_lee @mail.interconnect.net > > > > This is cypherpunks. Not Cable-TV-Piracy-Punks. > > Dave Merriman > ------------------------------------------------------------- > "Giving money and power to government is like giving > whiskey and car keys to teenage boys." > P. J. O'Rourke (b. 1947), U.S. journalist. > <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> > http://www.shellback.com/personal/merriman/index.htm "This is cypherpunks. Not Cable-TV-Piracy-Punks." Cable-TV-Piracy-Punks? Who's this guy? I asked for a text file (for informational purposes of course). Oh and David K. Merriman, PPV is not on cable. From brookfld at netcom.com Fri Mar 29 02:48:14 1996 From: brookfld at netcom.com (Brookfield Economics Institute U.S.A. Limited) Date: Fri, 29 Mar 1996 18:48:14 +0800 Subject: suggestions for starting an e-bank Message-ID: <199603282331.PAA22199@mail.instanet.com> Hi! If I were going to start an e-bank, what would you suggest? 1. What type of e-cash system? 2. What services to offer? 3. Where would I get information? 4. Where is there a need in the marketplace? A friend of mine has the means and desire to do this, and he wanted me to ask and then forward the answers to him. Thank you in advance. --Richard From owner-cypherpunks at toad.com Fri Mar 29 02:53:28 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 29 Mar 1996 18:53:28 +0800 Subject: No Subject Message-ID: <199603291053.SAA12001@infinity.nus.sg> On Wed, 27 Mar 1996, Mike Duvos wrote: > tcmay at got.net (Timothy C. May) writes: > > > At 1:46 PM 3/27/96, Scott Schryvers wrote: > > >> Question. If e-cash were backed by gold would that make it > >> more reliable than say the dollar? > > Not necessarily. Historically, gold emerged as the primary > currency metal because [Excellent points about gold's practical use, good timing, and industrial value countered by the current lack of industrial value.] > Basically, one can create monetary value for any commodity whose > supply can be controlled, usually by the folks wishing to lend it > value, by simply making a stable market in it, and having the > reputation and power to control that market in perpetuity. > > The best example of this is probably the diamond market. Here we > have a rare but intrinsically worthless material, the gem quality > diamond, which has no useful industrial applications at all, > since non-gem quality diamonds and substitutes, both synthetic > and natural, are in abundance. I was with you until this. In fact diamonds are anything but rare. Their value is the result of the most exceptional marketing by DeBeers, and the very tight restrictions on supply. I might note that the restrictions on supply are even somewhat tangential. DeBeers has created one of the most historic, long standing and impressive market distortions anyone has ever seen. Of course this only goes to further the argument (which I think you are adopting) that it is fairly simple to estlablish a commodity of "value" regardless of intrinsic worth) > Gem quality diamonds are extremely valuable, because their supply > is carefully controlled, and because of clever marketing designed > to convince every male human in North America and most of Europe > that shelling out two months salary for one is the unique and > true symbol of everlasting love. Even gem quality stones are relatively abundant believe it or not. > The diamond industry has even made plans for the holographic > fingerprinting of every diamond they release, should synthetic > gem-quality diamonds ever hit the market, so that they may > continue their control of the supply of their "currency", even in > the face of a flood of absolutely identical "unsanctioned" gems. Again, even absent the intrinsic value of the substance it seems that marketing and perception will dictate "effective value." > I recall a very clever Science Fiction story I read a number of > years ago in which aliens completely destroyed human civilization > by manufacturing all the world's goods and services, and > accepting payment only in cowpies, which were subject to an > arbitrary and complicated grading system similar to that used by > modern gemologists. One day, the aliens simply left, and human > civilization, consisting mostly by then of PhD Cowflopologists > with expertise only in interpreting swirls on lumps of shit, > promptly folded. This is precisely the point, and why, while I agree with your comments about gold today, I think the most important issue is the long term solvency of a commodity. As you have noted, anyone can make a substance worth something in the short term. (Tulips) The challenge, and the goal in my view, is to create a currency based on a backing which endures the long term, and the unthinkable (collapse of a major government or some such). > Before I digress to far from your original question, let me state > the point I am trying to make here. If a entity, or group of > entities, with reputation and power to make a market, decide to > demoninate a currency using a rare commodity, it makes little > difference whether the rare commodity is near-perfect crystals of > carbon found only on land that they own, a vault filled with gold > bars, exponentiated random numbers modulo the product of two > large but closely guarded primes, or statistically unlikely > swirls in wads of digested plant material dropping from the butt > of a cow. > > In all these cases, the important thing is not the commodity, but > the entities guaranteeing the market, and the perception of their > reputation and ability to support said currency in perpetuity. > Absolute control over the supply of the commodity in question > doesn't hurt either. When the value of the intrinsic worth of a commodity in question does become apparent is in periods of transition, flux, disorder, or strife. The security of a currency is going to be a major factor, especially immediately following introduction, to its popularity- except in unusual circumstances (tulips, market distortions, etc.) > Indeed, US government backed e-cash would be a far more trusted > and reliable currency than gold backed currency printed by > DigiCash BV. I'm not sure this is precisely true. While gold itself might not be the best choice, the general principal that a commodity based currency is less secure or trustworthy than a government backed one (even a powerful and imposing government) is not one I'm prepared to endorse without reservation. > One good inflation-resistant indicator of whether gold is a good > value is the ratio between gold and silver prices. Both of these > metals are mined with similar difficulty, and have similar uses > for backing currency and as coinage metals. Historically, there > have been times when gold and silver prices were approximately > equal. > > I have no doubt that if the unwashed masses were sold the notion > that gold was the single reliable inflation-proof form of wealth > they could own, and the holdings of international bankers were > sold into the hands of millions of individual citizens, a > controlled devaluation would follow, together with much chortling > and uncorking of champagne, as gold and silver prices became > nearly equal again. I believe this correct. > As long as people who count have vaults full of the stuff, and > wish to carry it on their books as an expensive asset, it will of > course continue to have its current inflated value, and nothing > will be done to depress the market. In that sense gold is a > reliable asset, as long as most of the little people refrain from > jumping on the bandwagon. Just like diamonds. Again, while the commodity itself (gold) may not be appropriate, I don't believe this ends the argument. > > No form of digital money extant is an actual currency in > > the conventional sense. Nor does this seem likely. Nor > > necessary. Nor useful. Nor important. > > Actual currency can circulate forever in the economy without > eventual conversion into some other kind of money. The > requirements of current digital cash systems for centralized > clearing to eliminate double spending and to mint new coins tends > to preclude the kinds of perpetual peer-to-peer transactions we > think of when we conceptualize "currency." Which suggests that private currencys must utilize e-cash (if at all) merely as monetary instruments which continue to look much like what exists today. (e.g., drafts, checks, bonds...) > Real electronic currency could be invented, but would have to > live its life within a population of tamper-proof smart cards > communicating with each other through secure protocols. Whether > anyone will bother to implement such a system remains to be seen. I concur. > Until then, the "check" model of digital money is, as Tim points > out, the correct one. I concur again. > > The point being that talking about "what backs up digital > > cash?" is misleading. (What really backs it up is the > > reputation of the entities, but I digress.) > > "The reputation of the entities" is the only important > consideration regardless of what the cash is denominated in. In > most cases, the valued commodities, if they exist, are simply > pretty window-dressing for some unseen but powerful syndicate. Yet here I must differ. I'm still not convinced that a legitimate commodity somewhat resistant to the market distortions you cite does not exist. Don't ask me what it is yet, I'll have to give it some thought. > -- > Mike Duvos $ PGP 2.6 Public Key available $ > mpd at netcom.com $ via Finger. $ --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From blancw at MICROSOFT.com Fri Mar 29 02:55:54 1996 From: blancw at MICROSOFT.com (Blanc Weber) Date: Fri, 29 Mar 1996 18:55:54 +0800 Subject: What backs up digital money? Message-ID: >From: Perry E. Metzger > >I'd say that anything directly dealing with digital cash, its >implications, deployment, and technical issues associated with >it. General discussions of whether the Federal Reserve is a bunch of >evil old men and the like are what are out of bounds. [...etc.] .................................................................. So you mean rather than merely, or only, complaining that things have not, or are not, working right (in our favor, to our benefit), because of what Evil Old Men have done to the system as it now operates, the discussion should go in the direction of: . "doing something about it", or . ideas on methods and techniques which would work, which could . make a difference (potentially, hopefully) towards the success of techie systems which would result in greater personal, individual control, also including perhaps: . clarifications on why, in spite of the resistance of those who are apprehensive about the break-down of law&order, these are a "good thing" to promote and implement (for those who don't "get it"), . aiming more at postive improvements and successes in the future, rather than focusing too much on past mistakes, failures, injustices (where the reader could wonder, "so how does this relate"). ...or something like that. .. >Blanc From merriman at arn.net Fri Mar 29 02:58:04 1996 From: merriman at arn.net (David K. Merriman) Date: Fri, 29 Mar 1996 18:58:04 +0800 Subject: PPV Descrambler Message-ID: <2.2.32.19960328050605.00698058@arn.net> At 01:34 AM 03/28/96 +0000, you wrote: >I've been looking for a file on how to make PPV descramblers and havn't >found any. Commercial descramblers cost around $200 base price. If >anyone has a file on how to make them please e-mail me one. Thanks. > >captain_lee @mail.interconnect.net > This is cypherpunks. Not Cable-TV-Piracy-Punks. Dave Merriman ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From owner-cypherpunks at toad.com Fri Mar 29 02:59:51 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 29 Mar 1996 18:59:51 +0800 Subject: No Subject Message-ID: <199603291059.SAA12014@infinity.nus.sg> Does anyone have ANY code for DES or RSA encryption for use on a PIC microcontroler? A friend and I are developing an ASCII terminal (dumb term) that encrypts data going to the serial port and decrypts data coming from the serial port, so you could successfully send a message over a modem and have it automatically encrypted\decrypted. We have all the hardware almost done, but we are having a hell of a time writing the code for the encryption... Thanx in advance... l8r, -MeRC merc at redrose.net -or- merc at success.net -----BEGIN PGP MESSAGE----- Version: 2.6.2 iQCVAwUAMUC05tnn3Dsf47p5AQE6AAP9E/JebLn1UtkOk41IGw/i4XHKckVcI6RH ptBMucqx01sSTxaR8tXPmmkKjz5f3xndxepbbs6nKfoNuSaODWSirOlNvt3i1DWL iUmB9+rUYmwwlpD7t6qyy2XzsAxO/M/nFT4ZxO8wi96nR/Rmp00LvCoK+YcjgQnj HReyQrIl4X+ZAI0DMUCzOgAAAQQAv6IH+OnLeP+chsgwymSVKqsXHO1xwJLxs657 Cf3miDM3mNBB/qmRziQ1zHeC/nXgaGhR7eAdidL6MngDXl6+cw4Z5xXvenu5MpEW zpZpwDK5/XwuvCIexQP2eHIb2Ms6vna7fUoaHGrrV4844KIVg+E36ZgWT1ZP2efc Ox/junkABRGwAYe0I01pY2hhZWwgRC4gV2hpdGUgPG1lcmNAc3VjY2Vzcy5uZXQ+ sAED =ZbPJ -----END PGP MESSAGE----- From declan+ at CMU.EDU Fri Mar 29 03:25:26 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Fri, 29 Mar 1996 19:25:26 +0800 Subject: New crypto bill to be introduced Message-ID: At CFP today, we heard about a new crypto bill being introduced tomorrow, which will be similar to Leahy's bill with the crypto-being-used-in-furtherance-of-crime portion removed and an explicit no-government-mandated-escrow provision added. John Gilmore asked wonderful questions after the moot Supreme Court session. We have put our "List of Shame" numbers on our nametags. -Declan From merriman at arn.net Fri Mar 29 03:30:48 1996 From: merriman at arn.net (David K. Merriman) Date: Fri, 29 Mar 1996 19:30:48 +0800 Subject: Why Americans feel no compulsion to learn foreign languages Message-ID: <2.2.32.19960328110922.00689c18@arn.net> -----BEGIN PGP SIGNED MESSAGE----- At 11:49 AM 03/28/96 -0800, frantz at netcom.com (Bill Frantz) wrote: >I, at least, want to know something of the language of the countries I >travel in. Being able to get a meal or a room for the night is useful. As >a rock bottom minimum, I want to know the phrases: Hello, Good by, Please, >Thank You, More beer please, and Where's the bathroom. Indeed, I've found that pretty much covers the essentials :-) First things I've always tried to learn in a foreign language are "please" and "thank you". > >The look of pleased surprise on the face of the Budapest resident when I >said "Thank you" to in Hungarian as he gave up his seat to me because I was >loaded down with caving equipment is something I still treasure. > Sounds much similar to the reaction I got in Japan, speaking broken Japanese. Atrocious accent, of course; abysmal grammar, and a fair share of mispronunciation tossed in - but I was *trying*, and that counted for a _lot_. I also have to concur with the point about the language/point-of-view argument. I never have learned to _think_ in a foreign language (a prerequisite for fluency, I believe :-), but have gotten sufficiently skilled to be able to understand some of the subtleties of the languages I've (kind of) learned. Regarding the notoriety of British (and, yes, Americans), I met up with a Brit in Japan who complained about the 'bloody foreigners that don't understand proper English'. I pointed out to him that *we* were the foreigners, and that the Japanese had a nicely organized society about the same time that his ancestors and mine were still smearing themselves with blue mud. That earned me an Evil Look. Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMVpW7MVrTvyYOzAZAQE/xQP/WhYi/LAT2M/QYJ+b2PW7sOrRg2r0ZNcU gl3gk50RWY7AOUeEaifNM2ZWMl5oqqKSjA+eV5pnFZBlQBgrbnuzRHLi2F9IigZ6 Uu2V3/DHaTGY9ZVdWok0deU8DnkoY0W07pafggB9qpTCgqTGhU0NNOVxeWlU2HsT 6Yu9l5QduHM= =XMSb -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From alanh at mailhost.infi.net Fri Mar 29 03:32:58 1996 From: alanh at mailhost.infi.net (Alan Horowitz) Date: Fri, 29 Mar 1996 19:32:58 +0800 Subject: What backs up digital money? In-Reply-To: <199603280239.SAA15391@netcom17.netcom.com> Message-ID: Gold is almost always mined for its own market value. Whereas most silver reaches the market as a byproduct of tin and other base-metal mining. From llurch at networking.stanford.edu Fri Mar 29 03:42:53 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 29 Mar 1996 19:42:53 +0800 Subject: The Law Loft: Surviving the Biometric I.D. Card In-Reply-To: <199603281944.LAA20391@jobe.shell.portal.com> Message-ID: On Thu, 28 Mar 1996, Hal wrote: > If they really want to give people a card which proves their legal > residence in the US, a less intrusive approach is possible. Rather > than set up a database of all employees, and/or give each person an > official identity card, instead have people come and prove their residency, > then give them a card with the biometric information and a blind signature. > No other information goes on the card, no information goes into a > database. The signature is a certificate testifying that the person > with the particular thumbprint is legal to work in the US. The card > can't be transferred since no one else has that thumbprint. But no > identifying information is recorded. There is no advantage in people > coming in twice to get more than one card since their print will be > the same each time, so no database is needed. The only problem I see with this approach (from the government's perspective, and assuming that the only state interest is in immigration control -- you can all stop laughing now) is that the government can't revoke citizenship. There are several reasons they might want to do this: an erroneous or fraudulent application, a political-driven expulsion, or a resident-driven renunciation of citizenship (usually for tax/inheritance reasons). Of course, the real reason they want this proof of residency is for work authorization, which means income tax, which means database. And heck, since we already have a database, why not track child molesters and deadbeat dads the same way. Or anyone else we don't like, for that matter. The replacement of income tax with sales and real estate taxes -- despite the fact that such a move would be incredibly regressive -- would be a very good thing for freedom. -rich From llurch at networking.stanford.edu Fri Mar 29 03:44:33 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Fri, 29 Mar 1996 19:44:33 +0800 Subject: Why Americans feel no compulsion to learn foreign langua In-Reply-To: <01BB1C93.A8A24E40@jbugden.alis.com> Message-ID: On Thu, 28 Mar 1996, James Bugden wrote: > At Thursday, March 28, 1996 12:32 AM, Timothy C. May wrote: > >My point is not against the learning of a foreign language, just that > >economic considerations _must_ play a role. > > Q: What do you call an American company that ported its internet software > to 22 different langauges in order to compete in the world? > > A: Microsoft BWAHAHAHA!!! That's a good one. Did you hear the one about the SMB security patch affecting *two* files that was released in English on October 20th, and for other major western languages in mid-January? -rich From alano at teleport.com Fri Mar 29 03:45:50 1996 From: alano at teleport.com (Alan Olsen) Date: Fri, 29 Mar 1996 19:45:50 +0800 Subject: PolicyMaker paper available Message-ID: <2.2.32.19960328185955.00919564@mail.teleport.com> At 12:15 PM 3/28/96 -0500, Ted Anderson wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >"Perry E. Metzger" writes: >> Huh? Postscript an "obscure printer code"? > >I now work from a paperless office and find postscript an "obscure >printer code". It has taken an annoying amount of hacking to view this >postscript file on my PC. A paperless office is about as useful as a paperless bathroom. Try using Ghostscript and Ghostview. There are versions for both 16 bit and 32 bit Windows. (As well as about every other platform on the planet.) They will allow you to display PostScript files to your screen, as well as print them to non-postscript printers. (But being a paperless office, you probibly don't have printers...) Information on Ghostview and GhostScript can be found at: http://www.cs.wisc.edu/~ghost/index.html --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From ota+ at transarc.com Fri Mar 29 03:48:49 1996 From: ota+ at transarc.com (Ted Anderson) Date: Fri, 29 Mar 1996 19:48:49 +0800 Subject: PolicyMaker paper available In-Reply-To: <199603162353.SAA15330@jekyll.piermont.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- "Perry E. Metzger" writes: > Huh? Postscript an "obscure printer code"? I now work from a paperless office and find postscript an "obscure printer code". It has taken an annoying amount of hacking to view this postscript file on my PC. > The paper in question is seminal. I strongly urge people who don't > drool when they open their mouths to read it. On the strength of this recomendation I did the hacking and make it available for the "convenience" of others in the same boat. http://www.transarc.com/afs/transarc.com/public/ota/html/policymaker.html This page consists on Matt's original message plus 10 inline gif images of about 40Kb each. Clumsy but effective. Ted Anderson -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMVrJBQGojC9e/wyBAQFN3gQAvt1rX/fw76zhlsU0Td8CbBpUCc6qKoel xCX647WovUWnyoGnjCoYYruEPiCI6QT2KUo6dpWRR1dIdZVshLCT3gsnJe5m+qRp rQBthay+T3kk0ZQqVnwlXoLYMJoFQVBhScfxhMta/RGopzS6OYnwrAJHzET62Dgf b0bPURYrkNA= =ZqYX -----END PGP SIGNATURE----- From anonymous-remailer at shell.portal.com Fri Mar 29 03:48:55 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Fri, 29 Mar 1996 19:48:55 +0800 Subject: Mad_Software_Disease Message-ID: <199603282207.OAA01356@jobe.shell.portal.com> Path: newsfeed.internetmci.com!howland.reston.ans.net!news-e2a.gnn.com!pop.gnn.com!JDonth From: JDonth at gnn.com (Joseph L. Donth) Newsgroups: comp.sources.testers Subject: Beta Testers Wanted Date: Tue, 26 Mar 1996 13:09:55 Organization: InfoBook Technology Lines: 251 Message-ID: <4j9fer$sr1 at news-e2c.gnn.com> NNTP-Posting-Host: www-31-240.gnn.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-GNN-NewsServer-Posting-Date: 26 Mar 1996 19:10:19 GMT X-Mailer: GNNmessenger 1.2 InfoBook Technology is looking for Beta Testers for our latest product called ONE-PHONE-CALL. This post is in four parts: 1) What does a Beta tester do? 2) How Do I Sign-up? 3) How do I get chosen? 4) The product description The product description is quite lengthy. Feel free to bail on it when you have decided to be a tester or have decided not to be one. Note: Since the program includes encryption software, we are restricting our testing (and possible distribution of the commercial release) to people living in the USA. I will restrain from comment on governments, export licenses, the NSA and the like. If you decide not to be a tester, would you drop me a post and tell me why? This is our second posting of this request - our goal is to have at least one hundred testers - so far we have less than two dozen. If you have any thoughts on where else I might post this beta test request and meet with a favorable response please let me know that as well. Thanks and without further delay... ****************************************************************************** ** What Does a Beta Tester Do? Although we will not ask you to sign any agreements, we do ask that you honor the following conditions of our Beta Test Program: 1. The software being tested is not for commercial use. If you use it in a commercial fashion, you do so at your own risk. The software may have 'bugs' in it. The purpose of the beta test program is to identify those problems. 2. Don't give copies of the software (except when authorized) to other people. If you know of someone that you think might be a good beta tester, let us know and we will look at adding him or her to the beta list. 3. Please let us know when you have problems with the software. Don't assume that someone else has reported it. A written response sent to JDONTH at GNN.COM, is the requested communication method. 4. We also ask for comments on the whole package you received from us. Did it create a good first impression? Was it complete? Is the User's Guide clear? What would you change? Why? ****************************************************************************** ** How Do I Sign up? Please reply by EMail (JDonth at gnn.com) with the following information: 1. Full Name 2. Surface mail and preferred email address 3. City, State and Zip code 4. Attention Line 5. Telephone number 6. An "I agree to the terms of the Beta Test Program" statement 7. Computer system information 8. Computer expertise (optional) 9. Experience as a Beta Tester (no previous experience is required) 10. Why you want to test this product ****************************************************************************** ** How Do I Get Chosen? We will be choosing testers on a first-come, first-serve basis. You are not guaranteed a position as a tester of ONE-PHONE-CALL. If you are chosen you will receive an email confirmation, followed by the software, sent via fist class mail. The software will be a 30+ day version with all features and capabilities. You will be sent an email questionnaire about 30 days after shipment of the software. Your reply to the questionnaire will insure you a FREE copy of the software after it is released into retail sales. If you are not chosen you will be notified by email. If you have any questions, please contact me at JDonth at gnn.com or Joseph L. Donth InfoBook Technology 7660 Reed Rd. Azle, Texas 76020 ****************************************************************************** ** What is ONE-PHONE-CALL? ONE-PHONE-CALL is a PC-based software product that enables you to transfer electronic information such as a program, a scanned fax, a word-processing document or a spreadsheet to someone, in a secure environment, with just one telephone call. It features a simple installation, user-friendly interface, mouse support, a menu system, and easy-to-remember commands. First, Some Background More and more of our correspondence is electronic in nature. We use word processors to compose letters and reports. We use spreadsheets to do budgets and financial analysis and we use accounting programs to keep track of everything from the corporate books to our personal checking accounts. The power of these software tools is easily appreciated and the trend is to use our computers in meeting more and more of our daily needs. What is lacking, however, is a simple, easy-to-use method of sharing our electronic information with each other. Using the facilities of fax, EMail or floppy disks has problems. A fax can only transmit printed information, EMail is difficult to use and can be expensive, and mailing floppy disks is very slow. Also, none of these methods is very secure. The wrong people can read a fax, open business mail, or gain access to voice-mail or EMail accounts. Now with your modem equipped computer and ONE-PHONE-CALL you can addresses all of these issues. Let's illustrate with three examples: The first example demonstrates the simplest issue: sharing electronic information with someone else. You are working on a report at home and need to confer with a co-worker in the office. You place a telephone call to your co-worker and discuss the report. You decide he needs to see a copy of the report. Without ONE-PHONE-CALL it might go like this: To fax a copy of the report you might: ... Print out the report on your printer ... Dial his fax number ... Fax the report ... Call him back to tell him the fax has been sent ... Wait for him to get the fax and call you back! The result - at least three phone calls and who knows how much time wasted in printing, faxing, perhaps getting busy signals and so on. Or perhaps you decide to send him an electronic version of the report, via his EMail account. You might: ... Format the document properly for the EMail service to accept ... Dial the EMail service, connect, log-in, and all the rest ... Transmit the report ... Call him back to tell him the report is on the EMail service ... Your co-worker connects to the EMail service ... He downloads the report ... He calls you back. At least four phone calls! And who knows how much money and effort? Now with ONE-PHONE-CALL, you can accomplish the same task with your original phone call. You and your co-worker can stay on the phone and transfer the information back and forth as many times as necessary, without having to make another phone call! A second example demonstrates a more complex problem. The ability to transfer information when you don't know exactly what information needs to be transferred. You have just received a copy of a great new shareware game from the XYZ Software Company. Your brother shares your liking for this company's software and you have exchanged previous shareware games with him. It's a great game and you're pretty sure he'll want a copy too. Without ONE-PHONE-CALL, you have two obvious choices. First, you could upload all the software to his EMail account (see above!) and maybe call him to tell him it's there, or you could copy the software to a floppy disk and mail it to him. If you go the EMail route, you're out the upload time and several dollars. (So is he, on the other end.) If you go with the Postal Service, you're out a buck or so for a floppy and some postage and the software gets there days later. With ONE-PHONE-CALL, it's as simple as calling him, finding out if he wants the software, and sending it right then and there! ONE-PHONE-CALL will even figure out what software he needs (perhaps several of the files are the same as in previous games) and will only send the new files that he doesn't have, and update any files that are out-of-date. We can extend this example to many specific problem areas: You own a software company that operates a customer service line for help with your products. If your customer needs an updated version of the software, you can upload the new software to him immediately, sending him only what he needs, during the one phone call the customer has made to your company. Result! a happy customer. A friend is having a problem with his computer. You suspect he may have a problem with one of his configuration files such as CONFIG.SYS, AUTOEXEC.BAT or one of his Windows INI files. Without using the capabilities of ONE-PHONE-CALL he is either reading you the text of the file over the phone (yea, right!) or he is printing it out to fax it or mail it to you. You get the listing (maybe days from now) and find the problem. You need him to edit his CONFIG.SYS file to fix the problem. "How do I do that?" he asks. You get the idea. With ONE-PHONE-CALL, he simply sends you the files, you edit them on your computer, and send them back, he reboots, and the problem is solved. All with ONE-PHONE-CALL. Our final example highlights the security aspects of electronic information transfer. Have you ever sent a fax and wondered if it went to the wrong machine? Did you dial that number correctly? Or did you wonder if it was "eaten" by the machine? or was read by the wrong people? or fell into the "black hole" of cyberspace? Have you ever wanted to send some confidential information but didn't "quite trust" your on-line service? Have you ever wanted to make sure the right person and ONLY that person sees your communication? Without ONE-PHONE-CALL, the electronic exchange of confidential information can be very difficult. With ONE-PHONE-CALL, your life just got much easier. Here's a hyperbolic example but it makes the point: You have been away at your summer retreat working on the company annual report and budget. It is FULL of confidential information. You need to send it to your CFO back at the office for review and the insertion of some background information that he has in his computer. How do you get it to him? With ONE-PHONE-CALL, you call his office, get him on the phone, and send the document! You KNOW you dialed the right number. You KNOW you have the right person on the line. And by using the encryption feature of the software, you can even deter access to your information in the event of a wiretap. How do you do that without ONE-PHONE-CALL? Minimum System Requirements ONE-PHONE-CALL runs under Windows 95, Windows 3.1 or MS-DOS. System Requirements: For operation under Windows 3.1 or higher: IBM-compatible PC (386 or higher) 4 mb of RAM memory, 8 mb recommended Mouse Hard drive with at least 1 MB of free space 1200, 2400, 9600, 14.4K, 28.8K modem For operation under MS-DOS 3.11 or higher IBM-compatible PC (8088 or higher, 80286 or higher recommended) 640 kb of RAM memory Mouse recommended Hard drive with at least 1 MB of free space 1200, 2400, 9600, 14.4K, 28.8K modem Best Regards, Joe JDonth at gnn.com From Adam_Pingitore at alli.wnyric.org Fri Mar 29 04:00:51 1996 From: Adam_Pingitore at alli.wnyric.org (Adam Pingitore) Date: Fri, 29 Mar 1996 20:00:51 +0800 Subject: Crypto CD UpDate Message-ID: <9602288280.AA828043590@ccmail.wnyric.org> Um, why am I getting mail from you people. From editor at cdt.org Fri Mar 29 04:13:51 1996 From: editor at cdt.org (Bob Palacios) Date: Fri, 29 Mar 1996 20:13:51 +0800 Subject: CDT Policy Post 2.12 - Sen. Burns Announces New Bill To Lift Crypto ExportControls Message-ID: ----------------------------------------------------------------------------- _____ _____ _______ / ____| __ \__ __| ____ ___ ____ __ | | | | | | | | / __ \____ / (_)______ __ / __ \____ _____/ /_ | | | | | | | | / /_/ / __ \/ / / ___/ / / / / /_/ / __ \/ ___/ __/ | |____| |__| | | | / ____/ /_/ / / / /__/ /_/ / / ____/ /_/ (__ ) /_ \_____|_____/ |_| /_/ \____/_/_/\___/\__, / /_/ \____/____/\__/ The Center for Democracy and Technology /____/ Volume 2, Number 12 ---------------------------------------------------------------------------- A briefing on public policy issues affecting civil liberties online ---------------------------------------------------------------------------- CDT POLICY POST Volume 2, Number 12 March 28, 1996 CONTENTS: (1) Sen. Burns Announces New Bill To Lift Crypto Export Controls (2) Subscription Information (3) About CDT, contacting us This document may be redistributed freely provided it remains in its entirety ** Excerpts may be re-posted by permission (editor at cdt.org) ** ----------------------------------------------------------------------------- (1) SENATOR BURNS ANNOUNCES BILL TO LIFT CRYPTO EXPORT CONTROLS The battle to roll back the Clinton Administration's encryption policy escalated on Thursday when Senator Conrad Burns (R-MT) announced that he will introduce a new proposal to repeal restrictions on encryption exports and to encourage the growth of electronic commerce. Senator Burns announced the bill via a teleconference during a special session at the Computers, Freedom, and Privacy Conference in Boston, MA. The bill, titled the "Promoting Commerce On-Line in the Digital Age Act" (PROCODE), joins two recent bills introduced earlier this month (S. 1587 and HR 3011) designed to encourage the development of strong, easy-to-use privacy and security products for the Internet. The Burns bill is different from the other proposals in several respects. Specifically, the latest bill does not contain any new criminal provisions or provisions imposing liability on third party key holders. In his presentation today at CFP, Sen. Burns outlined his new bill. Among other things, the "Promoting Commerce On-Line in the Digital Age Act" would: * Allow for the unrestricted export of "mass-market" or "public-domain" encryption programs, including such products as Pretty Good Privacy and popular World Wide Web software. Encryption software and hardware for sale in local software stores or widely available on the Internet would all be exportable under the proposed Act. * Require the Secretary of Commerce to allow the unrestricted export of other encryption technologies if products of similar strength are generally available outside the United States. * Prohibit the Federal Government from imposing mandatory key-escrow encryption policies on the domestic market. * Limit the authority of the Secretary of Commerce to set standards for encryption products. CDT applauds this effort by Senator Burns to put strong privacy and security technologies in the hands of individuals and businesses. CDT is also pleased that the Senator chose the Computers, Freedom, and Privacy Conference as a forum to announce this proposal. The choice of CFP demonstrates that the Internet community is becoming an increasingly important political constituency. CDT looks forward to working with Senator Burns and other members of Congress interested in policies which encourage the development and widespread use of strong privacy protecting technologies for the Global Information Infrastructure. FOR MORE INFORMATION For more information on the cryptography policy debate, including the text of Senator Burns' proposal when available, visit CDT's Cryptography Issues Web Page: http://www.cdt.org/crypto/ Contacts: Center for Democracy and Technology +1.202.637.9800 Daniel Weitzner, Deputy Director, Alan Davidson, Staff Counsel, ------------------------------------------------------------------------- (2) SUBSCRIPTION INFORMATION Be sure you are up to date on the latest public policy issues affecting civil liberties online and how they will affect you! Subscribe to the CDT Policy Post news distribution list. CDT Policy Posts, the regular news publication of the Center For Democracy and Technology, are received by more than 9,000 Internet users, industry leaders, policy makers and activists, and have become the leading source for information about critical free speech and privacy issues affecting the Internet and other interactive communications media. To subscribe to CDT's Policy Post list, send mail to policy-posts-request at cdt.org with a subject: subscribe policy-posts If you ever wish to remove yourself from the list, send mail to the above address with a subject of: unsubscribe policy-posts ----------------------------------------------------------------------- (3) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. The Center's mission is to develop and advocate public policies that advance democratic values and constitutional civil liberties in new computer and communications technologies. Contacting us: General information: info at cdt.org World Wide Web: URL:http://www.cdt.org/ FTP URL:ftp://ftp.cdt.org/pub/cdt/ Snail Mail: The Center for Democracy and Technology 1634 Eye Street NW * Suite 1100 * Washington, DC 20006 (v) +1.202.637.9800 * (f) +1.202.637.0968 ----------------------------------------------------------------------- End Policy Post 2.12 3/28/96 ----------------------------------------------------------------------- From alanh at mailhost.infi.net Fri Mar 29 04:18:27 1996 From: alanh at mailhost.infi.net (Alan Horowitz) Date: Fri, 29 Mar 1996 20:18:27 +0800 Subject: Why Americans feel no compulsion to learn foreign languages In-Reply-To: Message-ID: << "You can't get a non-Federal job in South Florida if you don't speak Spanish" >> Wrong. From unicorn at schloss.li Fri Mar 29 04:25:23 1996 From: unicorn at schloss.li (Black Unicorn) Date: Fri, 29 Mar 1996 20:25:23 +0800 Subject: What backs up digital money? In-Reply-To: <199603280546.VAA02513@jobe.shell.portal.com> Message-ID: On Wed, 27 Mar 1996, Hal wrote: > I have to disagree somewhat with a few points Mike made. I would say > that gold and diamonds do have intrinsic value, based on their beauty > and the desire of people to own them. I think it is too simplistic to > denigrate these desires as the product of advertising. The feelings that > people have which make them desire these things are as legitimate as > other forms of desire. Take a look at the frontline piece on DeBeers, (there's also a good "Nova" on the subject) has some very interesting points which tend to support the view that the value of diamonds is almost entirely dependent on marketing and public perception. At one time I had some works which supported this view as well. I'll try to find pointers to them again. [...] > A particular issue of "digital cash" could be denominated or backed by > anything the issuer thinks there is a market for. Diet coke? :) [...] > > Hal > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From JR at ns.cnb.uam.es Fri Mar 29 04:29:38 1996 From: JR at ns.cnb.uam.es (JR at ns.cnb.uam.es) Date: Fri, 29 Mar 1996 20:29:38 +0800 Subject: Crypto CD Message-ID: <960328194536.20200293@ROCK.CNB.UAM.ES> At 01:52 AM 3/24/96 -0500, Ben Holiday wrote: >I would plan to put unix/dos/mac all on one CD. I'm thinking that >realistically I can expect 50 megs or so. Possibly as much as 100 if I >find a TON of wonderful text. I burned one such CD this last fall. Oh, well, it wasn't for publishing, although I thought of that at the time. It was mainly to be able to move with me all my data when I switched positions. I included all the Cypherpunks archives, and several international FTP crypto sites in full (ya know, the italian, australian, english, pgp, etc... places). It was well over your "50 megs". And I would find that pretty more useful (if I hadn't it already). :-) Oh, I'm lying. I also did a "purged" version to remove duplicated packages first, when I didn't know if I would have enough sapce in the few CDs I had to burn in the few days I had left. I seem to remember that wasn't as big and maybe in the range that you mentioned. But it was compressed, and hence its usefulnes now is somewhat less since I have to expand everything if I want to get it. I was filling the CDs with other "important to me" stuff, and wanted to save space, but having the space available I don't see any reason not to expand the material. What I'd suggest is a compilation of all main archives, purged from duplications, rearranged rationally (I have it just in the original hierarchies) and all expanded for direct access. If you add to that executables for most packages compiled for a few popular platforms (Mac, PC, Linux and FreeBSD come to mind), I'd bet that you'd get a far greater amount of space. But that's a lot of additional work though. I know from experience. It might do for a very nice cypherpunk project. Although, there still remains the "trustfulness" of the product: how can the final user know that the sources, executables, key databases, etc... have not been tampered with? From the original archives one has the truth one poses on them, but from a copy, one needs to trust the copier. And if it became a multi-person project, all the people involved... But it's well worth a thought o two. If it helps you, my CDs are probing now invaluable to me. jr From owner-cypherpunks at toad.com Fri Mar 29 04:34:11 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 29 Mar 1996 20:34:11 +0800 Subject: No Subject Message-ID: <199603291234.UAA12135@infinity.nus.sg> os writes: > >There is not a single foreign language I can think of it that would help me > >in my goals or help anyone I know. > > I have never known anyone being disadvantaged by knowing another language tha > tongue. Tim (and others) miss out the pleasure of using an exotic language in the presense of people who won't understand it. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From grafolog at netcom.com Fri Mar 29 04:44:32 1996 From: grafolog at netcom.com (Jonathon Blake) Date: Fri, 29 Mar 1996 20:44:32 +0800 Subject: Why Americans feel no compulsion to learn foreign languages In-Reply-To: <31595F37.2781@cs.strath.ac.uk> Message-ID: On Wed, 27 Mar 1996, os wrote: TCMay wrote > >There is not a single foreign language I can think of it that would help me > >in my goals or help anyone I know. Oyvind wrote > I have never known anyone being disadvantaged by knowing another > language than their mother tongue. I'd say Oyvind is right. If you can't speak Spanish the only jobs available in Southern Florida are with the federal government. If you can't speak French, you can't get a job in northern New Hampshire, or northern Vermont. One other advantage to knowing a language other than English. Legal encryption. << Unless a federal law bans the use of any language other than English for any purpose, which would be a violation of NAFTA, not that the US hasn't allready violated NAFTA. >> So if the use of encryption is banned, just switch to writing everything in something like Xhosa, or Chinese, using the Wade Giles transliteration, or Dervish. << Heck, do all your important stuff in languages like that, and then encrypt it with PGP. Would the cryptanalysts recognise the plain text, even if they had it? >> xan jonathon grafolog at netcom.com From alano at teleport.com Fri Mar 29 04:44:52 1996 From: alano at teleport.com (Alan Olsen) Date: Fri, 29 Mar 1996 20:44:52 +0800 Subject: Crypto CD Message-ID: <2.2.32.19960328073312.0096faa8@mail.teleport.com> At 06:53 PM 3/27/96 -0800, Matthew Ghio wrote: >alano at teleport.com (Alan Olsen) wrote: > >>It would be a nice thing to have if it is reletivly complete. Hopefully it >>can be created with a minimum of government interfearence. (But then, I >>have been xpecting alt.binaries.crypto to be created as well...) > >alt.binaries.warez.crypto has existed for a long time (at least on Netcom), >although I haven't seen any posts lately. I suspect many sites deliberately >exclude alt.binaries.warez.* to save disk space. I notice that Netcom takes *EVERYTHING*. (Including the incredibly bogus and silly groups.) Teleport has never, to my knowledge, taken that group. Teleport has since removed all of the remaining warez groups in an effort of moral excess. (After taking all of the groups in existance, including the forign ones that nobody on Teleport reads, and claiming they did not censor groups.) Personally I could care less about the warez groups (it is not as if you could ever find a complete program), but the crypto one would have been nice to see... --- Alan Olsen -- alano at teleport.com -- Contract Web Design & Instruction `finger -l alano at teleport.com` for PGP 2.6.2 key http://www.teleport.com/~alano/ "We had to destroy the Internet in order to save it." - Sen. Exon From hfinney at shell.portal.com Fri Mar 29 04:45:42 1996 From: hfinney at shell.portal.com (Hal) Date: Fri, 29 Mar 1996 20:45:42 +0800 Subject: What backs up digital money? Message-ID: <199603280546.VAA02513@jobe.shell.portal.com> I have to disagree somewhat with a few points Mike made. I would say that gold and diamonds do have intrinsic value, based on their beauty and the desire of people to own them. I think it is too simplistic to denigrate these desires as the product of advertising. The feelings that people have which make them desire these things are as legitimate as other forms of desire. Along these lines, I think one of the factors which made gold and silver coins accepted as money was their intrinsic value. Even without being certain that another person would take the coin, a person might accept payment in such a coin because of its inherent value to him. Other early forms of money, such as beads or tobacco, also had intrinsic value in their time and place. One area I would agree with Mike is that these items may not always retain their value, since part of it is psychological. And as with any other commodity, if new supplies became available their value would fall. This might be especially pronounced with gold and diamonds since part of their value is due to their intrinsic rarity. Diamonds as common as glass would not be worth much more. (Of course, government money as common as paper is worth the same as well, as hard experience has taught us.) A particular issue of "digital cash" could be denominated or backed by anything the issuer thinks there is a market for. Gold backed digital currency would have certain advantages and disadvantages. Currency could be backed by a basket of commodities, or a synthetic average of several countries' currencies. You would not exchange your dcash for a bushel of wheat and a barrel of oil, but rather for dollars or pounds equal to the market value of these commodities. These and more elaborate possibilites are no more difficult to imagine than mutual funds or stock market index futures, not to mention the more complex synthetic investments. Hal From jsw at netscape.com Fri Mar 29 04:45:49 1996 From: jsw at netscape.com (Jeff Weinstein) Date: Fri, 29 Mar 1996 20:45:49 +0800 Subject: Edited Edupage, 24 March 1996 In-Reply-To: <199603271534.KAA02331@jekyll.piermont.com> Message-ID: <315A3ECA.6E53@netscape.com> Perry E. Metzger wrote: > > Jeff Weinstein writes: > > > Any possibility that Netscape might build in some form of > > > cryptography? > > > I realize ITAR rules would make this problematic, but perhaps some sort of > > > out-of-country deal for putting in the hooks for PGPhone could be done. > > > > The internet phone software is coming from one of the companies that > > we are acquiring. This is one obvious application of SSL that I will be > > looking into after the merger is complete. > > 1) I strongly suggest that SSL is *not* in its current form the right > technology, because internet phone type tools probably use UDP, not > TCP. I guess that is what I get for posting when too tired. Certainly the current SSL won't work for UDP based protocols. Either we will have to make a UDP version of SSL or use some existing protocol that gets the job done. Since our acquisition is not complete I haven't really had an opportunity to talk to the streaming media guys yet... > 2) I strongly hope that Netscape tries to move the product towards > standards based mechanisms like the IETF's RTP protocol, which are > in widespread use, rather than pushing yet more proprietary > systems. Proprietary is bad in this instance. I believe, by the > way, that several existing RTP implementations have encryption in > them. Here is a quote from a recent press release - "The Netscape LiveMedia framework will be based on the Internet Realtime Transport Protocol (RTP), RFC number 1889...". The full release can be found at: http://home.netscape.com/newsref/pr/newsrelease81.html I believe that the current product (which was developed by a company that we are acquiring) will be migrated to RTP as soon as we can do it. --Jeff -- Jeff Weinstein - Electronic Munitions Specialist Netscape Communication Corporation jsw at netscape.com - http://home.netscape.com/people/jsw Any opinions expressed above are mine. From grafolog at netcom.com Fri Mar 29 04:46:23 1996 From: grafolog at netcom.com (Jonathon Blake) Date: Fri, 29 Mar 1996 20:46:23 +0800 Subject: Crypto CD UpDate In-Reply-To: <199603271810.NAA75303@fulton.seas.Virginia.EDU> Message-ID: Henry: On Wed, 27 Mar 1996, Henry Huang wrote: > On Mar 26, 21:18, Timothy C. May wrote: > > At 10:16 PM 3/26/96, aba at atlas.ex.ac.uk wrote: > > >The idea of putting together a CD with crypto stuff is an excellent > ITAR is going to be a mess either way. If the CD is put together outside > the U.S., you'd have to only use non-U.S. executables/source (or else Develop it ad cut it outside the US. << Can it be done in St Pierre? Alternatively, how about Bermuda? >> Include Source code for both US and Non-US versions, but only executable for non-US versions. > target. But how do you sell a piece of software to an audience that > doesn't know it needs it? It doesn't take much. The hard part is configuring a system for the user. Plug and Play Crypto applications are required. Now if the CD-Rom had all the crypto applications, with examples of how to configure various things, you are a step closer towards the plug & play requirement. > to resolve. The multi-platform stuff (DOS/Mac/**IX on one disc) will > be harder; you'll need to code a different interface to the CD for each > platform. Depends on your search engine. > issue being addressed here (getting easy-to-digest crypto to the masses) > is a lot more difficult than just pressing a CD-ROM. Ben may need to > rethink his strategy on this, in terms of how to most effectively promote > this CD to that market. Trial run -- press, say 20 CD-Roms. Have people use them on various platforms, and provide the examples, etc, to make it plug and play for the rest of the world. Then press them in batches of 100, or 500 to sell /distribute to users. Market it on a web page, and accept the various forms of digital currency, credit cards, etc. > Hmm, do I hear a volunteer for writing that Crypto Software Web page? ;) Just for the links to each of the crypto software archives? It would need somebody playing with alta-vista, etc for a while --- or somebody sending URL, and a brief site description, to maintain such a page. I started to do something like that a long time ago, but got involved in some other projects. << The relics of that can be found at ftp://ftp.netcom.com/pub/gr/graphology/private.html >> << If I knew of any easy way to sort mail with stuff to be added to such a webpage, from the rest of my mail, I'd volunteer. >> xan jonathon grafolog at netcom.com From perry at piermont.com Fri Mar 29 04:49:10 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 29 Mar 1996 20:49:10 +0800 Subject: What backs up digital money? In-Reply-To: Message-ID: <199603281526.KAA02714@jekyll.piermont.com> Alan Horowitz writes: > I will put forth the proposition that Federal Reserve "Notes" are not > notes. Probably true, but not relevant here on cypherpunks. Same, by the way, with discussions of whether Americans are ignorant pig dogs for not speaking forieign languages and lots of other stuff that has been posted of late. Perry From mike at fionn.lbl.gov Fri Mar 29 04:51:29 1996 From: mike at fionn.lbl.gov (Michael Helm) Date: Fri, 29 Mar 1996 20:51:29 +0800 Subject: Why Americans feel no compulsion to learn foreign languages In-Reply-To: Message-ID: <199603281708.JAA05726@fionn.lbl.gov> On Mar 27, 1:05pm, Rich Graves wrote: > Undeniably true. I think Tim's point was more, "Who cares? Everyone *I* > want to talk to speaks English." Maybe; & who someone talks to & how they do it is of no particular interest to me. However, he said something else: that foreign language speakers were unavailable to most Americans. This is easily shown to be false. That many other people in our English-speaking community also believe it is interesting. Often, they can provide counterexamples themselves without too much trouble (& you may recall that Tim May did). This says something about this culture. What, I don't know, but it's some kind of cognitive dissonance. It occurs to me that members of certain large language groups in the US, who don't speak English, sometimes make the same statement -- "Everyone I want to talk to speaks X". I don't know why this disclaimer is necessary, but please note that I don't think for a moment that you all are "bad" if your beliefs are in accord with what Tim May wrote. Nor do I think you should go out & learn some random language. > One may quibble with the wisdom or morality of such a statement, but if > the second statement is true in your case, then there is no reason you > should have to learn another language. Most upper-income Americans have no I'm not sure what the "second statement" is you're referring to. Anyway, there are a lot of reasons one might choose to study a foreign language, and many levels of fluency. There are many economic issues that could apply, & some non - economic arguments as well. There are very good reasons not to bother, as well. From alanh at mailhost.infi.net Fri Mar 29 05:06:34 1996 From: alanh at mailhost.infi.net (Alan Horowitz) Date: Fri, 29 Mar 1996 21:06:34 +0800 Subject: Why Americans feel no compulsion to learn foreign languages In-Reply-To: Message-ID: Certainly, I believe TCM's proposition that there is no "economic need" for an American to learn a second language. On the other hand, I haven't seen any demonstration of the "value" of learning history. Yet, who would argue that ignorance of history is a good policy to follow? From perry at piermont.com Fri Mar 29 05:54:08 1996 From: perry at piermont.com (Perry E. Metzger) Date: Fri, 29 Mar 1996 21:54:08 +0800 Subject: PolicyMaker paper available In-Reply-To: Message-ID: <199603281719.MAA03000@jekyll.piermont.com> Ted Anderson writes: > "Perry E. Metzger" writes: > > Huh? Postscript an "obscure printer code"? > > I now work from a paperless office and find postscript an "obscure > printer code". It has taken an annoying amount of hacking to view this > postscript file on my PC. Printer code, yes. Obscure, no. Perry From love5683 at voicenet.com Fri Mar 29 05:58:07 1996 From: love5683 at voicenet.com (Chevelle) Date: Fri, 29 Mar 1996 21:58:07 +0800 Subject: National speed limits and expansion of federal power... Message-ID: <199603290134.UAA23638@mail.voicenet.com> let me tell ya' I live in Central Texas and regularly use I-35, which was the primary highway considerd for the bill. The speed limits were raised to 75 mph at increments of every 4 to 5 miles. By that I mean the minute you pass the sign that says 75 with good eyes you can see the one up ahead that says 65 or 55 and you might even catch a glimpse of the state trooper parked beside it. I personally think its a joke and an inconvience, I was totally for the the bill as it was stated but this "red light, green light" game is very disapointing. Just goes to show the government still can't do anything right. Chevelle out.... At 06:52 PM 3/28/96 -0500, Deven T. Corzine wrote: >At 06:06 PM 3/27/96 -0500, Deven T. Corzine wrote: >>Actually, the national government didn't even *pretend* it had jurisdiction >>here. Instead, they used an indirect approach -- they passed laws which >>denied some of the existing highway funding to states with higher speed >>limits than 55 MPH. (Later this limit was raised to 65 MPH, given some >>additional restrictions such as proximity to population centers.) > >At 03:12 AM 3/28/96 -0500, Chevelle wrote: >>It was only months ago that they passed a bill raising alot of speed limits >>to the 75mph range. > >To be precise, Congress repealed the laws which had pressured states into the >55/65 MPH speed limits. Once this happened, a number of states either took >advantage of it immediately to raise speed limits, or are considering it... >Other states don't intend to raise the limits. In Montana, you can now drive >at *any* speed legally, in the daytime. So if you want to go 100 MPH, head to >Montana... :-) > >Deven > > From froomkin at law.miami.edu Fri Mar 29 06:15:24 1996 From: froomkin at law.miami.edu (Michael Froomkin) Date: Fri, 29 Mar 1996 22:15:24 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: Message-ID: On Tue, 26 Mar 1996, Lucky Green wrote: > At 2:08 3/26/96, Shabbir J. Safdar wrote: > > > It is a widespread myth that wiretaps require warrants. Court ordered Unfair. > warrants are not required for a wiretap. They have not been required since > the Digital Telephony Bill passed. That the net, the media, and even > attorneys are so blissfully unaware of this, even years after the provision > doing away with requiring warrants became law, is one of the finest > examples of cognitive dissonance you are ever likely to find. It is too > disturbing to believe it, so the mind ignores the facts. Unfair. > > Excerpt from the Digital Telephony Bill > > quote > SEC. 103. ASSISTANCE CAPABILITY REQUIREMENTS. > (a) Capability Requirements: [...] a telecommunications carrier shall > ensure that its equipment, facilities, or services, that provide a customer > or subscriber with the ability to originate, terminate, or direct > communications are capable of-- > > (1) expeditiously isolating and enabling the government, pursuant to a > court order or other form of authorization, to intercept, [...] all wire > and electronic communications [...]. > end quote > > *Other forms of authorization*, other than a court ordered warrant that is, > are explicitly allowed. Nowhere in the bill, or anywhere else AFIK, is > stated what form these other forms of authorization can take. No limits > whatsoever as to what the government can do. > > "My supervisor approved it" may well suffice. > > Untrue. I see no reason whatsoever to believe that an un-warranted wiretap would be legal in any but two cases. (1) Emergency threatening life (e.g. hostage-taking) pending judicial authorizaiton -- very rare. (2) The president claims residual authority to wiretap on national security grounds without a court order. Since the FISA court provides the authority, this (one is told) is not used. There is no question that the Justice dept is very cagey about not ever admitting that one has an exhausive list of means by which they claim the authority to tap. If some other tap is in use, however, it is an awfully well-kept secret, which argues that it is used for inltellignece and not law enforcement. LEOs can't keep that kind of secret any more. A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax) Associate Professor of Law | U. Miami School of Law | froomkin at law.miami.edu P.O. Box 248087 | http://www.law.miami.edu/~froomkin Coral Gables, FL 33124 USA | It's warm here. From dmacfarlane at zip.sbi.com Fri Mar 29 06:15:30 1996 From: dmacfarlane at zip.sbi.com (David Macfarlane) Date: Fri, 29 Mar 1996 22:15:30 +0800 Subject: WSJ on Big Java Flaw Message-ID: <9603271351.AA18267@zip_master2.sbi.com> [snip] > > Mr. Felten said that unscrupulous people who discovered the > > flaw could boobytrap a Web page on the Internet, > > essentially seizing control of the browser software of any > > PC that tapped into that page. At that point, the hackers > > could read or delete an entire hard disk of data files. > > "The consequences of this flaw are as bad as they can be," > > he said.[..] > > The generalized halting problem comes to mind... > > Since it can be proved that there's no complete set of heuristics > to tell if a given program has a characteristic (such as "secureness") > then sooner or later someone will discover another security flaw. > > A question is whether a simple patch is made or if the set of heuristics > is widened (ie, learn from mistakes) so that similar flaws can be found > based on knowledge of that one flaw. Since this Java error is probably deep in the bytecode interpreter, the question is will Sun patch this *particular* problem, still allowing others, or will it have to rewrite the interpreter so that it enforces the language more rigorously? They are under pressure to make a "quick fix" (they've promised something in two days), but real security needs to be built in to a system from the ground up, with disciplline and thorough design. If they need to redesign their approach to implementing the bytecode interpreter, that could take weeks, months? BTW, its a testament to security through code review, as the Princeton team probably could not have discovered this deep flaw without looking through the code. David Macfarlane. From carboy at hooked.net Fri Mar 29 06:21:48 1996 From: carboy at hooked.net (Michael E. Carboy) Date: Fri, 29 Mar 1996 22:21:48 +0800 Subject: NOISE: Scriveners Attack C-Punks Message-ID: <199603290008.QAA11067@get.hooked.net> Watch out folks... the scriveners are after us! No doubt in cahoots with teh exonites! ---------- From: Nibiru[SMTP:nibiru at columbus.co.za] Sent: Monday, February 26, 1996 1:32 AM To: cypherpunks at toad.com Subject: unsubscrive unsubscrive cypherpunks ------------------------------------------------------------------- NIBIRU E-Mail : nibiru at columbus.co.za South-Africa -------------------------------------------------------------------- From owner-cypherpunks at toad.com Fri Mar 29 06:44:19 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 29 Mar 1996 22:44:19 +0800 Subject: No Subject Message-ID: <199603291444.WAA12232@infinity.nus.sg> Here is an abstract of a report the German newsmagazine Focus published on March 11, 1996 (p. 16) - "Spaete Ermittlungen gegen Techno-Spione" (late/belated investigations against technology spies). I do not include a translation of the whole original text for copyright reasons. "Specialists of the German Federal Police Agency (BKA) have decrypted 44 floppy disks from the former [East German] Ministry for State Security" (MfS). A defector had handed over the floppies to the German Federal Intelligence Agency (BND) in spring 1990. The disks contain information on East German spies in former West Germany. Judicial inquiries against 29 suspects have started now. Apparently, the BKA got the data no sooner than 1994. This is because the BND did not tell law authorities about the floppy disks. German federal DAs learned about the data in late summer 1994 by chance. The article does not say whether the defector came over with the keys. - Probably not, otherwise prosecution should have started much earlier. It is likely that the extremely paranoic MfS used a cipher and a key length it believed to be sufficiently strong. According to Bruce Schneier's Applied Cryptography East Germany was quite aware of DES, it even produced DES chips. Another possibly strong algorithm used in the former Soviet block is GOST (a block cipher derived from the concepts of DES, also described by Schneier). Let us assume BKA specialists have broken the code using a combination of cryptoanalysis, brute force and good luck. They are policemen, not espionage professionals. Further, the BKA is much smaller than the FBI. Imagine what code breaking capabilities a well-funded, big intelligence agency should have then! From tcmay at got.net Fri Mar 29 06:49:04 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 29 Mar 1996 22:49:04 +0800 Subject: Why Americans feel no compulsion to learn foreign languages Message-ID: At 11:31 PM 3/28/96, Alan Horowitz wrote: >Certainly, I believe TCM's proposition that there is no "economic need" >for an American to learn a second language. > >On the other hand, I haven't seen any demonstration of the "value" of >learning history. Yet, who would argue that ignorance of history is a >good policy to follow? Bad analogy. Studying a combination of world history and one's nation's history is an obvious thing to do. And good bang for the buck. Choosing a language is a much harder proposition. No single language stands out for most Westerners, at least not nearly as much as it once did. (Or one of several "top pick" languages, e.g., German, French, and Spanish.) My last word on this language topic will be this: far from being a closed, ignorant, immigrant-hating, shit-eating nation, as some of the usual America bashers have intimated, the decline of language skills reflects a decline in the "ethnocentrism" of the past. A few decades ago, one studied German to be a scientist, one studied French to be cultured, one studied Latin for unexplained reasons (just a joke), and one studied Spanish if not one of the others. As immigrant waves entered the U.S., and as the anti-Westernism meme spread amongst educators, Latin faded out, then German, then French. (All are still taught, but not in the numbers once seen.) Given the explosion of languages--Yoruba, Talegu, Tagalog, Russian, Korean, and on and on--the role of French, German, and to some extent Spanish is less clear than ever. (Spanish is admittedly a growing language, but not in technical fields...just a fact.) So, I am not surprised that American students have no desire to learn one of these languages. They'll have to search to find people to practice with, which they won't (on average, not at the 2-sigma point). While I don't deny the niceness of knowing Russian or Korean, the effort needed to achieve reasonable proficiency (beyond the simple words Bill Frantz was talking about....this thread is about actually learning a language, not a handful of phrases!) is not worth, in my opinion and that apparently of many others, the effort. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From kelli at zeus.towson.edu Fri Mar 29 06:50:26 1996 From: kelli at zeus.towson.edu (K. Ellis) Date: Fri, 29 Mar 1996 22:50:26 +0800 Subject: Councilman/Usenet porn case... In-Reply-To: <315AB3E4.41B6@rgalex.com> Message-ID: On Thu, 28 Mar 1996, Vincent S. Gunville wrote: > Here is an example of what anonymous remailers can > do....... I'm re-forwarding you the second half of this article, because it seems clear that you didn't read the whole thing the first time. > > Suponcic, being a public official, knew his way around the local > > police department, and soon a detective started pounding the Net. By > > tracing the header information on the Usenet postings, the detective > > determined--O.K., this part is murky, we admit--that the messages had > > originated in Ohio, passed through Florida Online, an Internet > > provider in the Sunshine State, and then through anon.penet.fi, a free > > E-mail remailer service based in Finland that allows Internet users to > > post messages anonymously. > > > > The identity of the poster was, and is, unknown, though Suponcic has > > his suspicions. "It's my personal belief that the root of this is > > political," says the councilman, who had to get an unlisted telephone > > number and whose wife now wants to move. > > > > On Feb. 6, at Suponcic's urging, the Willowick city council passed a > > resolution asking the state and federal governments to close the > > "loopholes" that allowed anonymous remailers to operate outside the > > authority of U.S. law-enforcement officials. "Once you've achieved one > > of these anonymous identities, you're dangerous, and there's no way > > law enforcement can track it," Suponcic says. "The animal's out of > > control." > > I know you read at least this far, but keep reading... > > Still not content, Suponcic contacted Steven LaTourette, the U.S. > > Congressman who represents his district. LaTourette's staff suspects > > that the problem lies with Julf Helsingius, the Finn who runs the > > anonymous remailer. They wrote a letter to the Finnish ambassador and > > sent copies to the Secretary of State and the chairman of the House > > Committee on International Relations. The State Department agreed last > > week to look into the complaint. > > > > But here's a reality check. The Finnish remailer could not have been > > used, since anon.penet.fi no longer transmits binary image files. > > Jerry Russell, who runs Florida Online and who looked into the case, > > says he figures the whole thing was a relatively simple prank called a > > sendmail spoof, in which the prankster posts a message with a phony > > return address. He says the Willowick police never produced a copy of > > the posting for him so that he could unravel the tangle for them. > > Indeed, when the policeman called, "he didn't really understand what > > he was trying to tell me," says Russell. "The average Joe Blow police > > detective doesn't know flip about the Internet." > > > > Neither does the average public official. And that, friends, is why > > stuff like the Communications Decency Act--the Christian Coalition's > > attempt to remove pornography from the Internet--sails through > > Congress. Allow me to adjust your point to "Here's an example of what sendmail exploits can do". Kathleen M. Ellis http://zeus.towson.edu/~kelli/ kelli at zeus.towson.edu Diverse Sexual Orientation Coll. Towson State University DSOC at zeus.towson.edu "I can't help it, I'm a born lever-puller" -Ringo from "Yellow Submarine" "Your friends are really just enemies who don't have the guts to kill you" -J. Tenuta "Obscenity is a crutch for inarticulate motherfuckers." -Fortune Cookie Courtesy of Linux 1.3.45 From weisman at osf.org Fri Mar 29 06:54:58 1996 From: weisman at osf.org (David Weisman) Date: Fri, 29 Mar 1996 22:54:58 +0800 Subject: HP & Export of DCE In-Reply-To: <199603271619.LAA08716@homeport.org> Message-ID: <9603281530.AA22135@oberon.osf.org.osf.org> On Wed Mar 27, 1996, Martin Janzen wrote: Another "RPC" comes from the Open Software Foundation, who unfortunately chose the same acronym for the remote procedure calling mechanism in their Distributed Computing Environment (DCE). This DCE is a part of the OSF/1 operating system, but implementations are available for many versions of UNIX, often as a separate product or option. This is a semi-common misconception, there is no relationship between DCE and OSF/1. OSF/1 was one of the reference platforms during the original DCE development, but so was SVR4, AIX and HP/UX. Except for parts of DFS (the distributed file system), all of DCE is user-mode code and ports easily between un*x platforms. Dave From herbs at connobj.com Fri Mar 29 06:55:34 1996 From: herbs at connobj.com (Herb Sutter) Date: Fri, 29 Mar 1996 22:55:34 +0800 Subject: DESCRIBE Message-ID: <2.2.32.19960327042728.0072a724@mail.interlog.com> At 14:27 03.26.1996 -0500, Perry E. Metzger wrote: >If you had an ounce of intelligence, of course, you would simply use >the automated unsubscription instructions you got when you >subscribed. Sadly for the rest of us, who will now have to deal with >your whining indefinately, intelligence is a commodity in precious >supply around this planet. The total intelligence on the planet is constant. The population is growing. --- Herb P. Sutter Current Network Technologies Corp. Senior Architect, Distributed Computing 2655 Benedet, Mississauga ON Canada Cell 416-618-0184 Tel 416-805-9088 Fax 905-855-7194 From tcmay at got.net Fri Mar 29 06:57:29 1996 From: tcmay at got.net (Timothy C. May) Date: Fri, 29 Mar 1996 22:57:29 +0800 Subject: Crypto CD UpDate Message-ID: It pains me to often be the one who throws cold water on what seems to be a good idea, and what comes from a well-intentioned person. But I have to call 'em as I see 'em. And maybe I'm wrong. But here are my thoughts. At 10:16 PM 3/26/96, aba at atlas.ex.ac.uk wrote: >The idea of putting together a CD with crypto stuff is an excellent >IDEA, and one which I very much welcome. > >However a question .. are you (Ben) located in the US? If so... > >that rules out overseas buyers unless you fancy messing with ITAR... >Is it possible that you could come to some arrangement with some one >outside the ITAR fence who has a CD writer (any one reading have one?) >put together the same CD for those outside the US? A CD-ROM containing crypto programs, source code, etc. sounds like a nice idea. But it falls apart for various reasons. For brevity, I'll just list some: 1. The CD-ROM "freezes" the various programs, archives, etc. at the moment the files are finalized and the CD-ROMs are pressed (or burned individually on a CD-R, at somewhat higher per-copy price). If the author of the CD-ROM is not committed to updating the CD-ROM at frequent intervals--say, every few months--then the programs will exhibit "version decay" and be nearly useless. The next point is the reason. 2. The Web does a better job at making the latest versions instantly accessible. True, a CD-ROM will generally have faster access, but I care more about getting the _latest_ version of PGP, even if takes a minute or two to snarf off the Web. That I could get an _older_ version of PGP in fractions of a second off this CD-ROM is not compelling to me. (And fractions of a second is too charitable: in actuality, I'd have to locate the CD-ROM, dismount anything already mounted, mount the CD-ROM, search it for "PGP," etc. Probably not even faster than using Alta Vista and downloading.) 3. Where CD-ROMs really shine over modem alternatives is, of course, for very large files. Images, MPEG or Quicktime movies, etc. "Multimedia" being the operative term. For crypto, this is not an issue. (Except for list archives, where having a few hundred megabytes of articles might be nice. However, the absolute KILLER of this idea is the staleness problem mentione in Point #1: if the archives on CD-ROM lack the most recent month or two, their usefullness drops precipitously. If the CD-ROM is a year old, and no updates have appeared, then its archives are useful only to list historians. (In other words, I will almost always go to up-to-date archives on a Web site rather than dusting off a CD-ROM that was issued several months ago. And a CD-ROM every several months is more than I think we can hope for. Or pay for.) 4. The Web approach allows powerful search engines, links from other pages, and--importantly--multiple jurisdictions. The PGP could come from the U.S., the Digital Postage code from Sweden, and so on. And, again as noted in # 1, the developers could keep improving and iterating the code. And so on....I can think of more problems, but these are enough. I have no interest in quashing the enthusiasm of Mr. Holiday. Nor do I have the power to do so, except by my comments. But I'd hate to see him invest several months of his life preparing this CD-ROM only to find that it is a novelty item, ordered by some people to be "cool," with actual downloads of the latest versions of software being done the way it is now done--the Web. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From m5 at vail.tivoli.com Fri Mar 29 07:10:01 1996 From: m5 at vail.tivoli.com (Mike McNally) Date: Fri, 29 Mar 1996 23:10:01 +0800 Subject: Let's *NOT* "Raise their Awareness" In-Reply-To: Message-ID: <315AA025.795A@vail.tivoli.com> Timothy C. May wrote: > By the way, this is a wonderful story to tell about the stupidity of > government, but, alas, most of it is urban legend. The Tennessee or > Kentucky (I forget which) state legislature did not actually pass such a > law....it was merely _proposed_ by some particular legislator, and then > never acted upon. "A history of pi". P. Beckman. Golem Press, CO, 1971 If you haven't read it, do so. A wonderfully opinionated little book. ______c_____________________________________________________________________ Mike M Nally * Tiv^H^H^H IBM * Austin TX * pain is inevitable m5 at tivoli.com * m101 at io.com * * suffering is optional From jimbell at pacifier.com Fri Mar 29 07:14:09 1996 From: jimbell at pacifier.com (jim bell) Date: Fri, 29 Mar 1996 23:14:09 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: At 03:46 PM 3/28/96 -0500, Black Unicorn wrote: >On Tue, 26 Mar 1996, Duncan Frissell wrote: > >> At 09:46 PM 3/25/96 -0500, Michael Froomkin wrote: >> >> >An interesting issue, likely to be addressed in future judicial >> >assistence treaties... >> > >> >> However, future judicial assistance treaties are meaningless if you store >> your keys anonymously (domestically or internationally) so that even the >> keeper doesn't know he has them or exactly where they are in his pile of keys. > >Given the significant contempt charges that can follow a refusal to >produce items (anonymous or not) this still depends on the absence of >initial detection. You clearly don't understand. You're making the ASSumption that the organization keeping the keys can produce them in a form that is "useful" to the cops. Escrowing encrypted keys makes them useless to subpoena, and in fact it helps the key owner because the escrow agent can (and, in fact, must!) be obligated to inform the key owner if his key is requested. You also seem to assume that "contempt charges" will be able to operate world-wide, which is a highly dubious proposition. (Read Froomkin's paragraph above CAREFULLY. He said "internationally.") And in any case, I consider it highly doubtful that anybody would contract with an escrow agent and identify himself by name. It would be a simple matter to operate "escrow agents," just glorified data-holders, who would receive data anonymously and send it out just as anonymously, to the person who can identify themselves via some sort of encrypted ID system. Even "detecting" such a transfer is useless because the cops won't be able to figure out what the data is, since it's encrypted in both directions while being transferred, in addition to being encrypted while being held, with a code the escrow agent doesn't know. In short, you need to comprehend what you're responding to before you express your opinions. You're living down to my expectations. >> In fact, I suppose that government operation of the identification system >> (drivers' licenses, passports, etc.) in general is also horribly inefficient >> and should be attacked on efficiency grounds. > >You might not like what you get in response. Streamlined and uniform >identity documents generated at birth and renewed with tax filings would >be the likeliest efficiency improvement. An inefficient government >identification system is to the advantage of the privacy seeker. You seem to be ASSuming that an "efficient identification system" is one that will ALSO operate to the benefit of the government, as opposed to the individual who wants to be identified for only limited purposes. I don't think so. Chaum's encrypted ID system described in the August 1992 Scientific American makes it clear that identification can occur without the ability to cross-reference databases. Chaum's system, if implemented with current microprocessor technology, would be extremely "efficient," at least from the standpoint of the amount of human effort involved. It would, however, be extremely hostile to the government. Jim Bell jimbell at pacifier.com From ses at tipper.oit.unc.edu Fri Mar 29 07:15:34 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Fri, 29 Mar 1996 23:15:34 +0800 Subject: Edited Edupage, 24 March 1996 In-Reply-To: Message-ID: On Thu, 28 Mar 1996, Eric Young wrote: > On Wed, 27 Mar 1996, Phil Karlton wrote: > > My apologies for misunderstanding what you wrote. It could be that I am > > oversensitive on the issue since SSL has been "accused" of being > > proprietary in many forums. A lot of the aura of "proprietariness" of SSL comes from the early history, which I don't think we need to go into again. > ASN.1 BOOLEAN type, and I have only just been able to get hold of the > actual full specification of X509v3. The UNIVERSALSTRING type? Only > found out about it's existance 3 days ago. DER BOOLEAN : [UNIVERSAL 1] true - 0x01 0x01 0xff false- 0x01 0x01 0x00 I never had any problem getting hold of ASN.1 information for free (I even managed to get a change into the PER spec without being a government). Marshall Rose's "The Open Book" really helped. protectzia rules, even if Tim doesn't know what it means :) Mind you, when I was working on z39.50 I had tremendous fun working on debugging when just about everybody had hand-rolled their own compilers or codecs, and nobody actually had a real copy of the ASN.1 specs The real problem with asn.1 is that it is so easily abused; unless you stop and think about what the spec you're writing is going to look like in terms of structs and bits on the wire it's way too easy to come up with something completely unimplementable. When used correctly it can be a life saver, and when used with PER, the encodings generated are often way better than you'ld end up with if you designed the encodings manually, especially for modern cache architectures; however if the spec is fucked up there's not a lot you can do. Hmm - hi abuse potential - now there's something that really needs federal regulation. Simon From owner-cypherpunks at toad.com Fri Mar 29 07:18:49 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 29 Mar 1996 23:18:49 +0800 Subject: No Subject Message-ID: <199603291518.XAA12287@infinity.nus.sg> > My question is when I see how RSA encrypts using PKCS > [desc. deleted] > How to solve this?? You don't. Blind signatures only work with "pure" RSA. You cannot use PKCS encoding to perform blind signatures. PKCS nullifies the multiplicity that is required for these blinding techniques to work. -derek From mpd at netcom.com Fri Mar 29 07:20:11 1996 From: mpd at netcom.com (Mike Duvos) Date: Fri, 29 Mar 1996 23:20:11 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks In-Reply-To: <2.2.32.19960328050605.00698058@arn.net> Message-ID: <199603281828.KAA10403@netcom8.netcom.com> "David K. Merriman" writes: > At 01:34 AM 03/28/96 +0000, you wrote: >> I've been looking for a file on how to make PPV >> descramblers and havn't found any. Commercial descramblers >> cost around $200 base price. If anyone has a file on how to >> make them please e-mail me one. Thanks. > This is cypherpunks. Not Cable-TV-Piracy-Punks. ObCrypto: Scrambling TV signals sometimes makes use of encryption, so perhaps a brief discussion of how this is done could be tolerated. If you are talking about recovering signals from completely encrypted digital MPEG-2 streams, such as those used by the DBS folks, you are probably out of luck. The relevant processing in the decoder exists on a small card which has so far resisted attempts at reverse engineering. As far as analog signals are concerned, the "scrambling" of the video only involves the clipping of the horizontal sync pulses. This causes the picture to tear and the color burst to be missed. So you get a funny torn picture with odd colors in place of the original. Sometimes, the set will momentarily lock on to something in the picture in place of the missing sync and you will get a reasonable picture for a few moments. Kids often watch porn channels for hours waiting for such an effect to occur. The usual way of transmitting the missing sync information is to place an appropriately tuned 15,750 hz subcarrier on the sound channel. If you pick this up, and use it to add pulses back onto the video, you will again get a signal your set will correctly process. There are a variety of techniques for scrambling audio. The most expensive is to DES encrypt the sound and place it in the horizontal blanking interval. The regular sound channel can then be used for advertising. This requires a bit of processing at both ends, and is generally used for satellite to ground transmission of cable signals. The other common method is to modulate the sound on a subcarrier, usually the one transmitted in phase with the missing sync. In most cable systems using addressable decoders, nothing is done to the sound at all, and the box simply mutes the set if its address is not in the list of authorized users for that channel. Persons viewing a PPV without a cable box will get a scrambled picture, but perfectly normal sound. This is commonly referred to by people who listen to PPV events without paying as watching in "scramblevision." A hostile attack on such a system can be mounted in a number of ways. One can simply mung the set top box to restore sync on all channels unconditionally, either by replacing a single chip with a black market substitute, or by doing some surgery on the electronics. Once can also construct a number of simple circuits which will yank the subcarrier off the sound channel, and use it to trigger a pulse generator which gets added to the video. You can even stick one of these in your TV set to render it truly "cable ready." Of course, once television transmission goes completely digital, and strong encryption is used on both audio and video, the opportunity for such simple attacks will vanish. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From dgbeards at southern.edu Fri Mar 29 07:20:34 1996 From: dgbeards at southern.edu (Doug Beardsley) Date: Fri, 29 Mar 1996 23:20:34 +0800 Subject: QuickBooks file format Message-ID: <199603290411.XAA03370@southern.edu> I would like to get information about how the QuickBooks accounting program by Intuit stores its data files. I also would like to know what it does with the passwords and how it encrypts the files. (If it even encrypts them) If you have any of this information or know where I can find it I would really appreciate it. Thanks in advance to any replies. Doug Beardsley dgbeards at southern.edu KE4ZPI Committees: Where minutes are kept and hours are lost From vznuri at netcom.com Fri Mar 29 07:26:06 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Fri, 29 Mar 1996 23:26:06 +0800 Subject: java: vending machine software (long) Message-ID: <199603282211.OAA15109@netcom14.netcom.com> Java seems to be catching on in a big way (only a few months ago, the hook-line-and-sinker interest by MS would not have been conceivable) and seems to be leading to some radical new programming and cyberspace paradigms. I thought I would try to anticipate some of these future developments. what does it mean that "the network is the computer"? there are three very important aspects of Java in my view that make it much more than your everyday programming language, and all of these could be classed as "revolutionary" if they stay airtight and hold up to the rigors of worldwide keyboard banging. not all of these are recognized for their importance or potential future significance at the moment. 1. it can be easily translated across platforms. this translation is far more robust and reliable than say the supposed portability of "C" which is in fact not very portable and whose "portability" seems largely an illusion at times. complicated makefiles with a zillion special cases are far from seamless. Java has reached the level of almost "foolproof portability". of course there are some minor sacrifices (such as possibly) efficiency. however Java has always been designed with high efficiency in mind. 2. the security aspects are extremely significant. the end design goal of course is that the end user should never have to worry about whatever software he downloads-- he can run it all knowing it is theoretically impossible for it to screw up his system. all other schemes, such as a "software certification authority" which e.g. MS has been pursuing, seem inferior to some degree. 3. the whole concept of an "applet" is again very critical to the Java design. the name connotes something that is trivial to run, and may be tiny. i.e. one might be running tiny little programs all day instead of monster applications that we have right now. the philosophy is of "lean and mean" vs. the massive dinosaur. one way to state it would be to say that the applet is a program with "small granularity". == now, all the above elements are present in various languages and platforms, but Java has focused on refining them to the utmost degree, to the point that every nonprogrammer can use a Java application without worrying about compilation or whatever. this goal of "increased sophistication for the less sophisticated" has always been foremost in software development, and alas has largely been lost in the minds of many designers. (look how many years it took MS to come up with the concept of "plug and play" when it would seem like an obvious feature from the very beginning of computing). the process of complex program translation/porting has been reduced to the minimum of clicking on a hypertext button. look how many countless man-lifetimes have been wasted by beginners trying to hack through their autoexec.bat, config.sys, and whatever else silly configuration files the software requires them to tweak. look at the lifetimes wasted on bad IRQ settings. what utter shamefulness, to think that all this could have been averted by a few farsighted designers who took the time to "do it right" the first time around and develop standards that didn't require a burden on the human, but instead put it where it belonged: on the designer!! those who argue, "yes, but as soon as you learn this stuff its not a big deal" are completely missing the point. the point that I am getting to is that I think we are entering a new era of "seamlessness" everywhere in cyberspace, and java is going to be a big part in helping that goal be achieved. we are going to see our machines rarely ever ask us for ridiculously arcane or abstruse information such as IRQ settings, IP addresses, or require us to maintain it--things we should not have to care about as humans. its really amazing how often designers simply replace one set of problems with another set, and these people are increasingly going to have to get their act together in the future as people simply don't tolerate poorly designed software that requires them to do things they shouldn't have to do. == Java reminds me in many ways of the Unix operating system. now I'm not claiming a parallel in the "use" of the language, but the design goals are somewhat similar. Unix was broken down into very fine "pieces" of code that could be interchanged and plugged into each other in the same way that subroutines or classes can be shared today. the obvious goal is to have the ability to string pieces of code together, no matter how small or how large. this goal has largely eluded software programmers. it seems that after code gets to a certain size it becomes far less able to be used as a module or subroutine to other code. it seems one has to constantly invent new languages to string all this code together (machine language, C, then shell scripts, then an operating system on top of that, then a network). I believe we are moving toward an environment in which code becomes incredibly interchangeable. the entire cyberspace will be seen in the same way that we see our own local computer system today. cyberspace will be thought of as an enormous code library that one can "link to" in any way one likes with one's own code. the distinctions between operating system, computer languages, shell scripts etc. are all going to blur into one massive, unified algorithmic structure. "object oriented programming" is slowly moving in this direction. it does seem to be that the basic unit of software is not a "subroutine" or an "application" but an "object" and that this paradigm can be utilized in almost any situation, at any level. Unix has what I describe as "fine granularity" and was designed purposely and almost fanatically to have this feature. in short it is the philosophy that no code is an island and no matter what hierarchy of code one is talking about, from subroutines all the way up to complex applications, standards should exist that let it all "interoperate" in automated fashions. a shell script is merely a way of treating large pieces of code as subroutines. (one can get their exit status, pass parameters on a "command line" etc.) Unix succeeded in bringing the "interchangeable code" concept up higher in the hierarchy to shell scripts and OS utilities etc.-- but it had to keep inventing new languages at every level to do so. to say that Excel "interoperates" with some other software seems deceptive, if one is using the term in the same way it was used in Unix. the user has to click around in menus to accomplish what they want; whereas the situation of making the software so that it can be called as a subroutine from code requires an entirely different design. when Excel began allowing all its features to be called from Visual Basic functions, such that a series of mouse clicks and operations implied a particular Visual Basic program, is the direction I am referring to. today we see code as something hiding behind user interfaces. but increasingly in the future, we are going to be able to see the code itself and view the user interface as simply a kind of "grafting" on top of it. it is a sort of "handle" that lets one access the code. there are other "handles" that can be created to use the same code, such as a specialized language, subroutines that name the code, or objects. generally objects are going to win out in the future as the "thing" that describes all code. the object paradigm does come very close to the goal of interchangeable software parts. increasingly the objects that hide behind complex applications are going to become "visible" to the end user who can combine them in novel ways. the analogy I like to use is that the "hood of the car" can be opened to let people to tinker with the engine. == when one thinks about this, I think it becomes clear that we are going to see many, many new standards for code communication in the future. if we don't want all these java applets to be isolated, we are likely to see many standards emerge that allow people to write applets that "fit into" various places in a sort of "plug and play" approach. in Unix, the standards that were devised were shell scripts and command line parameters. much effort went into trying to deal with compatibility of command line arguments and that kind of thing. these standards will tend to define things like "the standard methods that [x] java widgets must support, and in what ways". I expect to see a lot of these standards be developed and proliferate. in fact, musing on all this reminds me that it seems to me the heart of computing involves creating standards and interfaces, and that very few computer languages address this aspect of computation. I'm toying with the idea of inventing a computer language that actually manages standards. (future posts on this will probably go to coderpunks) == now a few words about something I talked about in the title, or "vending machine software". I imagine we are going to see a whole new paradigm for software use in the future that is going to absolutely baffle companies used to the old paradigm, and who built their kingdoms on it, the most obvious being Microsoft. the key concept is to combine cyberspace, digital cash, microcurrency, applets, and interchangeability into a new complex holographic recipe. imagine in the future that massive single, "circumscribed" applications such as Excel become more rare, and instead what develops is an incredible variety and diversity of applets around the world. I suspect that in the future, people will use software something like the way vending machines work. you look around, pick the exact thing you want in the moment, and pay a pretty small fee. you may come back later and pick something else out. eventually I think cyberspace is going to look like one massive application that one can click anywhere to do anything. anyone will be able to put their own "code" into this massive vending machine. sophisticated methods of organizing the hierarchies to aid finding what you want quickly will evolve, just as Yahoo and all the other search services are now proliferating. the point is that you no longer "buy" an application-- you pay for each individual use of pieces that exist all over cyberspace, i.e. every time you "call" a subroutine, so to speak. the cost-per use is so low that you don't mind this, and in fact you probably save a lot of money in the long run, because you only pay for what you use. furthermore, the software is very specialized and you can get applications that are very much tailored to what you want them to do-- they require less and less configuration. entire companies will specialize in delivering what you want very quickly if what they are selling is not exactly what you want that moment. people will in fact create massive applications that are strings of subroutines of software written elsewhere all over the world. I think that rapid network speeds will actually allow software to be written that doesn't reside on a local computer, but in fact in which some subroutine calls happen over a network!! the parameters and return data are passed over the network, and the code never runs on a local computer. notice the "boundaries" of such an application seems to shift dramatically. you cannot "circumscribe" such an application as easily, it is not one "thing" that runs isolated on your own computer. it is a sort of holographic element in a massive algorithmic universe that calls on all kinds of other elements in the universe. it may be possible to build in the same kinds of "resistance to errors" in this kind of computation that we now have in TCP/IP protocols. i.e. if a certain module fails, the system may automatically call up other modules that work. all of this requires a reliability and complexity we do not have at the moment, but I see major hints of it in our current system, and I believe we are rapidly evolving towards the above scenarios. the above cannot really be realized so long as people insist on selling their code as if it is a massive product that has to be purchased and shipped somewhere in shrinkwrapped packaging. as we begin to move away from the concept of, "you are buying the right to use this program whenever you want for a lot of money" to "you are buying this particular computation or use of the algorithm for a small fraction of the development cost", the above system will begin to proliferate and blossom. == what does this all mean to existing (software) companies? increasingly, the value of a company of people, or some kind of structure, will be how well it can coordinate people and resources to accomplish some particular goal. but the company will increasingly have to compete with other structures that may be more able to coordinate resources efficiently. if an incredible groupware program evolved, for example, that let people coordinate themselves and others as "efficiently" or more so than a company does today, companies in the modern sense would tend to die out. a "company" becomes a virtual collection of people and resources to accomplish a common goal, but the geographic localization/focus characteristic of modern companies will be seen as something as an anachronism. a company that is drowning in inefficient bureacracy will tend to find that people will simply go elsewhere and find more efficient methods of "plugging in" their value, because they are better paid by some structure that does not waste their energies. I am not saying above that bureacracy is evil-- we are going to find out what kinds of bureacracy (or "coordination") is really necessary in the future, and what kind is superfluous, burdensome, and inefficient, as people increasingly move out of/away from structures running amuck in the latter. From owner-cypherpunks at toad.com Fri Mar 29 07:32:12 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 29 Mar 1996 23:32:12 +0800 Subject: No Subject Message-ID: <199603291532.XAA12310@infinity.nus.sg> Hi! I have some stupid question about how to implement blind signature. I Know it works as follows: If A wants B to sign X but donot know it is X, A can send X*PK(random) : PK is public key of B Then B signs on message: SK(X*PK(random)) ==> SK(X)*random Then A can obtain SK(X) by SK(X)*random/random My question is when I see how RSA encrypts using PKCS The PKCS block is like this 00 01 FF FF FF FF ... 00 input Then SK(00 01 FF FF FF .. 00 input) . If the input = X*PK(random) then SK(00 01 FF FF FF .. 00 X*PK(random)) will not produce SK(X)*random How to solve this?? Thanks!! From owner-cypherpunks at toad.com Fri Mar 29 07:35:32 1996 From: owner-cypherpunks at toad.com (owner-cypherpunks at toad.com) Date: Fri, 29 Mar 1996 23:35:32 +0800 Subject: No Subject Message-ID: <199603291535.XAA12314@infinity.nus.sg> Mutatis Mutantdis writes: > >I've got a short program for the PC (w/TPascal source) that plots a > >noise sphere from a file of (pseudo) random data, if anyone is > >interested. Requires a VGA card that handles mode 5Fh (640 x 480, > [..] > >The source has a brief explanation of what noise spheres are and a > >reference to the Pickover article the program was based on. > Somebody sent me a C++ conversion of it. It compiles fine with BCC 4.02. > > Enclosed here (thanks to "James Pate Williams, Jr." ) Here's a version of it for X Windows, translated into plain-old C. -- Jeff oo -----------------------------cut /\ here------------------------------ /* xnoisesph.c Compiled on Linux with: cc -o xnoisesph xnoisesph.c -L /usr/X11R6/lib -lX11 -lm Usage: xnoisesph file Or: xnoisesph No copyright is claimed. No guarantees made. Usage: noisesph file This program reads a file of random or pseudo-random data and plots a noise sphere of the data. Poor RNGs or sampling methods will show clear patterns (definite splotches or spirals). The theory behind this is to get a set of 3D polar coordinates from the RNG and plot them. An array is kept of the values, which is rotated each time a new byte is read (see the code in the main procedure). Rather than plot one sphere which can be rotated around any axis, it was easier to plot the sphere from three different angles. This program is based on a description from the article below. It was proposed as a means of testing pseudo-RNGs: Pickover, Clifford A. 1995. "Random number generators: pretty good ones are easy to find." The Visual Computer (1005) 11:369-377. */ #include #include #include #include #include typedef struct _Cartesian { double x, y, z; unsigned Color; } Cartesian; typedef struct _Polar { double r, theta, phi; } Polar; double ByteToReal(unsigned char); unsigned int ScaleColor(double); int Round(double); void Plot(Cartesian *); void PolarToCartesian(Polar *, Cartesian *); int MidA, MidB, MidC, MidY, Scale; char *pgm; Window w; Display *d; GC gc; void main(int ac, char **av) { int i; char *fname; FILE *inp; XEvent event; XExposeEvent *ee = (XExposeEvent *)&event; int width, height, bwidth, depth, wx, wy; Window root; pgm = basename(*av); if (ac > 2) { fprintf(stderr, "Usage: %s [file]\n", pgm); exit(1); } if (ac == 2) { fname = av[1]; if ((inp = fopen(fname, "rb")) == NULL) { fprintf(stderr, "%s: Can't open %s - %s\n", pgm, av[1], strerror(errno)); exit(1); } } else { inp = stdin; fname = "(stdin)"; } if (!(d = XOpenDisplay(NULL))) { fprintf(stderr, "%s: Can't open display\n", pgm); exit(1); } w = XCreateSimpleWindow(d, RootWindow(d, DefaultScreen(d)), 0, 0, 640, 480, 0, BlackPixel(d, DefaultScreen(d)), BlackPixel(d, DefaultScreen(d))); XSelectInput(d, w, ExposureMask); gc = XCreateGC(d, w, 0L, NULL); XSetBackground(d, gc, BlackPixel(d, DefaultScreen(d))); XSetForeground(d, gc, WhitePixel(d, DefaultScreen(d))); XMapRaised(d, w); while (XNextEvent(d, &event), event.type != Expose) ; /* * Get the window's actual width and height. */ XGetGeometry(d, w, &root, &wx, &wy, &width, &height, &bwidth, &depth); /* * Initialization done, window on screen; time for real work. */ { double X[3]; int i, n = 0; int byte; Cartesian C; Polar P; Scale = width / 6; MidA = Scale; MidB = 3 * Scale; MidC = 5 * Scale; MidY = height / 2; if (MidY < Scale) Scale = MidY; for (i = 0; i < 3; i++) { if ((byte = getc(inp)) == EOF) { fprintf(stderr, "%s: Early EOF on %s\n", pgm, fname); exit(1); } X[i] = ByteToReal((unsigned char) byte); } while (1) { P.r = sqrt(X[(n + 2) % 3]); P.theta = M_PI * X[(n + 1) % 3]; P.phi = 2 * M_PI * X[n]; PolarToCartesian(&P, &C); Plot(&C); if ((byte = getc(inp)) == EOF) break; X[n] = ByteToReal((unsigned char) byte); n = (n + 1) % 3; } } /* * Now hang out. Let the window manager kill us. */ while (1) XNextEvent(d, &event); exit(0); } double ByteToReal(unsigned char b) { /*note that there will be some gaps since we're only using the equivalent of an 8-bit decimal here*/ return b / 256.0; } unsigned int ScaleColor(double x) { return 0; } int Round(double x) { return (int) (x + 0.5); } void Plot(Cartesian *C) { XDrawPoint(d, w, gc, MidA + Round(Scale * C->y), MidY - Round(Scale * C->z)); XDrawPoint(d, w, gc, MidB + Round(Scale * C->x), MidY - Round(Scale * C->y)); XDrawPoint(d, w, gc, MidC + Round(Scale * C->z), MidY - Round(Scale * C->x)); } void PolarToCartesian(Polar *P, Cartesian *C) { /* No rotation was added. Instead we plot from three angles... */ C->x = P->r * sin(P->phi) * cos(P->theta); C->y = P->r * sin(P->phi) * sin(P->theta); C->z = P->r * cos(P->phi); /* We can assign colors based on x, y, z, r, theta / pi or phi / (2 * pi) */ C->Color = ScaleColor(C->y); } From ncognito at gate.net Fri Mar 29 08:32:26 1996 From: ncognito at gate.net (nCognito) Date: Sat, 30 Mar 1996 00:32:26 +0800 Subject: Crash Message-ID: <199603290840.DAA03640@osceola.gate.net> Introduction to the French Edition of "Crash" J.G.Ballard, 1974 The marriage of reason and nightmare which has dominated the 20th century has given birth to an ever more ambiguous world. Across the communications landscape move the specters of sinister technologies and the dreams that money can buy. Thermonuclear weapons systems and soft drink commercials coexist in an overlit realm ruled by advertising and pseudoevents, science and pornography. Over our lives preside the great twin leitmotifs of the 20th century - sex and paranoia. Despite McLuhan's delight in high-speed information mosaics we are still reminded of Freud's profound pessimism in "Civilization and its Discontents". Voyeurism, self-disgust, the infantile basis of our dreams and longings - these diseases of the psyche have now culminated in the most terrifying casualty of the century: The death of affect. This demise of feeling and emotion has paved the way for all our most real and tender pleasures - in the excitements of pain and mutilation; in sex as the perfect arena, like a culture bed of sterile pus, for all the veronicas of our own perversions; in our moral freedom to pursue our own psychopathology as a game; and in our apparently limitless powers for conceptualization - what our children have to fear is not the cars on the highways of tomorrow but our own pleasure in calculating the most elegant parameters of their deaths. To document the uneasy pleasures of living within this glaucous paradise has more and more become the role of science fiction. I firmly believe that science fiction, far from being an unimportant minor offshoot, in fact represents the main literary tradition of the 20th century, and certainly its oldest - a tradition of imaginative response to science and technology that runs in an intact line through H.G. Wells, Aldous Huxley, the writers of modern American science fiction, to such present-day innovators as William Burroughs. The main "fact" of the 20th century is the concept of the unlimited possibility. This predicate of science and technology enshrines the notion of a moratorium on the past - the irrelevancy and even death of the past - and the limitless alternatives available to the present. What links the first flight of the Wright brothers to the invention of the Pill is the social and sexual philosophy of the ejector seat. Given this immense continent of possibility, few literatures would seem better equipped to deal with their subject matter than science fiction. No other form of fiction has the vocabulary of ideas and images to deal with the present, let alone the future. The dominant characteristic of the modern mainstream novel is its sense of individual isolation, its mood of introspection and alienation, a state of mind always assumed to be the hallmark of the 20th century consciousness. Far from it. On the contrary, it seems to me that this is a psychology that belongs entirely to the 19th century, part of a reaction against the monolithic character of Victorianism and the tyranny of the paterfamilias, secure in his financial and sexual authority. Apart from its marked retrospective bias and its obsession with the subjective nature of experience, its real subject matter is the rationalization of guilt and estrangement. Its elements are introspection, pessimism and sophistication. Yet if anything befits the 20th century it is optimism, the iconography of mass merchandising, naivety and a guilt-free enjoyment of all the mind's possibilities. The kind of imagination that now manifests itself in science fiction is not something new. Homer, Shakespeare and Milton all invented new worlds to comment on this one. The split of science fiction into a separate and somewhat disreputable genre is a recent development. It is connected with the near disappearance of dramatic and philosophical poetry and the slow shrinking of the traditional novel as it concerns itself more and more exclusively with the nuances of human relationships. Among those areas neglected by the traditional novel are, above all, the dynamics of human societies (the traditional novel tends to depict society as static), and man's place in the universe. However crudely or naively, science fiction at least attempts to place a philosophical and metaphysical frame around the most important events within our lives and consciousness. If I make this general defense of science fiction it is, obviously, because my own career as a writer has been involved with it for almost 20 years. >From the very start, when I first turned to science fiction, I was convinced that the future was a better key to the present than the past. At the time, however, I was dissatisfied with science fiction's obsession with its two principal themes - outer space and the far future. As much for emblematic purposes as any theoretical or programmatic ones, I christened the new terrain I wishred to explore INNER SPACE, that psychological domain (manifest, for example, in surrealist painting) where the inner world of the mind and the outer world of reality meet and fuse. Science and technology multiply around us. To an increasing extent they dictate the languages in which we speak and think. Either we use those languages, or we remain mute. Yet, by an ironic paradox, modern science fiction became the first casualty of the changing world it anticipated and helped to create. The future envisioned by the science fiction of the 1940s and 1950s is already our past. Its dominant images, not merely of the first Moon flights and interplanetary voyages, but of our changing social and political relationships in a world governed by technology, now resemble huge pieces of discarded stage scenery. For me, this could be seen most touchingly in the film "2001: A Space Odyssey", which signified the end of the heroic period of modern science fiction - its lovingly imagined panoramas and costumes, its huge set pieces, remind me of "Gone With the Wind", a scientific pageant that became a kind of historical romance in reverse, a sealed world into which the hard light of contemporary reality was never allowed to penetrate. Increasingly, our concepts of past, present and future are being forced to revise themselves. Just as the past itself, in social and psychological terms, became a casualty of Hiroshima and the nuclear age (almost by definition a period where we were all forced to think prospectively), so in its turn the future is ceasing to exist, devoured by the all-voracious present, as merely one of those manifold alternatives open to us. Options multiply around us, we live in an almost infantile world where any demand, any possibility, whether for lifestyles, travel, sexual roles and identities, can be satisfied instantly. In addition, I feel that the balance between fiction and reality has changed significantly in the past decade. Increasingly their roles are reversed. We live in a world ruled by fictions of every kind - mass merchandising, advertising, politics conducted as a branch of advertising, the instant translation of science and technology into popular imagery, the increasing blurring and intermingling of identities within the realm of consumer goods, the preempting of any free or original imaginative response to experience by the television screen. We live inside an enormous novel. For the writer in particular it is less and less necessary for him to invent the fictional content of his novel. The fiction is already there. The writer's task is to invent the reality. In the past we have always assumed that the external world around us has represented reality, however confusing or uncertain, and that the inner world of our minds, its dreams, hopes, ambitions, represented the realm of fantasy and the imagination. These roles too, it seems to me, have been reversed. The most prudent and effective method of dealing with the world around us is to assume that it is a complete fiction - conversely, the one small node of reality left to us is inside our own heads. Freud's classic distinction between the latent and manifest content of the dream, between the apparent and the real, now needs to be applied to the external world of so-called reality. Given these transformations, what is the main task facing the writer? Can he any longer make use of the techniques and perspectives of the traditional 19th century novel, with its linear narrative, its measured cronology, its consular characters grandly inhabiting their domains within an ample time and space? Is his subject matter the sources of character and personality sunk deep in the past, the unhurried inspection of roots, the examination of the most subtle nuances of social behavior and personal relationships? Has the writer still the moral authority to invent a self-sufficient and self- enclosed world, to preside over his characters like an examiner, knowing all the questions in advance? Can he leave out anything he prefers not to understand, including his own motives, prejudices and psychopathology? I feel myuself that the writer's role, his authority and license to act, has changed radically. I feel that, in a sense, the writer knows nothing any longer. He has no moral stance. He offers the reader the contents of his own head, he offers a set of options and imaginative alternatives. His role is that of the scientist, whether on safari or in his laboratory, faced with a completely unknown terrain or subject. All he can do is to devise hypotheses and test them against the facts. "Crash" is such a book, an extreme metaphor for an extreme situation, a kit of desperate measures only for use in an extreme crisis. If I am right, and what I have done over the past few years is to rediscover the present for myself, "Crash" takes up its position as a cataclysmic novel of the present day in line with my previous novels of world cataclysm set in the near or immediate future - "The Drowned World", "The Drought" and "The Crystal World". "Crash", of course, is not concerned with an imaginary disaster, however imminent, but with a pandemic cataclysm institutionalized in all industrial societies that kills hundreds of thousands of people each year and injures millions. Do we see, in the car crash, a sinister portent of a nightmare marriage between sex and technology? Will modern technology provide us with hitherto undreamed-of means for tapping our own psychopathologies? Is this harnessing of our innate perversity conceivably of benefit to us? Is there some deviant logic unfolding more powerful than that provided by reason? Throughout "Crash" I have used the car not only as a sexual image, but as a total metaphor for man's life in today's society. As such the novel has a political role quite apart from its sexual content, but I would still like to think that "Crash" is the first pornographic novel based on technology. In a sense, pornography is the most political form of fiction, dealing with how we use and exploit each other in the most urgent and ruthless way. Needless to say, the ultimate role of "Crash" is cautionary, a warning against that brutal, erotic and overlit realm that beckons more and more persuasively to us from the margins of the technological landscape. J.G.Ballard, 1974 From blancw at MICROSOFT.com Fri Mar 29 09:03:14 1996 From: blancw at MICROSOFT.com (Blanc Weber) Date: Sat, 30 Mar 1996 01:03:14 +0800 Subject: What backs up digital money? Message-ID: >From: Perry E. Metzger > >Alan Horowitz writes: >> I will put forth the proposition that Federal Reserve "Notes" are not >> notes. > >Probably true, but not relevant here on cypherpunks. ...................................................................... Perry, here's a question for you, and I am seriously interested in your answer: I agree that discussing the past history of money in relation to whether the Federal Reserve should exist, or has the authority to issue "Notes", and whether the Notes are actually worth anything, is too involved and political and complex a discussion to pursue on this list. But since electronic cash does involve encryption, and since this does have social/political repercussions for the future of mankind, and since the list does involve itself with an acute awareness of what this means for life, liberty, and the pursuit of international wealth, and since you know a lot about the place of free banking and currency in the world economy (not to mention the Peruvian economy ), and since it is a valuable exercise therefore to examine the logical, valid perspective that one should have on this matter in order that one be correct, rather than mistaken, on just how a fluid medium like electronic currency could exist within this new cyber-world order while not yet losing the attributes which have made it acceptable in the past, what, then, would you yourself consider proper for discussion here? A brief outline would be sufficient, to create a context to keep in mind, within which to contain & limit discussion, as we ponder the subject. Perhaps something which could be re-sent when newbies bring up the question again. Thanks. .. >Blanc > From WlkngOwl at UNiX.asb.com Fri Mar 29 09:45:01 1996 From: WlkngOwl at UNiX.asb.com (Deranged Mutant) Date: Sat, 30 Mar 1996 01:45:01 +0800 Subject: Random Number Testing Message-ID: <199603291150.GAA16425@unix.asb.com> On 28 Mar 96 at 15:32, Jeff Barber wrote: [..] > Here's the bottom line to this discussion. Tests that various people on > and off this list have run show some evidence that there *is* "entropy" > to be derived from loop timings (well, actually from a combination of > clock-related, OS-related, and other peripheral-related activities that > cause variations in loop timings). [..] > But, IMO, they qualify as software-only because the interface to the > hardware is indirect and, at least potentially, non-system-specific. I disagree. The methods of timing (how to sample a specific timer) and the various interactions that generate the entropy *are* system specific. Code written for Suns won't work on PCs or Amigas or Macs, etc. The implementation would probably be better if it were built into the OS, which rules out Win95, DOS, OS/2, Macs, etc. (unless the companies decide to add such a feature...) > This leaves several questions that may be of interest to cypherpunks: > > - Is this apparent entropy really *unpredictable* (the most useful > definition of "random" for cryptographic purposes)? Good question. You'd need to look for patterns. Barring none, you'd have to guess the factors that lead to the entropy, and then see if there's a way to reverse-engineer it. (Perhaps use a stripped down system and build it up, or disable some of the hardware and OS features etc.) > - Is there any way to harvest this entropy in a way that is safe to > use for cryptographic purposes? > > - If so, how much of this "apparent entropy" needs to be collected > in order to get a given quantity of "true entropy"? Another question: how do you estimate entropy? [..] Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From jamesd at echeque.com Fri Mar 29 09:59:00 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Sat, 30 Mar 1996 01:59:00 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <199603290803.AAA06737@mail1.best.com> At 03:43 PM 3/27/96 -0500, Shabbir J. Safdar wrote: > Your misunderstanding of how interceptions are done is dangerous to > what is otherwise a rational, intelligent argument. > > Indeed, there are ways to conduct a wiretap without a judge. They require > dispensations from people like the Attorney General, for example. And > this is certainly not a normal practice. I suggest that you study arithmetic before pontificating on normal government practice: 1% of all phone capacity = 850 wiretaps a year. Yeah, right. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From perry at piermont.com Fri Mar 29 10:18:01 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sat, 30 Mar 1996 02:18:01 +0800 Subject: Edited Edupage, 24 March 1996 In-Reply-To: <315A3ECA.6E53@netscape.com> Message-ID: <199603281535.KAA02728@jekyll.piermont.com> Jeff Weinstein writes: > > 1) I strongly suggest that SSL is *not* in its current form the right > > technology, because internet phone type tools probably use UDP, not > > TCP. > > I guess that is what I get for posting when too tired. Certainly the > current SSL won't work for UDP based protocols. Either we will have to > make a UDP version of SSL or use some existing protocol that gets the job > done. Since our acquisition is not complete I haven't really had an > opportunity to talk to the streaming media guys yet... You probably want to look into the hooks that RTP audio programs like VAT use right now to do their cryptography (yes, they do crypto) -- I belive there is lots of precedent. Perry From nibiru at columbus.co.za Fri Mar 29 10:38:01 1996 From: nibiru at columbus.co.za (Nibiru) Date: Sat, 30 Mar 1996 02:38:01 +0800 Subject: NOISE: Scriveners Attack C-Punks Message-ID: <199603291452.MAA09117@intp1.columbus.co.za> >Watch out folks... the scriveners are after us! No doubt in cahoots with teh exonites! Take this dweeb ** BONK ** . From jbugden at alis.com Fri Mar 29 10:57:14 1996 From: jbugden at alis.com (James Bugden) Date: Sat, 30 Mar 1996 02:57:14 +0800 Subject: Why Americans feel no compulsion to learn foreign langua Message-ID: <01BB1C93.A8A24E40@jbugden.alis.com> At Thursday, March 28, 1996 12:32 AM, Timothy C. May wrote: >My point is not against the learning of a foreign language, just that >economic considerations _must_ play a role. Q: What do you call an American company that ported its internet software to 22 different langauges in order to compete in the world? A: Microsoft >My European friends usually study the language of their direct neighbors >and important trading/scientific partners. English, German, French, >typically. So the question is: Who do you want as a neighbour and/or trading partner? >(One person communicated with me in private about this, saying that the >international nature of the Internet is an ironic counterpoint to my point. >So I promised this guy I would learn Hindi and Polish to better be able to >use the Internet. Actually, you promised me that you'd sign up to learn "Swedish. No, wait, to learn Polish. Or is it Japanese, or Greek, or Hindi, or...." But why bother going to all that trouble. Everything you need to be able to encounter another language is right in front of you. http://www.branchezvous.com could be one place to start. But perhaps my point is misdirected. Even those who speak English and share a similar culture can find it hard to communicate sometimes. Ciao, James jbugden at alis.com From Doug.Hughes at Eng.Auburn.EDU Fri Mar 29 11:10:27 1996 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Sat, 30 Mar 1996 03:10:27 +0800 Subject: Sun patch pulled (was Re: HP & Export of DCE) In-Reply-To: <199603272316.XAA13429@pangaea.hypereality.co.uk> Message-ID: > >I noticed that Sun's latest libc patch (101759-04) is empty. Previous >versions contained the complete U.S. version of libc, including the >tres-dangerous DES and crypt functions. In the current rev only the >README remains, presumably because: > EXPORT INFORMATION: This patch includes code which performs > cryptographic functions, which are subject to U.S. export > control, and must not be exported outside the U.S. without > prior approval of the U.S. government. Prior export approval > must be obtained by the user of this patch. > >So, you might ask, what fixes is Sun not distributing??? > (Rev 04) > 1190985 gethostbyname() can trash an existing open file descriptor. > 1182835 portmapper silently fails with version mismatch by PC-NFS > client > 1219835 Syslog(3) can be abused to gain root access on 4.X systems. > Yes, all very dangerous, but, come on, how hard is it to call sun to get a copy of the patch? (answer, it's not). This is not that big of a deal. >Yup, that's right. The syslog hole that was so well publicized by >CERT will remain open indefinitely because the ITAR makes it illegal >for Sun to distribute the fix! > It's easy to patch yourself too. I had a patch for this three days after it was announced, distributed via anon FTP and bugtraq. Basically, replacing syslog.c with one that Perry had written and adding an snprintf.c function. I've discontinued offering this since Sun's patch is now available. >So did HP and Sun spontaneously, simultaneously develop crypto awareness, >or is some gummint dweeb whispering threats in their ear? > Who cares as long as they distribute the patch? The international libc patch is still freely available to anyone who wants it. -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug at eng.auburn.edu Pro is to Con as progress is to congress From mrm at netcom.com Fri Mar 29 11:18:30 1996 From: mrm at netcom.com (Marianne Mueller) Date: Sat, 30 Mar 1996 03:18:30 +0800 Subject: WSJ on Big Java Flaw In-Reply-To: <9603271351.AA18267@zip_master2.sbi.com> Message-ID: <199603291255.EAA26954@netcom20.netcom.com> We are doing several things: 1) continuing a "scrubbing" of the code, to look for holes so we can fix them 2) listening (really) to all comments about the applet security model and mechanisms - some people fault the model, others fault the mechanisms, and I'm interested in all critical feedback and find it helpful 3) continuing to be committed to source code releases to continue vetting by internet community 4) working with others in the networking security community to design ways to expand the functionality allowed to applets in a secure way 5) working on mechanisms to support signed classes, so that people will be able to authenticate downloaded code. Granted just because code is authenticated, that doesn't necessarily mean it's trusted As technical info on those things is written down, we'll put it on our web site for review and criticism - Marianne JavaSoft, Sun Microsystems mrm at eng.sun.com mrm at netcom.com From vingun at rgalex.com Fri Mar 29 11:20:32 1996 From: vingun at rgalex.com (Vincent S. Gunville) Date: Sat, 30 Mar 1996 03:20:32 +0800 Subject: Councilman/Usenet porn case... In-Reply-To: Message-ID: <315AB3E4.41B6@rgalex.com> Here is an example of what anonymous remailers can do....... > > > > TIME Magazine > > April 1, 1996 Volume 147, No. 14 > _________________________________________________________________ > > Return to Contents page > _________________________________________________________________ > > > WAY WRONG NUMBER > > HELL HATH NO FURY LIKE A CITY COUNCILMAN PORNED > > > > JOSHUA QUITTNER > > This is a tale about how an online prank grows into an international > incident. It also goes a long way toward explaining the fear many > non-Internet people have about this out-of-control thing called > cyberspace. > > Our story begins on the banks of Lake Erie, in Willowick, Ohio (pop. > 15,469). It is the last Monday night in January, about 9 o'clock. City > councilman Frank Suponcic is home with his wife Linda when the phone > rings. Linda answers. "Hi, this is Mike," says the man at the other > end, politely enough. Linda chats with Mike, figuring he must be a > constituent. (As Willowick's longest-serving ward councilman, Suponcic > has lots of voters calling him at home.) After a while, Mike asks for > Annette. Linda tells him he has the wrong number. Mike apologizes and > hangs up. > > The phone rings again at 11:30 p.m. And again. And again. Wrong > numbers until 4:30 a.m. A weary Suponcic wonders what's up and checks > the Caller-ID logs on his phone. The first call was from British > Columbia. The next was from Connecticut. There was one from > Indianapolis and a few from California. Clearly these are not > constituents. But who are they? > > Suponcic calls the Canadian back--it is now 5:30 a.m. in that time > zone, and he is only too happy to wake the dude up--and he demands to > know what is going on. The guy explains, vaguely, that he was merely > answering an "ad on the Internet. You know, the one about horny > housewives..." > > So now we have a problem. Suponcic, like a lot of people, has a new > computer. But like most people, he hardly knows what the Internet is. > Now, somewhere there's an ad on it. For horny housewives. With his > home phone number. > > That night, when the next wrong number came in, Suponcic interrogated > the caller and learned that the councilman's phone number was printed > at the bottom of some pictures of naked women that had been posted to > a Usenet newsgroup called alt.binaries.pictures.erotica, which, > naturally, Suponcic had never heard of. But he had a friend in > Cleveland who was something of a computer buff. So the next day the > two of them jacked into Usenet and spent three hours sifting through > about 7,400 files on alt. binaries.etc. > > Eventually, they found two with Suponcic's phone number. One featured > a topless brunet wearing only a string of pearls and offering phone > calls for "as low as 87 [cents] per minute." The other showed a blond > woman advertising "hot amateur wives ready for you from there [sic] > own bed." Yikes. > > Over the next week, Suponcic received more than 75 calls a day from > lusty Netizens. "You just could not make phone calls," says the > exasperated councilman. "And when you went to bed, you had to take > your phone off the hook." > > It was the sorcerer's apprentice scenario, and there was no way to > stop it. > > Suponcic, being a public official, knew his way around the local > police department, and soon a detective started pounding the Net. By > tracing the header information on the Usenet postings, the detective > determined--O.K., this part is murky, we admit--that the messages had > originated in Ohio, passed through Florida Online, an Internet > provider in the Sunshine State, and then through anon.penet.fi, a free > E-mail remailer service based in Finland that allows Internet users to > post messages anonymously. > > The identity of the poster was, and is, unknown, though Suponcic has > his suspicions. "It's my personal belief that the root of this is > political," says the councilman, who had to get an unlisted telephone > number and whose wife now wants to move. > > On Feb. 6, at Suponcic's urging, the Willowick city council passed a > resolution asking the state and federal governments to close the > "loopholes" that allowed anonymous remailers to operate outside the > authority of U.S. law-enforcement officials. "Once you've achieved one > of these anonymous identities, you're dangerous, and there's no way > law enforcement can track it," Suponcic says. "The animal's out of > control." > > Still not content, Suponcic contacted Steven LaTourette, the U.S. > Congressman who represents his district. LaTourette's staff suspects > that the problem lies with Julf Helsingius, the Finn who runs the > anonymous remailer. They wrote a letter to the Finnish ambassador and > sent copies to the Secretary of State and the chairman of the House > Committee on International Relations. The State Department agreed last > week to look into the complaint. > > But here's a reality check. The Finnish remailer could not have been > used, since anon.penet.fi no longer transmits binary image files. > Jerry Russell, who runs Florida Online and who looked into the case, > says he figures the whole thing was a relatively simple prank called a > sendmail spoof, in which the prankster posts a message with a phony > return address. He says the Willowick police never produced a copy of > the posting for him so that he could unravel the tangle for them. > Indeed, when the policeman called, "he didn't really understand what > he was trying to tell me," says Russell. "The average Joe Blow police > detective doesn't know flip about the Internet." > > Neither does the average public official. And that, friends, is why > stuff like the Communications Decency Act--the Christian Coalition's > attempt to remove pornography from the Internet--sails through > Congress. > > --With reporting by Noah Robischon/New York > > _________________________________________________________________ > > > [IMAGE] > > Text Only -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= |Vincent S. Gunville |Robbins-Gioia |209 Madison St Email vingun at rgalex.com |Alexandria, Va 22314 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- From llurch at networking.stanford.edu Fri Mar 29 11:21:40 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 30 Mar 1996 03:21:40 +0800 Subject: Netscape 2.01 fixes server vulnerabilities by breaking the client... Message-ID: Now I suppose they'll want me to fix all the pages where I do a finger with a gopher://host:79/0user. Any chance this nonfix can be unfixed? This nonfix was applied to the UNIX and Win32 versions; I haven't checked the other platforms. -rich >From http://home.netscape.com/eng/mozilla/2.01/relnotes/unix-2.01.html >go to the security stuff and find: > > * Relating to Ports: > > 2.01 fixes a problem where it was possible for a Gopher URL to be > used to send commands to ports other than those that were > reasonable for the Gopher service. It was possible that this > feature could be used to exploit other security vulnerabilities > behind firewalls. Navigator 2.01 fixes this problem by limiting > the ports that a Gopher URL can access and by disallowing certain > control characters in a valid Gopher URL. From shamrock at netcom.com Fri Mar 29 11:42:51 1996 From: shamrock at netcom.com (Lucky Green) Date: Sat, 30 Mar 1996 03:42:51 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: At 10:47 3/27/96, Michael Froomkin wrote: >I see no reason whatsoever to believe that an un-warranted wiretap would >be legal in any but two cases. (1) Emergency threatening life (e.g. >hostage-taking) pending judicial authorizaiton -- very rare. >(2) The president claims residual authority to wiretap on national >security grounds without a court order. Since the FISA court provides >the authority, this (one is told) is not used. On what do you base your belief, give that the law explicitly allows for "other forms of authorization"? Where does it say that these "other forms of authorization" are limited to the examples you give? TIA, -- Lucky Green PGP encrypted mail preferred. From unicorn at schloss.li Fri Mar 29 12:08:16 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 30 Mar 1996 04:08:16 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: Message-ID: On Thu, 28 Mar 1996, jim bell wrote: > At 03:46 PM 3/28/96 -0500, Black Unicorn wrote: > >On Tue, 26 Mar 1996, Duncan Frissell wrote: > > > >> At 09:46 PM 3/25/96 -0500, Michael Froomkin wrote: > >> > >> >An interesting issue, likely to be addressed in future judicial > >> >assistence treaties... > >> > >> However, future judicial assistance treaties are meaningless if you store > >> your keys anonymously (domestically or internationally) so that even the > >> keeper doesn't know he has them or exactly where they are in his pile of > keys. > > > >Given the significant contempt charges that can follow a refusal to > >produce items (anonymous or not) this still depends on the absence of > >initial detection. > > You clearly don't understand. You're making the ASSumption that the > organization keeping the keys can produce them in a form that is "useful" to > the cops. Escrowing encrypted keys makes them useless to subpoena, and in > fact it helps the key owner because the escrow agent can (and, in fact, > must!) be obligated to inform the key owner if his key is requested. You clearly don't understand. You are an ass making an assumption that a court cares or believes that the witness can actually produce the requested information or not. Fines tend to be imposed regardless. > You also seem to assume that "contempt charges" will be able to operate > world-wide, which is a highly dubious proposition. (Read Froomkin's > paragraph above CAREFULLY. He said "internationally.") Contempt charges do operate world wide. The reach of U.S. jurisdiction is very extensive and the United States generally doesn't care what the foreign jurisdiction thinks of it. See my large note on asset concealing. > And in any case, I consider it highly doubtful that anybody would contract > with an escrow agent and identify himself by name The same way no one creates Panamanian companies with their own name. So what? Third parties are still fined heavily. It would be a simple > matter to operate "escrow agents," just glorified data-holders, who would > receive data anonymously and send it out just as anonymously, to the person > who can identify themselves via some sort of encrypted ID system. And simpler for courts to fine them out of existance (which happened to several banks, trust companies and agents in Cayman and Panama). Even > "detecting" such a transfer is useless because the cops won't be able to > figure out what the data is, since it's encrypted in both directions while > being transferred, in addition to being encrypted while being held, with a > code the escrow agent doesn't know. They need only suspect or have reason to suspect it might be exculpatory. Practically speaking this means convincing a judge. Not hard when the words "offshore holding company" are mentioned in a brief or hearing. > In short, you need to comprehend what you're responding to before you > express your opinions. You're living down to my expectations. In short, go to law school, then try to talk about legal issues. > >> In fact, I suppose that government operation of the identification system > >> (drivers' licenses, passports, etc.) in general is also horribly inefficient > >> and should be attacked on efficiency grounds. > > > >You might not like what you get in response. Streamlined and uniform > >identity documents generated at birth and renewed with tax filings would > >be the likeliest efficiency improvement. An inefficient government > >identification system is to the advantage of the privacy seeker. > > You seem to be ASSuming that an "efficient identification system" is one > that will ALSO operate to the benefit of the government, as opposed to the > individual who wants to be identified for only limited purposes. Without getting into semantics, and "efficient identification system" implies one that identifies people efficently. Blocking government use, or limiting it to certain circumstances is not efficiency. > I don't think so. Opinions are like assholes.... > Chaum's encrypted ID system described in the August 1992 > Scientific American makes it clear that identification can occur without the > ability to cross-reference databases. Chaum's system, if implemented with > current microprocessor technology, would be extremely "efficient," at least ^^^^^^^ > from the standpoint of the amount of human effort involved. It would, > however, be extremely hostile to the government. Hedge just a bit more and your argument will be completely underground. > Jim Bell > jimbell at pacifier.com --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From miron at miron.vip.best.com Fri Mar 29 12:15:41 1996 From: miron at miron.vip.best.com (Miron) Date: Sat, 30 Mar 1996 04:15:41 +0800 Subject: ANNOUNCE: remail@extropia moves Message-ID: <199603290238.VAA09647@miron.vip.best.com> Hello, My remailer moved from: remail at extropia.wimsey.com to: remail at miron.vip.best.com Please adjust your pointers accordingly. Mail through extropia should be forwarded for the next few days. There is no change to the encryption key. Miron From Doug.Hughes at Eng.Auburn.EDU Fri Mar 29 12:58:44 1996 From: Doug.Hughes at Eng.Auburn.EDU (Doug Hughes) Date: Sat, 30 Mar 1996 04:58:44 +0800 Subject: Sun patch pulled In-Reply-To: <199603280505.TAA13153@zang.com> Message-ID: >The 101759-?? patch is missing from the Feb 1996 SunSolve Patches CD. However >if one pops in the November 1995 Patches CD there is a nice little copy of >the 101759-03 patch which also comes with the above warning and the DES >enabled libraries. > >The Patches CD's are openly sent around the world by Sun Support, one CD >for all the world. > >Cheers, >Mark > > > Warning!!!!!!! 101759-03 does NOT fix the syslog hole!! Call sun support and get 101759-04! (they will get it to you one way or another. I had them ftp it to my anon incoming directory) -- ____________________________________________________________________________ Doug Hughes Engineering Network Services System/Net Admin Auburn University doug at eng.auburn.edu Pro is to Con as progress is to congress From dlv at bwalk.dm.com Fri Mar 29 13:31:04 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sat, 30 Mar 1996 05:31:04 +0800 Subject: Why Americans feel no compulsion to learn foreign languages In-Reply-To: Message-ID: <4uyJLD6w165w@bwalk.dm.com> Alan Horowitz writes: > Certainly, I believe TCM's proposition that there is no "economic need" > for an American to learn a second language. > > On the other hand, I haven't seen any demonstration of the "value" of > learning history. Yet, who would argue that ignorance of history is a > good policy to follow? Likewise, Tim says there's no value in learning about "traditional" crypto. I say there is. There's a value in convinving a child to learn a second language (at least 1) or history or geometry: it improves his/her thinking process in general. Sure beats baseball (one of the things I dislike most about the U.S.) As someone pointed out, most monolingual Americans can't use English properly. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From campbell at c2.org Fri Mar 29 14:09:35 1996 From: campbell at c2.org (Rick Campbell) Date: Sat, 30 Mar 1996 06:09:35 +0800 Subject: xnoisesph.c Message-ID: <199603291331.FAA09008@infinity.c2.org> -----BEGIN PGP SIGNED MESSAGE----- It looks like the original headers got stripped off of this (at toad?). Could the author of xnoisesph.c please contact me directly? I have some questions about the code. Thanks. Rick - ------- Forwarded Message From: owner-cypherpunks at toad.com Date: Fri, 29 Mar 1996 07:09:16 -0500 Mutatis Mutantdis writes: > >I've got a short program for the PC (w/TPascal source) that plots a > >noise sphere from a file of (pseudo) random data, . . . Here's a version of it for X Windows, translated into plain-old C. . . . xnoisesph.c Compiled on Linux with: cc -o xnoisesph xnoisesph.c -L /usr/X11R6/lib -lX11 -lm - ------- End of Forwarded Message -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMVvlXxj0UvMeUesFAQHQ6gQAxdI8otmXPrHlPtmetv73Hq05dDqZNmgg qDyrrKqVQyURElQ+82uWYpA/5WbhhcwGg0SUNn3hvR5pg4LouqyPQjMTb6C69nQF eEHuSmym2MXE4TqDFhgMvbcv54m3ixHGa3RdhWMUeA4Y2il0+WwQJP+igcybJR95 JF4AAQagMzM= =ePqE -----END PGP SIGNATURE----- -- Rick Campbell http://www.c2.org/~campbell/ From declan+ at CMU.EDU Fri Mar 29 14:27:14 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sat, 30 Mar 1996 06:27:14 +0800 Subject: New crypto bill to be introduced In-Reply-To: Message-ID: Two observations: * Jim Bell would be unduly suspicious if _anyone_ introduced a crypto bill in Congress. I'm not surprised that here on conspiracypunks someone would be raising alarums without knowing what they're talking about. * Jim Bell says we're "overdoing it on this 'List of Shame' thing." Not at all -- we're proud to be on it! And you, Jim Bell, are one of my primary suspects for authorship. -Declan Excerpts from cypherpunks: 28-Mar-96 Re: New crypto bill to be i.. by jim bell at pacifier.com > While this does sound like progress, I'm suspicious. Peter Junger's > analysis raised serious doubt as to the ability of bill to open up the > crypto export market as it purported to. > > And where, exactly, did this these changes come from? Who was consulted? > What recommendations were NOT taken? > > > >We have put our "List of Shame" numbers on our nametags. > >-Declan > > You're overdoing it on this "List of Shame" thing. You don't know > who actually made those anonymous postings, and it's been observed that > those names seem to correspond nicely with an NSA-hate list. It would not > take a great deal of imagination to conclude that the NSA was motivated to > de-focus our anger at the Leahy bill and replace it with a great deal of > back-stabbing commentary. (If that was the intent, it succeeded...) > > On the other hand, I've also noticed that there hasn't been a lot of > specific analysis of the Leahy bill in the last few weeks, and my suggestion > that the Leahy bill be informally re-written to address Junger's objections > (as well as my own, and Tim May's, etc) has not resulted in a great deal of > repair work. Now, miraculously, a replacement bill appears that includes > SOME repairs. (obviously, we have to wait to hear how most of it comes out...) > > > I get the impression that we are being sequentially offered ice cream cones > with decreasing amounts of poison in them, in the hopes that at some point > we'll bite. It seems to me that whoever is writing these bills should be > willing to make a statement about what his goals are, and who he's talking > to as he crafts them, and what changes he was UNwilling to include. From herbs at connobj.com Fri Mar 29 14:31:12 1996 From: herbs at connobj.com (Herb Sutter) Date: Sat, 30 Mar 1996 06:31:12 +0800 Subject: Why Americans feel no compulsion to learn foreign languages Message-ID: <2.2.32.19960328153613.006e3378@mail.interlog.com> At 02:13 03.28.1996 -0800, Timothy C. May wrote: >Yes, this is mostly my point. And it is not just me I'm talking about--I >don't see a compelling need for 95% of Americans to learn a second >language...in fact, I'd rather they learned to speak and read English >properly. > >(All of the America-bashers who were chiming in earlier today with their >anti-American jokes...well, here's one for you: "What do you call someone >who knows how to speak and write English properly? A European.") Hold on, hold on... :-) As the first to post along that line, may I reiterate I'm in no way "anti-American"? It's just that some Americans (and some Canadians, and especially some Englishmen) do have a reputation in the world for going places and expecting the natives to speak their language. It gets interpreted as arrogance, sometimes unjustly. Hence some of the jokes. Funny thing: I rarely hear someone who does know another language argue that it's not desirable and beneficial; only among the unilingual do I regularly find such strong feelings. As a wise man once said (sorry, source unknown): "If you do not know another language, you do not know your own." There's a lot of truth to that... I never knew English as well as I do now before I learned French, and German in particular helped immensely. Fact is, once you know a couple of languages in that group, the others (e.g., Italian, Spanish, Portuguese, Dutch, Swedish) are relatively easy to pick up because now you start seeing the underlying patterns -- that in itself being a big part of knowing your own language better. Or, as a more contemporary souce (I ) would put it: "Speaking with only one language is like seeing with only one eye." But try to explain colour to a blind man... :-/ >very few Americans have any _continuing_ way to use the languages we learn. >Which is a major reason they are being dropped by many schools. I agree; I haven't used French practically at all in over 12 years. However, had I never learned it, I would have been diminished (and, worse, never known my ignorance). A language is not just about word-communication; it is about thought, expression, and especially point of view. There are things you can say in English that you could never say the same way in German, and vice versa; which means that there are ideas and viewpoints you could never fully appreciate without another language. If some folks feel this is unnecessary, well, they can get through life quite well with just one tongue... that's their decision. Anyway, apologies for starting this tangent here, since its crypto relevance is zero or less. :-) I only wanted to express why the word "compulsion" in this thread's new title already speaks volumes to me, and to help explain why this sort of thing sounds to outsiders like another form of isolationism (not that many countries haven't been getting accused of that recently, particularly in the East; it's not just a Western thing). --- Herb Sutter "If ignorance is bliss, why aren't there more happy people?" "The nice thing about standards is that there are so many to choose from." From schryver at radiks.net Fri Mar 29 14:34:31 1996 From: schryver at radiks.net (Scott Schryvers) Date: Sat, 30 Mar 1996 06:34:31 +0800 Subject: (X:x)e$ 's other use Message-ID: <199603271348.HAA05321@sr.radiks.net> At 10:30 PM 3/26/96 -0800, you wrote: >At 04:05 PM 3/26/96 EDT, E. ALLEN SMITH wrote: >> The >> Fed has done an actually rather admirable job of standing up to the pressure > >Every couple of years the politicians start leaning on Greenspan. Greenspan >lets it be known they are leaning on him, the money markets mark the >dollar down and the politicians stop leaning on him. > >The Greenspan standard is not a good as a gold standard, but its not bad. Only >trouble is he is mortal, unlike gold. > >Come to think of it, there is actually some crypto relevance here: Internet >currencies will be necessarily non physical and it will be difficult to go >after the issuer in the event of default, so the best currency will have a >value that depends on peoples belief that the issuer will defend the value >of the currency. Strange how religion and monetary markets work. They both demand the suspension of fact and or physical items in favor of some ethereal object or person's view of reality. I'm not saying that the dollar is some object that does not physically exist, I'm just saying that the value inherent is no longer based on a physical item. Question. If e-cash were backed by gold would that make it more reliable than say the dollar? PGP encrypted mail preferred. Scott J. Schryvers -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQENAzFX9usAAAEH/2r2eovPAoYZbxzmfJ1DW7yjjdVnckXjUVKU/zZNAUV/IjzF GDEq040wbAG1rFHDYoBOjjJTOGWMFuZ9apqoAvvI7Q4NAmVrNif0Rp8q/j4jib13 dlAA4Q0nvJZ5YNw4sf4r0iug76+9i0WpIZoP60DEB8BTuyCP55+nsbe7Ii3xLRyq ThZ2fhNqK2hD/rFugXK29Ynyzuc6TuFfu78kVOsYUUbQpplXyaLjhGKN94pZ5jox x7/wvqmBoH9E3rnaIPY9vOwy3kvMmCTlkjhlCzMXZHDn0e3UHWAax2mUTMttRzzi +SUv45h6ua+eSwUkA8uojojn/JiPOKIPwPk3hq0ABRG0KFNjb3R0IEouIFNjaHJ5 dmVycyA8c2Nocnl2ZXJAcmFkaWtzLm5ldD4= =58dK -----END PGP PUBLIC KEY BLOCK----- From J.Roissetter at plymouth.ac.uk Fri Mar 29 15:01:57 1996 From: J.Roissetter at plymouth.ac.uk (Jason Roissetter) Date: Sat, 30 Mar 1996 07:01:57 +0800 Subject: Controversys in security Message-ID: <150848663C2@cs_fs15.csd.plym.ac.uk> I am currently writting a report into the controverys invovled with data encyption and have desided to target the current DES system, I have found pages on the internet explaining the new triple DES system thought i need more information on the current controversys involved with the current DES system i'm aware that the key is no longer long enough for data to be protected for any amount of time, thought i really need more information to draw conclutions, if there is anyone with information could they please forward it to me. jason roissetter From rollo at artvark.com Fri Mar 29 15:15:41 1996 From: rollo at artvark.com (Rollo Silver) Date: Sat, 30 Mar 1996 07:15:41 +0800 Subject: Randomness paper (posting it) Message-ID: OK. Post it WHERE? >> Postscript, only in FrameMaker format, or as Interchange - MIF or as Text. > >If you can save it as text, then please post it as text. > > Yiorgos Adamopoulos adamo at noc.ntua.gr > National Technical University of Athens, NOC Rollo Silver | e-mail: rollo at artvark.com | Artvark | Home page: http://www.artvark.com/artvark/ | PO Box 219 | Voice: 505-586-0197 | San Cristobal, NM 87564 USA | Compuserve 71174,1453 | =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-= From Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com Fri Mar 29 16:58:32 1996 From: Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com (Paul_Koning/US/3Com%3COM at smtp1.isd.3com.com) Date: Sat, 30 Mar 1996 08:58:32 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <9603291828.AA1144@smtp1.chipcom.com> unicorn @ schloss.li (Black Unicorn) wrote: >On Tue, 26 Mar 1996, Duncan Frissell wrote: >>... >> In fact, I suppose that government operation of the identification system >> (drivers' licenses, passports, etc.) in general is also horribly inefficient >> and should be attacked on efficiency grounds. > >You might not like what you get in response. Streamlined and uniform >identity documents generated at birth and renewed with tax filings would >be the likeliest efficiency improvement. An inefficient government >identification system is to the advantage of the privacy seeker. Indeed. A wise man once said "Thank goodness we don't get all the government we pay for". Government inefficiency is our friend (except at tax time) -- don't wish for it to get more efficient unless it gets a lot smaller FIRST. paul !----------------------------------------------------------------------- ! Paul Koning, NI1D, C-24183 ! 3Com Corporation, 1-3A, 118 Turnpike Road, Southborough MA 01772 USA ! phone: +1 508 229 1695, fax: +1 508 490 5873 ! email: paul_koning at isd.3com.com or paul_koning at 3mail.3com.com ! Pgp: 27 81 A9 73 A6 0B B3 BE 18 A3 BF DD 1A 59 51 75 !----------------------------------------------------------------------- ! "The only purpose for which power can be rightfully exercised over ! any member of a civilized community, against his will, is to prevent ! harm to others. His own good, either physical or moral, is not ! a sufficient warrant." -- John Stuart Mill, "On Liberty" 1859 From winn at Infowar.Com Fri Mar 29 17:16:45 1996 From: winn at Infowar.Com (winn at Infowar.Com) Date: Sat, 30 Mar 1996 09:16:45 +0800 Subject: InfoWarCon IV - Final Schedule Message-ID: <199603281504.KAA04763@mailhost.IntNet.net> P L E A S E D I S T R I B U T E W I D E L Y F I N A L S C H E D U L E IW4 -- InfoWarCon (Europe) '96 Fourth International Conference on Information Warfare: Defining the European Perspective Brussels, Belgium May 23-24 1996 Sponsored by: National Computer Security Association Winn Schwartau, President and CEO, Interpact, Inc. Robert David Steele, Chairman & CEO, Open Source Solutions Group CoSponsors: IBM Internet Security Systems, Inc. Jane's Information Group Network Systems, Inc. Norman Data Defense Background Information Warfare represents a global challenge that faces all late-industrial and information age nation states. It also represents the easiest and cheapest way for less developed nation-states and religious or political movements to anonymously and grieviously attack major nations and international corporations. Not only are the definitions of InfoWar unclear, but they span many areas and disciplines. This conference will examine the European perspectives on all three classes of Information Warfare while contributing some American lessons learned, mistakes made and successes enjoyed. Class One: Personal Privacy Class Two: Industrial and Economic Spying and Warfare Class Three: Global Conflict, Terrorism and the Military As at all other Information Warfare Conferences, this special European Conference encourages active audience participation, contribution and debate. May 22, 1996 17:00 - 20:00 Pre-Registration 18:00 - 21:00 Hosted Cocktail Party with Music Meet Mr. Schwartau, Mr. Steele and many of our other distinguished guests and conference speakers for casual 'off-line' conversation.. May 23, 1996 07:00 - 08:30 Registration 07:00 - 08:30 Sponsored Continental Breakfast PLENARY SESSIONS 08:30 - 09:00 Keynote Speech Maj. General Edwin Ebert J-6 Assistant Chief of Staff (C4I) USA 09:00 - 10:00 "Information Warfare: Chaos on the Electronic Superhighway" Winn Schwartau, President and CEO, Interpact, Inc., USA 10:00 - 11:15 East Versus West: Military Views of Information Warfare Moderator: Robert Steele East: General Nikolai Ivanovich Turko, Information Warfare Russia West: US - Gen. Jim McCarthy USAF (Retired) 11:15 - 11:45 Sponsored Break 11:45 - 13:00 Information Warfare or Information in Warfare? Support for Conventional War Fighting Moderator: Winn Schwartau Panel: Russia: Admiral Vladimir Semenovich Pirumov (Retired) Chairman of Scientific Counsel of the Russian Security Counsel Sweden: Navy Captain Bo Wallendar UK: Captain Patrick Tyrell, Assistant Director, Information Warfare Policy, Ministry of Defence 13:00 - 13:30 Dealing with Internet Intruders in Emergency Mode: An IBM Perspective Peter Streibelt, IBM Europe Program Manager for Advanced Networking and Internet Emergency Response 13:30 - 14:30 Lunch BREAKOUT SESSIONS 14:30 - 16:00 Breakout One: Defending Against the Internet: The Threat to European Civil Prosperity Moderator: Mich Kabay, Klaus-Peter Kossakowski, DFN-CERT, Univ. of Hamburg, Germany Christopher Klaus, CEO and Founder, Internet Security Systems, US Peter Streibelt, IBM Europe Breakout Two: "Paradigm Shift" Moderated by: Winn Schwartau Dr. Phillipe Beaumard, University of Paris, France Colonel George Dunlop, USAF 16:00 - 16:30 Sponsored Break PLENARY SESSION 16:30 - 18:00 "Hackers: National Resources or Merely Cyber-Criminals?" Co-Moderators: Mich Kabay, Ph.D., Director of Education, NCSA and Robert Steele, President, OSS, Inc. Rop Gonggrijp - Hactic and The Digital City, Amsterdam, Andy Mueller-Maguhn, CHAOS Computer Club Germany "Frantic" - Anthony C. Zboralski - Convicted French Hacker 18:00 - 21:00 Hosted Reception 21:00 - 23:00 Self-paid Dinners for "Birds of a Feather." Rallying points will be provided. May 24, 1996 07:00 - 8:30 Sponsored Continental Breakfast 08:30 - 9:00 Keynote Speech "Efforts to Maximize Information As New Age Weapon" General Pichot-Duclos, France PLENARY SESSIONS 9:00 - 10:00 "Creating Smart Nations Through National Information Strategies: Intelligence And Security Issues" Robert David Steele, President, OSS, Inc. US 10:00 - 11:15 "The Convergence of Military and Commercial Vulnerabilities" Moderator: Winn Schwartau Panel: Bob Ayers, Chief IW Division, DISA, Department of Defense, US Captain Patrick Tyrell, Assistant Director, Information Warfare Policy, Ministry of Defence, United Kingdom 11:15 - 11:45 Sponsored Break 11:45 - 13:00 Societal Impact of Information Warfare Moderator: Winn Schwartau, Panel:The Croatian View: Pedrag Pale, Chairman of the InfoTech Coordinating Committee, Ministry of Science, Technology, and Informatics Dr. Ken Dark, Fellow, University of Camabridge, UK 13:00 - 13:30 Sponsored Luncheon Presentation 13:30 - 14:30 Special Luncheon Presentation BREAKOUT SESSIONS 14:30 - 16:00 Breakout One: Legislation & Personal Privacy: A Global Electronic Bill of Rights? Dr. Mich Kabay, Director of Education, NCSA Simon Davies, Electronic Privacy International, UK Dr. Leroy Pearce, Senior Technical Advisor, representing MajGen Leech, Asst. Deputy Minister of Defence Information Services, Canada Breakout Two: "Industrial Espionage: An Update" Moderator: Robert Steele Maurice Najman, Television Coorespondent, France Miguel Chamorro, Exec. Director, Interpol (invited) UK, Arish Turle, Kroll Associates 16:00 - 16:30 Sponsored Break PLENARY 16:30 - 18:00 Defining War in the Information Age "The New National Security" Brief comments by Winn Schwartau and Robert Steele - and then a lively interactive audience debate. 18:00 - 18:10 Closing Comments 18:00 - 20:00 No-Host Reception For complete schedules, and information on InfoWarCon IV (Europe) MAIL OR FAX OR EMAIL: National Computer Security Association 10 South Courthouse Avenue Carlisle, PA 17013 Phone 717-258-1816 or FAX 717-243-8642 EMAIL:conference at ncsa.com To obtain the latest edition of this program, send EMail to: euroinfowar at ncsa.com For more information about NCSA: WWW: http://www.ncsa.com CompuServe: GO NCSA Email: info at ncsa.com Sponsorships for various InfoWarCon (Europe) 96 events are still available. To Find out how to sponsor portions: Contact Paul Gates at the NCSA: pgates at ncsa.com To reach: Winn Schwartau: winn at infowar.com Robert Steele: ceo at oss.net V 1.19/3.11.96 SH Peace Winn Winn Schwartau - Interpact, Inc. Information Warfare and InfoSec V: 813.393.6600 / F: 813.393.6361 Winn at InfoWar.Com From jamesd at echeque.com Fri Mar 29 19:07:44 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Sat, 30 Mar 1996 11:07:44 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <199603291652.IAA10994@dns2.noc.best.net> On Thu, 28 Mar 1996, jim bell wrote: > > Escrowing encrypted keys makes them useless to subpoena, and in > > fact it helps the key owner because the escrow agent can (and, in fact, > > must!) be obligated to inform the key owner if his key is requested. At 05:49 AM 3/29/96 -0500, Black Unicorn wrote: > I thought I would take the time to let everyone know that this is > baseless as well. Most jurisdictions forbid third parties to reveal > prosecution inquries to the principal for which they are holding > documents or other information. A VERY few have laws on the books that > require this disclosure. Switzerland is no longer one of them. If you had actually read the article that you criticize you would have noticed that the "must" was enforced by cryptographic protocols, not by the blunt sword of the law. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From declan+ at CMU.EDU Fri Mar 29 19:23:00 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sat, 30 Mar 1996 11:23:00 +0800 Subject: Open letter from the Congressional Internet Caucus In-Reply-To: <315C21A7.37BF@hr.house.gov> Message-ID: ---------- Forwarded message begins here ---------- Date: Fri, 29 Mar 1996 09:45:11 -0800 From: Congressional Internet Caucus Organization: U.S. House of Representatives X-Mailer: Mozilla 2.0 (Win16; I) Mime-Version: 1.0 To: fight-censorship+ at andrew.cmu.edu Subject: Open letter from the Congressional Internet Caucus To the Internet Community at-large, Finally, there is something that both Democrats and Republicans can agree on -- it is time to get Congress on-line for the 21st Century. Over the past few years, the Internet has changed the way we communicate, do business and educate our children. Millions of people log-on to the Internet each day to send and receive information. And this new medium has created thousands of new jobs in our nation's economy. As more and more people go on-line and as the Internet becomes a greater part of our daily lives, new questions arise about how to deal with this new medium. Members of Congress are having to make policy decisions on Internet issues that will impact our future. What role, if any, will the federal government have in developing the Internet? How will Congress respond to Internet-related issues? From encryption to indecency, copyright protection to universal service, Congress will need to make prudent public policy decisions about a medium that presents such enormous opportunities for all Americans. Congress must not make these decisions without the full understanding of and familiarity with the Internet. The Internet will also transform Congress and the government. From communicating with constituents to making government documents available on-line, we need to move into the Information Age NOW. Members of Congress need to use the Internet. To solve some of these problems, we are forming the Internet Caucus: a bipartisan, bicameral group of members with diverse viewpoints. What we share is a mutual concern for promoting the Internet. We will not just talk the talk. Caucus members will walk the walk into cyberspace by signing a pledge to 1) educate themselves about the Internet, 2) get on-line, 3) and educate other members about the Internet. The caucus will also serve as a clearinghouse of information for the public and other offices about Internet related issues. With the assistance of an advisory committee comprised of public interest groups, industry, and respected experts on the Internet, members will discuss and debate policy options. We look forward to getting your input on the many issues before Congress. See you on-line! Sincerely, Congressman Rick White http://www.house.gov/white/ Senator Patrick Leahy http://www.house.gov/~leahy Congressman Rick Boucher http://www.house.gov/boucher/welcome.htm Senator Larry Pressler http://www.senate.gov/senator/pressler.html Speaker Newt Gingrich mailto:georgia6 at hr.house.gov Congressman Jack Fields Congressman Edward Markey Congressman Mike Oxley http://www.house.gov/oxley/welcome.html Congressman Christopher Cox Congresswoman Anna Eshoo http://www-eshoo.house.gov/ Congressman Bob Goodlatte mailto:talk2bob at hr.house.gov Congressman Tom Campbell mailto:campbell at hr.house.gov Congressman Robert Walker http://www.house.gov/walker/welcome.html Congresswoman Jennifer Dunn mailto:dunnwa08 at hr.house.gov Congressman Vern Ehlers http://www.house.gov/ehlers/welcome.html Senator Slade Gorton http://www.senate.gov/senator/gorton.html Senator Conrad Burns http://www.senate.gov/~burns Senator Ron Wyden http://www.senate.gov/senator/wyden.html Congressman Sam Farr http://www.house.gov/farr/welcome.html Congressman Bill Luther http://www.house.gov/luther/welcome.html From ses at tipper.oit.unc.edu Fri Mar 29 19:23:44 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sat, 30 Mar 1996 11:23:44 +0800 Subject: Canada's ISO standards body? In-Reply-To: Message-ID: On Thu, 28 Mar 1996 s1113645 at tesla.cc.uottawa.ca wrote: > Speaking of which, could someone tell me who Canada's standards body and > rep to the ISO is (and if that's where I've gotta go to get my hands on X.509 > and all those other X.docs.). Any addresses would be helpful too. Try www.itu.org (X. series docs come from the ITU, not ISO. Same text though). I don't think v3 has been balloted yet - that gives you a chance to explore one of the more amusing twists of OSI standardisation- you can get copies for free of most drafts from the editor right up until it gets standardised. Silly, isn't it. Simon ---- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From jimbell at pacifier.com Fri Mar 29 20:51:38 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 30 Mar 1996 12:51:38 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: At 05:49 AM 3/29/96 -0500, Black Unicorn wrote: >On Thu, 28 Mar 1996, jim bell wrote: > >> Escrowing encrypted keys makes them useless to subpoena, and in >> fact it helps the key owner because the escrow agent can (and, in fact, >> must!) be obligated to inform the key owner if his key is requested. > >I thought I would take the time to let everyone know that this is >baseless as well. Most jurisdictions forbid third parties to reveal >prosecution inquries to the principal for which they are holding >documents or other information. A VERY few have laws on the books that >require this disclosure. Switzerland is no longer one of them. As usual, Unicorn is FOS. Not entirely in his facts, but in his conclusions. To "forbit third parties to reveal prosecution inquiries" is an obvious violation of freedom of speech, and in fact is PRIOR RESTRAINT. Maybe Unicorn can't see what's wrong with that, but I can. It is unclear whether this has ever been tested in court, or whether that test occurred recently. Now, in practice I recognize that in the past large organizations which are subpoenaed usually comply with requests to keep an inquiry secret, but one of the effects of the "crypto revolution" and the "net revolution" is clearly to decentralize information power from the places it used to be carefully kept (IBM, ATT, etc) and is now distributing it among many more, far smaller organizations which are much closer to the people the prosecutors might be inclined to target. (for example, your friendly neighborhood ISP). Furthermore, the development of good encryption will allow a willing ISP (for example) to send an encrypted (and possibly semi-anonymous) message to the target of the investigation (or possibly a public USENET area, unaddressed), containing a pre-arranged alarm code to be sent to the target of the investigation, in such a way that any other people (for example, the brainless cops) won't know. The target will be assured (though encryption and signing, or prior arrangement) that the message could only have originated from the contractor (ISP) but the target (and nobody else, as well) will not be able to prove this knowledge to a third party. For example, if I ask my ISP to send me an anonymous, encrypted message with the word, "Rosebud" in it to me if he receives any requests to tap my connection, he can do so with no fear of being discovered, because no third party can decrypt the message, know who is is from, or know the real meaning of the word, "Rosebud" in the context of an encrypted, anonymized message. Further, since the whole thing is by pre-arrangement, even I cannot prove (to the satisfaction of a third party) that the message really meant what I would interpret it to mean. The message is useful to me, as a warning, but it could never turn around and "bite" the ISP. The end result is that your foolish opinion of what the law allows will simply become irrelevant: The government cannot mandate what it cannot enforce, and it cannot enforce what it cannot detect. You may ask, "Why would the operator of a small ISP want to take even a minor risk informing the target of the investigation?" There are a number of obvious answers: 1. He's promised his customer to do so. 2. It's in the contract. 3. And the ever-popular, "He's afraid of getting killed, or his ISP business torched, if word later leaks out that he failed to inform his customer of an investigation." Don't underestimate the significance of such a risk to those people. Destruction of even a full phone switch would not have fazed ATT in the 1960's, but a small ISP depends on valuable equipment at (presumably) a single location. Getting a person mad at them for failing to anonymously inform them of an inquiry would NOT be the best tactic for these small-time operators. >Even if a judge was convinced by the defense not to levy heavy fines >against a third party who pleaded that he or she was simply unable to >comply, informing the principal would literally assure such fines would >be imposed regardless. Again, you assume that informing "the principal" would be detectable. Your wishful thinking is palpable. I really wish you'd be able to distinguish what "the law" could do, given limitless knowledge of the actions of the population, and the REAL WORLD, in which those judges and prosecutors and cops are limited in what they can do by what they can know. This is critical, because we are rapidly approaching a time in which what these people know will be dramatically limited by many of the technologies regularly discussed on Cypherpunks. >Criminal charges of obstruction could easily attach. Bullets could easily fly. You repeatedly state what might, hypothetically, happen, but you don't back it up with a realistic assessment of what actually would _likely_ happen. > Obstruction in connection with narcotics cases or other major >felonies are generally extraditable offenses as well. Someday, obstruction of the Constitution by government agents will be a death-penalty crime. >Once again Mr. Bell pulls legal analysis out of his rectum rather than >basing it in fact or research. > >With Mr. Bell as a defense attorney, who needs prosecutors? If I intended to limit myself to the tools of the court room (that's the enemy's playpen, BTW) I would probably be just as ineffective as the next defense attorney. I've frequently found that the question of who wins in any confrontation is strongly affected by whether I allow myself to be lured into the home territory of the other. This is actually more a psychological battle than a physical one. You obviously believe that the cops and judges can frequently win, if they are able to control the location of the battle; this is true, but it ignores the fact that "the legal system" is generally an 8-hour-per-day, 40-hour-per week system. Going outside the system and attacking directly bypasses all the rules and restrictions which are set up to allow THEM to win. This may sound unfair to people brainwashed to believe that the court system is and should be the final arbiter, but I suggest that long ago they lost whatever moral authority they once might have had. Every time you talk about them fining or prosecuting some third party for not cooperating, you demolish your own claims. Jim Bell jimbell at pacifier.com From jya at pipeline.com Fri Mar 29 22:19:13 1996 From: jya at pipeline.com (John Young) Date: Sat, 30 Mar 1996 14:19:13 +0800 Subject: POT_ktl Message-ID: <199603291247.HAA12258@pipe1.nyc.pipeline.com> 3-29-96 NYT reports on the Montana Freemen's competition with the USG: printing money and fostering free market brigandry; building arsenals for terrorizing the weak and suppressing dissent; amassing national security treasure for the protection of the people; and PC education to boot. The USG, looking in the mirror, says such actions are a criminal conspiracy, a "school for crime." POT_ktl From jimbell at pacifier.com Fri Mar 29 22:20:33 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 30 Mar 1996 14:20:33 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: At 05:32 AM 3/29/96 -0500, Black Unicorn wrote: >On Thu, 28 Mar 1996, jim bell wrote: > >> At 03:46 PM 3/28/96 -0500, Black Unicorn wrote: >> >Given the significant contempt charges that can follow a refusal to >> >produce items (anonymous or not) this still depends on the absence of >> >initial detection. >> >> You clearly don't understand. You're making the ASSumption that the >> organization keeping the keys can produce them in a form that is "useful" to >> the cops. Escrowing encrypted keys makes them useless to subpoena, and in >> fact it helps the key owner because the escrow agent can (and, in fact, >> must!) be obligated to inform the key owner if his key is requested. > >You clearly don't understand. You are an ass making an assumption that a >court cares or believes that the witness can actually produce the >requested information or not. Fines tend to be imposed regardless. Bullets don't care that a judge was justified in his decisions, either. Ultimately, your repeated argument is simply, "The legal system can be abused by those who work in it." I don't challenge this claim, in fact my position depends on its truth; my assertion is that the current legal situation is out of the control of people faithful to the meaning of the Constitution, and has been so for a long time. One of the main reasons I promote a de-facto (and unofficial) death penalty for recalcitrant politicians and other government employees is because the traditional "checks and balances" system seems to no longer be working for the interests of the average citizen. >> And in any case, I consider it highly doubtful that anybody would contract >> with an escrow agent and identify himself by name > >The same way no one creates Panamanian companies with their own name. So >what? Third parties are still fined heavily. Any specific examples? No? I thought so! In any case, if "third parties" are "fined heavily," that is even more justification for setting up a method to deter out-of-control courts. Remember, freedom is always strongly disliked by authoritarian and totalitarian governments; you need to explain why the hypotheticals you're describing don't indicate that some emergency effort is needed. >>It would be a simple >> matter to operate "escrow agents," just glorified data-holders, who would >> receive data anonymously and send it out just as anonymously, to the person >> who can identify themselves via some sort of encrypted ID system. > >And simpler for courts to fine them out of existance (which happened to >several banks, trust companies and agents in Cayman and Panama. I guess you really don't realize that every claim you make demolishes the justification for your obvious hostility to a system which prevents exactly the kind of abuses you list. (Although it really isn't clear whether you would classify them as "abuses.") > Even >> "detecting" such a transfer is useless because the cops won't be able to >> figure out what the data is, since it's encrypted in both directions while >> being transferred, in addition to being encrypted while being held, with a >> code the escrow agent doesn't know. > >They need only suspect or have reason to suspect it might be exculpatory. _ ^^^^^^^^^^^ Sloppy word usage. I think you meant, "incriminating." Typical for you. >Practically speaking this means convincing a judge. Not hard when the >words "offshore holding company" are mentioned in a brief or hearing. > >> In short, you need to comprehend what you're responding to before you >> express your opinions. You're living down to my expectations. > >In short, go to law school, then try to talk about legal issues. In this day and in this country, "going to law school" is basically synonymous with "learn to get along with the current legal system." It should have been obvious long ago that I don't consider the current legal system to be worth living with. >> >> In fact, I suppose that government operation of the identification system >> >> (drivers' licenses, passports, etc.) in general is also horribly inefficient >> >> and should be attacked on efficiency grounds. >> > >> >You might not like what you get in response. Streamlined and uniform >> >identity documents generated at birth and renewed with tax filings would >> >be the likeliest efficiency improvement. An inefficient government >> >identification system is to the advantage of the privacy seeker. >> >> You seem to be ASSuming that an "efficient identification system" is one >> that will ALSO operate to the benefit of the government, as opposed to the >> individual who wants to be identified for only limited purposes. > >Without getting into semantics, and "efficient identification system" >implies one that identifies people efficently. Blocking government use, >or limiting it to certain circumstances is not efficiency. Only if viewed from the statist perspective, which I suppose is easy for you. An "efficient identification system" identifies me, efficiently, to anybody I _choose_ to be identified to, to whatever level of identification I choose to allow. Nothing more. Read Chaum's Sci Am article, carefully. From rollo at artvark.com Fri Mar 29 22:23:07 1996 From: rollo at artvark.com (Rollo Silver) Date: Sat, 30 Mar 1996 14:23:07 +0800 Subject: Let's *NOT* "Raise their Awareness" Message-ID: >>On Tue, 26 Mar 1996, David K. Merriman wrote: >>Yes, and some years ago a State legislature (I forget which) passed a >>resolution setting the value of pi at exactly 3. Well, this one has a grain of truth in it, but has drifted a bit in the telling. >From 's FAQ: T. *Indiana House Bill #246 of 1897 would've set pi=3.2. Killed in state Senate. Fb. Some state (e.g., KS, OK, etc.) once considered a bill setting pi = 3 (or some other arbitrary, non-transcendental number). Key to Listed FAQs: T = 100% scientific truth Tb = believed true, but not conclusively proven F = 100% falsehood Ft = A legend, mostly untrue, but with a true occurrence or known origin. Fb = believed false, but not conclusively proven There is a comment, "*", on certain lines in the FAQ. This indicates that there is further information on this point available via anonymous ftp. See the AFU anonymous ftp sites noted in Part I of the FAQ for more information. The four part FAQ for alt.folklore.urban is also available via anonymous ftp at rtfm.mit.edu. You can retrieve them by grabbing the following files: /pub/usenet/news.answers/folklore-faq/part1 /pub/usenet/news.answers/folklore-faq/part2 /pub/usenet/news.answers/folklore-faq/part3 /pub/usenet/news.answers/folklore-faq/part4 /pub/usenet/news.answers/folklore-faq/part5 Or heck, just do: /pub/usenet/news.answers/folklore-faq/part* Rollo Silver | e-mail: rollo at artvark.com | Artvark | Home page: http://www.artvark.com/artvark/ | PO Box 219 | Voice: 505-586-0197 | San Cristobal, NM 87564 USA | Compuserve 71174,1453 | =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-= From jimbell at pacifier.com Fri Mar 29 22:52:49 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 30 Mar 1996 14:52:49 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: At 04:54 PM 3/29/96 -0500, Black Unicorn wrote: >On Fri, 29 Mar 1996, jim bell wrote: >> >I thought I would take the time to let everyone know that this is >> >baseless as well. Most jurisdictions forbid third parties to reveal >> >prosecution inquries to the principal for which they are holding >> >documents or other information. A VERY few have laws on the books that >> >require this disclosure. Switzerland is no longer one of them. >> >> As usual, Unicorn is FOS. Not entirely in his facts, but in his >> conclusions. To "forbit third parties to reveal prosecution inquiries" is >> an obvious violation of freedom of speech, and in fact is PRIOR RESTRAINT. >> Maybe Unicorn can't see what's wrong with that, but I can. It is unclear >> whether this has ever been tested in court, or whether that test occurred >> recently. > >(Snore) How many cases do you want me to cite that hold that the >disclosure of an inquiry with the intent of evasion is conspiracy and >entails criminal charges? You _do_ have an odd way with words. "entails" criminal charges? Hey, they can charge ANYBODY with ANYTHING, but that doesn't mean that a crime has actually been committed. Further, it isn't clear that anybody is obligated to respond to a subpoena without the possibility of a court challenge, and your fantasy about the cops showing up and trying to strongarm the ISP is laughable at best. >Do you honestly think you can evade prosecution for suborning the >destruction of material evidence in a criminal trial? Who said anything about "destruction of material evidence"? Refusing to hand over information until AFTER a court has properly responded to a challenge to a subpoena is old hat to newspapers, TV stations, and other media-organizations who are occasioinally served with a subpoena. The ISP need merely say, I'm challenging this subpoena in court, go away motherfuckers! ISP prepares a challenge, "CC's" ALL the affected individuals, (including the person whose information is desired!), and the validity of the subpoena is tested. >Please. My feelings exactly. Please stop acting like a government suck-up all the time. Maybe you're paid to do it, but unless you're a plant, you're on your free time now. >> For example, if I ask my ISP to send me an anonymous, encrypted message with >> the word, "Rosebud" in it to me if he receives any requests to tap my >> connection, he can do so with no fear of being discovered, because no third >> party can decrypt the message, know who is is from, or know the real meaning >> of the word, "Rosebud" in the context of an encrypted, anonymized message. >> Further, since the whole thing is by pre-arrangement, even I cannot prove >> (to the satisfaction of a third party) that the message really meant what I >> would interpret it to mean. The message is useful to me, as a warning, but >> it could never turn around and "bite" the ISP. > >Unfortunately, by the time (in the case of domestic investigations, and >foreign investigations in more compliant jurisdictions) it gets to the >point where authorities are checking about, they will have walked into >the ISP and personally requested the information with subpoena in hand. Again, you blindly assume that the subpoena can't be challenged in court. It can be. >Perhaps the ISP with the nerve to destroy material evidence in the >presence of law enforcement exists, You keep inventing these phony scenarios, building up these straw men and knocking them down. Clearly, your underlying argument is quite weak. I said nothing about "destroying evidence." In fact, the ISP could simply encrypt everything with the target's public key, and keep it. That's not "destroying evidence," that's locking it away in such a way so that nobody except the target can unlock it. Ideally, this would be done automatically every time a person calls his ISP, although the software to do this probably doesn't exist yet. The result would be that whenever the target was NOT connected to the ISP, there would be no information on the ISP's system that could be decrypted by the ISP operator. This would be one of those inventive future uses of encryption, well beyond plain vanilla PGP, which we must assure ourselves will be developed. The kind of thing you dread, obviously. >but I sincerely doubt this ISP will >escape serious prosecution for doing it. I sincerely doubt Unicorn will ever stop being a government suck-up. > At the very least the employees >of the ISP will have knowledge of this practice. Unless it's a single >person run ISP, I doubt you're going to be able to keep everyone from >testifying. What you propose is a crime in the United States, and in >many foreign jurisdictions. If an ISP's system automatically encrypts all received message's with the destination's public key when received, and doesn't keep an unencrypted copy around, showing up at that ISP's location with a warrant will result in ZERO (ZIP, ZILCH, NEGATORI, etc) information that can be delivered, unencrypted, to the cops. >> The end result is that your foolish opinion of what the law allows will >> simply become irrelevant: The government cannot mandate what it cannot >> enforce, and it cannot enforce what it cannot detect. > >I have often noted that the best defense is the lack of detection in the >first place. No, an even better defense is to make it absolutely impossible, as a matter of business practice, to assist the police with any kind of an investigation. Before you go off and shoot your mouth off about how evil and bad that is, you need to remember that regular destruction of records is an acceptable practice in any company today. While courts will look askance at it when it does not appear to be a regular business practice (say, the company gets sued today and they have a mass shredding tomorrow) there is nothing wrong about regularly making past records unavailable by shredding, burning, erasing, or by any other method. Making those records SELECTIVELY unavailable by encrypting them with somebody else's public key and keeping them has probably never been tested in court, but if the business contracts this ISP regularly signs have this as a provision of doing business, the court can't squawk after the fact. After all, the ISP might have simply erased the files, keeping them from being accessed by ANYBODY, including their "owner." > Unfortunately this is the oft denounced "security through >obscurity." Look, I know it's fun to imagine you can thwart the >authorities with impunity within the United States. Hey, you can FREQUENTLY "thwart the authorities." If I have evidence of a crime in my house, the cops can't come in unless they have a warrant. If I know they're coming, and can destroy it untraceably, I WIN! See, that's how freedom works! It's nearly the exact opposite of "the government can do anything it wants, any time it wants, and anybody who frustrates them is a criminal!" Naturally, you won't like this. >Unfortunately it is >a fantasy. The system you propose requires someone to be present in the >ISP 24 hours a day. It requires some method of getting word to the >operator who will trigger the alarm both that an investigation is >looming, and who it entails. It requires someone to talk to the >authorities and stall them while the message is sent. It requires you to >be sitting at the screen when the message is received (perhaps this isn't >a problem for Mr. Bell), or to get home before the law enforcement >officials get a 2 hour warrant and open your door. Yet another one of your multiple problems is that you have no imagination when it comes to "thwarting the authorities." I do. Don't try to tell me what can't be done, because I'll turn around and tell you how it CAN be done! I just did. The actual implementation waits for some slick coder to do it, but I give you 5 years, tops, before it's in regular usage. And that's assuming they're all a bunch of lazy bastards. >> 3. And the ever-popular, "He's afraid of getting killed, or his ISP >> business torched, if word later leaks out that he failed to inform his >> customer of an investigation." > Don't underestimate the significance of such >> a risk to those people. Destruction of even a full phone switch would not >> have fazed ATT in the 1960's, but a small ISP depends on valuable equipment >> at (presumably) a single location. Getting a person mad at them for failing >> to anonymously inform them of an inquiry would NOT be the best tactic for >> these small-time operators. > >Your last resort in all of your arguments seems to be murder, extortion, >the threat of bodily harm, arson or assault, or destruction of private >property. A list which seems to be the current modus operandi of most levels of government in America, today. In any case, I think it's fair to hold an ISP to his word and contract. If the "normal" referee to such contracts (the court system) becomes biased because it begins to be an interested party to the enforcement of the contract terms, then bypassing that court system is unavoidable and is entirely appropriate. You won't like this, either. >> >Even if a judge was convinced by the defense not to levy heavy fines >> >against a third party who pleaded that he or she was simply unable to >> >comply, informing the principal would literally assure such fines would >> >be imposed regardless. >> >> Again, you assume that informing "the principal" would be detectable. Your >> wishful thinking is palpable. > >No. I speak from experience when I say that "proof" of complicity is >rarely a requirement. The judge need only suspect wrong doing. It's >easy to levy contempt fines, and very hard to overturn them. It's easy to kill, and hard to resurrect the dead. >The >standard in most jurisdictions is "clearly erronious." Tough stuff. Yes, I'd say you're "clearly erronious." If you can repeatedly describe, in nominally accurate terms, how abusive the government has become and NOT oppose its actions with every fiber in your being, then YOU have made yourself part of the problem. > >> I really wish you'd be able to distinguish >> what "the law" could do, given limitless knowledge of the actions of the >> population, and the REAL WORLD, in which those judges and prosecutors and >> cops are limited in what they can do by what they can know. This is >> critical, because we are rapidly approaching a time in which what these >> people know will be dramatically limited by many of the technologies >> regularly discussed on Cypherpunks. > >Unfortunately, fines and penalities are imposed every day based on >assumptions by the trier of fact. Go watch a major court case some time. You still haven't given me specific examples. >> Bullets could easily fly. > >And will. I've seen this happen. Trustee refuses to produce documents, >court imposes compelled discovery, documents burn or are lost or have been >stolen, trustee (who can be assigned no direct evidence of complicity) is >fined heftily. A case I was not personally involved in saw the judge >jail the trustee for 4 months. That's not what I'm referring to. Judges are mortal. If they abuse the sense of propriety of the average indidivual, they SHOULD be removed, by legal methods if possible, by other methods if not. Remember that prosecutor who died in Boston a few months ago? You know, the one who made the national news? I'm still waiting to see how that one came out, but I suspect they will never be able to prove who did it, and may not even be able to find out. >> >With Mr. Bell as a defense attorney, who needs prosecutors? >> >> If I intended to limit myself to the tools of the court room (that's the >> enemy's playpen, BTW) I would probably be just as ineffective as the next >> defense attorney. > >So again, we see Mr. Bell in his basic form. Violent offender. He will >obtain by force that which he cannot argue into his hands. Except that in a court room, the decision maker is PAID by a party to the case, the government. That sounds like a classic conflict of interest to me. What's the old rhyme, "Treason doth not prosper, what is the reason? Where treason does prosper, none dare call it treason." Jim Bell jimbell at pacifier.com From unicorn at schloss.li Fri Mar 29 22:56:37 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 30 Mar 1996 14:56:37 +0800 Subject: Councilman/Usenet porn case... In-Reply-To: <315AB3E4.41B6@rgalex.com> Message-ID: On Thu, 28 Mar 1996, Vincent S. Gunville wrote: > Here is an example of what anonymous remailers can > do....... [...] You need to start reading the material you use to support your positons: Especially this paragraph. > > But here's a reality check. The Finnish remailer could not have been > > used, since anon.penet.fi no longer transmits binary image files. > > Jerry Russell, who runs Florida Online and who looked into the case, > > says he figures the whole thing was a relatively simple prank called a > > sendmail spoof, in which the prankster posts a message with a phony > > return address. He says the Willowick police never produced a copy of > > the posting for him so that he could unravel the tangle for them. > > Indeed, when the policeman called, "he didn't really understand what > > he was trying to tell me," says Russell. "The average Joe Blow police > > detective doesn't know flip about the Internet." > -- > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= > |Vincent S. Gunville > |Robbins-Gioia > |209 Madison St Email vingun at rgalex.com > |Alexandria, Va 22314 > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From maldrich at grctechs.va.grci.com Fri Mar 29 22:57:22 1996 From: maldrich at grctechs.va.grci.com (Mark Aldrich) Date: Sat, 30 Mar 1996 14:57:22 +0800 Subject: PPV Descrambler In-Reply-To: <315AE567.7405@mail.interconnect.net> Message-ID: On Thu, 28 Mar 1996, Dan Nikolai wrote: > > This is cypherpunks. Not Cable-TV-Piracy-Punks. > > > > Dave Merriman > "This is cypherpunks. Not Cable-TV-Piracy-Punks." > > Cable-TV-Piracy-Punks? Who's this guy? I asked for a text file (for > informational purposes of course). Oh and David K. Merriman, PPV is > not on cable. PPV sure is on cable. We get five or six channels of the crap pumped in over the cable in my neck of the woods. You call a six digit telephone number, it ANI's you to your account records, and then tweaks the 'key' into your box for the duration of the show. End of the month, you get a bill for the program. That's what us country folks call "pay per view." Maybe you're looking for Satellite-Dish-TV-Piracy-Punks or Small-Dish-Digital-TV-Piracy-Punks? They're up the corner, around on the left - can't miss 'em. ------------------------------------------------------------------------- | Liberty is truly dead |Mark Aldrich | | when the slaves are willing |GRCI INFOSEC Engineering | | to forge their own chains. |maldrich at grci.com | | STOP THE CDA NOW! |MAldrich at dockmaster.ncsc.mil | |_______________________________________________________________________| |The author is PGP Empowered. Public key at: finger maldrich at grci.com | | The opinions expressed herein are strictly those of the author | | and my employer gets no credit for them whatsoever. | ------------------------------------------------------------------------- From ses at tipper.oit.unc.edu Fri Mar 29 23:01:06 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sat, 30 Mar 1996 15:01:06 +0800 Subject: NOISE: Scriveners Attack C-Punks In-Reply-To: <199603290008.QAA11067@get.hooked.net> Message-ID: [unsubscrive commentary] This is cypherpunks- cypherpunks have colds. --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From unicorn at schloss.li Fri Mar 29 23:02:28 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 30 Mar 1996 15:02:28 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: Message-ID: This will be my last comment on this thread. Mr. Bell is beginning to lapse into the "yadda yadda yadda" phase. Constructive progress becomes nil at this point typically. On Fri, 29 Mar 1996, jim bell wrote: > At 05:06 PM 3/29/96 -0500, Black Unicorn wrote: > >> Ultimately, your repeated argument is simply, "The legal system can be > >> abused by those who work in it." > > > >I wouldn't call fines imposed on a third party who clearly was complicit > >in the destruction of material evidence to a proceeding "abuse." > > Since you keep inventing these straw men and knocking them down, it is > really questionable whether you have any kind of good judgment as to who is > "clearly complicit in the destruction of material evidence." My judgment is not important. What I have seen courts do is. > It would be far more effective and credible if you would at least admit that > not every action by a third party which has the effect of frustrating some > court is actionable. The simple action of FAILING to store information that > may later be wanted by the officials is an excellent example, for instance. I never claimed anything so broad. I pointed out that the examples you gave (tipping off the offender that he was being investigated, creating provisions to destroy or otherwise make unavailable evidence material to a criminal or civil investigation), were going to have to confront these problems. > > Naturally, you won't like this either. And you certainly won't want > to rise to my challenge and draw a distinct line, because that would put > you to your proof, and you have none. Mostly because there is no distinct line. You make your argument to the judge, he makes his ruling based on his perceptions and bias. Sometimes you win, sometimes you lose. When "offshore holding agent" or "trustee" is mentioned in the context of "unavailable" evidence, judges are not very patient. Of course, your only response to this is "so kill them." Unfortunately, in the absence of your system, that's not much of an option. > >Yadda yadda yadda. > > What?!? you don't have a better response to this? I don't talk to feces on the sidewalk either. > >Sure, several. See my large note on the subject of asset protection. > > Well, you're trying to change the subject. It's "escrow agents." And the > question is, "must an escrow agent always know the identity of the people > for whom the information is kept." The simple answer, invoking existing > software technology, is, "no." No, that's not the question. This question you just invented. The question was, and specifically in reference to your "rosebud" tip-off scheme, can an escrow agent warn the principal of an impending investigation with the intent of facilitating the destruction or diversion of material evidence. Of course, having this scheme debunked forced you to alter the facts, yet again, to favor you. > So now you need to explain why courts are going to be able to force a > third-party to give what he doesn't know he has, and in fact nobody else > knows either. You'll fail at this task, of course, because the answer is > not politically correct by your standards. Again, you have to convince the judge of all this, and even if it is true, he doesn't have to buy it, can still impose fines, and can still jail the third party until he is convinced he/she is either telling the truth, or is very determined no to release the information at any cost to self. Even if you can show that the third party is faultless, the principal is probably going to suffer the same fate. > >My hostility is for a system that allows mob mentality and murder run the > >streets like a bad day in Beruit. > > A position which fails to do anything about the current problems in society. The only way to do anyhting about the "current problems" in society is to kill and threaten? Move to East Turkey. > Show me that my solution is worse than the status quo, and you'll have a > point. Until then, you're just a complainer. Considering it combines the tyranny of the majority with the tyrrany of the minority and provides both with sovereign powers to sentence individuals to death arbitrarily.... I'll leave the rest to the reader. > >Actually I should have said "material." > > Still sloppy. Classic Unicorn. Pay me my hourly rate and I will be happy to copy-edit everything I post. For legal work involving international transactions or compulsary jurisdiction issues that tends to run $200-$300/hr. > >I don't much like the system in the United States either. But there are > >two ways around it. Ways that work, and ways that don't. > > There are not ONLY "two ways around it." There are also clearly "ways that > Unicorn likes" and "ways Unicorn doesn't like." I admit that ways that I don't like may work. Your's wont. > >Encouraging random murder and mob justice is, in my view, in the second > >field. > > I've never encouraged "random murder." Quite the opposite: It would be far > more accurate to say that I encourage VERY SELECTIVE killing. It is not, > however, GOVERNMENT SPONSORED killing, which is why you won't like it. Encouraging selective murder and mob justice is, in my view, in the second field. You know, if Mr. Bell turned out to be L.D., he'd be violating our settlement agreement. > Jim Bell > jimbell at pacifier.com --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From abc at gateway.com Fri Mar 29 23:03:50 1996 From: abc at gateway.com (Alan B. Clegg) Date: Sat, 30 Mar 1996 15:03:50 +0800 Subject: Mailing lists moving site! (list outages may occur) Message-ID: The physical and network location of the machine doing mail service for gateway.com will be moving some time around March 31/April 1. Hopefully, service will not be interrupted for more than about 3-4 hours, but I can't promise anything (the system will be moving to my side of an ISDN circuit instead of living on-site with one of my clients). This move will affect the following mailing lists: bsdi-users bsdi-users-d cypherpunks-d unix-lizards There may also be an impact on other lists as routing for the gateway.com domain is moved from its current 192.x.x.x network to a CIDR block under another provider. The other lists involved will be: bsdi-isps cheapnet humor xconq Sorry about this, but over-all, service will be better after the move (I will once again, be the master of my network's destiny [or something like that]) -abc \ Alan B. Clegg Just because I can \ Network Technologist does not mean I will. \ gateway.com, inc. \ From tcmay at got.net Fri Mar 29 23:04:15 1996 From: tcmay at got.net (Tim May) Date: Sat, 30 Mar 1996 15:04:15 +0800 Subject: Electronic locksmiths are watching you (Belgium's ban on PGP) Message-ID: <199603300202.SAA18349@you.got.net> This seems like an interesting glimpse into the future of crypto banning around the world. France's ban on unapproved crypto has been well-publicized, but I hadn't heard until this message that Belgium has joined in. The reference to Belgium's wiretap law and "But little-known sections of the law state that all cryptograhic systems aimed at protecting privacy must not block these wiretaps" suggests that we ought to look _very_ closely at our own Wiretap Act (aka Digital Telephony) for similar language. (Many of us thought at the time DT was being debated--both weeks of the public debate--and then when it was passed that things would get real interesting when the "central office wiretappability" vanished with end-to-end encryption. Louis Freeh even said as much, that the issue of end-to-end encryption would have to be addressed once the Digital Telephony Act was passed.) With Internet phone systems (various) and easy integration of PGP, a la PGPhone, even the Little Italy businessmen may start to use encryption. Likewise, there are currently no laws (that I am aware of) forbidding encrypted telephones--indeed, the Clipper phones were just this, and they were available for general purchase. Granted, the gubment knew the algorithm and there _may_ (emphasis on the "may") have been backdoors allowing easy wiretapping. But there was no key escrow per se. So, when the $500 M to make digital switches "compliant" with DT is spent (and bear in mind it hasn't been allocated yet by Congress, to the best of my knowledge), and yet some future John Gotti is untappable because he's using Eric Blossom's crypto phone, what then? Anyway, here's the item about Belgium's law: > From: Jerome Thorel > Newsgroups: talk.politics.crypto,alt.privacy,alt.security.pgp > Subject: Electronic locksmiths are watching you (Belgium's ban on PGP) > Date: 26 Mar 1996 00:08:44 GMT ... > > Some hot news about Belgium: > > After reports in two Belgian newspapers (De Standaart and Le Soir), it > turns out that Belgium had passed a law in late 1994 that formerly bans > "non approved" encryption systems. This means that France is not alone > to block domestic use and distribution of strong encryption systems, > since a December 1990 law which came into effect in France in early > 1993. > > In its March 13 edition, French-speaking newspaper Le Soir ran a whole > page survey about the fact that a 21 December, 1994 law oblige the > telecom state-own company Belgacom to make any wiretap possible for law > enforcement purposes. But little-known sections of the law state that > all cryptograhic systems aimed at protecting privacy must not block > these wiretaps. Crypto systems have to be "agreed" by the government's > Institut Belge des postes et telecommunications (IBPT). The author of Le > Soir's article, Alain Guillaume, speculates that this "agreement" means > that encryption keys must be kept by IBPT. > > "The idea is neither new nor surprising," Guillaume writes. "To stop > criminals from hiding. (...) But does anyone believe that mafia gangs, > crooks or terrorists will let their keys to IBPT's hands?" > > =+= France enthrone key escrow =+= > > At the same time, France is keen to give up his isolationist position. > French telecom Minister Fran�ois Fillon has prepared a kind of Telco Act > "� la francaise" -- new regulations to prepare the end of France Telecom > monopoly in 1998 -- in which encryption would be freed to allow the > emergence of "efficient electronic commerce". Under the new rules, > special "authorization" will no more be needed to use PGP-like tools, > but every user would be obliged to let their keys in custody in > so-called "trusted third parties" (TTPs) agencies, a kind of "electronic > locksmith", or notary, alternative. The option smells quite the same as > Sen. Leahy bill (Encrypted Communications Privacy Act of 1996, archived > at http://www.epic.org/crypto/legislation/s1587.html), in which escrow > agents would hold keys to help the police, with a court order, to > intercept communications. > > In France no one knows who will play the role of "key escrow agent", but > sources said it may be some independent agencies. Independent? The > governement will anyway have to approve them, and Mr Fillon said France > will enthrone its first TTP "before the end of this year". > > This bulletin and the British weekly Nature discovered last November > that a group of 18 European nations were soon to adopt this alternative > (http://www.freenix.fr/netizen/chiffre /nature-eurottp.html). The UK and > Germany have declared themselves ready for such an alternative (see > lambda bulletin 1.06). Belgium, with its new iron bullet, would be keen > to follow. > ------------------------------ > Jerome Thorel. Free-lance reporter, Paris > netizen's lambda bulletin (issue 2.05) > http://www.freenix.fr/netizen/ From cme at cybercash.com Fri Mar 29 23:08:42 1996 From: cme at cybercash.com (Carl Ellison) Date: Sat, 30 Mar 1996 15:08:42 +0800 Subject: Random Number Testing Message-ID: At 01:34 3/29/96, Deranged Mutant wrote: >> - Is this apparent entropy really *unpredictable* (the most useful >> definition of "random" for cryptographic purposes)? > >Good question. You'd need to look for patterns. Barring none, you'd >have to guess the factors that lead to the entropy, and then see if >there's a way to reverse-engineer it. (Perhaps use a stripped down >system and build it up, or disable some of the hardware and OS >features etc.) There's more to unpredictability than patterns or their absense. In addition, you have to look at the ability of anyone else on the same machine to learn things about the data you're gathering and subtract the entropy of that commonly available data. +--------------------------------------------------------------------------+ |Carl M. Ellison cme at cybercash.com http://www.clark.net/pub/cme | |CyberCash, Inc., Suite 430 http://www.cybercash.com/ | |2100 Reston Parkway PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 | |Reston, VA 22091 Tel: (703) 620-4200 | +--------------------------------------------------------------------------+ From jamesd at echeque.com Fri Mar 29 23:11:47 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Sat, 30 Mar 1996 15:11:47 +0800 Subject: Edited Edupage, 24 March 1996 Message-ID: <199603291625.IAA09564@dns2.noc.best.net> Perry E. Metzger wrote: > 2) I strongly hope that Netscape tries to move the product towards > standards based mechanisms like the IETF's RTP protocol, which are > in widespread use, Unfortunately RTP is not a crypto protocol, and does not have a standardized encrypted form. Therefore any encrypted protocol is necessarily proprietary and non standard, unless Phill Zimmerman has published a standard. If Netscape creates a standard for encrypting RTP, and publishes it, that will be a move towards a standard, not a move away from a standard. One mechanism for encrypting RTP would be to construct a shared secret key by DH exchange, or Rabin if one wished to dodge patents, construct a cryptographically strong pseudo random data stream from the key, using Ron's code, and for each RTP packet, encrypt using a block from that data stream as the packet key. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jimbell at pacifier.com Fri Mar 29 23:34:26 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 30 Mar 1996 15:34:26 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: At 05:06 PM 3/29/96 -0500, Black Unicorn wrote: >On Fri, 29 Mar 1996, jim bell wrote: > >> At 05:32 AM 3/29/96 -0500, Black Unicorn wrote: >> >On Thu, 28 Mar 1996, jim bell wrote: >> > >> >> At 03:46 PM 3/28/96 -0500, Black Unicorn wrote: >> >> >You clearly don't understand. You are an ass making an assumption that a >> >court cares or believes that the witness can actually produce the >> >requested information or not. Fines tend to be imposed regardless. >> >> Bullets don't care that a judge was justified in his decisions, either. > >God I hope you keep talking like this. The list might not have to endure >you anymore unless you get a cushy prison cell with internet hookups. As far as I know, the 1st amendment to the US Constitution is there to protect unpopular, as well as popular, speech. And while it may be a surprise to you, my kind of speech is getting far more popular and has been for the last few years. Much of the reason for this has been the abusiveness that you describe but don't seem to try to do anything about. In any case, the "clear and present danger" standard to speech such as mine is not satisfied. Nobody is under the illusion that anybody else is going to rush right out and kill someone as a consequence of my comments. It is, therefore, protected speech. (Not that I really have much respect for the distinction, anyway. The issue is, is there some OFFICIAL distinction, and there apparently is.) >> Ultimately, your repeated argument is simply, "The legal system can be >> abused by those who work in it." > >I wouldn't call fines imposed on a third party who clearly was complicit >in the destruction of material evidence to a proceeding "abuse." Since you keep inventing these straw men and knocking them down, it is really questionable whether you have any kind of good judgment as to who is "clearly complicit in the destruction of material evidence." It would be far more effective and credible if you would at least admit that not every action by a third party which has the effect of frustrating some court is actionable. The simple action of FAILING to store information that may later be wanted by the officials is an excellent example, for instance. Naturally, you won't like this either. And you certainly won't want to rise to my challenge and draw a distinct line, because that would put you to your proof, and you have none. > I don't challenge this claim, in fact my >> position depends on its truth; my assertion is that the current legal situation is >> out of the control of people faithful to the meaning of the Constitution, >> and has been so for a long time. One of the main reasons I promote a >> de-facto (and unofficial) death penalty for recalcitrant politicians and >> other government employees is because the traditional "checks and balances" >> system seems to no longer be working for the interests of the average citizen. > >Yadda yadda yadda. What?!? you don't have a better response to this? >> >> And in any case, I consider it highly doubtful that anybody would contract >> >> with an escrow agent and identify himself by name >> > >> >The same way no one creates Panamanian companies with their own name. So >> >what? Third parties are still fined heavily. >> >> Any specific examples? > >Sure, several. See my large note on the subject of asset protection. Well, you're trying to change the subject. It's "escrow agents." And the question is, "must an escrow agent always know the identity of the people for whom the information is kept." The simple answer, invoking existing software technology, is, "no." So now you need to explain why courts are going to be able to force a third-party to give what he doesn't know he has, and in fact nobody else knows either. You'll fail at this task, of course, because the answer is not politically correct by your standards. >> >And simpler for courts to fine them out of existance (which happened to >> >several banks, trust companies and agents in Cayman and Panama. >> >> I guess you really don't realize that every claim you make demolishes the >> justification for your obvious hostility to a system which prevents exactly >> the kind of abuses you list. (Although it really isn't clear whether you >> would classify them as "abuses.") > >My hostility is for a system that allows mob mentality and murder run the >streets like a bad day in Beruit. A position which fails to do anything about the current problems in society. Show me that my solution is worse than the status quo, and you'll have a point. Until then, you're just a complainer. > >> >They need only suspect or have reason to suspect it might be exculpatory. >> _ ^^^^^^^^^^^ >> Sloppy word usage. I think you meant, "incriminating." Typical for you. > >Actually I should have said "material." Still sloppy. Classic Unicorn. >> In this day and in this country, "going to law school" is basically >> synonymous with "learn to get along with the current legal system." It >> should have been obvious long ago that I don't consider the current legal >> system to be worth living with. > >Suicide is always an option. I take great pains and give them to others. Anyway the reason suicide is a silly option is that it assumes that the problem lies with me, not others. Obviously, other people are complaining about the same situation, so the problem is not my fault. But I'm hoping to be part of the solution. You REALLY won't like this! >I don't much like the system in the United States either. But there are >two ways around it. Ways that work, and ways that don't. There are not ONLY "two ways around it." There are also clearly "ways that Unicorn likes" and "ways Unicorn doesn't like." It is possible that if they were studied carefully a person would discover that (warning! Set theory terms coming up!) intersection between the two groups, "Ways that work" and "ways that Unicorn likes" is zero. As if by design. >Encouraging random murder and mob justice is, in my view, in the second >field. I've never encouraged "random murder." Quite the opposite: It would be far more accurate to say that I encourage VERY SELECTIVE killing. It is not, however, GOVERNMENT SPONSORED killing, which is why you won't like it. Jim Bell jimbell at pacifier.com From stewarts at ix.netcom.com Fri Mar 29 23:35:25 1996 From: stewarts at ix.netcom.com (Bill Stewart) Date: Sat, 30 Mar 1996 15:35:25 +0800 Subject: What backs up digital money? Message-ID: <199603290555.VAA24804@dfw-ix7.ix.netcom.com> At 03:25 PM 3/28/96 -0500, Black Unicorn wrote: [a bunch of mostly correct things, except for] >But instead of backing in gold, or some tangible asset, dcash is still >ultimately backed by the full faith and credit of the government who's >currency the dcash is denominated in. Well, after dealing with the full faith and credit of the issuing bank, you may acquire some pieces of paper which are backed by the dubious faith, credit, and reputation of some government. As you later say, >it is still just a second tier bearer instrument. >I think that the diet coke backed cash I tried to promote back when was >closer to a "currency" than d/ecash issued by a bank and drawable on >government currency. (Maybe this is why no one was interested?) I've used coffee-based currency, backed by my co-worker Joe. Worked fine, and excess profits usually got turned into bagels and donuts. >Real solid ecash, and the kind of cash I would like to see out there, >would be limited to a non-dilutable one time issuance and backed in some >precious commodity held on reserve. A closed-ended share of a stock of >gold, for instance. That would require no intermediation of a "currency" >based on the full faith and credit of an issuing sovereign. Most of my money is usually in banks, where it exists as bits in a ledger rather than as government-backed paper; my credit union at least has private insurance in addition to the government insurance, so there's someone honest backing the bank, even though it's only denominated in fiats. Digicash of various sorts may be able to get some political support if some bank wants to issue accounts denominated in ECUs, though ultimately the issue isn't whether it's backed by governments, gold, or insurance agents, but whether someone's willing to give you stuff for it when you want stuff. If you're buying physical stuff, you're probably buying from someone nearby, so it's usually useful to be able to _pay_ in local-flavored currency. In Europe, "local" may include the currencies of several nearby countries; in the US lower-48, that usually means US dollars, since Canadians will usually take them and Mexican pesos can be trusted to devalue rapidly. ObLinguaPunk: One cypherpunk-relevant use for speaking foreign languages is that you sometimes need to speak local-talk long enough to find an Internet connection when you've boogied overseas to retire on your digicash earnings or run your consulting business to make the big bucks before you go rent a cabin in Nevada from some Panamanian corporation that's owned by several Caribbean bank accounts.... #-- # Thanks; Bill # Bill Stewart, stewarts at ix.netcom.com, +1-415-442-2215 pager 408-787-1281 1995: Chat rooms, espresso, and Linux 1996: Exon, melatonin, and Java. From kinney at bogart.Colorado.EDU Fri Mar 29 23:36:27 1996 From: kinney at bogart.Colorado.EDU (W. Kinney) Date: Sat, 30 Mar 1996 15:36:27 +0800 Subject: Why Americans feel no compulsion to learn foreign languages In-Reply-To: Message-ID: <199603291526.IAA17231@bogart.Colorado.EDU> Tim May writes: > Given the explosion of languages--Yoruba, Talegu, Tagalog, Russian, Korean, > and on and on--the role of French, German, and to some extent Spanish is > less clear than ever. (Spanish is admittedly a growing language, but not in > technical fields...just a fact.) Entirely brushing aside the idea that there might be more to the world than technical fields, my observation has been that knowing at least one foreign language would be an enormous professional advantage. At one computer company I worked for, the only person who could speak Italian was in constant demand as an informal translator. Doing research, I have had a number of occasions to regret my lack of proficiency with a foreign language. I regularly come into contact with German and Spanish speaking scientists. (Probably number one on the hit parade is Chinese, but I'm kind of daunted by the idea of taking it on ;-). Granted, English is the technical lingua franca, but the statement that there's no point in learning a foreign language is shortsighted, and I think that will become more true, not less, in the future. > My last word on this language topic will be this: far from being a closed, > ignorant, immigrant-hating, shit-eating nation, as some of the usual > America bashers have intimated, the decline of language skills reflects a > decline in the "ethnocentrism" of the past. And besides, you only need Spanish for maids, gardeners, and day-laborers, right? -- Will From unicorn at schloss.li Fri Mar 29 23:46:25 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 30 Mar 1996 15:46:25 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: Message-ID: On Thu, 28 Mar 1996, jim bell wrote: > Escrowing encrypted keys makes them useless to subpoena, and in > fact it helps the key owner because the escrow agent can (and, in fact, > must!) be obligated to inform the key owner if his key is requested. I thought I would take the time to let everyone know that this is baseless as well. Most jurisdictions forbid third parties to reveal prosecution inquries to the principal for which they are holding documents or other information. A VERY few have laws on the books that require this disclosure. Switzerland is no longer one of them. Even if a judge was convinced by the defense not to levy heavy fines against a third party who pleaded that he or she was simply unable to comply, informing the principal would literally assure such fines would be imposed regardless. Criminal charges of obstruction could easily attach. Obstruction in connection with narcotics cases or other major felonies are generally extraditable offenses as well. Once again Mr. Bell pulls legal analysis out of his rectum rather than basing it in fact or research. With Mr. Bell as a defense attorney, who needs prosecutors? > Jim Bell > jimbell at pacifier.com --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From wlkngowl at UNiX.asb.com Fri Mar 29 23:58:24 1996 From: wlkngowl at UNiX.asb.com (Mutatis Mutantdis) Date: Sat, 30 Mar 1996 15:58:24 +0800 Subject: Noise sphere plotter in C Message-ID: <199603300240.VAA07216@unix.asb.com> Noise sphere plotter written in Borland C (w/executable), added options for rotation or plotting 16-bit samples etc. [Interesting patterns show up w/16-bit plotting, esp. with timer drift sampling from Win 3.11] Reply with subject "send nsphere-c". From Mark.Graff at Eng.Sun.COM Sat Mar 30 00:03:50 1996 From: Mark.Graff at Eng.Sun.COM (Mark Graff) Date: Sat, 30 Mar 1996 16:03:50 +0800 Subject: Sun patch pulled Message-ID: <199603300105.RAA07911@liberty.eng.sun.com> Folks, I am the person responsible at Sun for coordinating security-related patches. I got several copies of Wednesday's message about Sun's syslog/libc patches. There are plenty of disasters we can blame on ITAR, but the statement > Yup, that's right. The syslog hole that was so well publicized by > CERT will remain open indefinitely because the ITAR makes it illegal > for Sun to distribute the fix! is in fact 100% incorrect. I know; I was personally involved at every stage. I'm afraid the detailed explanation which follows is necessarily stultifying. But the key points are: 1. Our syslog patches (and in fact all of our security-related patches) are available to anyone who wants them, anywhere in the world, whether they are a Sun customer or not and whether they have a support contract or not. This has been Sun's policy since about 1990, and it hasn't changed. 2. We did make a change in February--it seems fairly routine to me, but you be the judge--but we weren't prodded by any government figure. We were just making sure that we complied with the letter of the law. That's no fun either, but it's a far cry from "gummint dweeb[s] whispering threats". 3. We didn't document the change very well, which surely contributed to the confusion. I expect we will update the README files to try to explain this better. OK, now before I lose you in the morass of detail that follows, please note this. Sun maintains an alias, "security-alert at sun.com", for questions about security issues, especially as they relate to patches and fixes. I'm the person who tends it (I got about 2,000 inquiries last year) and I will be glad to answer any questions like this in the future. (Please send them to the alias, not to me: it's got backup coverage and my personal e-mail doesn't). If this inquiry had gone to any of our Solution Centers, they would have come up with this answer, too, by the way. All right, Here We Go... SYSLOG/LIBC PATCHES Here is the list of patches currently available for libc to patch the syslog vulnerability. Note that, for some versions, there are both "U.S." and "international" versions. This distinction is the source of the confusion. I'll explain it later. PATCH # VERSION RELEASED --------- ----------- ------------ 100891-13 - SunOS 4.1.3 Oct 27, 1995 (International) 101558-07 - SunOS 4.1.3_U1 Oct 27, 1995 (International) 102545-04 - SunOS 4.1.4 Nov 16, 1995 (International) 100890-13 - SunOS 4.1.3 Feb 21, 1996 (US only) 101759-04 - SunOS 4.1.3_U1 Feb 21, 1996 (US only) 102544-04 - SunOS 4.1.4 Feb 21, 1996 (US only) 102903-01 - Solaris 2.3 Nov 2, 1995 101945-36 - Solaris 2.4 Jan 11, 1996 102905-01 - Solaris 2.4_x86 Nov 2, 1995 Notes: 1. The patches shown for 4.1.3 also apply to 4.1.3c. 2. Solaris 2.x (SunOS 5.x) systems are internationalized, so there's no distinction between "US-only" and "International" versions. To completely close the syslog family of attacks, you will need to install recent versions of the jumbo kernel patches (not shown) also. 3. No patches are necessary for SunOS 5.5 (Solaris 2.5) and later. The fixes made the release. "US-ONLY" VS. "INTERNATIONAL" VERSIONS OF THE C LIBRARY In SunOS 4.1.x (the BSD-based Unix), Sun maintained two separate versions of the C library. The so-called "domestic" version contained DES-based crypto routines, accessible via a public API. Since we interpreted ITAR to outlaw the exportation of such a library, we modified our build procedures to produce a less capable version which we could legally export. All this time, then, we have maintained two separate sets of patches, one which could legally be exported and one which could not. (I'm not going to get into details about the technical differences between the two.) With the advent of SunOS 5.x, we introduced new methods of handling both libraries and patches, and this problem went away. That's why there is only one version of the C library for each version of the OS. for many years, we called the library version which contain the forbidden-to-export stuff the "domestic" version, and the other the "international" version. When we made the latest change (described in the next section), we changed the wording from "domestic" to "U.S.-only". After all, the word "domestic" applies to every country from a certain point of view, doesn't it? The nomenclature is still not quite right. Here is an attempt at a precise statement. If your SunOS 4.1.x system has the "crypto kit", you can and should use the version of the C library dubbed "U.S.-only". If your system is not using the "crypto kit" --whether or not you or it resides in the U.S.--you can and should be running the "international" version. The crypto kit costs extra, so if you're not sure, you're probably running the "international" version. Most of our customers are. The folks at your local Solution Center can probably explain this better than I can. I encourage you to contact them for more details on this part, or help in determining which software you are running. WHAT CHANGED IN FEBRUARY The change we made in February was to stop the practice of making the "U.S.-only" version freely available through our world-wide patch database. It is, after all, "world-wide"; so, after one of our periodic reviews of patch practices the responsible manager made the policy change. We removed the library code from the latest versions of the 4.1.x patches, and updated the README files to explain the change. I don't know for certain whether this was in response to any particular warning from the U.S. government. I'm assured by the person who made the decision that it wasn't. Anyway, the only impact of this change on our customers is that 4.1.x customers who do have the "crypto kit" installed on their systems now have to go through the Solution Centers to get C library patches. (I guess a second impact is that folks who aren't licensed to have the crypto kit can't get the "U.S.-only" library version--but they're not entitled to have it, and in theory couldn't make use of it anyway.) I can understand why the original poster found this difficult to figure out by him- (or her-) self, I guess. Anyway, the README file does say, right near the top, Please contact your Sun Solution Center or other SunSoft authorized service provider (ASP) in the U.S. to obtain a copy of the actual patch. ... and that's what several of our affected customers have done, since. We certainly apologize for any confusion. -mg- Mark Graff Sun Security Coordinator mark.graff at sun.com security-alert at sun.com p.s. I'll include this explanation in my next Sun Security Bulletin. (If you want a free subscription, BTW, just send a message to security-alert at sun.com with the subject "SUBSCRIBE CWS your-mail-address". p.p.s (If anyone wants to discuss this further with me, please pursue it privately. I didn't pop my head up over the parapet to get drawn into a big public ITAR debate.) From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer) To: cypherpunks at toad.com Subject: Sun patch pulled (was Re: HP & Export of DCE) Date: Wed, 27 Mar 1996 23:16:56 GMT I noticed that Sun's latest libc patch (101759-04) is empty. Previous versions contained the complete U.S. version of libc, including the tres-dangerous DES and crypt functions. In the current rev only the README remains, presumably because: EXPORT INFORMATION: This patch includes code which performs cryptographic functions, which are subject to U.S. export control, and must not be exported outside the U.S. without prior approval of the U.S. government. Prior export approval must be obtained by the user of this patch. So, you might ask, what fixes is Sun not distributing??? (Rev 04) 1190985 gethostbyname() can trash an existing open file descriptor. 1182835 portmapper silently fails with version mismatch by PC-NFS client 1219835 Syslog(3) can be abused to gain root access on 4.X systems. Yup, that's right. The syslog hole that was so well publicized by CERT will remain open indefinitely because the ITAR makes it illegal for Sun to distribute the fix! So did HP and Sun spontaneously, simultaneously develop crypto awareness, or is some gummint dweeb whispering threats in their ear? From mpd at netcom.com Sat Mar 30 00:06:58 1996 From: mpd at netcom.com (Mike Duvos) Date: Sat, 30 Mar 1996 16:06:58 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks In-Reply-To: <199603292053.UAA18333@GPO.iol.ie> Message-ID: <199603300210.SAA09465@netcom3.netcom.com> kooltek at iol.ie (Hack Watch News) writes: > The DSS smart card has been reverse-engineered for at least > six months now and pirate devices are in the market. The > encryption used on those systems is good but it does not > stand up to a well financed attack. This is indeed good news. I haven't followed the satellite wars for a while, and although I was aware that the earlier European system had been broken, I didn't know that the one used by the DSS folks had by now also met a similar fate. This is interesting, since the technology to do unbreakable encryption and authorization certainly exists. Perhaps the DSS folks should have brought in a few Cypherpunks as quality control consultants. :) > Using DES to encrypt the audio on the fly is an old > technique and was used in the VideoCipher II system. Most of > the more recent systems use a PRNBSG EXORed with the digital > audio data stream. Again, it's been a while since I looked at the industry, but I was under the impression that the VideoCipher II was still used by Satellite dish owners to receive CNN, HBO, SHO, TMC, and the rest of the ordinary analog pay cable channels. Has everyone now been forced to upgrade to something "new and improved?" > The problem of piracy will still exist on digital systems. > The DSS system is a completely digital system and it too is > hacked. Digital systems eliminate the main drawback of analog ones for using cryptography, namely that there is no way to strongly encrypt the video and ship it out using the same modulation technique which originally encoded it. Once you have both audio and video streams in digital form, having ones encryption "hacked" is more a function of cluelessness on the part of those engineering the encryption and authentication mechanism than some latent vulnerability on the part of the technology. I'm really surprised that DSS got hacked, given that the hacking of the European digital system was well known while DSS was being constructed. Sounds like a very slow learning curve somewhere in the engineering process. > Admittedly some of the elements of security in the DSS are > good, most can be rendered void by hackers. The problem for > DSS is that the smart card they used is not secure enough. > It was a Motorola 6805 type. What appears to be the pattern > with the hacks on more recent smart card systems is an > inversion of the original pattern on the simple analogue > systems. The original pattern was that some hobbyists would > figure out how to hack the system and then the hack would be > commercialised. With the smart card hacks - the pattern is > inverted so that it becomes a trickle down pattern. The > professional hackers reverse and emulate the smart card and > then the code is sometimes hacked from the emulator card and > then distributed among hobbyists. In a well engineered smart card system for authorizing individual viewers of a digital audio/video stream, each card contains a unique serial number and a random cryptographic key stored during the manufacturing process in a manner which cannot be obtained even by destructive reverse engineering of a particular card. The originating system then uses this information to embed messages in the transmitted data stream permitting individual cards to decrypt and recover the random and frequently changing session key with which the channel bitstream has been strongly encrypted. If such a system has been properly implemented, all the specifications for it should be able to be published without compromising it. Emulators for the software used in the cards shouldn't be a problem as long as serial#/key pairs for specific cards are not disclosed. > The most dangerous thing in all this is that the smart > cards that have been hacked in Pay TV systems throughout > the world are also used in other applications. The expertise > and the knowledge of reversing smart cards is now more > common in the Pay TV piracy business. There is always the > possibility that these skills could be applied elsewhere. Perhaps in the private sector, where snake oil abounds. I suspect military types do things a bit more cleverly than the prior scenario implies. BTW - what is the legal status of hacking DSS? It's not like cable, where you are tapping into a municipal service illegally. You own the dish, the decoder, and the photons with which the satellite is irradiating your back yard. Can the government really regulate how you choose to process photons found on your own private property with equipment you own? Have there been any test cases? -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From rollo at artvark.com Sat Mar 30 00:39:26 1996 From: rollo at artvark.com (Rollo Silver) Date: Sat, 30 Mar 1996 16:39:26 +0800 Subject: java security Message-ID: >Based on recent events, as soon as you implement anything in Java you are >making the creation of a secure ANYTHING a highly uncertain venture. You >have just made it MUCH MORE difficult to ensure security, not less, >given the current state of the Java art. I will be spending a fair part of my time over the next few months investigating java security, especially from the point of view of trying to break it. I'd like to hear from coderpunks/cypherpunks having ideas about how to break it, especially if you don't have the time/energy to pursue the idea to fruition yourself. Rollo Silver | e-mail: rollo at artvark.com | Artvark | Home page: http://www.artvark.com/artvark/ | PO Box 219 | Voice: 505-586-0197 | San Cristobal, NM 87564 USA | Compuserve 71174,1453 | =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-= From unicorn at schloss.li Sat Mar 30 01:05:58 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 30 Mar 1996 17:05:58 +0800 Subject: Note: Problems Confronting the Asset Concealer [Part 1 of 2 of Volume I] Message-ID: Prologue: C'Punks: While direct crypto relevance is limited, I thought that this work might interest many on the list and so I decided to post it in any event. The sections on fourth and fifth amendment protections, or lack thereof, for banking documents might shed some light on the eventual disposition of crypto keys under the same circumstances. This text represents a sanitized and >heavily< modified version of scholarly work I recently published. I should also mention that portions of the original work have been subjected to official review prior to publication. For the purposes of posting to the list, and to conceal my identity, I changed the note to approach things from the perspective of the asset concealer. Although this wouldn't have gone over well when submitted for a scholarly publication, it better represents the way I think about these issues. Given the nature of the "legitimate" scholarly work that predates it and its subject matter, this note seemed the logical extension, and I found myself a bit carried away with it before I was done. In this regard the below is a more honest and complete picture of asset protection than the scholarly work, or probably than any other publication floating about right now. And it's just for you cypherpunks, for the moment. Unfortunately, after completing the work I began to realize that many sections were inappropriate for general release. As a result several source cites that survived review have been removed, but I have tried, where able, to keep the majority of the substantive material present. When I felt the need to remove substantive portions it was either to prevent exposing what I believe to be novel methods, because I consider the sections work product which I would like to continue utilizing effectively, or to protect those methods I know to be utilized by my associates. To prevent misunderstandings, where large portions (more than a few lines) or crucial elements have been removed, I have so indicated with empty brackets. ("[]" and "[...]"). I've segmented the note. I'll consider posting the second, third and forth volumes if there's enough interest. As they involve some of the more sensitive issues, I'm not sure yet if I'm willing to release them generally, with more deletions, or at all. If it gets to you garbled, mail me, I'll send you another copy. As always, this is an educational/academic work. The law is ever- changing and attempting to conduct international financial transactions without exacting professional advice is ill advised and extremely dangerous. I'm not being paid for services, so the reader uses this material at his or her own peril. I reserve all rights to this work. Please do not re-distribute it without permission. I intend to allow its semi-free circulation generally, but I must ask that forwarders request permission before reproducing it so that I may have an idea of where it is going. This is mostly for my personal edification. >Please do not< make it available via WWW, FTP, or other unrestricted distribution. If you insist on ignoring my wishes, may a thousand biting flies infest your pubic hair, but at least leave my e-mail address on it. ********** [...] Practical and Legal Problems Confronting the Asset Concealer in Relation to Offshore Financial and Corporate Entities: A View from the Perspective of the Individual Attempting to Avoid Extraterritorial Discovery, Attachment, or Coercion. [] (unicorn at schloss.li)* * LL.M.,[]; M.A.,[]; J.D.,[]; B.A.,[];. [] is an attorney licensed to practice in The District of Columbia, Switzerland, [], and also a former member of the intelligence community. ''''' I. Introduction II. Use of the Offshore Haven [] What to Look for in an Offshore Haven [] III. Legal Considerations for the Asset Concealer U.S. Discovery Compelled Consent Orders Local Illegality Foreign Offshore Jurisdictions Respond Discovery Blocking Judgment Blocking Are High Profile Offshore Centers to be Avoided? [] The Goals of the Asset Concealer and Selection of Jurisdiction Tax Cases Securities Issues [] The Constitution is of No Help. The Fourth Amendment The Fifth Amendment IV. Esoteric Considerations Intelligence Threats The Anatomy of a Money Laundering Investigation [] Private Banks Using Private Banks to your Advantage [] Bearer Shares V. Reviews of Specific Jurisdictions Why I Don't Like Switzerland Anymore The SBA Mutual Legal Assistance Treaties Why I Like Panama Why I Like Liechtenstein The Anstalt/The Treuunternehmen The Stifung/The Aktiengesellschaft Secrecy Why I Like (sort of) The Cayman Islands Private Banks [] Why I Like Vanuatu Bearer Shares [] Private Banks (Easy?) [] Why I Like Turks and Caicos Redomiciling Private Banks (The Easiest?) [] Why I Like Bermuda Why I Like (in a pinch) The Bahamas The Bahamas Corporation Private Banks The Local Authorities Why I Like Nauru Holding Corporations Private Banks Why I Like (sort of) The Virgin Islands Security Through Obscurity The Thatcher Appeal to Reagan Why I Like (in a pinch) Aruba Why Moving Money is Easy in Latvia Why Moving Money is Easier in Thailand Why Moving Money is Easiest in Estonia Arms Dealing and the Velocity of Money [] Liquidity and Ease of Exchange The Local Authorities Why I Send Casual Arms Dealers to Liberia [] Why I Send those with $10m+ to Seychelles Diplomatic Immunity [] Investment Incentives Reliability Why I Send Those with $15m+ to Monaco Conversion to Bearer Shares Shipping Investments Why I Send Dirty Money to Rumania Why I Send the Filthiest Clients to Bulgaria Fraud in the Bright of Day. The Local Authorities: A Case Study [] Why I Send Narcotics Money to Turkey Why I See Promise in Gibraltar VI. Conclusions Constructing Asset Concealing Organizations: Step by Step Forming the Holding Entity Forming the Direct Asset Holders [] Bearer Shares: Double Blinds Forming and Using Your Personal Financial Institution Moving the Money: Avoiding Currency Reporting [] The Re-investment Vehicle Warning Signs Pressing the Panic Button The Tools of the Trade and How to Use Them A Case Study I A Case Study II [] A Case Study IV The Future of International Asset Protection The Key to Success in Any Jurisdiction Secrecy or Expatriation? Final Thoughts VII. Appendix Detailed Analysis: Personal Financial Institution Formation in: The Cayman Islands Panama Luxembourg Jersey Bahrain [] Vanuatu The Bahamas [] [] Contacts: Professionals I Recommend to Asset Concealers [] Financial and Trust Institutions of Note [] ''''' I. Introduction While there has been much writing on "tax shelters," money laundering, and the use of the international business corporation to "judgment proof" assets, I've seen little discussion of the practical considerations in shielding assets effectively, especially for the United States resident. With all the seminars, and "insider's guides" to the various jurisdictions and their incentives, there exists a significant amount of disinformation floating about. I thought I would take the time to dispel some of the rumors and myths about asset protection and try to give a practical view that is sorely lacking in any of the common or scholarly literature on the subject. The following work will examine these issues in more detail. Part II will examine very briefly the uses of the offshore "tax haven." Part III will consider some of the legal aspects confronting the asset concealer. Part IV will examine some of the more esoteric issues and attacks on the asset concealer. Part V will take a closer look at some jurisdictions. Part VI will draw some conclusions, provide a step by step guide for constructing asset concealing organizations and make some predictions for the future. II. Use of the Offshore Haven Most people assume that the amount of the underground economy is fairly small and that offshore banking is entirely too complicated for the everyday person to deal with. This is patently false. Even as early as 1979 estimates of illegal money flowing through the Caribbean tax havens alone was in excess of fifty billion dollars a year. The Use of Offshore Tax Havens for the Purpose of Evading Income Taxes: Hearings Before the Subcommittee on Oversight of the House Committee on Ways and Means, 96th Cong., 1st Sess. 1 (1979). One estimate at the time attributed $25 billion a year to the Bahamas alone. Illegal Narcotics Profits: Hearings Before the Permanent Subcommittee on Investigations of the Senate Committee on Governmental Affairs, 96th Cong., 1st Sess. 474 (1979) (Exhibit No. 33, Offshore Banking: Issues With Respect to Criminal Use, Submitted to the Ford Foundation, Nov. 1979, by Richard Blum and John Kaplan). In 1978, the Bahamas held $95.2 billion in foreign assets, a mere $1.8 billion of which was used to finance foreign trade. Douglas J. Workman, The Use of Offshore Tax Havens for the Purpose of Criminally Evading Income Taxes. Today the Cayman Islands have a population of 30,000, over 500 banks and some $415 billion of assets on deposit. All one must do to take advantage of an offshore tax haven is get the money offshore and design a vehicle to use it where you live. The techniques used to accomplish these goals are as varied as the creativity of the asset concealer. Even so, and while any treatment of this subject must almost by definition be incomplete, some of the more apparent aspects and methods are touched on below: A) Moving money offshore: Obviously, a cash producing business could easily stream funds overseas without much auditing liability. Follow this simple procedure: 1. Put cash in pocket. 2. Get on plane to offshore jurisdiction. 3. Deposit cash. 4. Return. Or in the case of non-cash businesses: American Business ("Biz") is owned by U.S. Citizens 1-3. Business "expenses" for Biz are paid to a foreign corporation ("For1"), and deducted from Biz's corporate taxes. While an audit might disclose these payments to the foreign corporation, it is fairly easy to shield them within the cost of goods sold. If pressed, it is easy for Biz to claim that For1 and Biz are unrelated, and produce canceled checks and/or receipts to effect such proof. For1 retains 10% of the payments from Biz, and passes the remainder to another foreign corporation ("For2"). An auditor will now have no direct access to records of the payments from For1 to For2, and indeed, the records may not even be in the country. Biz could also claim to be paying for services rendered under contract by For1, where in actuality said services are being performed by Biz and claimed by Biz as business expense deductions. [...] B) Bringing the money back. Assume For2 is owned by a foreign offshore trust ("Trust") the beneficiaries of which are citizens 1-3. Any investigation would be tasked to reveal the existence of this relationship or the flow of funds back to the citizens. While for technical purposes these funds are held offshore, their presence in a U.S. bank in the name of Trust is certainly possible. Wiser still, For2 could direct Trust to make a third foreign corporation ("For3") the 100% beneficiary, invest in U.S. securities through For3 (the capital gains of which are not technically taxable to foreign entities not connected to the United States). Repatriating the assets is a simple matter accomplished either by situating For3 in a jurisdiction with a treaty waiving the withholding tax on dividends and interest (in past this has been the Netherland Antilles) or by drawing directly on the foreign accounts of For3 in such a way so as not to draw undue attention. In past if Citizen 2 had some appreciated securities he would have sold them to Trust in return for an annuity with a carryover basis, or as an installment sale. Citizen 2 would recognize only the annuity gain on the transaction because the gain will be realized by the offshore entity. Obviously, the capital gain can be repatriated in the same way as above. Citizen 3 lives and spends a great deal of money in the United States, but is already the subject of several large judgments in the country. She instructs Trust to lease a new Ferrari, and obtain a secured Gold Mastercard in the trust's name from the bank administering Trust. Citizen 3 can enjoy the fast life, draw massive cash advances as well as purchase anything she likes without income accountability. Various complications can be included in any liberation/repatriation plan. Tainted funds can be exchanged for large denomination bank notes in varied currencies, the notes exchanged for bank checks, bearer credit, or bearer bonds/certificates of deposit, or any liquid monetary instrument easy to travel with. (Uncut diamonds, precious metals or securities are all quite popular). The goods are then transferred into another country and liquidated or stored. [...] While many of the legal loopholes have been filled with regard to the more public transactions, it becomes increasingly clear that asset concealing is an informational issue. The more difficult one makes it for investigators to discover assets, trace their movement, or to attribute any of these things to the depositor, the more effective the asset concealing endeavor will be. Asset concealing thus becomes a question of economics. How much can the prosecuting authorities spend, how much time do they have, and is there any degree of suspicion to begin with? What to Look for in an Offshore Haven [...] III. Legal Considerations for the Asset Concealer U.S. Discovery Compelled Consent Orders Many people believe that foreign and domestic banks, particularly those situated in jurisdictions that criminalize such disclosure, will never release depositor's account information, assets, or related documents. This too is patently false. In fact, the United States has gone to lengths to make it difficult for foreign banks and fiduciaries to withhold such items from U.S. litigants. Typically, heavy fines are imposed on banks refusing to comply with court orders compelling discovery of financial documents, even those located in foreign jurisdictions and where the disclosure imposes criminal and civil penalties on the disclosing bank. Fines of $2 million are not without precedent. (Unites States v. Bank of Nova Scotia, 740 F.2d 817, 832 (11th Cir. 1984), cert. denied, 469 U.S. 1106 (1985)(upholding $25,000/day fine totaling $1,750,000 for failing produce documents located in the Cayman Islands under grand jury subpoena duces tecum; Marc Rich & Co., A.G. v. United States, 707 F.2d 663, 670 (2d Cir.), cert. denied, 463 U.S. 1215 (1983)($50,000/day against Swiss corporation for noncompliance with subpoena duces tecum demanding documents located in Switzerland). It should be very apparent that U.S. courts are not shy about imposing potent sanctions, even upon third parties, in order to facilitate plaintiffs and prosecutors access to documents and evidence. On international discovery, See Generally, Note: Ordering Production of Documents from Abroad in Violation of Foreign Law, 31 U. Chi. L. Rev. 791 (1964); Note: Recent Developments in the Law Concerning the Foreign Illegality Excuse for Non-Production, 14 Va. J. Int'l L. 747 (1974); Note: Foreign Nondisclosure Laws and Domestic Discovery Orders in Antitrust Litigation, 88 Yale L.J. 612 (1979); Limitations on Concurrent Jurisdiction -- U.S. Court May Order Discovery of Foreign Documents, Notwithstanding Foreign Law, If Discovery Will Support National Policy, Is Vital to the Litigation, and May Be Accommodated by the Foreign Sovereign, 20 Va. J. Int'l L. 925 (1980); Rosdeitcher, Foreign Blocking Statutes and U.S. Discovery: A Conflict of National Policies, 16 N.Y.U. J. Int'l L. & Pol. 1061 (1984); Robinson, Compelling Discovery and Evidence in International Litigation, 18 Int'l Law. 533 (1984). Local Illegality This puts many banks in dire straits as local jurisdictions can in turn impose powerful sanctions for complying with court ordered discovery in the United States. See e.g., Bank and Trust Company Regulation Act of 1965, @ 10(3) (amended 1980)(Bahama Islands)(fine up to $ 15,000, prison term up to two years, or both); Art. 47, Bank G. (Switzerland)(fine up to $ 50,000 or prison term up to two years, fine to $ 30,000 for negligence); Montserrat Ordinance, No. 5 Section 5 (1980)(The Confidential Information Ordinance)(fine up to $ 5,000 and prison term up to two years for "nonprofessional person," fine up to $ 10,000 and prison term to four years for "professional person"); The Bank Secrecy Act, Art. 2 (Greece)(minimum of six months imprisonment with no possibility of suspended sentence, or imposition of fine). >From the perspective of the asset concealer it is worth noting that it is not only banks that can be fined for failure to disclose financial information. Accountants, clerks, corporations, or literally any fiduciary, are subject to significant fines and incarceration in the United States for failing to comply with court ordered discovery. Many of these "secondary" participants are targeted and, as often they have shallower pockets, are less able to bear the legal costs of defending against these powerful fines and, unlike banks, have less to lose in the way of reputation and client goodwill if they comply and disclose. Given the lower fines and the infrequency with which criminal penalties are imposed on professionals so compelled, it is often to the advantage of the foreign document or evidence holder to disclose and risk the ire of local authorities rather than the notoriously vigorous U.S. courts. Some U.S. courts have gone so far to indicate that banks unwilling to submit to the will of one or the other sovereign should "cease operation of the foreign branch." See e.g., First Nat'l City Bank v. IRS, 271 F.2d 616 (2d Cir. 1959); United States v. First Nat'l City Bank, 396 F.2d 897 (2d Cir. 1968). At least one court has not only acknowledged this dilemma, but wielded it as a policy measure, "...the defendant should feel the full measure of each sovereign's conflicting commands and so choose between laws of those two sovereigns." Westinghouse Elec. Corp. v. Rio Algom, Ltd., 480 F. Supp. 1138 (N.D. Ill. 1979). Generally speaking, there is little guidance for federal district courts, in which most of the litigation arises, as the only solid Supreme Court authority is Societe Internationale pour Participations Industrielles et Commerciales, 357 U.S. 197 (1958). Courts, while a bit shifting in their doctrine, have tended to apply a few common considerations. Factors indicating the United States interests at stake and the foreign entity's good faith attempts to comply with the court's order will both, almost without exception, be considered in reviewing the need for sanctions against foreign entities. See Generally, Mark Brodeur, Note: Court Ordered Violations of Foreign Bank Secrecy and Blocking Laws: Solving the Extraterritorial Dilemma, 1988 U. Ill. L. Rev. 563. What is concerning for the asset concealer is the meaning of the latter. Good faith attempts to comply with a U.S. court order do not typically include refusal, however apologetic, on the grounds of local illegality or violation of general privacy considerations of the fiduciary's client. In practice the balance between U.S. interests rarely, if ever, weighs in favor of the party resisting disclosure. United States v. Davis, 767 F.2d 1025 (2d Cir. 1985); Bank of Nova Scotia I, 691 F.2d 1256 (11th Cir. 1982); Bank of Nova Scotia II, 740 F.2d 817 (11th Cir. 1984); United States v. Vetco Inc., 644 F.2d 1324 (9th Cir. 1981); State of Ohio v. Arthur Andersen & Co., 570 F.2d 1370 (10th Cir. 1978); United States v. Field, 532 F.2d 404 (5th Cir. 1976); Garpeg Ltd. v. United States, 583 F. Supp. 789 (S.D.N.Y. 1984); Compagnie Francaise D'Assurance pour le Exterieur v. Phillips Petroleum Co., 105 F.R.D. 16 (S.D.N.Y. 1984); Banca Della Svizzera Italiana, 92 F.R.D. 111 (S.D.N.Y. 1981)(All resulting in findings of bad faith on the part of the custodial agent). Foreign Offshore Jurisdictions Respond Many foreign states have sought to eliminate the dilemma by enacting laws ("blocking statutes") re-enforcing banking secrecy. Blocking legislation usually takes two forms. Judgment blocking, which indicates that the enacting nation will simply not recognize certain foreign judgments, and discovery blocking, which prohibit disclosures for certain discovery requests. It is interesting to note that much of the disagreement surrounding the efficacy of judicially compelled extraterritorial disclosure seems to revolve around a basic difference in approach for foreign states and U.S. Courts. Mr. Brodeur, notes that foreign states usually find themselves concerned with the applicability of U.S. jurisdiction in their state and questions of sovereignty, where U.S. courts tend to feel that the "pertinent legal conflict" revolves around the general legitimacy of the compulsory disclosure orders themselves. While the perspective of the United States is understandable, foreign states have a point. Rare indeed is the U.S. court that bothers to assert jurisdiction based on the 'required' finding for extraterritorial extension of jurisdiction that the foreign entities activities have sufficient "effects" within its borders. Brodeur notes further that there is little precedent in international law for compelled discovery orders and that many states protest such orders consistently. See, International Law Association, Report of the Fifty-First Conference 407 (1964), documenting the protests of, e.g., Denmark, the United Kingdom, France, the Federal Republic of Germany, Italy, Japan, Norway, Sweden, Belgium, Greece, and the Netherlands. Most foreign states view their active resistance to U.S. policy as a preservation of their own sovereignty and policy. See, Rosenthal & Yale-Loehr, 16 N.Y.U. J. Int'l L. & Pol. 1075, 1080 (1984); Comment: Foreign Blocking Legislation: Recent Roadblocks to Effective Enforcement of American Antitrust Law, ARIZ. ST. L.J. 945 (1981). Given the above, the asset concealer will want to select an entity located in a jurisdiction with strict banking secrecy law and, ideally, one which has enacted legislation blocking compelled discovery. Such legislation will give the investor an idea of the local policy and posture vis-a-vis the United States and compelled discovery generally. Lists of such jurisdictions are somewhat difficult to come by but the generally accepted (if dated) authority on the subject is E. Chambost, Bank Accounts -- A World Guide to Confidentiality 93-259 (1983). Chambost lists comprehensive treatments of 44 countries that provided banking secrecy in 1983. More recent publications include Grundy's Tax Havens, Tolley's Tax havens, and the superior Practical International Tax Planning by Marshall Langer. This publication is updated quarterly and if a comparable alternative exists publicly, I am unaware of its existence. Among the more robust of the listed countries are Great Britain, South Africa, Australia, Germany, France, Italy, Denmark, Japan, Portugal, Sweden, Belgium, Spain, Finland, Mexico, Norway, the Netherlands, Andorra, Bahrain, Hong Kong, the British Virgin Islands, Guernsey, Luxembourg, Isle of Man, Russia, the Bahamas, the Cayman Islands, Hungary, Liechtenstein, Vanuatu, Panama, Singapore, Switzerland, Lebanon, Malaysia, Nauru, Austria, Costa Rica, Klienwalsertal, Jungholz, St. Vincent, the Turks and Caicos Islands. The surest and longest standing banking secrecy jurisdictions have historically been Austria, The Cayman Islands, The Bahamas, Switzerland, Costa Rica, El Salvador, Liechtenstein, and Panama. Unfortunately, with the growing EC/EU membership, Austria and Switzerland have begun to lean away from their strict banking secrecy and I personally find these jurisdictions to be a bit risky, especially given Switzerland's recent legislation and adoption of the latest round of banking reform treaties with the United States, which I will treat later. While the treaty is not in full release as of this writing I am able to disclose that it deals, among other things, in detail with Banking Secrecy compromises. Jurisdictions in which I found significant discovery blocking statutes include: The United Kingdom, Australia, Belgium, Denmark, Finland, France, Germany, Italy, the Netherlands, New Zealand, Norway, the Philippines, South Africa, Sweden, and Switzerland. Jurisdictions with judgment blocking which I consider sufficient include the United Kingdom, Australia, Belgium, Canada, the Netherlands, the Philippines, and South Africa. The most powerful blocking statutes, (as in the United Kingdom) provide for the private recovery against the disclosing party of funds lost as a result of violation of the statute. The cautious asset concealer will seek such a jurisdiction. It is wise to keep in mind, however, that many jurisdictions do not have explicit blocking statutes on the books and yet are as secretive, or indeed, more secretive than those which do. Vanuatu is a good example of such a jurisdiction. Still other jurisdictions find their basis for banking secrecy in common law. Hong Kong: based on, Tournier v. National Provincial & Union Bank of England, 1 K.B. 461 (C.A. 1924); Anguilla, Antigua, Barbados, Bermuda, Montserrat, St. Vincent, the Turks and Caicos Islands, (Fedders, Waiver by Conduct -- A Possible Response to the Internationalization of the Securities Markets, 6 J. Comp. Bus. & Cap. Market L. 1, 30 (1984) are among these. The dedicated asset concealer will take note that discovery and judgment blocking statutes, unlike banking secrecy laws, are not waivable by banking customers. If placed in custody by local authorities to effect compliance, the depositor will be unable to effect his or her own release by instructing the foreign institution to surrender the requested documents or information. Almost all such blocking statutes require express governmental authority for disclosure. The hard core concealer will recognize, however, that many judges will be more sympathetic to the defendant who is unable to comply, even in good faith, and may refuse to impose incarceration for contempt as a result. While a factor, relying on the good graces of the judge overseeing a proceeding involving the magnitude of assets likely to be present is probably ill advised. Some jurisdictions refuse to acknowledge the instructions of asset holders held against their will. Others will refuse to acknowledge judicially compelled consent orders. (The Cayman Islands). Still others will refuse to release documents or funds unless the asset holder or fiduciary signs a form personally in the offshore jurisdiction (which does not have extradition treaties). An array of anti-duress, coercion and compulsion provisions are available from the more creative fiduciaries. For example, duress code words triggering the transfer of assets to a separate random jurisdiction at the trustee's discretion, or into the care of a unnamed third trustee. In the latter instance, the first trustee can plausibly deny any knowledge of the assets disposition. One arrangement I am fond of is illustrative of the range of options available to the innovative designer. Client A expects difficulties with local law enforcement. If Client A's attorney learns of his arrest or detention, he is instructed to call the trustee managing A's assets. The trustee, when notified, would collect the documents from his office, walk across the street and deposit the documents in a drop box at a neighboring trust company. The trustee would then phone the neighboring trust company and notify one of the managers of the document deposit. The manager of the neighboring trust company would select a nominee at random and instruct him to assume the duties entailed by the documents in the drop box. In this way, even if traced to the original trustee the assets are now managed and assumably have been transferred by an entirely different trustee who is unknown to the first. In the event A is released, he need only accompany the original trustee to the neighboring trust company to reclaim his assets. Those countries which have statutes that U.S. courts have recognized as criminalizing disclosures tend to represent the most stringent tested blocking law examples. These include Mexico, (Securities & Exch. Comm'n v. Minas de Artemisa, S.A., 150 F.2d 215, 218 (9th Cir. 1945) and Panama, In re Chase Manhattan Bank, 297 F.2d 611, 612-13 (2d Cir. 1962). After 1962, most courts refused to take judicial notice of the legality of disclosure in the foreign jurisdiction as it is currently considered irrelevant to the proceedings. While many of the statutes enacted to counter aggressive United States discovery practices are based on the increasing anti-trust litigation in the 1970's, anti-trust law is beyond the scope of this note. For a detailed treatment See e.g., I E. Nerep, Extraterritorial Control of Competition Under International Law 54-162 (1983). The most important distinction in the appellate cases which have denied motions to compel discovery of foreign documents in the face of the foreign states criminalization of such disclosure, e.g., Ings v. Ferguson, 282 F.2d 149 (2d Cir. 1960) First Nat'l City Bank v. IRS, 271 F.2d 616 (2d Cir. 1959) is that in both of these instances the entities holding the documents or discovery information were not themselves were not parties to the litigation. See, e.g., Ings at 152 (citing fact that custodian of records was not a party to the litigation as a prominent factor in its reasoning). The astute asset concealer will not use his concealing bank to, e.g., trade securities illegally, and thus involve the concealing bank in the litigation. Still, it should be noted that the existence of an agency relationship provides an easy out for courts determined to compel discovery and the easiest way to assure that ones concealing institution is not named in a suit is to conceal the identity of the institution in the first place. While jurisdictions which have active blocking statutes requiring governmental authority for a financial institution to release depositor information or documents are probably safest, courts at one time held that compelling a defendant depositor to actually instruct a bank to disclose his financial records violates his fifth amendment rights. See In re Grand Jury Proceedings, 814 F.2d 791 (1st Cir. 1987). Fifth amendment rights will be discussed more fully below. Generally speaking, the asset concealer should avoid relying on the fifth amendment absent extraordinary circumstances. For a full and detailed treatment of the fifth amendment non-applicability in cases involving judicially compelled document production, See Gordon Hwang, Note: Fisher v. United States: Compelled Waiver of Foreign Bank Secrecy and the Privilege Against Self-Incrimination, 56 Fordham L. Rev. 453 (1987)(Concluding that "the act of producing a consent directive... does not violate a witness' fifth amendment privilege against self-incrimination"). Are High Profile Offshore Centers to be Avoided? Further considerations for the U.S. asset concealer relate to the Cayman Islands and like jurisdictions. For some time American citizens traveling frequently to the Cayman Islands have experienced increased law enforcement and tax scrutiny. While I won't speculate as to the existence of a "black list," the glorious war on drugs has assured that The Cayman Islands and her visitors have, on occasion, attracted more law enforcement attention than the prudent asset concealer would want to endure. In addition, both the Bahamas and the Cayman Islands have signed Mutual Legal Assistance Treaties ("MLATS") with the United States. Though the Bahamian and Cayman MLATs both have important restrictions on information relating to tax matters, the Bahamian treaty, requires assistance in tax matters where the "offense" involves narcotics, theft, violence, or dual crimes. The Cayman MLAT excludes tax and currency offenses not relating to another criminal matter. [...] An excellent source for current high profile banking secrecy jurisdictions can be the periodic study by the Subcommittee on Investigations of the Senate Committee on Governmental Affairs, "Use of Offshore Banks and Companies." The Goals of the Asset Concealer and Selection of Jurisdiction Tax Cases The reason for secrecy is terribly important in deciding jurisdiction. Of course, most litigation on the subject is with reference to taxation actions. Jurisdictions with favorable laws for the "tax problem" depositor have traditionally included Switzerland, the Bahamas, the Cayman Islands, Bahrain, and Hong Kong. See Generally Crinion, Information Gathering on Tax Evasion in Tax Haven Countries, 20 Int'l Law. 1209 (1986)(analysis of law and practice of obtaining evidence from abroad in IRS investigations). Switzerland, however, has leaned away from providing shelter to U.S. depositors accused of tax evasion. While in practice Switzerland has been reluctant to disclose the information of depositors engaged in tax litigation with the United States and other nations, pressure from the U.S. has moved Switzerland, grudgingly, to comply in many of these cases. Banking secrecy in Switzerland remains more stringent in other areas, but her deference to the United States is disturbing. Securities Issues Securities litigation is probably the next most frequent category of case involving international discovery and the compelled discovery of documents. Blocking and secrecy laws of those countries with robust legislation will protect the asset concealer concerned with this area. Many countries which have signed agreements with the United States, notorious for its excessively energetic securities regulation, still have found ways to avoid complete compliance through treaty loopholes. Of particular note, with my previously expressed reservations about newly emerging agreements, is the Swiss accord, The United States- Swiss Treaty on Mutual Assistance in Criminal Matters 27 U.S.T. 2019, T.I.A.S. No. 8302 (1977) which is fairly typical of such agreements. Because the Swiss agreement requires that the alleged acts which are the subject of the litigation spurring discovery be illegal in Switzerland as well as the prosecuting nation, and because some U.S. and other securities violations do not expressly "contravene" Swiss law, the Swiss treaty is, in extremely limited circumstances, an open tunnel for non-disclosure. See Generally, Brodeur supra. Offshore entities are particularly useful in active trading for the asset concealer anticipating securities regulation problems. Problems with the SEC's Enforcement of U.S. Securities Laws in Cases Involving Suspicious Trades Originating from Abroad, H.R. Rep. No. 1065, 100th Cong., 2d Sess. 2-6 (1988). The sheer volume of international trading on the large U.S. markets provides an excellent opportunity for securities traders to become a "drop in the bucket." Reported purchases of stock in the United States by foreign entities were $41.8 billion as early as 1982. Swiss banks alone may account for as much as 20% of the trading volume on the New York Stock Exchange. Siegel, United States Insider Trading Prohibition in Conflict with Swiss Bank Secrecy, 4 J. Comp. Corp. L. & Sec. Reg. 353, 357 (1983). Because the enforcement of securities laws within the United States has been so dependent on disclosure and the open identity of the traders, many have used this "weak link" to avoid unwanted attention by trading from anonymous or nearly anonymous accounts abroad. [...] Some jurisdictions continue to provide a measure of safety against outside investigation of fraudulent and illicit trading through blocking and privacy statutes, Liechtenstein, Monaco, Luxembourg, and the Cayman Islands are the best examples. See Generally, Rochelle G. Kauffman, Note, Secrecy and Blocking Laws: A Growing Problem as the Internationalization of Securities Markets Continues, 18 Vand. J. Transnat'l L. 809, 819-26 (1985)(discussing countries with blocking statutes and the effect of these laws on the SEC); Yvonne G. Grassie, Recent Development, Foreign Bank Secrecy and Disclosure Blocking Laws as a Barrier to SEC Policing of Transnational Securities Fraud, 65 Wash. U. L.Q. 259 (1987)(discussing judicial and administrative efforts to deal with blocking statutes). Occasionally, where suspicious trading originates from a country such as Panama, Luxembourg, or Liechtenstein with blocking or secrecy statutes and no bilateral agreements with the United States, the SEC takes no investigative action. See Grassie. at 11 (statement of Mr. Mountjoy). Where a bilateral agreement exists, the Commission is often reluctant to invoke less it "wear out its welcome" with the host country. Id. at 12-13 (investigation into suspicious trading through Swiss banks in which conclusive indications that U.S. securities laws had been violated existed still resulted in no request information to the Swiss authorities). Identifying foreign owners can be virtually impossible when ownership must be traced through bearer shares, such as those issued by Liechtenstein Anstalts, or when ownership is held through accounts in jurisdictions with iron clad bank secrecy laws. See, e.g., Ingo Walter, The Secret Money Market 185-237 (1990) (emphasizing use of secrecy jurisdictions as means of avoiding detection and enforcement); Marc C. Corrado, Comment, The Supreme Court's Impact on Swiss Banking Secrecy: Societe Nationale Industrielle Aerospatialle v. United States District Court, 37 Am. U. L. Rev. 827, 829-31 (1988)(reviewing Swiss domestic policy rationales for bank secrecy); Michael Getler, Europe's Ultimate Tax Haven, Wash. Post, Jan. 15, 1978, at H5; Liechtenstein; Coming Clean, The Economist, Apr. 26, 1980, at 59; Steve Lohr, Where the Money Washes Up, N.Y. Times, Mar. 29, 1992, at 27 (Magazine); John Wicks, A Tax Haven Where Companies Outnumber the Population, Fin. Times, Aug. 24, 1984, at 8. To deal with the challenges posed by foreign ownership and trading, the U.S. Securities and Exchange Commission has negotiated an intricate web of treaties and memoranda of understanding. See, e.g., Richard M. Phillips & Gilbert C. Miller, The Internationalization of Securities Fraud Enforcement in the 1990s, 25 Rev. Sec. & Commodities Reg. 119 (1992). Switzerland now often conditions permission to trade on U.S. securities markets with a waiver of secrecy. [...] (End of Segment 1 of Volume I) --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From kooltek at iol.ie Sat Mar 30 01:13:23 1996 From: kooltek at iol.ie (Hack Watch News) Date: Sat, 30 Mar 1996 17:13:23 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks Message-ID: <199603292053.UAA18333@GPO.iol.ie> >"David K. Merriman" writes: > > > At 01:34 AM 03/28/96 +0000, you wrote: > > >> I've been looking for a file on how to make PPV > >> descramblers and havn't found any. Commercial descramblers > >> cost around $200 base price. If anyone has a file on how to > >> make them please e-mail me one. Thanks. > > > This is cypherpunks. Not Cable-TV-Piracy-Punks. > >ObCrypto: Scrambling TV signals sometimes makes use of >encryption, so perhaps a brief discussion of how this is done >could be tolerated. > >If you are talking about recovering signals from completely >encrypted digital MPEG-2 streams, such as those used by the DBS >folks, you are probably out of luck. The relevant processing in >the decoder exists on a small card which has so far resisted >attempts at reverse engineering. > The DSS smart card has been reverse-engineered for at least six months now and pirate devices are in the market. The encryption used on those systems is good but it does not stand up to a well financed attack. In the European version of the system, the encryption routines were using a hashing function. The input packet also carried the authorisation data so it was using this as an input packet. The DSS routine is probably based on a similar hashing routine. >There are a variety of techniques for scrambling audio. The most >expensive is to DES encrypt the sound and place it in the >horizontal blanking interval. The regular sound channel can then >be used for advertising. This requires a bit of processing at >both ends, and is generally used for satellite to ground >transmission of cable signals. The other common method is to >modulate the sound on a subcarrier, usually the one transmitted >in phase with the missing sync. > Using DES to encrypt the audio on the fly is an old technique and was used in the VideoCipher II system. Most of the more recent systems use a PRNBSG EXORed with the digital audio data stream. >Of course, once television transmission goes completely digital, >and strong encryption is used on both audio and video, the >opportunity for such simple attacks will vanish. > The problem of piracy will still exist on digital systems. The DSS system is a completely digital system and it too is hacked. Admittedly some of the elements of security in the DSS are good, most can be rendered void by hackers. The problem for DSS is that the smart card they used is not secure enough. It was a Motorola 6805 type. What appears to be the pattern with the hacks on more recent smart card systems is an inversion of the original pattern on the simple analogue systems. The original pattern was that some hobbyists would figure out how to hack the system and then the hack would be commercialised. With the smart card hacks - the pattern is inverted so that it becomes a trickle down pattern. The professional hackers reverse and emulate the smart card and then the code is sometimes hacked from the emulator card and then distributed among hobbyists. The most dangerous thing in all this is that the smart cards that have been hacked in Pay TV systems throughout the world are also used in other applications. The expertise and the knowledge of reversing smart cards is now more common in the Pay TV piracy business. There is always the possibility that these skills could be applied elsewhere. Regards...jmcc ******************************************** John McCormac * Hack Watch News jmcc at hackwatch.com * 22 Viewmount, Voice&Fax: +353-51-73640 * Waterford, BBS: +353-51-50143 * Ireland ******************************************** -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6 mQCNAzAYPNsAAAEEAPGTHaNyitUTNAwF8BU6mF5PcbLQXdeuHf3xT6UOL+/Od+z+ ZOCAx8Ka9LJBjuQYw8hlqvTV5kceLlrP2HPqmk7YPOw1fQWlpTJof+ZMCxEVd1Qz TRet2vS/kiRQRYvKOaxoJhqIzUr1g3ovBnIdpKeo4KKULz9XKuxCgZsuLKkVAAUX tCJKb2huIE1jQ29ybWFjIDxqbWNjQGhhY2t3YXRjaC5jb20+tBJqbWNjQGhhY2t3 YXRjaC5jb20= =sTfy -----END PGP PUBLIC KEY BLOCK----- From frissell at panix.com Sat Mar 30 01:16:10 1996 From: frissell at panix.com (Duncan Frissell) Date: Sat, 30 Mar 1996 17:16:10 +0800 Subject: Account ID Controls Message-ID: <2.2.32.19960329200538.00759bf0@panix.com> -----BEGIN PGP SIGNED MESSAGE----- We are informed that the primary method of social control in the future will be account access control. Bank account, credit account, phone account, internet account, all of these accounts are supposed (or proposed) to be restricted to True Persons (or other entities reliably linked to True Persons). The Powers That Be will then be able to track Bad Guys via their account activity and use denial of service as a punishment. Of course, these controls will only work if the accounts are not anonymous. Which leads us to the ads recently appearing in the New York Daily News. Electronics Communications Corp (800) NYNEX 31 offers a no credit check cellular phone. You call them up, supply name, address and phone number and they overnight you a phone C.O.D. for $243.56. This includes one hour of talk time. The ongoing cost is $24.99/month and $36.00/hour (60 cents a minute) for airtime (payable in advance). You own the phone and your service contract is renewed on a month-to-month basis as you pay the bill. I wonder if they will ship to accomodation addesses? If the authorities can't keep cellphone service out of the hands of the unidentified anonymous hordes, it's hard to believe that they will be able to keep any other kind account out of those hands. DCF "When phones are outlawed, only the outlaws will have phones." -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMVxA4oVO4r4sgSPhAQEo2gQAo/1Is0hIMeQtRLii3rzl+s5+ZDPRbhSa m1Zjk/kuaNdhzLej0r671AsWov131KMCcRvEM9QlxuLJnYWDiwXpEnaY3/terI+B 4H+s7T5uxzjnKyGVthOqW+bDSt2yur61j9BJULUiQJKNO/PiSHAXaqqkA5HxgFpq 875rXZMEEbk= =/DJs -----END PGP SIGNATURE----- From jimbell at pacifier.com Sat Mar 30 01:19:28 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 30 Mar 1996 17:19:28 +0800 Subject: New crypto bill to be introduced Message-ID: At 08:35 AM 3/29/96 -0500, Declan B. McCullagh wrote: >Two observations: > >* Jim Bell would be unduly suspicious if _anyone_ introduced a crypto >bill in Congress. I'm not surprised that here on conspiracypunks someone >would be raising alarums without knowing what they're talking about. It's not that I'm suspicious of the wording of this new bill; I haven't even seen it yet. What is a bit suspicious is its timing. Let's see, where do I begin? When the Leahy bill was first discussed around here, there were claims (which, arguably, might be true) that this bill "couldn't be passed" without the negative portions of the bill (key escrow commentary; criminalization of encryption use, etc.) More recently, it was claimed that the Leahy bill was dead, and couldn't be revived by the end of the session due to lack of time. I don't necessarily challenge these claim; but I note them and I also note that this new bill is going to run into the same kind of time restraints as the Leahy bill would have, even more so. Even worse, this new bill will split off support from Leahy, meaning that (everything else being equal) it is hard to imagine how this new bill (even if it is everything we want, and nothing we don't want) will get passed. Maybe that's the idea: As Tim May pointed out, at this time maybe no bill is better than any bill. And maybe what is needed is a bill to siphon support away from Leahy, to ensure it's dead, which I presume this new bill will do quite well even if it's never voted on. If that's the case, this new bill may be a "conspiracy," but it might be a conspiracy that I can actually sympathize with and support, even like. Nevertheless so, I would at least like to look that gift horse in the mouth, and understand the motivations of the people proposing this new bill. >* Jim Bell says we're "overdoing it on this 'List of Shame' thing." Not >at all -- we're proud to be on it! And you, Jim Bell, are one of my >primary suspects for authorship. That is a silly conclusion. The primary reason for anonymity with such postings is to avoid controversy being associated with one's name. I, as anyone who's read my writing can attest, not only do not try to avoid controversy, but in fact appear to seek it out, perhaps even to revel in it. Having taking a strongly anti-Leahy position before this anonymous poster first appeared, it would be pointless for me to add my commentary in anonymous form to that which I've already posted under my own name. Furthermore, I've pointed out that there is no reason to exclude the possibility that this anonymous poster isn't deliberately going too far, mixing "deserving" names in with undeserving ones, in order to discredit those people who are criticizing the supporters of the Leahy bill. I can't say this for certain, because there were a number of names on this "list of shame" whose positions on Leahy I haven't even seen. Nevertheless, propaganda techniques are sophisticated, and I do notice a suspicious number of people who appeared to want to "stand up for those people" rather than standing up for the positions they took. (Whatever they were.) The implication is that the people who oppose this "list of shame" are doing so primarily for PERSONALITY reasons, rather than on the issues. I would feel better about the whole thing if the people who volunteered for the list had engaged in some sort of serious effort to show that the placement of the other people on that list was unjustified. Lacking even the most rudimentary effort along these lines, I really wonder who (and what) these people think they're supporting. Jim Bell jimbell at pacifier.com From merriman at arn.net Sat Mar 30 01:27:14 1996 From: merriman at arn.net (David K. Merriman) Date: Sat, 30 Mar 1996 17:27:14 +0800 Subject: java security Message-ID: <2.2.32.19960329165034.00693330@arn.net> -----BEGIN PGP SIGNED MESSAGE----- At 08:44 PM 03/29/96 -0700, rollo at artvark.com (Rollo Silver) wrote: >I'd like to hear from coderpunks/cypherpunks having ideas about how to >break it, especially if you don't have the time/energy to pursue the idea >to fruition yourself. I wonder if it's possible to _subvert_ Java. That is, have site "A" send along some modifications to a Java class, so that when the user logs into site "B" (which calls that class), Nasty Things Happen. What site "A" does raises no alarm flags _until_ site "B" trips the trigger - making it look like site "B" is the Bad Guy. (WARNING! CDA Violation!) Hell, you might even be able to spread the modifications around some, so that it's even less obvious where they were done. Maybe even use the technique to modify Java itself, thus disabling security controls. Dave Merriman -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMVv4Y8VrTvyYOzAZAQEt3wP+JBpJtTLoBLuMSqWpl6b8qSsIiIVXi6fh 9JiK9xfOEptPljW1Ca/KhHNmX8wHpUyR8U8vU4XZKraAAqcGiPlHO4ojuaJfa87I LgkKGuSlsmaA7VSIZc7NkjH87B+IRhMgk5IkAE15StGyDAh9ugEm1e8X0PZjcDV0 HgokmdQMppA= =XHYT -----END PGP SIGNATURE----- ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From unicorn at schloss.li Sat Mar 30 01:42:20 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 30 Mar 1996 17:42:20 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: Message-ID: On Fri, 29 Mar 1996, jim bell wrote: > At 05:49 AM 3/29/96 -0500, Black Unicorn wrote: > >On Thu, 28 Mar 1996, jim bell wrote: > > > >> Escrowing encrypted keys makes them useless to subpoena, and in > >> fact it helps the key owner because the escrow agent can (and, in fact, > >> must!) be obligated to inform the key owner if his key is requested. > > > >I thought I would take the time to let everyone know that this is > >baseless as well. Most jurisdictions forbid third parties to reveal > >prosecution inquries to the principal for which they are holding > >documents or other information. A VERY few have laws on the books that > >require this disclosure. Switzerland is no longer one of them. > > As usual, Unicorn is FOS. Not entirely in his facts, but in his > conclusions. To "forbit third parties to reveal prosecution inquiries" is > an obvious violation of freedom of speech, and in fact is PRIOR RESTRAINT. > Maybe Unicorn can't see what's wrong with that, but I can. It is unclear > whether this has ever been tested in court, or whether that test occurred > recently. (Snore) How many cases do you want me to cite that hold that the disclosure of an inquiry with the intent of evasion is conspiracy and entails criminal charges? Do you honestly think you can evade prosecution for suborning the destruction of material evidence in a criminal trial? Please. > Furthermore, the development of good encryption will allow a willing ISP > (for example) to send an encrypted (and possibly semi-anonymous) message to > the target of the investigation (or possibly a public USENET area, > unaddressed), containing a pre-arranged alarm code to be sent to the target > of the investigation, in such a way that any other people (for example, the > brainless cops) won't know. The target will be assured (though encryption > and signing, or prior arrangement) that the message could only have > originated from the contractor (ISP) but the target (and nobody else, as > well) will not be able to prove this knowledge to a third party. > > For example, if I ask my ISP to send me an anonymous, encrypted message with > the word, "Rosebud" in it to me if he receives any requests to tap my > connection, he can do so with no fear of being discovered, because no third > party can decrypt the message, know who is is from, or know the real meaning > of the word, "Rosebud" in the context of an encrypted, anonymized message. > Further, since the whole thing is by pre-arrangement, even I cannot prove > (to the satisfaction of a third party) that the message really meant what I > would interpret it to mean. The message is useful to me, as a warning, but > it could never turn around and "bite" the ISP. Unfortunately, by the time (in the case of domestic investigations, and foreign investigations in more compliant jurisdictions) it gets to the point where authorities are checking about, they will have walked into the ISP and personally requested the information with subpoena in hand. Perhaps the ISP with the nerve to destroy material evidence in the presence of law enforcement exists, but I sincerely doubt this ISP will escape serious prosecution for doing it. At the very least the employees of the ISP will have knowledge of this practice. Unless it's a single person run ISP, I doubt you're going to be able to keep everyone from testifying. What you propose is a crime in the United States, and in many foreign jurisdictions. > The end result is that your foolish opinion of what the law allows will > simply become irrelevant: The government cannot mandate what it cannot > enforce, and it cannot enforce what it cannot detect. I have often noted that the best defense is the lack of detection in the first place. Unfortunately this is the oft denounced "security through obscurity." Look, I know it's fun to imagine you can thwart the authorities with impunity within the United States. Unfortunately it is a fantasy. The system you propose requires someone to be present in the ISP 24 hours a day. It requires some method of getting word to the operator who will trigger the alarm both that an investigation is looming, and who it entails. It requires someone to talk to the authorities and stall them while the message is sent. It requires you to be sitting at the screen when the message is received (perhaps this isn't a problem for Mr. Bell), or to get home before the law enforcement officials get a 2 hour warrant and open your door. > You may ask, "Why would the operator of a small ISP want to take even a > minor risk informing the target of the investigation?" There are a number > of obvious answers: > > 1. He's promised his customer to do so. >Snort< > 2. It's in the contract. >Laugh< What happened to no evidence that the ISP informed you of an investigation? > 3. And the ever-popular, "He's afraid of getting killed, or his ISP > business torched, if word later leaks out that he failed to inform his > customer of an investigation." >Chortle< Don't underestimate the significance of such > a risk to those people. Destruction of even a full phone switch would not > have fazed ATT in the 1960's, but a small ISP depends on valuable equipment > at (presumably) a single location. Getting a person mad at them for failing > to anonymously inform them of an inquiry would NOT be the best tactic for > these small-time operators. Your last resort in all of your arguments seems to be murder, extortion, the threat of bodily harm, arson or assault, or destruction of private property. > >Even if a judge was convinced by the defense not to levy heavy fines > >against a third party who pleaded that he or she was simply unable to > >comply, informing the principal would literally assure such fines would > >be imposed regardless. > > Again, you assume that informing "the principal" would be detectable. Your > wishful thinking is palpable. No. I speak from experience when I say that "proof" of complicity is rarely a requirement. The judge need only suspect wrong doing. It's easy to levy contempt fines, and very hard to overturn them. The standard in most jurisdictions is "clearly erronious." Tough stuff. > I really wish you'd be able to distinguish > what "the law" could do, given limitless knowledge of the actions of the > population, and the REAL WORLD, in which those judges and prosecutors and > cops are limited in what they can do by what they can know. This is > critical, because we are rapidly approaching a time in which what these > people know will be dramatically limited by many of the technologies > regularly discussed on Cypherpunks. Unfortunately, fines and penalities are imposed every day based on assumptions by the trier of fact. Go watch a major court case some time. > >Criminal charges of obstruction could easily attach. > > Bullets could easily fly. And will. I've seen this happen. Trustee refuses to produce documents, court imposes compelled discovery, documents burn or are lost or have been stolen, trustee (who can be assigned no direct evidence of complicity) is fined heftily. A case I was not personally involved in saw the judge jail the trustee for 4 months. Attorneys are likely to lose their licenses, same with trustees. > You repeatedly state what might, hypothetically, happen, but you don't back > it up with a realistic assessment of what actually would _likely_ happen. See above. Happened. Been there. Seen that. > > Obstruction in connection with narcotics cases or other major > >felonies are generally extraditable offenses as well. > > Someday, obstruction of the Constitution by government agents will be a > death-penalty crime. Yadda yadda yadda. > >Once again Mr. Bell pulls legal analysis out of his rectum rather than > >basing it in fact or research. > > > >With Mr. Bell as a defense attorney, who needs prosecutors? > > If I intended to limit myself to the tools of the court room (that's the > enemy's playpen, BTW) I would probably be just as ineffective as the next > defense attorney. So again, we see Mr. Bell in his basic form. Violent offender. He will obtain by force that which he cannot argue into his hands. > I've frequently found that the question of who wins in any confrontation is > strongly affected by whether I allow myself to be lured into the home > territory of the other. This is actually more a psychological battle than a > physical one. [large amounts of psycho-babble deleted] > This may sound unfair to people brainwashed to believe that the court system > is and should be the final arbiter, but I suggest that long ago they lost > whatever moral authority they once might have had. Every time you talk about > them fining or prosecuting some third party for not cooperating, you > demolish your own claims. What claims? > Jim Bell > jimbell at pacifier.com --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From asgaard at sos.sll.se Sat Mar 30 01:43:18 1996 From: asgaard at sos.sll.se (Asgaard) Date: Sat, 30 Mar 1996 17:43:18 +0800 Subject: Blind signatures In-Reply-To: <199603290709.IAA28320@slld01.SLL.SE> Message-ID: Perry said: > "How does blinding work" ... > are fine things to talk about but Yeah, how does it really work? Could you explain it in 'kitchen modular arithmetics' to us groupies? Asgaard From drose at AZStarNet.com Sat Mar 30 01:43:47 1996 From: drose at AZStarNet.com (drose at AZStarNet.com) Date: Sat, 30 Mar 1996 17:43:47 +0800 Subject: Foreign language brouhaha Message-ID: <199603300058.RAA10019@web.azstarnet.com> As is par for the course, Tim May's comments are apposite and on the mark. As for the fellow whose neighbor was blasting "Yoruba 'music'", he certainly has my sympathy, but amazingly, he seems to feel that that this is something that we should all put up with/enjoy to encourage diversity. Perhaps it's time to revive that "racist" "thang" called decent people and their sensibilities. From teddygee at visi.net Sat Mar 30 01:45:56 1996 From: teddygee at visi.net (Ted Garrett) Date: Sat, 30 Mar 1996 17:45:56 +0800 Subject: Anonymous Cpunk Bashing Message-ID: <2.2.32.19960330062934.006c422c@mail.visi.net> -----BEGIN PGP SIGNED MESSAGE----- At 01:06 PM 3/29/96 -0800, you wrote: >The implication is that the people who oppose this "list of shame" are doing >so primarily for PERSONALITY reasons, rather than on the issues. I would >feel better about the whole thing if the people who volunteered for the list >had engaged in some sort of serious effort to show that the placement of the >other people on that list was unjustified. Lacking even the most >rudimentary effort along these lines, I really wonder who (and what) these >people think they're supporting. I think that sometimes, one's cumulative reputation must count for something. Most of the people who are included in this 'list of shame' have contributed enormously to the furtherance of the crypto field in general. Whether I conscribe to their viewpoints or not on a given subject, it is rather easy for me to think of something they have written which I use as a rather concrete reference. Thusly, given a track record of open and noteworthy thought on the field, I find it difficult to denounce, as an example, Bruce Schneier. Especially IF it's only a matter of sharing a difference of opinion on a given bill or set of bills before our lawmakers. Considering the fact that I've not seen Mr. Schneier come out on either side of the Leahy Bill or, for that matter, many of the other bills currently before the congress, it's hard for me to support mail-bombing him or many of the others on the list. I think that the anonymous poster is behaving in a manner which I find reprehensible in calling for such measures. Therefore I simply ignore most of the postings which match the pattern of the List Of Shame. Have I researched what statements or postings could have brought about the addition in the beginning? Nope. And since Mr/Ms Anonymous has chosen not to cite any particular references, I'm not inclined to follow his/her lead. To follow the example of several hundred thousand lemmings is not often gauged as a wise thing. Provide me a REASON to believe there has been a treachery perpetrated, and perhaps that cliff won't look quite so high. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMVzUm81+l8EKBK5FAQGR9wf+PU0tN4tvfWcEXTfSBYISSKeVcxzv+rPH WgmQy2LL8UBnR1lgPgZByf9obHsXA4ocXlbzYe/8Pke7TO61WFarXDR7t6GiCFDI GM4fH8PV/iYVXTUl3oX5aUdh0mQ29t0+0wI2Jp7D1hL2fCeWR8YF7LTTluSL7mc3 SQtirVB7PC+QyquYhx8hyqIlvnIRolqc+NwqhapF9f4u8UzK3oTvWKf/6cHNijRx Nn3rU/T9WGV0N7lN9s4+yyvsR1wo+cZET3cs6SSbaEhm9PIM7NMHMP1kvxewC64Z msy48RMvCmtvT3A9ovXbFT5lunQiGBoySXj9l9rUDC75j0oX3gJWnA== =it9D -----END PGP SIGNATURE----- --------------------------------------------------------------------------------------------------------- Ted Garrett http://www.visi.net/~teddygee "Those who desire to give up Freedom in order to gain Security will not have, nor do they deserve, either one." Thomas Jefferson From mpd at netcom.com Sat Mar 30 02:31:57 1996 From: mpd at netcom.com (Mike Duvos) Date: Sat, 30 Mar 1996 18:31:57 +0800 Subject: PGP Crack??? In-Reply-To: <2.2.16.19960330050617.3fdf7540@tiac.net> Message-ID: <199603300650.WAA06087@netcom15.netcom.com> > This just appeared in alt.security.pgp. Is there anything > to it? I'm dubious. Gee - Is it April 1st again? Time to troll the newbies in all my favorite newsgroups. On a more serious note, does anyone know what is happening with Arjen Lenstra and RSA-130? Last I heard back in late December, FAFNER, the magic WWW sieving dragon, had collected more than enough relations from participants to yield a factorization. Surely they have not spent an additional four months crunching the big boolean matrix at CWI. This is an important experiment, since it will yield a robust estimate of the time required to break 512 bit PGP keys using the best available factoring software. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From accessnt at ozemail.com.au Sat Mar 30 02:34:41 1996 From: accessnt at ozemail.com.au (Mark Neely) Date: Sat, 30 Mar 1996 18:34:41 +0800 Subject: What backs up digital money? Message-ID: <199603300000.KAA12656@oznet02.ozemail.com.au> >I would say >that gold and diamonds do have intrinsic value, based on their beauty >and the desire of people to own them. Well, doesn't this beg the question - the "desire" by people to own them is not as a result of advertising, but the fact that society has long fixed them as standard units of "currency". If all those centuries ago marble was decided upon as a central unit of currency, we'd all be killing ourselves to get some, not because of any aestetic beauty. Mark ___ Mark Neely - accessnt at ozemail.com.au Lawyer, Internet Consultant, Professional Cynic Author: Australian Beginner's Guide to the Internet Work-in-Progress: Australian Business Guide to the Internet WWW: http://www.ozemail.com.au/~accessnt From tomw at netscape.com Sat Mar 30 03:08:01 1996 From: tomw at netscape.com (Tom Weinstein) Date: Sat, 30 Mar 1996 19:08:01 +0800 Subject: Netscape 2.01 fixes server vulnerabilities by breaking the client... In-Reply-To: Message-ID: <315C8FCB.2781@netscape.com> Rich Graves wrote: > > Now I suppose they'll want me to fix all the pages where I do a finger > with a gopher://host:79/0user Any chance this nonfix can be unfixed? > > This nonfix was applied to the UNIX and Win32 versions; I haven't > checked the other platforms. It may be unpleasant, but it's a fact that there was a real security hole here. There is a well known buffer overrun bug in finger that a lot of people inside firewalls haven't fixed. Using gopher: URLs in IMG tags it was possible to do nasty things. We tried to err on the side of permissivity, but finger was one port we just couldn't allow. Yes, it sucks. So does someone reaching through your firewall and running commands as root. -- Sure we spend a lot of money, but that doesn't mean | Tom Weinstein we *do* anything. -- Washington DC motto | tomw at netscape.com From pgut001 at cs.auckland.ac.nz Sat Mar 30 03:11:04 1996 From: pgut001 at cs.auckland.ac.nz (pgut001 at cs.auckland.ac.nz) Date: Sat, 30 Mar 1996 19:11:04 +0800 Subject: trouble with idea.c from cryptl99.zip Message-ID: <199603300350.PAA14507@cs26.cs.auckland.ac.nz> Tall men in dark suits made Jack Mott write: >Hey, I downloaded the crypto lib 'cryptl99.zip' from one of the crypto web >sites, I got IDEA.C to compile, but it doesn't seem to encrypt. > >[...] > memcpy(YY, XX, 8); > for (l = 0; l < BLOCKS; l++) > ideaCipher(YY, YY, EK); /* repeated encryption */ > memcpy(ZZ, YY, 8); > for (l = 0; l < BLOCKS; l++) > ideaCipher(ZZ, ZZ, DK); /* repeated decryption */ Arrgghh!!! That defeats the whole purpose of the library, which is to provide a standard interface to many different algorithms. If you use the routine the way it's meant to be used (via initCryptContext(), etc) it'll work fine. BTW the reason it isn't encrypting is that by the looks of it you're not calling the IDEA key schedule code. Peter. From unicorn at schloss.li Sat Mar 30 03:12:31 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 30 Mar 1996 19:12:31 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: Message-ID: On Fri, 29 Mar 1996, jim bell wrote: > At 04:54 PM 3/29/96 -0500, Black Unicorn wrote: > >On Fri, 29 Mar 1996, jim bell wrote: > > > >(Snore) How many cases do you want me to cite that hold that the > >disclosure of an inquiry with the intent of evasion is conspiracy and > >entails criminal charges? > > You _do_ have an odd way with words. "entails" criminal charges? Hey, they > can charge ANYBODY with ANYTHING, but that doesn't mean that a crime has > actually been committed. Further, it isn't clear that anybody is obligated > to respond to a subpoena without the possibility of a court challenge, and > your fantasy about the cops showing up and trying to strongarm the ISP is > laughable at best. Ok, forget "entails" try "is a crime." As for strong arming, ever see a search warrant served at a law firm or a trust company, or a bank? > > >Do you honestly think you can evade prosecution for suborning the > >destruction of material evidence in a criminal trial? > > Who said anything about "destruction of material evidence"? Refusing to > hand over information until AFTER a court has properly responded to a > challenge to a subpoena is old hat to newspapers, TV stations, and other > media-organizations who are occasioinally served with a subpoena. The ISP > need merely say, I'm challenging this subpoena in court, go away > motherfuckers! ISP prepares a challenge, "CC's" ALL the affected > individuals, (including the person whose information is desired!), and the > validity of the subpoena is tested. What you miss are provisions for the preservation of evidence called for in the order during the hearing process. The fact that you can fight a subpoena has no bearing what-so-ever on the fact that its a crime to destroy the evidence until the court rules that its non-material or otherwise quashes the subpoena. I grow tired of being the source of your continuing legal education. > My feelings exactly. Please stop acting like a government suck-up all the > time. Maybe you're paid to do it, but unless you're a plant, you're on your > free time now. Anyone who knows me knows I spend all my days end arounding the U.S. government. The reason you can't see that is because I don't threaten to murder officials, but choose the intellectual detour around the myopic laws instead. I realize that, lacking the facilities to pursue the latter, you must resort to the former. > >Unfortunately, by the time (in the case of domestic investigations, and > >foreign investigations in more compliant jurisdictions) it gets to the > >point where authorities are checking about, they will have walked into > >the ISP and personally requested the information with subpoena in hand. > > Again, you blindly assume that the subpoena can't be challenged in court. > It can be. See above. Has no bearing on the willful destruction of evidence. > > >Perhaps the ISP with the nerve to destroy material evidence in the > >presence of law enforcement exists, > > You keep inventing these phony scenarios, building up these straw men and > knocking them down. Clearly, your underlying argument is quite weak. I > said nothing about "destroying evidence." What is the function of your elusive super-secret "rosebud" warning then? To tell the account holder to get a cup of coffee and call the prosecutor to arrange for the delivery of the sought information? > In fact, the ISP could simply > encrypt everything with the target's public key, and keep it. That's not > "destroying evidence," that's locking it away in such a way so that nobody > except the target can unlock it. Subjecting the target to compelled discovery orders $50,000+/day fines, contempt charges, and incarceration for non-compliance. This, by the way, regardless of the "incriminating" nature of the evidence. Fines are not going to be refunded if the data/evidence is later proved immaterial. > Ideally, this would be done automatically > every time a person calls his ISP, although the software to do this probably > doesn't exist yet. The result would be that whenever the target was NOT > connected to the ISP, there would be no information on the ISP's system that > could be decrypted by the ISP operator. Again, this still subjects the account holder to fines etc. God help him if he can't produce the desired information. He's likely to spend quite a long time in jail until the judge is convinced that he's telling the truth when he says "I threw away the key." > This would be one of those inventive future uses of encryption, well beyond > plain vanilla PGP, which we must assure ourselves will be developed. The > kind of thing you dread, obviously. I don't dread it at all. I simply recognize the limited protection it affords the evidence concealer. > > >but I sincerely doubt this ISP will > >escape serious prosecution for doing it. > > I sincerely doubt Unicorn will ever stop being a government suck-up. I certainly won't endorse moronic schemes that are so out of touch with practical and legal reality so as to be laughable. I will certainly not keep quiet when I see, yet another, misleading out-of-rectum-pulled plan to evade all liability in the most pervasive and coercive jurisdiction in the world. Word to the wise reader: If you're considering asset / informational protection from discovery or attachement, by all means consult a professional. Mr. Bell's disinformation and illusions are dangerous in the extreme. > > At the very least the employees > >of the ISP will have knowledge of this practice. Unless it's a single > >person run ISP, I doubt you're going to be able to keep everyone from > >testifying. What you propose is a crime in the United States, and in > >many foreign jurisdictions. > > If an ISP's system automatically encrypts all received message's with the > destination's public key when received, and doesn't keep an unencrypted copy > around, showing up at that ISP's location with a warrant will result in ZERO > (ZIP, ZILCH, NEGATORI, etc) information that can be delivered, unencrypted, > to the cops. The what's the purpose of your secret-super-duper "rosebud" warning? In the absence of evidence/information availability to law enforcement at the ISP, the account holder will be directly accountable. Is this a better solution? You've now changed the structure of your "protection" scheme four times to duck my criticisms. This was the same with your inventive but impractical nuclear detonation scheme, and your kill-the-pigs "dead pool" scheme. > >> The end result is that your foolish opinion of what the law allows will > >> simply become irrelevant: The government cannot mandate what it cannot > >> enforce, and it cannot enforce what it cannot detect. > > > >I have often noted that the best defense is the lack of detection in the > >first place. > > No, an even better defense is to make it absolutely impossible, as a matter > of business practice, to assist the police with any kind of an > investigation. On the part of the ISP, this is possible. A secret "rosebud" tipoff is not the way to do it. Your constant encryption option is a bit better, but still subjects the account holder to an investigation where the ISP is compelled to cooperate with the authorities in secret and intercept or record the computing session in real time. Your fourth scheme is thus reliant on the trust-worthiness of the ISP, which I have indicated, and you have acknowledged by your constant ranting about the abuses of the justice system, is dubious at best. > Before you go off and shoot your mouth off about how evil > and bad that is, you need to remember that regular destruction of records is > an acceptable practice in any company today. Unfortunately, records can only be completely destroyed in a pre-emptive way when they are of no use any longer. This, again, ignores the possibility of real-time investigation or informers. While courts will look askance > at it when it does not appear to be a regular business practice (say, the > company gets sued today and they have a mass shredding tomorrow) there is > nothing wrong about regularly making past records unavailable by shredding, > burning, erasing, or by any other method. Once suit is filed there is. > Making those records SELECTIVELY unavailable by encrypting them with > somebody else's public key and keeping them has probably never been tested > in court, but if the business contracts this ISP regularly signs have this > as a provision of doing business, the court can't squawk after the fact. No, instead, knowing of this provision, any plaintiff or prosecutor will apply for a TRO to preserve evidence before ever filing for a warrant. Review: Fines and contempt that can be leveled for non compliance on third parties. > After all, the ISP might have simply erased the files, keeping them from > being accessed by ANYBODY, including their "owner." This argument will go over real well in court. > > Unfortunately this is the oft denounced "security through > >obscurity." Look, I know it's fun to imagine you can thwart the > >authorities with impunity within the United States. > > Hey, you can FREQUENTLY "thwart the authorities." If I have evidence of a > crime in my house, the cops can't come in unless they have a warrant. Uh, not precisely so. Lots of circumstances exist where your home can be searched without a search warrant. Search of premises incident to a lawful arrest is just one of them. > If I > know they're coming, and can destroy it untraceably, I WIN! See, that's how > freedom works! It's nearly the exact opposite of "the government can do > anything it wants, any time it wants, and anybody who frustrates them is a > criminal!" Yadda yadda yadda. > Naturally, you won't like this. I don't like it because it's not a solution, because it's not novel, and because courts, law enforcement, prosecutors and private litigants have thought of it already and created provisions to prevent it. > >Unfortunately it is > >a fantasy. The system you propose requires someone to be present in the > >ISP 24 hours a day. [description of problems with Mr. Bell's scheme removed] > Yet another one of your multiple problems is that you have no imagination > when it comes to "thwarting the authorities." I do. Don't try to tell me > what can't be done, because I'll turn around and tell you how it CAN be > done! I just did. The actual implementation waits for some slick coder to > do it, but I give you 5 years, tops, before it's in regular usage. And > that's assuming they're all a bunch of lazy bastards. You told me nothing. You hedged, changed your scheme, altered the portions I attacked and revered to a previous scheme I had already decimated. And you made several legal analysis errors, as usual, in the process. > >Your last resort in all of your arguments seems to be murder, extortion, > >the threat of bodily harm, arson or assault, or destruction of private > >property. > > A list which seems to be the current modus operandi of most levels of > government in America, today. So you might as well murder a few people. Why not? > In any case, I think it's fair to hold an ISP to his word and contract. Contracts are void to the extent they are illegal. Obstruction is illegal. Destruction of material evidence to a crime is illegal. Conspiracy to obstruct justice is illegal. > If > the "normal" referee to such contracts (the court system) becomes biased > because it begins to be an interested party to the en- "CUT!" Yadda yadda yadda. > >No. I speak from experience when I say that "proof" of complicity is > >rarely a requirement. The judge need only suspect wrong doing. It's > >easy to levy contempt fines, and very hard to overturn them. > > It's easy to kill, and hard to resurrect the dead. > > >The > >standard in most jurisdictions is "clearly erronious." Tough stuff. > > Yes, I'd say you're "clearly erronious." > > If you can repeatedly describe, in nominally accurate terms, how abusive the > government has become and NOT oppose its actions with every fiber in your > being, then YOU have made yourself part of the problem. Who said I didn't oppose it? I just don't kill people, or call for their death (other than by suicide) to accomplish my goals. > >Unfortunately, fines and penalities are imposed every day based on > >assumptions by the trier of fact. Go watch a major court case some time. > > You still haven't given me specific examples. My note contains many. Consider a pair: Unites States v. Bank of Nova Scotia, 740 F.2d 817, 832 (11th Cir. 1984), cert. denied, 469 U.S. 1106 (1985)(upholding $25,000/day fine totaling $1,750,000 for failing produce documents located in the Cayman Islands under grand jury subpoena duces tecum; Marc Rich & Co., A.G. v. United States, 707 F.2d 663, 670 (2d Cir.), cert. denied, 463 U.S. 1215 (1983)($50,000/day against Swiss corporation for noncompliance with subpoena duces tecum demanding documents located in Switzerland). In both cases the documents were not shown to be material evidence when the fines were imposed and the judge was merely assuming they would be incriminating. I don't name specific cases I have been involved in without client waiver, but I have myself seen larger fines for less in white collar crime cases. > >> Bullets could easily fly. > > > >And will. I've seen this happen. Trustee refuses to produce documents, > >court imposes compelled discovery, documents burn or are lost or have been > >stolen, trustee (who can be assigned no direct evidence of complicity) is > >fined heftily. A case I was not personally involved in saw the judge > >jail the trustee for 4 months. > > That's not what I'm referring to. Judges are mortal. Yadda yadda yadda. > Remember that prosecutor who died in Boston a few months ago? You > know, the one who made the national news? I'm still waiting to see how > that one came out, but I suspect they will never be able to prove who > did it, and may not even be able to find out. Parties who believe Mr. Bell might have been responsible are invited to call the Boston Police and provide an anonymous tip. > >> >With Mr. Bell as a defense attorney, who needs prosecutors? > >> > >> If I intended to limit myself to the tools of the court room (that's the > >> enemy's playpen, BTW) I would probably be just as ineffective as the next > >> defense attorney. > > > >So again, we see Mr. Bell in his basic form. Violent offender. He will > >obtain by force that which he cannot argue into his hands. > > Except that in a court room, the decision maker is PAID by a party to the > case, the government. That sounds like a classic conflict of interest > to me. Yadda yadda yadda. > Jim Bell > jimbell at pacifier.com --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From Casper.Dik at Holland.Sun.COM Sat Mar 30 03:14:47 1996 From: Casper.Dik at Holland.Sun.COM (Casper Dik - ENS Network Security - Network Security Engineer) Date: Sat, 30 Mar 1996 19:14:47 +0800 Subject: Sun patch pulled Message-ID: <199603290826.JAA01442@room101.Holland.Sun.COM> >>I noticed that Sun's latest libc patch (101759-04) is empty. Previous >>versions contained the complete U.S. version of libc, including the >>tres-dangerous DES and crypt functions. In the current rev only the >>README remains, presumably because: >> EXPORT INFORMATION: This patch includes code which performs >> cryptographic functions, which are subject to U.S. export >> control, and must not be exported outside the U.S. without >> prior approval of the U.S. government. Prior export approval >> must be obtained by the user of this patch. >The 101759-?? patch is missing from the Feb 1996 SunSolve Patches CD. However >if one pops in the November 1995 Patches CD there is a nice little copy of >the 101759-03 patch which also comes with the above warning and the DES >enabled libraries. The wide distribution of the DES enabled libc.so was a mistake, as it made DES code available world wide. Now it's no longer even available from our patchserver in the local office in the Netherlands. The "Doemstic" libc patch is only required for thsoe sites that have installed the "U.S. Encryption kit". If you can't get hold of the patch through official channels, it *is* possible to take the international version, take the DES modules from your U.S. Encyption kit and build a new libc.a and libc.so (the latter utilizing the files form /usr/lib/shlib.etc). It's a lot more work, but unfortunately Sun can't distribute the library the easy way. Casper From adam at lighthouse.homeport.org Sat Mar 30 03:15:18 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sat, 30 Mar 1996 19:15:18 +0800 Subject: Party! (Boston) Message-ID: <199603291529.KAA03136@homeport.org> Adam Shostack & Eric Hughes invite you to the third occaisonal Cypherpunks, Cypher-Anarchists, info-terrorists, smart-drug dealers, photoshop pornographers, e-money launderers, provocateurs, undercover agents and fellow travellers Post Computers, Freedom, and Privacy party Saturday, 8:00 PM 14 Central Terrace Newton MA 244 5243 Directions: BY CAR, FROM THE NORTH, SOUTH, or WEST: (West: Take Mass Pike/Rt 90 to exit 14, 128/95. Get off onto Rt 30 just before you would otherwise get on 128/95) Take Rt 128/95 to Exit 14, Rt 30 East, aka Commonwealth Avenue Take a right onto Lexington Street at the fourth light There will be a Mobil station on your left. There's a green sign pointing left labelled "Waltham 2". There's a green sign pointing right labelled "Auburndale Center". (If you pass a Star Market, you've passed it.) Go over the bridge At the end of the bridge, take a right onto Central Street. Take an immediate left onto Central Terrace BY CAR, FROM THE EAST: Take Commonwealth Avenue / Rt 30 West Left onto Lexington Street at Auburndale, just after the Gulf station. (If you see the Mariott Hotel, you've gone too far.) Go over the bridge At the end of the bridge, take a right onto Central Street. Take an immediate left onto Central Terrace PUBLIC TRANSPORTATION MBTA or Bus to Riverside Station (End of the D Line) Call us to be picked up, or... Exit the station onto Grove Street and take a left Staying on Grove Street, walk for about three quarters of a mile Central Terrace will be on your left If you get to the bridge, go left onto Central Street before the bridge and your next left will be the other side of Central Terrace Commuter Rail to Auburndale Station (Worcester Line) Cross one of the the bridges over the Pike. If you are at a traffic light, go right and then left onto Central Terrace. If you are not at a light and could go straight onto Woodland Road, take a left and Central Terrace will be your third right. From dlv at bwalk.dm.com Sat Mar 30 03:16:53 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sat, 30 Mar 1996 19:16:53 +0800 Subject: Reposted from Usenet: Freedom Knights Message-ID: <6Z8kLD20w165w@bwalk.dm.com> These two Usenet articles have little crypto relevance (one sentense that I put in). Still, those who believe in free speech should be interested. From: dave at jetcafe.org (Dave Hayes) Newsgroups: news.admin.censorship,news.admin.misc,news.admin.policy,news.admin.net-abuse.announce,alt.culture.usenet Subject: An Alternative Primer on Net Abuse, Free Speech, and Usenet Followup-To: news.admin.censorship Date: 28 Mar 1996 03:54:04 -0800 Organization: JetCafe - A Non-Profit Internet Service Provider Lines: 454 Sender: dave at kachina.jetcafe.org Approved: dave at jetcafe.org Distribution: world Expires: 27 Apr 96 04:53:59 Message-ID: Reply-To: freedom-knights at jetcafe.org (Freedom Knights of Usenet) NNTP-Posting-Host: kachina.jetcafe.org Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Summary: This posting clarifies and defines True Free Speech Keywords: FREEDOM, CENSORSHIP, NET-ABUSE, NET-COPS X-URL: http://www.jetcafe.org/~dave/usenet Posted-By: auto-faq 3.2.1.4 Archive-name: freedom-faq Revision: 1.6 Posting-Frequency: Posted once each month An alternative Primer on Net Abuse, Free Speech, and Usenet Dave Hayes dave at jetcafe.org ------------------------------ Subject: 0. Table of Contents 1. Introduction 1.1) What this document is 1.2) Prerequisites 2. Background 3. Basic Definitions 4. Basic Philosophies 4.1) Declaration of Free Speech 4.2) What is 'True Free Speech'? 4.3) What is 'net abuse'? 5. Frequently Debated Strawmen (aka Windmills) ------------------------------ Subject: 1. Introduction 1.1) What this document is This document represents an ongoing attempt to educate people about true freedom of speech among the emerging cyber-communities. There is a companion document to this, the USENET Site of Virtue FAQ, which should be read AFTER this document. 1.2) Prerequisites If you don't know what Usenet is, you're reading the wrong document! Go look in the newsgroup news.answers for appropriate introductory documents. There are many, and each has their own point of view. In order to understand the discussions here you should be familiar with USENET in general, and have a reasonable amount of experience posting and/or reading news. If these documents are not in news.answers or news.announce.newusers on your site, they can be had by anonymous ftp from rtfm.mit.edu in the directory /pub/usenet-by-hierarchy/news/announce/newusers. If you have a WWW browser, the following URLS should help you out: It helps to be familiar with news administration, how news works in general, and have kept up in some discussions on news.admin.*, but this is not totally mandatory for understanding this document. Finally, you should believe that no expression, however annoying, profit-oriented or counterproductive, should be prevented from being distributed. If you do not believe in this way, this document will only make you angry. (If that's what you want, then read it.) ------------------------------ Subject: 2. Background For a long time, I've been a loud advocate of free speech in most of the USENET related administration groups. I've participated in a few net.political actions to ensure the freedom of speech that we'd like to enjoy. For my efforts, I've been publically branded a loon, insane, idealistic, moronic, obnoxious, wacko, a kook, and other expletives which I'd rather not go into. Many times, I've repeated the same arguments over and over, all of which relate to this ultimate goal of absolute free speech. Well, after several years even a loon such as myself gets tired of repeating the same stuff over and over. It had been suggested that I write a FAQ of sorts on my ideas, and I felt the time was right, so here it is. Herein lies the heart of my arguments, and questions with answers about them. The companion document, the USENET Site of Virtue FAQ describes a new credo that willing USENET participants can actually adopt and use if they so desire. I implore you not to adopt -any- credo (even this one) or philosophy just because someone you see does so as well, for these credos only work for individuals who have personally and honestly decided that these are good ideas. Use your own judgement and take your power back from those who wish to steal it from you. ------------------------------ Subject: 3. Basic Definitions Here are some definitions which you'll find apply to things in this document, and most of my arguments. Beliefs - Networks of assumptions about the way things are. Ethics - Rules of conduct which appease and satisfy one's own true self. Directly opposed to Morals (see below) Lawful Speech - That speech which does not conflict with Morals Morals - Rules of conduct which appease and satisfy a governing, social, or communal entity. ------------------------------ Subject: 4. Basic Philosophies 4.1) Declaration of Free Speech We hold these Truths to be self-evident, that all Humans are created equal, that they are endowed by their creator with certain unalienable Rights, that among these are Unhindered Communications, Unregulated Exchange of Ideas, and Freedom of Speech, that to secure these rights the Usenet is instituted on networks of the world, that when any administration of Usenet becomes destructive to these ends, it is the Right of the People to alter or to abolish it and to institue new administration, laying its foundation on such Principles, and organizing its Powers in such Form, as to them shall seem most likely to effect their Free Communication. [With much thanks to the Declaration of Independence] 4.2) What is True Free Speech? True Free Speech is that speech which is hindered by nothing other than the speaking individual's own ethics (see definition above). Where True Free Speech exists, no external party may restrict someone else's speech, for any reason, period. Speech, in the above definition, does *not* restrict another's speech. It can't. It takes a person to *act* on that speech to restrict another's speech. That person, then, would be the responsible party. A news admin setting up a news server to act is one way to create the illusion of speech-restrictive speech. The litmus test for True Free Speech is speech that makes you -want- to silence another person. If that speech is not silencable by you (whether you want to or not), you have a state of True Free Speech. 4.3) What is net abuse? Any action that stops a properly configured transport system from performing its normal store and forward services. The key words are "properly configured". For that definition, you'll have to see the "Site of Virtue" FAQ. 4.4) What is Censorship? Censorship is the restriction of communicated ideas based on their expression style or their content. On Usenet, this is defined as reading or parsing anything but certain specific headers of a news article to determine whether or not to delete it from the news spool of a news server. By this criterion, the following RFC 1036 headers can NOT be interpreted in any way, in order to avoid censorship: Sender: From: Subject: NNTP-Posting-Host: Approved: Also, any invokation of the "Usenet Death Penalty" by aliasing a site out of one's feed is considered blatant censorship. Unless a clear newsfeed redundancy problem can be identified, such aliasing is considered censorship. ------------------------------ Subject: 5. Frequently Debated Strawmen (aka Windmills) This section contains the many frequently debated arguments (with "Dave Hayes" like answers) over free speech issues. If you find yourself embroiled in a debate with a control freak, the information below should help you out. If you find yourself embroiled in a debate with me, you might want to save time and read below. - Free speech is all well and good, but what is to prevent unreasonable users from committing "net-abuse"? The strawman here is that someone else is defining "net-abuse" quite differently than I do above. Any label of "net-abuse" is based on an arbitrary standard of conduct held by a person or group of people (even mine). There is nothing that says that this standard of conduct is the one true and right standard of conduct. People's standards vary. You, as a free person, have an unalienable right to a choice as to whether or not to adopt any standard of conduct. This is based on your ethics, not their morals. Thus, if someone labels you "unreasonable", that's not your problem...it's theirs. I'm not saying you should now go out and kill someone. I'm merely stressing the importance of ethics, internal codes of conduct which you will not violate (because -you- wrote them), in determining whether or not you did something wrong. - But there IS a general consensus on what net abuse is! Most news admins have adopted it. Don't let anyone fool you into believing that there some written consensus on or standard of net.abuse. There isn't, and if it claims to be, you can determine the invalidity of such a claim by observing just how many people argue about it. Without a consensus, it's quite arbitrary as to what people will claim abuse is. If someone has written up something, think about whether you agreed to abide by it or not before the fact when you are called to task on some violation. It is the root of dishonor to hold someone responsible to a code of conduct they didn't know about. Not only does this not work, but it's damn unfair. You may get localized consensi who decide to act not unlike the street gangs in LA or the legal gangs in American Federal Government, armed with scripts and authority, they attempt to bully people into submission into their way. This does not mean that there is a consensus. You can't expect 50,000 or more who come to a consensus on an issue this complex. Typically, the label of abuse is used as a wedge to stop someone from posting something that isn't liked, but this isn't always the case. Sometimes, people are genuinely trying to help things out. Such people should be reminded of the arbitrary nature of their standards, and of the wide variety of people on the net. - We can't allow free speech. What if something extremely damaging is posted? This strawman can easily be debunked by recognizing who is defining 'damage'. See above, as this is the same as saying something is "net-abuse". The true test of freedom of expression is when the advocates of True Free Speech are confronted with expression that they find they would like to silence. If this test is passed, the expression remains a thorn in their side. The thorn serves a great purpose as a reminder of the true freedom they have. If this test is failed, the entire philosophy of True Free Speech soon crumbles, and true freedom of expression becomes a bad thing in the eyes of the people who tried. "After all, people will abuse anything if given the chance", they'll say. We already have true freedom. We just keep agreeing to give it up. - But there really are damaging things that can be posted! You didn't listen above. Let me try another way. Here are some commonly dredged up examples of "damaging" information: * recipes for strong encryption * pornography and obscenity * recipes for making chemical, biological, and atomic weapons * recipes for making counterfeit money Dr. Dimitri Vulis said it really succinctly: "Posting such information to Usenet doesn't force anyone to use it to take some illegal action. And even if publishing such information by itself violates your local laws, it's up to your local law enforcement agents to silence you, not the Usenet Cabal." - There is no cabal. Anyone saying this is obviously a kook. Ah, and if there was a "secret society", what better way to hide it than by denying it and causing those who do not to look foolish? A "Cabal" of usenet has been identified. This Cabal is defined as: "Those net citizens, including some usenet administrators, who by their own consensus reality, set themselves apart from and superior to usenet users and use this illusory superiority to restrict or censor any usenet user's attempts at communication through usenet." The Cabal generally works in concert with each other over their own private channels of communication. You can tell a Cabal member by the arrogant holier-than-thou way that they refuse or block your attempts at communication, regardless of external perceptions of reasonability about those attempts. Just to be clear, I have no reason to believe that these people are acting out of deliberate malice. It's simply a trait of human beings to abuse positions of power and respect to their own ends. In this case this trait is damaging the freedom of usenet. - If a lot of people complain about someone, there must be something that person is doing wrong. Just because a mob comes to your door and demands to lynch someone, doesn't mean that the someone in question did anything worthy of being lynched. Usenet has become mob-oriented with several issues, most notably the famous C&S spamming, demonstrating the new jargon term "cybermob". Mobs are generally ignorant, dense, and single-minded. They have a tendancy to be generated by emotional issues, with subsequent loss of sanity for most involved. Do you really want to trust the judgement of someone else to this phenomena? Yes, once you become a sysadmin, the rest of the Usenet community will expect that you are prepared to discipline your users when they engage in whatever they decide to call net-abuse. Hopefully, by then, you will have grown past that. And what does this discipline really accomplish? Usually, nothing. - Someone is defaming me. They should be silenced. Forget USENET, what if these people were to say the same things in person, or to other people while you are not present? Again, Free Speech requires that people have the *ability* to defame you. Remember that you also have the ability to defend yourself. If such defamation gets too intense, see your lawyer, and attempt to get the defamer to agree to stop. - Free speech means the ability to say what you want. It does not guarantee you _where_ you want to say it and _how_ you want to say it. This is a definitions strawman. If you can't say something where and how you want to say it, is your speech truly free? Would you like some arbitrary person telling you where and how you can say certain things? I can see it now: "Sure you have free speech, at 3AM on channel 145 for 2.5 minutes." Anyone using this argument has no understanding or desire for free speech, by the very fact that they use this argument. Free speech, as defined in this document, guarantees that you can say anything, anywhere, and anyway you want to. - USENET operates on certain principles. Create your own net if you don't like the way it runs. This is a political hostage strawman. The arguer is attempting to convince you that everyone else likes things the way they are, and that everyone else is in control of USENET. If you are running a site, this is patently false. USENET is a collective anarchy, where site admins have authority over their part of the collective. You have absolute control over your site to run it any way you want to. If you aren't running a site, don't waste your breath arguing with these people. Find a Site of Virtue to post from, and support Sites of Virtue. That way, we -will- create our own net. - If you argue for free speech, people aren't going to take you seriously. This is an emotional hostage strawman. The arguer is attempting to play on your need to be taken seriously to coerce you into doing things their way...or they won't take you seriously. There are others who won't take you seriously if you cave into these coercions. Still, others won't take you seriously at all. If we become affected by everyone's impressions of us, we will certainly be candidates for an insane asylum. I would think that you don't really need to be taken seriously by anybody who would attempt to coerce you in this way. -But this is Usenet, a place where speaking is a privilege, not a right. That all depends on your site admin. If you are at a Site of Virtue, speaking is a right. -Freedom of speech does not mean yelling FIRE! in a crowded theater. Patently false. Yes, it does mean that. Practically, if you hear someone yell "FIRE!" then you have some decisions to make. Are you going to believe that person or not, especially when you see nothing? If you do believe this person, are you going to run for the door like a crazed animal, or quickly make your way to the exit in a civilized manner? Whichever you choose, it's -your- choice and -your- responsibility. It is -not- the responsibility of the person who yelled "FIRE!" that -you- chose one direction or another. Any other decision strips your power away from you. - It's wrong to force me to read your trash. Given that people have to manually select articles from a menu, it's hard to imagine someone forcing their fingers to press certain keys in a certain order, so that people are forced to read anything. Indeed, the entire concept of force becomes ludicrous when one recognizes that one can simply close one's eyes and not read anything presented to them. This does bring up a point, however. There -is- a place for censorship. Your personal newsreaders. - But who gave you free speech rights on my computer? YOU did when you loaded the news transport software. According to RFC1036, making a news server and getting a feed allows the transport of messages between your news server and another. If you do not specifically filter messages, those messages are allowed by implication. - You can't think like that. Your reputation will suffer. The value of a set of words is contained within the set of words, NOT in who said them. It is a common mistake of most human beings to judge the validity of a set of words mostly upon the reputation of the messenger. ------------------------------ Subject: Revision History $Log: freedom-faq.1,v $ Revision 1.6 1996/03/13 22:56:11 dave Added Dr. Vulis suggested changes: Approved line = censorship, examples of speech commonly considered damage, other misc. Revision 1.5 1996/03/04 00:03:59 dave Added definition of Cabal Revision 1.4 1996/02/28 21:53:33 dave Changed libel back to defamation. Revision 1.3 1996/02/28 00:32:34 dave Changed "slander" to "libel", as the latter is more appropriate for USENET. Revision 1.2 1996/02/19 08:16:15 dave Tightened up the definition of TFS, added a definition for Censorship, added a few words here and there for da flow. Revision 1.1.1.2 1996/02/19 07:52:11 dave Initial Import -- >>> Dave Hayes - Altadena CA, USA - dave at jetcafe.org <<< You need not wonder whether you should have a reliable person as a friend. An unreliable person is nobody's friend. From: dave at jetcafe.org (Dave Hayes) Newsgroups: news.admin.censorship,news.admin.misc,news.admin.policy,news.admin.net-abuse.announce,alt.culture.usenet Subject: The USENET Site of Virtue FAQ Followup-To: news.admin.misc Date: 28 Mar 1996 03:54:57 -0800 Organization: JetCafe - A Non-Profit Internet Service Provider Lines: 420 Sender: dave at kachina.jetcafe.org Approved: dave at jetcafe.org Distribution: world Expires: 27 Apr 96 04:54:52 Message-ID: Reply-To: freedom-knights at jetcafe.org (Freedom Knights of Usenet) NNTP-Posting-Host: kachina.jetcafe.org Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Summary: This posting describes how to run a USENET Site of Virtue, Keywords: FREEDOM, KNIGHT, HONOR, VIRTUE, CENSORSHIP X-URL: http://www.jetcafe.org/~dave/usenet Posted-By: auto-faq 3.2.1.4 Archive-name: virtue-faq Revision: 1.5 Posting-Frequency: Posted once each month The USENET Site of Virtue FAQ Dave Hayes dave at jetcafe.org ------------------------------ Subject: 0. Table of Contents 1. Introduction 1.1) What this document is 1.2) Prerequisites 1.3) Internet Resources 2. Basic Definitions 2.1) What is a 'Freedom Knight'? 2.1.1) How does one become a Freedom Knight? 2.2) What is a USENET 'site of virtue'? 2.3) What is a USENET 'newsreader of virtue'? 2.4) What does "content-based" mean? 3. The Freedom Knight Code of Honor 4. Technical Issues for a Site Of Virtue 5. Policy Issues for a Site Of Virtue 6. Technical Issues for a Newsreader Of Virtue 7. Other Frequently Asked Questions ----------------------------- Subject: 1. Introduction 1.1) What this document is This is the USENET Site of Virtue FAQ. It represents an ongoing attempt to implement true freedom of speech among the emerging cyber-communities, including standards of conduct and technical implementation issues relavent to operating a site which supports true freedom of speech. A companion document is "A Primer on Net Abuse, Free Speech, and Usenet". It is suggested that you read that first, as it describes the philosophies behind a Site of Virtue. 1.2) Prerequisites If you don't know what Usenet is, you're reading the wrong document! Go look in the newsgroup news.answers for the documents "What is Usenet" and "How to become a USENET site". In order to understand the discussions here you should be familiar with USENET in general, and have a reasonable amount of experience posting and/or reading news. If these documents are not in news.answers or news.announce.newusers on your site, they can be had by anonymous ftp from rtfm.mit.edu in the directory /pub/usenet-by-hierarchy/news/announce/newusers. You should be familiar with news administration, how news works in general, and have kept up in some discussions on news.admin.*. Finally, you should believe that no expression, however annoying or counterproductive, should be prevented from being distributed. If you do not believe in this way, this document will only make you angry. (If that's what you want, then read it.) 1.3) Internet Resources There is a mailing list which most of the freedom knights subscribe to. The list address is "freedom-knights at jetcafe.org", and subscriptions should go to "majordomo at jetcafe.org". For those who do not know majordomo, put the word "help" in the BODY (not the HEADER) of a mail message and fire it off to "majordomo at jetcafe.org". If that didn't clarify what you are supposed to do, and you want to subscribe, put the words "subscribe freedom-knights" in the body of a mail message to "majordomo at jetcafe.org". There is also a WWW site, this is http://www.jetcafe.org/~dave/usenet and this is the Freedom Knights site on the net. ----------------------------- Subject: 2. Basic Definitions 2.1) What is a 'Freedom Knight'? A Freedom Knight is a person who: -Conducts themselves in a manner consistent with the Freedom Knight Code of Honor -Works in an honorable fashion to ensure the persistance, defense, and existance of Sites of Virtue These standards are completely voluntary standards, in other words there will be people who claim to but do not adhere to all of these standards. Such non-adherence is not a bad or good thing, nor is there any punishment or reward associated with adherence or non-adherence. Rather, these standards are put here merely to point the way to how a Freedom Knight "should" act, to be worthy of the name. It is said that you will know a person by their actions. More directly, if someone finds someone who claims to be a Freedom Knight, and they do not observe these standards, chances are that they aren't *really* a Freedom Knight. Keep in mind, this is no reason to judge a Freedom Knight's actions. A Freedom Knight is responsible to no one other than themselves. Russ Allbery sums up the credo of the Freedom Knight with regards to this issue. He was asked "Why won't you be decent?". Here is his response: >Because I have no desire to become so, for becoming "decent" requires >that I accept a standard of society, that I order my beliefs and >reactions in order to fit someone's standard of acceptable and >unacceptable. That I cannot do, for my individuality is the gift of >my Creator and is not something that I will give up lightly, easily, >or for the sake of social acceptance. *I* *am* *myself*, and I will >not change for you, ... or for the people who claim they are >disappointed in me because I do not meet their internal models of what >I should be like. 2.1.1) How does one become a Freedom Knight? Contrary to what many would like to hear, there is no established body of judges who proclaim a USENET citizen a Freedom Knight. This is a completely voluntary and self-policing position, requiring no one but oneself to proclaim knighthood. Becoming a Freedom Knight is as simple as adopting the Freedom Knight Code of Honor, then sending a simple message to the Freedom Knights mailing list (see section 1.3) proclaiming yourself as a Freedom Knight. Subscribing to the list is recommended, but not required. Remember, it is your actions which show you to be a Freedom Knight, not your proclamations. 2.2) What is a USENET 'Site of Virtue'? This is a site run by a Freedom Knight which meets specific technical requirements, as specified below. 2.3) What is a USENET 'Newsreader of Virtue'? This is newsreader (usually found on sites run by a Freedom Knight) which meets specific technical requirements, as specified below. 2.4) What does "content-based" mean? "Content" is defined to be the Body of an electronic message, and/or the Subject: line of an electronic message. You are considered to be making content-based decisions if you have to read and parse Content to make your determination. Examples of content-based: -Inappropriate posting (you have to read the message) -Identical messages over several newsgroups (only if you read the messages) Examples of NOT content-based: -Running the Body through a program to determine size -Making a cryptographic checksum from the Body ----------------------------- Subject: 3. The Freedom Knight Code of Honor (1) A Freedom Knight will never enforce the application of -any- content-based standards on any other net.citizen, unless that conduct directly and immediately renders their server's transport software incapable of performing its normal store and forward operation. In particular, with regard to USENET this means: a) A Freedom Knight -never- issues cancel messages, except for his or her own postings. b) A Freedom Knight never removes a newsgroup from their news server unless that newsgroup directly results in breaking one or more software systems used to distribute or read news. An example of this is long newsgroup names that break newsreaders. c) A Freedom Knight will refrain from feeding another site newsgroups that it does not want. d) A Freedom Knight will never disable any user they have authorized to read or post news from their site for content-based reasons. e) The only time a Freedom Knight may punish or suspend a user's access is if that user directly attempted to shut down the news server's normal "store and forward" operation. Mailbombs from the net as a result of postings do not count as direct attempts. f) A Freedom Knight will never take action against a user due to complaints regarding the content of the body of any of their user's posts. (2) A Freedom Knight will always operate in such a way as to provide maximal unmoderated content on their news server. Any news site that a Freedom Knight operates is run as a Site Of Virtue, if the ownership of the site is willing. In particular, with regard to USENET this means: a) A Freedom Knight carries all unmoderated groups that they can get a feed for, regardless of content or origin, unless those groups serve no other purpose than to directly limit freedom of expression (e.g. alt.cancel, control, alt.nocem.*). b) A Freedom Knight actively solicites multiple feeds, technical considerations permitting. c) A Freedom Knight will feed any other site, technical considerations permitting. d) A Freedom Knight honors all newgroups and ignores all rmgroups, regardless of origin. The exception to this is if a newgroup message contains special characters that will damage the active file or most newsreader's .newsrcs. e) A Freedom Knight does not honor ANY cancel messages in any way shape or form. This includes Supercedes: or any other attempt to delete postings from the news server. The only way a Freedom Knight may honor cancel postings is if they are strongly authenticated to be from the originator of the postings. 3) A Freedom Knight, realizing the need for personal responsibility, will: a) take each and every step necessary to ensure the security and reliability of their own site, b) read news with a newsreader of virtue, c) have "mail shields", d) control their own posting habits by their own internal code of conduct, without calling undue attention to such control. ----------------------------- Subject: 4. Technical Issues for a Site Of Virtue In order to be a Site of Virtue, you need to be able to handle large amounts of traffic, and be relatively immune to minor abuses of net posters. The technical criteria for a Site of Virtue are: 1) Maintain free newsspool space that is no less than 3 times the nominal 24 hour news traffic. 2) Internet connection must be of T1 speed (1.5 MB/sec) or greater. 3) The operating system must be a virtual-memory, multitasking system capable of handling large (>100) amounts of network connections at the same time. 4) The server must have a resident copy of the source code to the news server software you are using, and be able to build and modify the software. Other notes: If you are looking to set up a reasonably fast server, emphasis on a wide I/O channel is a must. On the newsserver side, I recommend INN, modified with Dave's Cancel Patches so that cancels can be safely ignored. NNTPLINK feeds are preferred as they are faster. In order to be accessible to the rest of the Usenet community, you should make sure that as news administrator you are accessible to e-mail, as usenet at your.host.name and postmaster at your.host.name. For that reason, Your "mail shields" should be installed on both these addresses. As site administrator you should probably read news.admin.*. Reading these groups will keep you informed about the myriad of standards people categorize as "net-abuses", and help you understand what is wrong with the several emerging consensus opinions about net-abuse for yourself. ----------------------------- Subject: Policy Issues for a Site Of Virtue The policy issues for a Site Of Virtue are: 1) Honor all newgroups that do not break newsreading software, regardless of origin. 2) No unauthenticated cancel messages are honored, and optionally not propagated. Only cancel messages authenticated to be from the author of a message are honored. 3) All newsgroups, save those which would be inappropriate due to regional or national boundaries, are carried. Sites Of Virtue should feed each other, as appropriate. ----------------------------- Subject: 6. Technical Issues for a Newsreader Of Virtue In order to be a Newsreader of Virtue, a newsreader needs to be able to find interesting threads in a large amount of traffic/noise. The technical criteria for a newsreader of virtue are: 1) The newsreader must allow the user to specify patterns matching subjects or authors which the reader will then refrain from displaying to the user. 2) The newsreader must present articles by subject/author on a menu to be selected by the user's for reading. 3) Articles presented on a menu must either be consolodated by Subject line, or threaded by References line. On the reader side, we currently recommend NN or (S)TRN. Gnus 5 has also been recommended by some, this author hasn't looked at it yet. ----------------------------- Subject: 7. Other Frequently Asked Questions - I need a written policy for a site of virtue. What policy should I use? For external browsers of your policy, add this: "If you find a posting from this site offensive, inappropriate, or disruptive please ignore it. If you don't know how to ignore a posting, complain to us and we will demonstrate." For internal users of your site, add this: "USENET is interacted with at the reader's own risk. The postings found here are usually locatable at sites all over the world. We take no responsibility for the validity or appropriateness of articles posted or read on this newsserver. Postings are the sole responsibility of the poster." - How long should the articles' expiration times be? On most sites, disk space will limit the expiration times, and you will have to spend some time fine-tuning them on a per hierarchy or group basis. It's often best if the "large file" groups -- those carrying binaries for example -- expire more quickly than others. Lastly, its best if a low-volume group has its expiration time set long enough that the Frequently Asked Questions list (FAQ) and any other periodic postings in the group are always there. Well-managed FAQs are supposed to come with their own expiration times, and you should configure your site to honor these. - What are "mail shields"? There are two types of mail shields: 1) Absorptive - These take bogus mail and delete it. 2) Reflective - These take bogus mail and send it back somewhere along with an optional message. There are also two types of triggers on mail shields: 1) Threshold - These keep track of author and subject and when more than N messages are recieved with the same author or subject, the shields go up. Usually N is up at 1000 or so. 2) Disk Space - These keep track of available disk space, and when that gets too low it triggers the shield. These triggers are most used with "reflective" shields, as there are other reasons than flamage to lose one's mail capability. In general, Reflective Disk Space shields are the best choice as they are the most multi-purpose. It is often good to have something similar to "procmail", by which you can filter out annoyances from your mailbox. Also. the MH mail system coupled with SED, AWK, or PERL provides excellent filtering capabilities. Again, Gnus 5 has been recommended. ----------------------------- Subject: Revision History $Log: virtue-faq.1,v $ Revision 1.5 1996/03/10 09:26:24 dave Changed Russ Allbery's email address by request. Revision 1.4 1996/03/04 00:04:25 dave Added 2.1.1 about how to become a Knight Revision 1.3 1996/02/28 20:52:33 dave Added Russ Allbery's very nice expression of self responsibility. Revision 1.2 1996/02/19 08:05:52 dave Tightened up some of the definitions and codes, added Gnus 5 as a possible newsreader, and clarified a paragraph pertaining to moral superiority. Revision 1.1.1.2 1996/02/19 07:52:13 dave Initial Import -- >>> Dave Hayes - Altadena CA, USA - dave at jetcafe.org <<< People sell talking parrots for huge sums. They never pause to compare the possible value of a thinking parrot. -Mulla Nasrudin --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From roy at sendai.cybrspc.mn.org Sat Mar 30 03:17:40 1996 From: roy at sendai.cybrspc.mn.org (Roy M. Silvernail) Date: Sat, 30 Mar 1996 19:17:40 +0800 Subject: PGP Crack??? In-Reply-To: <2.2.16.19960330050617.3fdf7540@tiac.net> Message-ID: <960330.011033.9k0.rnr.w165w@sendai.cybrspc.mn.org> -----BEGIN PGP SIGNED MESSAGE----- In list.cypherpunks, byrd at ACM.ORG writes: > > This just appeared in alt.security.pgp. Is there anything to it? I'm > dubious. [snippo...] > Announcement: > No longer is PGP uncrackable. A new software program has been released > that cracks PGP encrypted messages. Find out more at: > http://www.fix.net/~kwyatt/pgpcrack.html So you didn't have time to go check out the URL? - ----- begin 'lynx -dump' output ----- Welcome to the PGP Cracker home page. As system administrator you know the frustration in reading your users Email if they use PGP. Or if your lover is receiving encrypted messages you would be interested in reading that encrypted email. Of course, government agencies will be greatly interested in this new tool also. The program is free for non-commercial users! For government and commercial applications the cost is $500.00 per site. The program only runs on UNIX machines. How does it work? To decrypt any message that uses PGP you need the Public Key and the random number generated to encrypt the message. Commands: Crack -d filename.ext Decrypts any encrypted message less than 2047 bytes. Crack -p secring.pgp Lets you modify a keys password so the owner can no longer decrypt messages. Crack -s PUBKEY.EXT Lets you modify the public key ID information. Crack -h The crack help file PGP Cracker is Copyright 1996 by Keith Wyatt, All Rights reserved. Download PGP Crack - ----- end 'lynx -dump' output ----- The "Download PGP Crack" is a link. Follow it and you get the following text: - ----- begin 'lynx -dump' output ----- APRIL FOOLS! - ----- end 'lynx -dump' output ----- Of course, if you have "the random number generated to encrypt the message", you have the session key. No further magic is necessary, and no public key required. But I bet a lot of newless cluebies bite. - -- Roy M. Silvernail -- roy at cybrspc.mn.org will do just fine, thanks. "Does that not fit in with your plans?" -- Mr Wiggen, of Ironside and Malone (Monty Python) PGP public key available upon request (send yours) -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMVzfnBvikii9febJAQFeGwQAr3/U2WUSZ05z5oiE07f4NrUHEDxNFdSb nVHDn9dnY7+e2mKy1rJJPZb8b+gaQEzig3WPbM4SO+loIJkoRmXq1xqKz46sBNON nunJAQfgUuGBq36i3YBjy2bH+LSrgu5jvDd/Nqc+9Rfqu9kFV4kxxnpCuSi2nwUf bbB6vJr9WRg= =6ejG -----END PGP SIGNATURE----- From jeff at BlackMagic.Com Sat Mar 30 03:24:48 1996 From: jeff at BlackMagic.Com (Jeff) Date: Sat, 30 Mar 1996 19:24:48 +0800 Subject: What backs up digital money? In-Reply-To: Message-ID: <199603292029.PAA14637@Molasar.blackmagic.com> On Mar 29, 10:32am, Hal wrote: > Subject: Re: What backs up digital money? > From: jeff at BlackMagic.Com (Jeff) [snip] > Another factor that arises is that if some token does catch on and > circulate widely, it could be subject to regulation. I understand that > in Las Vegas, some people started using casino chips as money. You > could buy things with them, and they were accepted since people knew > they could be turned in for cash at the casino. But the Feds cracked > down and brought the practice to a halt. (I will ignore for now the > question of whether such a crackdown could work on the net, but it would > at least be a barrier to the acceptance of such tokens.) Absolutely- that's certainly the case with anything that "catches on", not just ways of transfering value. If you get big and popular, there will be regulation, thus if life. see: the Internet itself. > The idea of your "market square" token, which represents a basket of > other tokens, is interesting, but it seems like you're basically > re-inventing money. I don't quite understand the specifics of your > proposal, where the market square token is based on the "market value" of > the other tokens. In what units is this market value expressed? It > seemed like what you had instead was a set of relative prices, where each > token was worth a certain number of each other kind. I don't see how you > can get a unique market value for each token out of that system. It > doesn't seem like the relative value idea really works, anyway, as it > suffers from the barter problem that there will be too few people who > want to trade their shoe tokens for fruit tokens. That was what > motivated the transition from barter to money in the first place, or so > the story goes. In that particular dream-land I was saying that the "market value" of the token follows the trade value of tokens on the exchange- that is to say, if X tokens are being traded for .5 Y tokens and 2 Z tokens, then X, Y, and Z can all be expressed in terms of a common 'A' value. That A is the basis of the market value I was talking about. What is a "dollar" if not expressed in terms of it's purchasing power. The only thing that makes the dollar, or yen, etc, special is it's universal acceptance in whatever marketplace you happen to be trading. I don't think there is any real problem with the idea itself, the implementation in my opinion would be darn near impossible though and would be dependent on the "lack of something better", which a pupular digital cash scheme has already eliminated. But now I'm just repeating your point ... > If your overall point is that even without digital cash, we would end > up with some form of electronic money eventually anyway, I think it is > true. Entrepreneuers abhor a vacuum, and if the need is there it will > be met. But the fact is that we are likely to have digital cash before > all these other things, so I don't really see the whole scenario coming > to pass. I do think a lot of your specific applications are > interesting, though, and hopefully there will be many more creative > uses of this technology. I know Eric Hughes a while back was talking > about a way for players to transfer wealth between MUD games using a > token based system. There are a lot of game possibilites. Agreed- but what system did Eric Hughes use to implement his idea ? I've yet to find one that isn't buried in patents/controls. Which leads... To my "point" if I had one, and back to my mini-rant ... nobody has any CLUE what these tokens could be used for eventually. This is an entirely new mechanism, one in which unique values can be transferred between people without losing their value to something as simple as duplication. Who knows what could happen if the technology were open to the public- I have big doubts that my car's head lights will be buying electricity from it's powerplant (with the electrical systems overhead charge of course), but I don't think it's unreasonable to think tokens could be passing all around the net for priority bandwidth, or CPU cycles, etc. So if there is a point, it's that we JUST DON'T KNOW what could happen, what this totally new capability could be used for, and we won't unless we have access to it and all the net.developers get a shot. This sounds like I'm complaining and whining like a child for one simple reason- I am. This also sounds like interesting stuff with a lot of potential for one reason- it is. In all of these threads, I forgot to make it clear that I have the UTMOST respect for the people who design and implement these token systems, and crypography people in general. In the end, if nobody wants to give the end user a way to put value into these tokens, so be it- I didn't invent the system(s), all I can do is bitch and moan about it. But if someone came up with a radically new process for creating microchips, they would NOT just patent the process and sell the chips, they'd license and sell the process as well. I'll shut up after this, even I'm getting sick of hearing me-- these tokens systems may be the only good transport of a dollars value, but the transportation of dollars is not the only good use of these token systems. > Hal >-- End of excerpt from Hal Jeff. -- http://www.blackmagic.com/people/jeff Simply Be. SKYDIVE! From tcmay at got.net Sat Mar 30 03:30:38 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 30 Mar 1996 19:30:38 +0800 Subject: National speed limits and expansion of federal power... Message-ID: At 11:52 PM 3/28/96, Deven T. Corzine wrote: >Other states don't intend to raise the limits. In Montana, you can now drive >at *any* speed legally, in the daytime. So if you want to go 100 MPH, head to >Montana... :-) Ah, Montana! Home of the Freemen, home of the Senator with the new crypto bill, home to growing numbers of movie stars (Santa Fe having gotten too crowded), and where you can piss into the rivers and drive as fast as you want. Guns, too. (And the guy who hired me at Intel lo those many years ago is now expanding his ranch in Montana...something like 30,000 acres, last I heard.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From quester at eskimo.com Sat Mar 30 03:34:17 1996 From: quester at eskimo.com (Charles Bell) Date: Sat, 30 Mar 1996 19:34:17 +0800 Subject: Edited Edupage, 24 March 1996 In-Reply-To: <3159926C.FF6@netscape.com> Message-ID: On Wed, 27 Mar 1996, Phil Karlton wrote: > Perry E. Metzger wrote: > -- > Philip L. Karlton karlton at netscape.com > Principal Curmudgeon http://home.netscape.com/people/karlton It's clear we have a good match here. Charles Bell From dwl at hnc.com Sat Mar 30 03:35:33 1996 From: dwl at hnc.com (David Loysen) Date: Sat, 30 Mar 1996 19:35:33 +0800 Subject: No Subject Message-ID: <199603291755.JAA25340@spike.hnc.com> > >The Navajo/Na Dene codetalkers (WW II) developed a real arcane jargon, >so I was told. Maybe it was because the conditions of war were >completely different than their language's environment so they >were forced to invent words, or maybe they thought it was a good >idea, or whatever. But I believe transcripts of their transmissions >are often mostly unintelligible to native Navajo speakers who weren't in >the know. > > > It is my understanding that the codetalkers invented very few new words, they simply combined the words they already had to create descriptions of things that the language was never meant for. One of the reasons they were so successful was that more than one phrase could mean the same thing. For example, both "A flock of eagles with fire in their bellies is coming from the rising sun" and "Many birds are flying from the east to rain fire on you" Could reliably be translated to "There are bombers coming from the east" Add some new words for specifics that you needed (like altitudes and compass directions) and the codetalkers presented the bad guys with a language that was completely unrelated to anything they had heard before. Also (I copied this from RSA) "The Navaho language is so difficult to learn and its linguistics are so complex that it is virtually impossible for a non-native speaker to counterfeit its sounds. Furthermore, Navaho seems to have no linguistic connections to any other Asian or European language. Consequently, at any given time, there are only a few thousand people capable of speaking the tongue. For these reasons, the U.S. military made extensive use of hundreds of Native American codetalkers . During World War II, Navaho codetalkers relayed operational orders in the Pacific theater with a level of security that was unattainable by current encryption algorithms. The Japanese signal corps task was further complicated by the codetalkers liberal mix-in of Navaho and military slang resulting in a communications network so secure that it was, in fact, never compromised by Axis powers." In my stone age level of Crypto understanding I would liken this to having a public key that was the Navajo culture and an algorithm to process it that only runs on the human brain. Makes me wonder when somebody will set two AI computers down and tell them to invent a code we can't break. dwl at hnc.com David Loysen 619-546-8877 x245 From jeff at BlackMagic.Com Sat Mar 30 03:47:03 1996 From: jeff at BlackMagic.Com (Jeff) Date: Sat, 30 Mar 1996 19:47:03 +0800 Subject: What backs up digital money? Message-ID: <199603290536.AAA12695@Molasar.blackmagic.com> Regarding "What backs up digital currency/cash", a hypothetical situation just to see what you guys think. Can this happen ? I honestly have my doubts, mostly I see logistical problems (finding a mechanism, etc, if you recall my mini-rant just a few days ago). Anyway, these are some of the things I honestly feel would have to happen for a true Internetwork currency to take off, if that's even possible. Situation 1- You're a company, "Bug Boy Video" (my apologies to the real Bug Boy Video if it exists). This national video chain decides to get involved on the net and sees that there is a token standard- they figure they can get people to visit their website by offering a "web hunt". Anybody who can solve any of the puzzles gets a token worth, say, a free video, a 19.99$US value- just redeem the token. Token Backing-- 19.99$US video from Bug Boy Situation 2- You're a bank, "1st Netherworld". You use the same token system to make digital coins worth a penny each and issue them to your customers in exchange for 0.01$US - only to account holders of course. Now you have the "real money" to invest while the users of the system store and transfer these tokens around the net to each other (in reality I guess you use a net-cheque ?) Token Backing-- 0.01$US with 1st Netherworld Situation 3- You're a mining operation, "Money Pit". Your product is gold and silver refined to be 99.99% pure (24K in gold). You decide to issue some tokens on the net worth an ounce of gold and another kind of token worth an oz of silver. Some would call you a total nut corp, but they don't call you Money Pit for nothin. Token Backing-- 1 oz silver (approximately 7$US?) with Money Pit. 1 oz gold (approximately 490$US?) with Money Pit. Situation 4- Some group of hackers, "BizHack", decide to issue a private currency among themselves for the purposes of trading vulnerability information, services, etc. They come up with a standard, "an hour of work", and someone runs the bank. Anyone with currency can use it to buy goods and services from anyone who will accept the money. Token Backing-- 1 hour of service from a BizHacker. Situation 5- A bunch of kids on the net play this game, "Tragic: The Addiction", and they use rec.games.trading-cards.marketplace.tragic.sales to do their trading. Somebody gets the keen idea to set up a "holding company" that people can send their cards to and get a "token" out that represents the Tragic: card. They trade these tokens on the net until someone wants to redeem his/her "Black Lilly" token in for the real card that it represents. Some sort of redemption charge applies, of course. Token Backing-- Tragic: cards with holding company. Situation 6- You're a beer manufacturer, "Smart Foam", and decide to skip all the market middlemen and sell stock directly on the Internet. You set up your super-keen promo page and users buy stock directly from you. Now you hear about this other company that is doing electronic transfers of stocks on the internet in the token system, each stock represented by a single token. People trade them at will. You suggest to your buyers that they might want to look at the system as a way of trading your stock and offer to send the buyers stock directly to the exchange so it can be withdrawn by the buyer as tokens. As a beer brewery, we don't want to get in trouble with the SEC for offering the trading place for our own stock, we'll let somebody else have the liability. Token Backing-- One share of "Smart Foam" stock. Situation 7- (doubtful) You're running an exchange where people can send stock certificates to a third party bank and you'll mint them a token that represents that piece of stock so that it can be traded freely on the Internet. Your clients use your non-anonymous system so that trades can be tracked and reported, you make a few bucks at registration time, but don't charge for transfers (to cut out the brokers). You deal with the SEC directly to make sure all the exchange rules are being followed to the letter, and make the service as user friendly as possible- you are a place that people come to trade, a market square as it were. Token Backing-- A share of common stock in a particular company. Situation 8- (the "big mental leap") You set up a market square for tokens. In this online place the users can offer tokens for sale to the general public (other users) and the service acts as an "escrow" so that both parties have to make their transfers through the service. You track "prices" of the tokens, maybe users are on average trading 1 BizHacker token for 2 Bug Boys. Some sort of "trend" starts to emerge at your market. This BIG LIGHT comes on inside your head and you decide to issue your OWN token, this token is based on the MARKET VALUE of all the tokens that are traded at your exchange. You call them "market credits" and you "sell" them on your own market. Token Backing-- One market credit equals 1.5 BizHackers equals .5 Bug Boys equals 4 silver Money Pits equals etc, etc, etc ... the value changes constantly. Market tokens have now taken on a new characteristic, that they are going to be accepted much more widely because they can be used to purchase many more goods and services, they are accepted in the market which you have provided. Situation 9- Other people see how cool your market is going and decide to set up some of their own. These markets have their own clients, tokens backed by everything from stock, state currency, services, pizza coupons, car wash tokens, and Darla's special backrub tokens (worth 2 gold Money Pits each!) The bright idea pops up in somebodies head to link a few of these markets together and .... the rest is future. Followup- There are a lot of "trust" assumptions in this, but in the end the market always sorts things out. That's not to say a few people won't be holding valueless tokens on occasion or that people won't figure out ways to hurt the system, but thus is real life. Internet economy won't come from the top down, it'll come from little bits of trust that build up between people who do business together-- it'll come from that little group of consultants issuing their own "value tokens" backed by their personal service .. when they get together and issue a common currency which ALL of them will accept, that currency becomes more widely accepted in this new marketplace. It's in the best interest of everyone involved to retain the utmost professionalism when distributing tokens because they represent your good name and the name of those who join in. THIS is how trust develops, you can't dream trust up, trust just happens. An exchange fails if people stop trusting it, so they are by nature self- governing entities. Global currencies and Internet economies aside- even if "the big leap" above couldn't happen, I'd sure like to see some companies issuing tokens like they were gift certificates or coupons, those have good trade value if the name is well known (mostly for lack of something better to trade with I'm afraid). No mechanism can replace trust, trust just is. You trust the guy that fixes your porch because he's the guy you trust to fix your porch. You trust your consultants, your lawyers (maybe not them), and your accountant because they are the people you rely on, you just do. Anyway, just my 0.02$US/MTB -- Jeff. -----BEGIN ECASH PAYMENT----- oLmQgwABR6GgiqCukIFPkIECkIECkIEEkIEBkYQxW3hfkIQxbe1fkIFPkoFAlJQS snGvr60Cm0Ao6L2429ljPcC9l5SU1HRHyTS1iQ8W058T4A1+OICJq3GQgRCSji4w MiB0byB0aGUgbmV0koCUgJCBApGEAAAAAJCBAKGguKCrkIIBoZPgKKjPPXvwAl1Y kQBWxjFKp9zcfoRNDgsodlUqc5Vybk86UXpmsr2C853o6iZ5NPZ+DiZ0gEhooatU TZPoY016/rmyGspTixn9xievBxMW1FR34tARr6NgzyXyVU4AbxF0k+Ar2uqxO15E B6pDqYImuoZzUpMnkGo/vjm7k4nod576vB9F5DUSBMPLIeNm7kg6GuVDW0oPOou3 nbpkJ5AM5lItSJLMgsxel7LON6bjitnFHCLYdseV725AjkN49p7VE3SQgQKhoaE= -----END ECASH PAYMENT----- -- http://www.blackmagic.com/people/jeff Simply Be. SKYDIVE! From JR at ns.cnb.uam.es Sat Mar 30 03:53:06 1996 From: JR at ns.cnb.uam.es (JR at ns.cnb.uam.es) Date: Sat, 30 Mar 1996 19:53:06 +0800 Subject: Crypto CD UpDate Message-ID: <960328203626.20200293@ROCK.CNB.UAM.ES> >Thoughtful comments, so I'll comment on Henry's comments: >At 6:10 PM 3/27/96, Henry Huang wrote: > >>I'd argue that having a slightly out-of-date CD-ROM is better than nothing, >>because: >> >>- It gives you an idea of what sorts of crypto applications are out there, > >True, but your later point about who the intended market is makes the point >I was making: the likeliest users pretty much know what they want and snarf >the most recent (and debugged) version off the Net. (I have little >interest, speaking as a user, in the zillions of variants of CryptDisk and >SmartCrypt and whatnot that get mentioned here....I really only want >"MacPGP" in its latest version, at this time, and for this the Web is >certainly fast enough for me.) > >And I suspect I am not that unusual. The faster access to a CD-ROM is not >too useful to most, as the time to install, learn, use, etc. a new crypto >program is many orders of magnitude greater than getting it by even a 14.4 >modem. > What I see most useful in the CDs I burned last fall for personal use is not just having access to the latest executables, but to have access to trusted source code. Just as it is nice to have Appl. Crypt. disk, it is -for me- to have sources for many interesting things around. I can then study any of them, pick a piece, get whatever at any moment without having to surf the net. Hey, I just got Appl. Crypt. 2nd Ed. yesterday. Meanwhile with the 1st Ed. and the code I had in my CDs I could very well manage with most things, protocols, algorithms... Of course, the version of Crypto++ I have there is outdated now, but the algorithms are still valid, and I still have much more algorithms there than the current version has, and I can always plug in or adapt a new one should I need to. Yes, I can always go to the Net for the latest sources when I need them, but when I don't, it's easier for me to go to my CD (but I have it always at hand over my desk). Still, the main problem I see is that users should have to trust the authors of such CD. Of course I trust myself and I had already reviewed most of the code I stored -or verified it somehow- and so my CD is good for me. But a good crypto "aficionado" should seriously consider whether to trust any executables (hell, any net-aficionado should think the same about Java applets, but that's another story). That reduces the interest of the CD to those who want source code to work with or to analyze. Or at least those savvy enough to use a compiler and possibly study source code. Unless someone stands behind the CD to assert its truthfulness. I may -or not- trust the people at unimi, but would I also trust a lot of intermediate people putting up together a CD-ROM? For that sake, and considering the costs of storage and removable storage media, I'd bet many people would find more useful to download their copies from the net (even once a year only) as I did. It's a nice idea though. If well put together and done, it could help raise concern and access to cryptography to the average user. In this case, many crypto programs, shells and so would be bundled with samples and say, exercises, for average people to play with. Well done, many teens would play with it, and possibly many serious users. A good documentation set explaining in plain terms what each package does, its good and bad points, and comparing it with similar packages both for the savvy and the merely curious would round up the bundle. I'd like to imagine such a CD distributed with a popular magazine (PCworld for example)and many kids playing "spy vs. spy" with their friends, trying simple algorithms and corresponding cracking programs, discovering which are best and which ar not... And possibly serious adults studying the reports and playing too, cracking their WP files, discovering how good PKZIP crypto is, and moving on to PGP and other systems... Descriptive plays for mimicking simple protocols and attacks with real world roll games and then with the computer. All guided by a nice tutorial with references to more technical reports for the interested. Maybe with several levels of explanations up to real crypto stuff and source code. But you won't find all that on any current archive. And writing all the additional stuff, together with compiling for several platforms, and rearranging information for a rational organization (not just a mirror) is quite a *lot* of work. That could pretty well be Applied Cryptography Nth Online Edition. Oh well, I don't lose anything by dreaming. jr From byrd at acm.org Sat Mar 30 03:59:21 1996 From: byrd at acm.org (Jim Byrd) Date: Sat, 30 Mar 1996 19:59:21 +0800 Subject: PGP Crack??? Message-ID: <2.2.16.19960330050617.3fdf7540@tiac.net> This just appeared in alt.security.pgp. Is there anything to it? I'm dubious. --------------- Path: news.tiac.net!news-in.tiac.net!news.kei.com!newsfeed.internetmci.com!in2.uu. net!EU.net!sun4nl!xs4all!mail From: kwyatt at fix.net (Keith) Newsgroups: alt.security.pgp,talk.politics.crypto Subject: New release: PGP Cracker Date: 30 Mar 1996 02:23:58 +0100 Organization: http://www.fix.net/~kwyatt/pgpcrack.html Lines: 10 Sender: daemon at utopia.hacktic.nl Message-ID: <199603300137.RAA12090 at fletch.fix.net> NNTP-Posting-Host: utopia.hacktic.nl Mime-Version: 1.0 Content-Type: Text/Plain; charset=US-ASCII X-To: mail2news at utopia.hacktic.nl X-Newsreader: WinVN 0.99.7 X-Mail2News-Complaints-To: postmaster at utopia.hacktic.nl Xref: news.tiac.net alt.security.pgp:52460 talk.politics.crypto:15088 Announcement: No longer is PGP uncrackable. A new software program has been released that cracks PGP encrypted messages. Find out more at: http://www.fix.net/~kwyatt/pgpcrack.html http://www.tcf.com:80/~kwyatt/pgpcrack.html Our apologies to Phil Zimmerman! From jimbell at pacifier.com Sat Mar 30 04:04:20 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 30 Mar 1996 20:04:20 +0800 Subject: Anonymous Cpunk Bashing Message-ID: At 01:29 AM 3/30/96 -0500, Ted Garrett wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >At 01:06 PM 3/29/96 -0800, you wrote: >>The implication is that the people who oppose this "list of shame" are doing >>so primarily for PERSONALITY reasons, rather than on the issues. I would >>feel better about the whole thing if the people who volunteered for the list >>had engaged in some sort of serious effort to show that the placement of the >>other people on that list was unjustified. Lacking even the most >>rudimentary effort along these lines, I really wonder who (and what) these >>people think they're supporting. > >I think that sometimes, one's cumulative reputation must count for something. >Most of the people who are included in this 'list of shame' have contributed >enormously to the furtherance of the crypto field in general. Whether I conscribe >to their viewpoints or not on a given subject, it is rather easy for me to think >of something they have written which I use as a rather concrete reference. Thusly, >given a track record of open and noteworthy thought on the field, I find it difficult >to denounce, as an example, Bruce Schneier. Especially IF it's only a matter of >sharing a difference of opinion on a given bill or set of bills before our lawmakers. > >Considering the fact that I've not seen Mr. Schneier come out on either side of the >Leahy Bill or, He's one of the people I haven't seen respond to the Leahy bill, as well. However, I don't regularly read SCI.CRYPT or much else that he may put his comments on, and I don't recall if he commented here. That's one of the reasons to be suspicious of the motivations behind the "list of shame," however there's good reason to be even more suspicious of those who have rushed to debunk it by "standing behind" all those listed, with no distinction. I think it is obvious that at least a few people listed should have been listed, but the majority I simply don't know about. I wouldn't be surprised if at least one of those anonymous messages deliberately loaded up the list with unworthy targets simply to disguise the ones who ought to be listed. > for that matter, many of the other bills currently before the congress, >it's hard for me to support mail-bombing him or many of the others on the list From llurch at networking.stanford.edu Sat Mar 30 04:21:07 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 30 Mar 1996 20:21:07 +0800 Subject: Netscape 2.01 fixes server vulnerabilities by breaking the client... In-Reply-To: <315C8FCB.2781@netscape.com> Message-ID: On Fri, 29 Mar 1996, Tom Weinstein wrote: > It may be unpleasant, but it's a fact that there was a real security > hole here. There is a well known buffer overrun bug in finger that a > lot of people inside firewalls haven't fixed. Using gopher: URLs > in IMG tags it was possible to do nasty things. We tried to err on > the side of permissivity, but finger was one port we just couldn't > allow. Yes, it sucks. So does someone reaching through your firewall > and running commands as root. How about limiting URLs on non-blessed ports to, say, 64 alphanumeric characters? I'm sure the documentation writers and technical support folks would hate you, but it should address these concerns. -rich From unicorn at schloss.li Sat Mar 30 04:38:40 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sat, 30 Mar 1996 20:38:40 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: Message-ID: On Fri, 29 Mar 1996, jim bell wrote: > At 05:32 AM 3/29/96 -0500, Black Unicorn wrote: > >On Thu, 28 Mar 1996, jim bell wrote: > > > >> At 03:46 PM 3/28/96 -0500, Black Unicorn wrote: > > >You clearly don't understand. You are an ass making an assumption that a > >court cares or believes that the witness can actually produce the > >requested information or not. Fines tend to be imposed regardless. > > Bullets don't care that a judge was justified in his decisions, either. God I hope you keep talking like this. The list might not have to endure you anymore unless you get a cushy prison cell with internet hookups. > Ultimately, your repeated argument is simply, "The legal system can be > abused by those who work in it." I wouldn't call fines imposed on a third party who clearly was complicit in the destruction of material evidence to a proceeding "abuse." It's abuse because you can't get away with your little scheme? Eh? Mr. Bell can't commit his crime with impunity, so the justice system is a sham? I don't challenge this claim, in fact my > position depends on its truth; my assertion is that the current legal situation is > out of the control of people faithful to the meaning of the Constitution, > and has been so for a long time. One of the main reasons I promote a > de-facto (and unofficial) death penalty for recalcitrant politicians and > other government employees is because the traditional "checks and balances" > system seems to no longer be working for the interests of the average citizen. Yadda yadda yadda. > > >> And in any case, I consider it highly doubtful that anybody would contract > >> with an escrow agent and identify himself by name > > > >The same way no one creates Panamanian companies with their own name. So > >what? Third parties are still fined heavily. > > Any specific examples? Sure, several. See my large note on the subject of asset protection. No? I thought so! In any case, if "third parties" > are "fined heavily," that is even more justification for setting up a method > to deter out-of-control courts. Mr. Bell, go make yourself a sovereign or something. > >>It would be a simple > >> matter to operate "escrow agents," just glorified data-holders, who would > >> receive data anonymously and send it out just as anonymously, to the person > >> who can identify themselves via some sort of encrypted ID system. > > > >And simpler for courts to fine them out of existance (which happened to > >several banks, trust companies and agents in Cayman and Panama. > > I guess you really don't realize that every claim you make demolishes the > justification for your obvious hostility to a system which prevents exactly > the kind of abuses you list. (Although it really isn't clear whether you > would classify them as "abuses.") My hostility is for a system that allows mob mentality and murder run the streets like a bad day in Beruit. Again, I don't consider fines assessed to deal with obviously complicit third parties to be abuse. Your problem is you can't deal with authority without calling for murder. Become an expatriate if you don't like the U.S. Move to e.g., East Turkey. > >They need only suspect or have reason to suspect it might be exculpatory. > _ ^^^^^^^^^^^ > Sloppy word usage. I think you meant, "incriminating." Typical for you. Actually I should have said "material." > >Practically speaking this means convincing a judge. Not hard when the > >words "offshore holding company" are mentioned in a brief or hearing. > > > >> In short, you need to comprehend what you're responding to before you > >> express your opinions. You're living down to my expectations. > > > >In short, go to law school, then try to talk about legal issues. > > In this day and in this country, "going to law school" is basically > synonymous with "learn to get along with the current legal system." It > should have been obvious long ago that I don't consider the current legal > system to be worth living with. Suicide is always an option. I don't much like the system in the United States either. But there are two ways around it. Ways that work, and ways that don't. Encouraging random murder and mob justice is, in my view, in the second field. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From hfinney at shell.portal.com Sat Mar 30 04:51:12 1996 From: hfinney at shell.portal.com (Hal) Date: Sat, 30 Mar 1996 20:51:12 +0800 Subject: What backs up digital money? Message-ID: <199603291832.KAA06165@jobe.shell.portal.com> From: jeff at BlackMagic.Com (Jeff) > > Regarding "What backs up digital currency/cash", a hypothetical situation > just to see what you guys think. Can this happen ? I honestly have my > doubts, mostly I see logistical problems (finding a mechanism, etc, if > you recall my mini-rant just a few days ago). Anyway, these are some of > the things I honestly feel would have to happen for a true Internetwork > currency to take off, if that's even possible. > [Lots of examples of tokens issued by various businesses and other groups] I think this is an interesting idea, and no doubt will happen in some form. Coupons and other special tokens could be issued electronically. But there are limits to how far it is likely to go, since these tokens are competing with ordinary cash-backed tokens (digital cash). It's like today, maybe you could buy something at the swap meet using a handful of 50-cents-off toilet paper coupons, if the seller was agreeable. But this becomes in essence a barter trade. Why do this, if the cash alternative is much more widely accepted? Another factor that arises is that if some token does catch on and circulate widely, it could be subject to regulation. I understand that in Las Vegas, some people started using casino chips as money. You could buy things with them, and they were accepted since people knew they could be turned in for cash at the casino. But the Feds cracked down and brought the practice to a halt. (I will ignore for now the question of whether such a crackdown could work on the net, but it would at least be a barrier to the acceptance of such tokens.) The idea of your "market square" token, which represents a basket of other tokens, is interesting, but it seems like you're basically re-inventing money. I don't quite understand the specifics of your proposal, where the market square token is based on the "market value" of the other tokens. In what units is this market value expressed? It seemed like what you had instead was a set of relative prices, where each token was worth a certain number of each other kind. I don't see how you can get a unique market value for each token out of that system. It doesn't seem like the relative value idea really works, anyway, as it suffers from the barter problem that there will be too few people who want to trade their shoe tokens for fruit tokens. That was what motivated the transition from barter to money in the first place, or so the story goes. If your overall point is that even without digital cash, we would end up with some form of electronic money eventually anyway, I think it is true. Entrepreneuers abhor a vacuum, and if the need is there it will be met. But the fact is that we are likely to have digital cash before all these other things, so I don't really see the whole scenario coming to pass. I do think a lot of your specific applications are interesting, though, and hopefully there will be many more creative uses of this technology. I know Eric Hughes a while back was talking about a way for players to transfer wealth between MUD games using a token based system. There are a lot of game possibilites. Hal From jimbell at pacifier.com Sat Mar 30 04:51:54 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 30 Mar 1996 20:51:54 +0800 Subject: Electronic locksmiths are watching you (Belgium's ban on PGP) Message-ID: At 06:02 PM 3/29/96 -0800, Tim May wrote: > >This seems like an interesting glimpse into the future of crypto banning >around the world. France's ban on unapproved crypto has been >well-publicized, but I hadn't heard until this message that Belgium has >joined in. > >The reference to Belgium's wiretap law and "But little-known sections of >the law state that all cryptograhic systems aimed at protecting privacy >must not block these wiretaps" suggests that we ought to look _very_ >closely at our own Wiretap Act (aka Digital Telephony) for similar >language. What I'm surprised about is that I would be criticized for being suspicious (as Declan McCullagh was, below) for doubting the motivations of people who propose crypto bills: At 08:35 AM 3/29/96 -0500, Declan B. McCullagh wrote: >Two observations: > >* Jim Bell would be unduly suspicious if _anyone_ introduced a crypto >bill in Congress. I'm not surprised that here on conspiracypunks someone >would be raising alarums without knowing what they're talking about. I think it's obvious that governments around the world have a very poor record of responding "well" to encryption with any kind of acceptable legislation. Arguably, laws should exist for the benefit of the public, but what's happening is that governments are using their authority to try to restrain the political consequences of technical developments. I see no benefit to the public in laws against encryption, and certainly no net benefit. We should be particularly suspicious of any hint of a pan-European ban or control of encryption, because that is exactly the kind of development that could usher in a secretly-negotiated treaty that might be argued to be binding on the public. Jim Bell jimbell at pacifier.com From alanh at mailhost.infi.net Sat Mar 30 04:58:38 1996 From: alanh at mailhost.infi.net (Alan Horowitz) Date: Sat, 30 Mar 1996 20:58:38 +0800 Subject: suggestions for starting an e-bank In-Reply-To: <199603282331.PAA22199@mail.instanet.com> Message-ID: The marketplace is unforgiving. If your friend doesn't know what services to offer, and what his mooted market niche is.....wait, never mind that. Actually, I am an expert on the market for e-cash. I work for $250 per hour. Trust me, I will take good care of him.Have him e-mail me direct. From tcmay at got.net Sat Mar 30 07:03:11 1996 From: tcmay at got.net (Timothy C. May) Date: Sat, 30 Mar 1996 23:03:11 +0800 Subject: Why Americans feel no compulsion to learn foreign languages Message-ID: At 12:50 PM 3/29/96, Dr. Dimitri Vulis wrote: >Likewise, Tim says there's no value in learning about "traditional" crypto. >I say there is. This is taken completely out of context and is beneath contempt in terms of trying to argue a point. *PLONK* Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From llurch at networking.stanford.edu Sat Mar 30 07:10:14 1996 From: llurch at networking.stanford.edu (Rich Graves) Date: Sat, 30 Mar 1996 23:10:14 +0800 Subject: Very nice Denise Caruso article in MacWorld Message-ID: Not that anyone actually reads Mac magazines anymore, but back page of the May 1996 issue of MacWorld (they don't procrastinate) bears an article titled "Civil Rights Activists 'Say, Sniff This!': encryption is one solution to net censorship," wherein Jim Warren, PGP, and other cool things are presented in an unambiguously good light. "On February 8th, President Clinton lifted his pen to sign the scabrous Telecommunications Reform Act of 1996.... The law is just one example of how our personal freedoms are fast eroding as digital technologies make it feasible to monitor electronic communications.... The decision to encrypt personal communication within this country is a political act that we still have the luxury to practice today. It is already illegal in many countries to use encryption for any reason without a license from the government." It should appear on www.macworld.com in about a month. -rich From jimbell at pacifier.com Sat Mar 30 07:21:27 1996 From: jimbell at pacifier.com (jim bell) Date: Sat, 30 Mar 1996 23:21:27 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: At 07:35 PM 3/29/96 -0500, Black Unicorn wrote: >On Fri, 29 Mar 1996, jim bell wrote: >> >entails criminal charges? >> >> You _do_ have an odd way with words. "entails" criminal charges? Hey, they >> can charge ANYBODY with ANYTHING, but that doesn't mean that a crime has >> actually been committed. Further, it isn't clear that anybody is obligated >> to respond to a subpoena without the possibility of a court challenge, and >> your fantasy about the cops showing up and trying to strongarm the ISP is >> laughable at best. > >Ok, forget "entails" try "is a crime." I think the reason you are so sloppy with language is that you don't want to be held to a strict standard of accuracy. For you, "entails" is sufficiently vague that you think you can get away with it. This kind of "abuse the language" behavior is common among lawyers. Check out the New York Times vs. Sullivan SC decision and their odd usage of the term "malice": It's a definition that appeared in no dictionary and (apparently) no prior legal decision. Clearly, lawyers (and especially judges) think that they can dynamically re-define the language in order to suit their needs. >> Who said anything about "destruction of material evidence"? Refusing to >> hand over information until AFTER a court has properly responded to a >> challenge to a subpoena is old hat to newspapers, TV stations, and other >> media-organizations who are occasioinally served with a subpoena. The ISP >> need merely say, I'm challenging this subpoena in court, go away >> motherfuckers! ISP prepares a challenge, "CC's" ALL the affected >> individuals, (including the person whose information is desired!), and the >> validity of the subpoena is tested. > >What you miss are provisions for the preservation of evidence called for >in the order during the hearing process. Before the challenge occurs? Hardy har har! Yes, the evidence WILL be preserved, in fully encrypted form. > The fact that you can fight a >subpoena has no bearing what-so-ever on the fact that its a crime to >destroy the evidence until the court rules that its non-material or >otherwise quashes the subpoena. Encrypting evidence is NOT "destroying evidence." Why don't you STOP talking about "destroying evidence, because it is clear that you've phonied up this assertion to buttress your claims. >I grow tired of being the source of your continuing legal education. I'm sure other people are growing tired of your failure to support your claims, as well as your failure to recognize the fundamental unfairness of the various things you've CLAIMED judges do. I suspect that any reasonably unbiased person would be shocked and astonished at the various behaviors you've claimed judges have displayed; he would then understand quite clearly why encryption is going to be such an important improvement in future society, because it will quickly emasculate the government and its ability to do precisely the sort of things you've claimed its agents do. >Anyone who knows me knows I spend all my days end arounding the >U.S. government. Explains a lot! You _are_ paid for this. In an earlier era, you would have gladly run the ovens at Auschwitz if you'd gotten paid for it. I'm reminded of that famous New Yorker magazine cover which showed, in cartoon form, a picture of Manhattan in the foreground, Jersey in the middleground, and the midwest towards the back, then California in the distance, etc. Clearly, you see the government as "Manhattan," occupying the vast majority of your scenery, and the rest of the country is clearly ignorable in the background. Chances are good that the reason you aren't more bothered at the government's behavior is that, fundamentally, you PROFIT from the excesses of the government. > The reason you can't see that is because I don't >threaten to murder officials, but choose the intellectual detour around >the myopic laws instead. I think you mean, "EXPENSIVE detour." You know, the one where the lawyers on both sides get paid a lot of money, the taxpayers and the victims get screwed, etc. Explains a lot about your motivations. >What is the function of your elusive super-secret "rosebud" warning >then? To tell the account holder to get a cup of coffee and call the >prosecutor to arrange for the delivery of the sought information? Simple. I disagree that it is constitutional to prohibit a person from informing yet another person (should he be inclined to do so) that he has been approached by officials. I see no support in the Constitution for such a tactic, since it is obviously equivalent to prior restraint. Obviously, however, there is a strong motivation for the officials to WANT to keep their interest a secret, but people want a lot of things without necessarily getting them. Your problem is that you are unable to admit that this practice is of dubious propriety; the government has been able to get away with it because it has dealt with large organizations that depend on it and can easily control. Smaller organizations, like ISP's and such, are run by people who aren't quite so contaminated with the "Government is God" philosophy, and who are far more likely to get around (or challenge) a old tenet that officials had grown to know and love. >Subjecting the target to compelled discovery orders $50,000+/day >fines, contempt charges, and incarceration for non-compliance. This, by >the way, regardless of the "incriminating" nature of the evidence. Fines >are not going to be refunded if the data/evidence is later proved immaterial. You keep making statements which merely represent abuses of the system. What you don't explain is why any judge who does such abusive things shouldn't be removed from office, by whatever means necessary. You would be far more credible if you prefaced your sweeping statements about what a government does with, "Yes, it's illegal, but they..." >> Ideally, this would be done automatically >> every time a person calls his ISP, although the software to do this probably >> doesn't exist yet. The result would be that whenever the target was NOT >> connected to the ISP, there would be no information on the ISP's system that >> could be decrypted by the ISP operator. > >Again, this still subjects the account holder to fines etc. You haven't explained why. You have appeared to accept the premise that the ISP's system is automatically programmed to make it impossible for the ISP to provide information, and you've just ADMITTED (and yes, it's really an admission!) that a judge would be inclined to abuse his position in such circumstances. As far as I can see, the American Revolution was fought over violations of freedom substantially less severe than these. >God help him >if he can't produce the desired information. He's likely to spend quite >a long time in jail until the judge is convinced that he's telling the >truth when he says "I threw away the key." Tell me, honestly: Do you genuinely believe that the average citizen (or ISP operator) is going to feel any more generous to the government's desire to regulate encryption if he's told that he may some day be held in contempt for failing to provide what he knows he cannot provide? Further, one of the provisions of the Leahy bill seems to be that key-escrow is OPTIONAL. It is, therefore, presumably true that the key-owner can write whatever conditions into that escrow arrangement he's inclined to add. Suppose for a moment the key-owner reads your suck-up commentary and believes you: He'd have to be a fool to use a key-escrow agent that was within the jurisdiction of the US or treaty agreements, OR he'd insist on using encryption to hide the keys. That being the case, pressure on the key-escrow agent is totally useless, as least with regards to getting the actual key. Obviously, then, the only purpose of such strong-arm tactics could possibly be is to deter any key-escrow agents that offer a _secure_ key-escrow service. But we've reached a contradiction: Is key-escrow voluntary or isn't it? You seem to have forgotten the subject of this thread. The appropriateness of any particular piece of legislation depends not exclusively on what it says, but in fact how it will be abused by crooked judges and prosecutors. Every time you open your digital mouth, you further destroy whatever credibility those guys have in the eyes of the public. At this point, anybody with a brain in his head should be terrified of giving the thugs any more power to abuse. >> This would be one of those inventive future uses of encryption, well beyond >> plain vanilla PGP, which we must assure ourselves will be developed. The >> kind of thing you dread, obviously. > >I don't dread it at all. I simply recognize the limited protection it >affords the evidence concealer. Actually, its protection against the individual is excellent. What you've done, essentially, is assert that the government will abuse any and all people who contract with the individual in order to deter them from entering into useful contracts which are secure against government intrusion. This worries me, and should worry anybody else. It's somewhat equivalent to the government holding your nearest neighbors responsible for any crimes you commit, which will induce them to spy on you to ensure that you're not doing anything that they'll later get it trouble for. Look up the term "bill of attainder" if you don't understand. >I certainly won't endorse moronic schemes that are so out of touch with >practical and legal reality so as to be laughable. That's odd. I've debated all comers, including clueless ones such as yourself. I've never run across a person who identified himself as a lawyer, and put even the smallest amount of effort into debunking my claims. I don't claim that everything I've said must be the truth; rather, I've pointed out that it's a good estimate and I've asked for clarifications and corrections. Nobody ever SPECIFICALLY challenges me on the big items; mostly I get statements like the one you've made just above which are so laughably non-specific that it's hard to know whether you seriously expect me to be satisfied with it. >The what's the purpose of your secret-super-duper "rosebud" warning? In >the absence of evidence/information availability to law enforcement at >the ISP, the account holder will be directly accountable. Is this a >better solution? > >You've now changed the structure of your "protection" scheme four times >to duck my criticisms. Actually, what I've done is poked four _different_ large holes in your arguments I haven't presented these as being part of the same claim. I don't have to. >> No, an even better defense is to make it absolutely impossible, as a matter >> of business practice, to assist the police with any kind of an >> investigation. > >On the part of the ISP, this is possible. A secret "rosebud" tipoff is >not the way to do it. Why not? If it's undetectable, then there's no risk to the ISP even if you assume that he's not entitled to inform the target. > Your constant encryption option is a bit better, >but still subjects the account holder to an investigation where the ISP >is compelled to cooperate with the authorities in secret and intercept or >record the computing session in real time. This is rich! You're saying the ISP has to CHANGE HIS BUSINESS PRACTICES to ADD A FUNCTION not previously provided? Hey, if there is any argument in favor of kicking these bastards out of office, feet first, it is this. A search warrant, even a wiretap warrant, is NOT a "do anything and everything we tell you no matter how much time it takes and how much money it costs" order. The reason the government wanted that Digital Wiretap act passed was because (supposedly) there simply wasn't the technology in place to do the kind of wiretaps they claim they wanted. There was no hint, BTW, that any judge was fining and local telephone company for failing to do a tap because the equipment wasn't designed to do that. (in fact, I've read that the thugs were forced to PRIORITIZE their taps, and to thus accept the existing limitation) If what YOU claimed was possible, then that Digital Wiretap Act would have been unnecessary: The government would have simply leaned on the phonecos to force them to install this equipment anyway. I agree that an old-line company like AT+T or IBM or such might have complied with such an order, simply to stay on the government's good side, but to assume that such a broad interpretation will fly in the modern era is laughable at best. >Unfortunately, records can only be completely destroyed in a pre-emptive >way when they are of no use any longer. This, again, ignores the >possibility of real-time investigation or informers. > > While courts will look askance >> at it when it does not appear to be a regular business practice (say, the >> company gets sued today and they have a mass shredding tomorrow) there is >> nothing wrong about regularly making past records unavailable by shredding, >> burning, erasing, or by any other method. > >Once suit is filed there is. Only if they are under discovery procedures. If I file a lawsuit again, say, the local phoneco, that doesn't mean that their entire records-destruction system must be put on hold. Only the material specifically needed and requested. >> Making those records SELECTIVELY unavailable by encrypting them with >> somebody else's public key and keeping them has probably never been tested >> in court, but if the business contracts this ISP regularly signs have this >> as a provision of doing business, the court can't squawk after the fact. > >No, instead, knowing of this provision, any plaintiff or prosecutor will >apply for a TRO to preserve evidence before ever filing for a warrant. It's pretty hard to TRO a microprocessor. >> After all, the ISP might have simply erased the files, keeping them from >> being accessed by ANYBODY, including their "owner." > >This argument will go over real well in court. It really doesn't matter how well it "goes over." Once ISP's start using pre-emptive anti-warrant procedures, I predict that they will become standard in the industry: "Due diligence," as it were. Given a choice, I'd much rather use an ISP that was willing to make it as difficult as possible for the government to get what they want. If the ISP WANTS to do this, they can. >> In any case, I think it's fair to hold an ISP to his word and contract. > >Contracts are void to the extent they are illegal. Note to the rest of you: Unicorn is abusing the term "illegal." There is a difference between an "unenforceable" contract and one which actually is a crime. Unicorn's trying to mix up these two distinctions. Just because a contract can't be enforced in court because of legal bias, doesn't mean it can't be enforced "extra-judicially." >> If you can repeatedly describe, in nominally accurate terms, how abusive the >> government has become and NOT oppose its actions with every fiber in your >> being, then YOU have made yourself part of the problem. > >Who said I didn't oppose it? You only oppose it when PAID to! You have all the business ethics of a whore. Actually, maybe less. >> Remember that prosecutor who died in Boston a few months ago? You >> know, the one who made the national news? I'm still waiting to see how >> that one came out, but I suspect they will never be able to prove who >> did it, and may not even be able to find out. > >Parties who believe Mr. Bell might have been responsible are invited to >call the Boston Police and provide an anonymous tip. Don't try to be funny. You're not very good at it. I try to follow all these kinds of "weird" cases that (strangely) make the national news for reasons that are not clear at the time. I figure that the reason they make the national news is that somebody knows something about the case which makes it worthy of the attention, but they can't quite say it because they have no proof. The word gets around, I'm sure. >> Except that in a court room, the decision maker is PAID by a party to the >> case, the government. That sounds like a classic conflict of interest >> to me. > >Yadda yadda yadda. That's the best this guy can do! (unless he's paid...) Jim Bell jimbell at pacifier.com From merriman at arn.net Sat Mar 30 07:24:26 1996 From: merriman at arn.net (David K. Merriman) Date: Sat, 30 Mar 1996 23:24:26 +0800 Subject: Why Americans feel no compulsion to learn foreign langua Message-ID: <2.2.32.19960330003531.00682704@arn.net> At 10:58 PM 03/29/96 -700, you wrote: >More fuel for the fire: I've noticed that I've been able to follow this entire >thread, and my multi-lingual skills are only as extensive as beer-ordering and >restroom-finding in a few languages. The second necessarily follows from the first :-) Dave ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From steve at aztech.net Sat Mar 30 08:04:08 1996 From: steve at aztech.net (Steve Gibbons) Date: Sun, 31 Mar 1996 00:04:08 +0800 Subject: Netscape 2.01 fixes server vulnerabilities by breaking the client... Message-ID: <009A015C.30D31580.701@aztech.net> (This was previously posted to cypherpunks list, I have expanded the distribution to the firewalls list due to the content.) In Article: <315C8FCB.2781 at netscape.com>, Tom Weinstein wrote: # Rich Graves wrote: # > # > Now I suppose they'll want me to fix all the pages where I do a finger # > with a gopher://host:79/0user Any chance this nonfix can be unfixed? # > # > This nonfix was applied to the UNIX and Win32 versions; I haven't # > checked the other platforms. # It may be unpleasant, but it's a fact that there was a real security # hole here. There is a well known buffer overrun bug in finger that a # lot of people inside firewalls haven't fixed. Using gopher: URLs # in IMG tags it was possible to do nasty things. We tried to err on # the side of permissivity, but finger was one port we just couldn't # allow. Yes, it sucks. So does someone reaching through your firewall # and running commands as root. Let's look at this from the perspective of a company with a firewall: Q: Do I want my users dictating what's allowed? A: Probably not. Q: Do I want my software vendors dictating what's allowed? A: Maybe not. Real Q1: When are sun/netscape/browser-vendor-x going to provide standardized, secure, multi-teired configuration options? Real Q2: It seams to me that most of the standard TCP protocols that a gopher client can talk to should have similarly standard protocol-specifiers for the URL. Browser vendors are in a perfect position to say "this lack of synchronization is a real problem" and "It's bitten us already" and to take care of the problem by proposing RFCs. Real Q3: (Somewhat off-topic) when are signed applets going to appear? comprehensive standards coupled with multi-teired configuration options would allow real-world customers and their net-neighbors to sleep a little better at night. -- Steve at AZTech.Net From steve at aztech.net Sat Mar 30 08:39:55 1996 From: steve at aztech.net (Steve Gibbons) Date: Sun, 31 Mar 1996 00:39:55 +0800 Subject: Why Americans feel no compulsion to learn foreign langua Message-ID: <009A014B.B8D6C960.673@aztech.net> More fuel for the fire: I've noticed that I've been able to follow this entire thread, and my multi-lingual skills are only as extensive as beer-ordering and restroom-finding in a few languages. Well, I thought it was an interesting point... :) -- Steve at AZTech.Net From unicorn at schloss.li Sat Mar 30 09:05:01 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 31 Mar 1996 01:05:01 +0800 Subject: The limits of my patience. In-Reply-To: Message-ID: On Fri, 29 Mar 1996, jim bell wrote: > > >Anyone who knows me knows I spend all my days end arounding the > >U.S. government. > > Explains a lot! You _are_ paid for this. In an earlier era, you would > have gladly run the ovens at Auschwitz if you'd gotten paid for it. You're way out of line here. I expect an apology. I've dedicated a lot of time to addressing your issues. You have repeatedly and preemptively brought the discussion into the realms of personal attack. I have endured and rebutted thus far, but you have really crossed the line of decency here. Being called an ass I can tolerate, the above I cannot. > > Jim Bell > jimbell at pacifier.com > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From anonymous-remailer at shell.portal.com Sat Mar 30 09:22:26 1996 From: anonymous-remailer at shell.portal.com (anonymous-remailer at shell.portal.com) Date: Sun, 31 Mar 1996 01:22:26 +0800 Subject: PLease ignore this test message Message-ID: <199603301357.FAA23035@jobe.shell.portal.com> TEst TEst TEst From Declan_O'Donovan/ITP/IE.ITP at bonzo.itp.ie Sat Mar 30 09:39:03 1996 From: Declan_O'Donovan/ITP/IE.ITP at bonzo.itp.ie (Declan O'Donovan/ITP/IE) Date: Sun, 31 Mar 1996 01:39:03 +0800 Subject: unsuscribe Message-ID: <9603301832.AA0134@bonzo.itp.ie> unsuscribe From dlv at bwalk.dm.com Sat Mar 30 09:46:13 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sun, 31 Mar 1996 01:46:13 +0800 Subject: Why Americans feel no compulsion to learn foreign languages In-Reply-To: Message-ID: tcmay at got.net (Timothy C. May) writes: > *PLONK* Thank you for the compliment. --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From dlv at bwalk.dm.com Sat Mar 30 10:09:35 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sun, 31 Mar 1996 02:09:35 +0800 Subject: Why Americans feel no compulsion to learn foreign languages In-Reply-To: Message-ID: tcmay at got.net (Timothy C. May) writes: > At 12:50 PM 3/29/96, Dr. Dimitri Vulis wrote: > > >Likewise, Tim says there's no value in learning about "traditional" crypto. > >I say there is. > > This is taken completely out of context and is beneath contempt in terms of > trying to argue a point. No, I think both of Tim's statements illustrate the typical Americans disdain for learning for knowledge's sake and the (still amazing to me) ability to express pride in their ignorance. Most Americans lack the motivation to learn a foreign language (or even their native language), or to learn what great naval battles of WW II were won because certain codes were broken, or how to prove that two triangles are congruent, or how to break a substitution cypher, since this knowledge won't bring immediate monetary rewards. It's as if though their challenge is to go through life learning as little as they can get away with (other than obscure sports statistics). --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From unicorn at schloss.li Sat Mar 30 10:23:53 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 31 Mar 1996 02:23:53 +0800 Subject: What backs up digital money? In-Reply-To: <199603291832.KAA06165@jobe.shell.portal.com> Message-ID: On Fri, 29 Mar 1996, Hal wrote: > From: jeff at BlackMagic.Com (Jeff) > > > > Regarding "What backs up digital currency/cash", a hypothetical situation > > just to see what you guys think. Can this happen ? I honestly have my > > doubts, mostly I see logistical problems (finding a mechanism, etc, if > > you recall my mini-rant just a few days ago). Anyway, these are some of > > the things I honestly feel would have to happen for a true Internetwork > > currency to take off, if that's even possible. > > [Lots of examples of tokens issued by various businesses and other groups] > > I think this is an interesting idea, and no doubt will happen in some > form. Coupons and other special tokens could be issued electronically. > But there are limits to how far it is likely to go, since these tokens > are competing with ordinary cash-backed tokens (digital cash). It's like > today, maybe you could buy something at the swap meet using a handful of > 50-cents-off toilet paper coupons, if the seller was agreeable. But this > becomes in essence a barter trade. Why do this, if the cash alternative > is much more widely accepted? The solution is a series of a "coupon/token exchange." One can imagine a service which does nothing but exchange all forms of coupons/tokens or, indeed, provides a fluid market for them a la "Idea Futures." If a given coupon/token issuer wanted complete fluidity, he has merely to offer the coupons/tokens on the coupon/token exchange. After a basic finding, the market will take care of the rest, including valuation. This gives the individual issuer exchangability, to the extent the market percieves his coupons to be worth something. Individuals not interested in their 'currency' being public could refuse to offer them on the exchange, or offer them on the exchange "blindly" without a description of their terms of redemption, and thus maintain an underground market in the tokens or coupons, used, one would assume, only by those who were familiar with the terms of redemption. > Another factor that arises is that if some token does catch on and > circulate widely, it could be subject to regulation. With an offshore exchange, this becomes almost a non-issue. Particularly if encryption is used to mask exchanges. > I understand that > in Las Vegas, some people started using casino chips as money. You > could buy things with them, and they were accepted since people knew > they could be turned in for cash at the casino. But the Feds cracked > down and brought the practice to a halt. (I will ignore for now the > question of whether such a crackdown could work on the net, but it would > at least be a barrier to the acceptance of such tokens.) Again, if you had an offshore entity which provided easy convertability to, e.g., e$ dollars, this becomes impossible to eliminate. > The idea of your "market square" token, which represents a basket of > other tokens, is interesting, but it seems like you're basically > re-inventing money. I don't quite understand the specifics of your > proposal, where the market square token is based on the "market value" of > the other tokens. In what units is this market value expressed? It > seemed like what you had instead was a set of relative prices, where each > token was worth a certain number of each other kind. I don't see how you > can get a unique market value for each token out of that system. Anyone have the idea futures URL available? The author should take a look at it. Briefly, by offering "futures" contracts on ideas (queen mother dies by year 2000), one can get a market valuation of the legitimacy or likelihhood of this claims truth. In the same way, a liquid exchange of tokens or coupons would provide fairly accurate valuations of the instruments. All the exchange would have to do is provide token or coupon convertability into it's own tokens (exchange tokens, "etk"s) and then permit purchases of all the trading coupons or tokens in terms of exchange tokens. e.g., assume currently one e$ is trading at 1etk. Those wishing to buy "tacky tokens" with e$ need only purchase 1etk, then run their cursor down to the tacky token field and see that two tacky tokens are trading at 1etk. Send the exchange their etk and get two tacky tokens. (Of course, the exchange would be best off in demominating things in etk100,000's so as to collect a small exchange fee in their own currency easily. The result might even be active trading in etk's. Get an offshore bank involved, and you have real interesting stuff. > It > doesn't seem like the relative value idea really works, anyway, as it > suffers from the barter problem that there will be too few people who > want to trade their shoe tokens for fruit tokens. That was what > motivated the transition from barter to money in the first place, or so > the story goes. What I've proposed is just a local common exchange of sorts. But it's only limited in so far as there are active users of the exchange. > If your overall point is that even without digital cash, we would end > up with some form of electronic money eventually anyway, I think it is > true. Entrepreneuers abhor a vacuum, and if the need is there it will > be met. But the fact is that we are likely to have digital cash before > all these other things, so I don't really see the whole scenario coming > to pass. I do think a lot of your specific applications are > interesting, though, and hopefully there will be many more creative > uses of this technology. I know Eric Hughes a while back was talking > about a way for players to transfer wealth between MUD games using a > token based system. There are a lot of game possibilites. The void to be filled will be as individuals see the advantages of minting their own currency. My brain's tired. Anyone want to spit some of these out? > Hal > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From alanh at mailhost.infi.net Sat Mar 30 10:29:05 1996 From: alanh at mailhost.infi.net (Alan Horowitz) Date: Sun, 31 Mar 1996 02:29:05 +0800 Subject: your mail In-Reply-To: <199603291755.JAA25340@spike.hnc.com> Message-ID: Is there any indication that the GRU or Chinese or Iranian intelligence (I think these are our only foes nowadays who have blue-water {to mix a metaphor} spook services) could do better than the Japanese did in sigint'ing against human speakers of Navajoe? Is the Navajo language still extent among draft-age men? Life in the Southwest has changed considerably since 1943. From alanh at mailhost.infi.net Sat Mar 30 10:29:35 1996 From: alanh at mailhost.infi.net (Alan Horowitz) Date: Sun, 31 Mar 1996 02:29:35 +0800 Subject: What backs up digital money? In-Reply-To: <199603291832.KAA06165@jobe.shell.portal.com> Message-ID: > From: Hal > I understand that > in Las Vegas, some people started using casino chips as money. You > could buy things with them, and they were accepted since people knew > they could be turned in for cash at the casino. But the Feds cracked > down and brought the practice to a halt. Noting your caveat that this is a rumor, I doubt it. I'm not aware of there being any legal basis for doing so. The only possible related thing would be for the IRS to bothyer people _after the fact_ _if and only if_ they were using barter to to hide the receipt of income. For example, if you have declared on your tax return that you are engaged in _buying and selling widgets with the intent of realizing a profit_ (Schedule C), they are likely to question whether your bartering of a widget for 5 50-cents-off-toilet-paper coupons, was really an even trade of your personal property for someone else's personal property. Even in such case, the rule is not absolute. For example, the regulations which implement the taxation of the inter-state trade in firearms, make the presumption that the dealer does possess some number of firearms as chattels. The legal tender laws are of very limited scope. Bus companies _are_ allowed to decline to accept dollar bills and instead demand exact change in coins, for example. From alanh at mailhost.infi.net Sat Mar 30 10:58:52 1996 From: alanh at mailhost.infi.net (Alan Horowitz) Date: Sun, 31 Mar 1996 02:58:52 +0800 Subject: Why Americans feel no compulsion to learn foreign langua In-Reply-To: <2.2.32.19960330003531.00682704@arn.net> Message-ID: > From: David K. Merriman > >restroom-finding in a few languages. > > The second necessarily follows from the first :-) While deployed to a remote radar station on an isolated island, supplied solely by periodic but unreliable airfreight sorties, I oft found myself wondering: which is the more acute emergency.... to run out of food or to run out of toilet paper? From jya at pipeline.com Sat Mar 30 11:07:32 1996 From: jya at pipeline.com (John Young) Date: Sun, 31 Mar 1996 03:07:32 +0800 Subject: The limits of my patience. Message-ID: <199603301518.KAA12640@pipe1.nyc.pipeline.com> Responding to msg by unicorn at schloss.li (Black Unicorn) on Sat, 30 Mar 8:43 AM >On Fri, 29 Mar 1996, jim bell wrote: >> Explains a lot! You _are_ paid for this. In an earlier era, you would >> have gladly run the ovens at Auschwitz if you'd gotten paid for it. >Black Unicorn wrote: >You're way out of line here. I expect an apology. Uni, thanks for noting Bell's XXX-poison, I'd stopped reading him, presuming his prescription was a dumb placebo for helpless hypochondriacs. Now, his clumsiness is revealed to be a trick to conceal the deadliness of his toxin. Still not sure if he's understands the sickness he's spreading. He probably hasn't checked his contaminated sources very carefully, or maybe got infected and is terminally out of his mind. Is there a doctor on the list, or a mortician? From adam at lighthouse.homeport.org Sat Mar 30 11:19:00 1996 From: adam at lighthouse.homeport.org (Adam Shostack) Date: Sun, 31 Mar 1996 03:19:00 +0800 Subject: Note: Problems Confronting the Asset Concealer [Part 1 of 2 of Volume I] In-Reply-To: Message-ID: <199603301540.KAA07025@homeport.org> Black Unicorn wrote: | While direct crypto relevance is limited, I thought that this work | might interest many on the list and so I decided to post it in any | event. The sections on fourth and fifth amendment protections, or | lack thereof, for banking documents might shed some light on the | eventual disposition of crypto keys under the same circumstances. Actually, this is not all all irrelevant. The question of how a non-American living in the US can benefit from writign crypto code has been a topic of discussion the last few days. A real understanding of laundering is needed for the time between now and when the bad guys stop trying to tax the non-physical. I look forward to having a chance to read it. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume From jkim at sn.no Sat Mar 30 11:41:18 1996 From: jkim at sn.no (Kim Johansson) Date: Sun, 31 Mar 1996 03:41:18 +0800 Subject: unsuscribe Message-ID: <199603301544.QAA23304@ekeberg.sn.no> unsuscribe From unicorn at schloss.li Sat Mar 30 12:00:01 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 31 Mar 1996 04:00:01 +0800 Subject: Note: Problems Confronting the Asset Concealer [Part 2 of 2 of Volume I] Message-ID: (Volume I - Part 2 of 2) The Constitution is of No Help. The asset concealer who hopes to rely on the constitution to protect him might wish to consider the view of one noted scholar: "The Constitution provides little protection for account holders. Courts describe the interest of the United States in enforcing its laws as overwhelming and the ability of prosecutors to uncover evidence of criminal conduct as essential. That interest usually overwhelms any possible constitutional right of a bank customer. United States v. Miller rejected the Fourth Amendment's Search and Seizure Clause as a basis for a privacy right in bank records." (Todd Jones, Compulsion Over Comity: The United States' Assault on Foreign Bank Secrecy, 12 J. Intl. L. Bus. 454), and cases since have followed this holding almost religiously. As discussed briefly above, it is likewise unlikely that the fifth amendment will protect the asset concealer to any degree of certainty. Several cases have held that fifth amendment rights do not apply to banking records or financial information. Zicarelli v. New Jersey State Comm'n of Investigation, 406 U.S. 472, 478 (1972)(Banks and other institutions cannot invoke the self incrimination clause of the Fifth Amendment); Braswell v. United States, 487 U.S. 99, 102 (1988); Bellis v. United States, 417 U.S. 85, 89-90 (1974). On the fifth amendment concerns See Generally, Comment: Sidestepping Foreign Bank Secrecy Laws: No Sanctuary in the Fifth Amendment and Little in the Interest of Comity, 10 Hous. J. INT'L L. 57, 57 n.1 (1987). Corporate entities have no Fifth Amendment protection at all by virtue of their agent status, Bellis v. United States, 417 U.S. 85, 89-90 (1974), and more and more such protection is withheld even if the corporate entity is a co-defendant. Braswell v. United States, 487 U.S. 99, 102 (1988). Exceptions may exist for those entities which are operated as sole proprietorships. Braswell at 104 citing United States v. Doe, 465 U.S. 605 (1984). The cases following In re Grand Jury Proceedings, 814 F.2d 791 (1st Cir. 1987) demonstrate how the fifth amendment has been eroded or eliminated in application to this problem. In the In re case the defendant was directed by the district court to sign a consent form permitting the disclosure and production by a financial institution of documents protected by Singapore banking secrecy law. On refusing to sign, the defendant was held in contempt. The investigation alleged reporting and currency violations. The defendant appealed to the First Circuit which held the signature as both "testimonial" and "self-incriminating." The court reasoned that the consent form "amounts to an assertion" that the bank customer consented to production of the requested records and that it was "self- incriminating" because it could be used to demonstrate incriminating facts (e.g., that the accounts in the witness's name existed and were within the witness's control). Even at the time, however, this decision was in conflict with the Second, Fifth and Eleventh circuits, which have held such an order does not violate the fifth amendment. (Typically on the grounds that the forms signed were non-testimonial). Lately, clever prosecutors and private litigants have evaded the testimonial hitch entirely by phrasing their consent forms in the hypothetical, and not naming specific account names or numbers. The Supreme Court upheld the order of contempt for a defendant refusing to sign such a document. See, Doe v. United States, 108 S. Ct. 2341 (1988). The Court noted that the form was carefully drafted not to make reference to a specific account, but only to speak in the hypothetical. Compare the unconstitutional language of the In Re Grand Jury form: "I [witness], consent to the production to the [District Court and Grand Jury] of any and all records related to any accounts held by, or banking transactions engaged in with, [bank X], which are in the name of, or on behalf of: [witness], if any such records exist." with the now constitutional: I, [witness], of the State of New York in the United States of America, do hereby authorize and direct any bank, trust company, or other financial institution located outside of the territorial United States at which I have or have had an account of any kind, or at which any corporation has or has had an account of any kind upon which I am or have been authorized to draw, to disclose all information and deliver copies of all documents of every nature in the possession or control of such bank, trust company, or other financial institution which relate to any such accounts, together with a certificate attesting to the authenticity of any and all such documents, to any agent or employee of the United States Government who presents a copy of this Consent Directive which has been certified by the Clerk of the United States District Court for the Northern District of New York to such bank, trust company, or other financial institution, and this Consent Directive shall be irrevocable authority for doing so. United States v. A Grand Jury Witness, 811 F.2d 114 (2d Cir. 1987). For more examples See also, United States v. Davis, 767 F.2d at 1040 (holding any problem of testimonial self-incrimination is solved by such an order precluding use of directive as admission); In re Grand Jury Proceedings, 814 F.2d at 795 (expressly approving of reasoning in Davis); United States v. A Grand Jury Witness, 811 F.2d 114, 117 (2d Cir. 1987); United States v. Cid-Molina, 767 F.2d 1131, 1132 (5th Cir 1985); United States v. Ghidoni, 732 F.2d 814, 818 (11th Cir.), cert. denied, 469 U.S. 932 (1984); United States v. Browne, 624 F. Supp. 245, 248 (N.D.N.Y. 1985); United States v. Quigg, 48 A.F.T.R.2d 81- 5953, 5955 (D. Vt. 1981). Even more importantly, the character of the "documents" themselves, public or private, electronic or paper, would seem to be a factor courts will refuse to consider. Fisher v. United States, 425 U.S. 391, 410-11 (1976) rejecting both an analysis based on the nature of documents and privacy as the policy supporting the fifth amendment. Some protection still exists. Many jurisdictions refuse to recognize "consent" orders signed under judicial compulsion. See, In re ABC Ltd., 1984 C.I.L.R. 130 (1984) (Grand Court of the Cayman Islands)(Consent directives compelled under threat of contempt sanctions do not constitute consent under Cayman Bank Secrecy Law); In re Confidential Relationships (Preservation) Law, Law 16 of 1976, Cause No. 269 of 1984 (Grand Ct. Cayman Islands July 24, 1984). [...] IV. Esoteric Considerations Intelligence threats: The asset concealer should note that financial institutions have increasingly become the target of foreign intelligence operations. The IRS has conducted intelligence operations against foreign banks extensively in past and the scope of such operations in the present is unclear. From 1965-1975 the intelligence division of the IRS's Jacksonville, Florida district conducted operations named "Tradewinds" and "Havens." Both operations were designed to gather intelligence on American investors in offshore banking entities, and expose potential tax evasion and criminal activity. Several IRS agents testified on the operations before the House Committee on Government Operations in the First Session 94th Congress, 1975. In 1965, when the Bahamas enacted its bank secrecy legislation criminalizing the release of banking information, the IRS turned to paid informants within the banking community to elicit information about the banking activities of U.S. citizens, a tactic that violated Bahamian law. The most dramatic of these was the "briefcase caper," wherein a female IRS informer "entertained" a Bahamian banker while her accomplice photocopied the contents of his briefcase. United States v. Payner, 434 F. Supp. 113 (N.D. Ohio 1977), rev'd, 447 U.S. 727 (1980) The IRS finally ceased the operation in 1975 when it admitted that it had obtained information in violation of federal law. The IRS has also shown a propensity for illicit information gathering from the mails. At one time in the late 1960s, the IRS combed through mail to identify those U.S. citizens who received mail from Swiss Banks. Though most Swiss banks at the time mailed their customers using unmarked envelopes, the IRS aggressively pursued traffic analysis in the mails. Agents from the IRS mailed inquires to several Swiss banks and recorded the number of the postal meters used to respond. These collected numbers were matched against international mails using high speed copiers at the port of entry and those matching the postal meter numbers were audited at "random." The practice was later upheld in United States v. Leonard, 524 F.2d 1076, 36 (2nd Cir. 1975) cert. denied, 425 U.S. 958 (1976), and some 150 taxpayers were prosecuted. Generally speaking, the Supreme Court has upheld the use of illegally obtained information in tax cases in United States v. Payner, 447 U.S. 727 (1980). Given the success of the IRS operations ($52,000,000 at a cost of $1,500,000 according to the hearings on Tradewinds and Haven) it is difficult to imagine that these methods have been entirely abandoned. Moreover, the asset concealer should recognize that today private litigants have access to the most professional intelligence services themselves. Organizations like The Investigative Group, Inc., Kroll, Pinkerton, and Control Risks, Inc. have recruited former investigative and intelligence professionals aggressively and offer their services to private litigants as a matter of course. Given the forgoing the private banking option, below, becomes more and more attractive. Pressure from the IRS alone is not the only concern that asset concealers might wish to consider. Congress has more than once called for sanctions against banks that do not bow to the wishes of the United States. Staff of Senate Subcomm. On Narcotics, Terrorism and International Operations, 101st Cong., 2d Sess., Drug Money Laundering, Banks and Foreign Policy 32 (Comm. Print 1990) Given this, the serious asset concealer should consider using banks that hold no assets in the United States, and which do not conduct normal banking business in the United States, as these assets, or the banking charter generally, could easily be suspended, frozen, or revoked. [...] The Anatomy of a Money Laundering Investigation [...] Private banks The asset concealer may also wish to consider the option of a private bank. Private offshore banks provide individuals or small groups of investors with their very own financial institution. This, of course, reduces the number of individuals with access to banking information, allows for the more direct control of records, and all but eliminates the potential for coercion of a large banking parent. In addition, private banks create a captive source of loans for investors, provide additional funds at interbank rates, allow the payment of interest tax free, the participation in tax free international underwriting, assist clients in international trusts and corporation formation, and eliminate many overhead costs of banking. If one can balance the costs and government fees of forming such a bank, they are the most secure and direct method of asset concealing. Asset concealers who wish to pursue this option would do well to keep in mind that their choice of corporate form for their financial institution will impact their fifth amendment protections. Braswell v. United States, 487 U.S. 99, 102 (1988)(Normal rule stripping fifth amendment protections from financial institutions refusing to comply with compelled discovery orders even when named as co-defendants may not apply for those entities which are operated as sole proprietorships). In the cases of securities related charges, where at one time charges could be filed solely on the basis of the defendants invocation of the fifth amendment in reference to questions about the existence of foreign bank accounts of financial dealings, in the absence of a direct connection, such an assertion alone is no longer enough to warrant an action. See Comserv Corp., 698 F. Supp. at 789. (Absent other evidence assertion of Fifth Amendment privilege is "not a sufficient basis for the SEC's action." Id. See also Pagel, Inc. v. SEC, 803 F.2d 942, 946-47 (8th Cir. 1986)(citing Baxter v. Palmigiano, 425 U.S. 308, 317 (1976)). Until around 1965, establishing banks in the Bahamas and other islands was simple. Forming a normal corporation and granting it banking powers was about the extent of the efforts required. The Bahamas eventually tightened restrictions and while there are still over 350 banks on the island, establishing new entities is more difficult today. The Cayman Islands followed suit in 1966, enacting legislation virtually identical to that of the Bahamas. Additional legislation passed in 1989 modifies some of the 1966 rules. While a "bank" is nearly impossible to organize in Bermuda today, finance companies can be organized to conduct some quasi-banking activities. The most attractive, and least regulated of the major jurisdictions today are Turks and Caicos, and Vanuatu. Turks and Caicos, while regulating "banks" a bit more strictly, allows almost unregulated formation of trust companies. Vanuatu permits the formation of exempted banks, making it perhaps the most attractive jurisdiction for the asset concealer interested in forming his or her own financial institution. To some extent is it possible to form a financial institution in Switzerland, but this has become increasingly difficult, and the highest standards for capital pay in and reputation make it prohibitively restrictive for most asset concealers. Jersey, Luxembourg and Guernsey are other options, but all still impose strict regulations on the formation of new banks. Luxembourg requires that the banking business be conducted locally, that the new bank be sponsored by two well established banks, and that at least 350 million Lux.F. be paid in prior to formation. Panama still allows offshore bank creation with limited fees and a low paid in capital requirement of $250,000 which must be deposited locally. New banks must generally be backed by large and reputable banks. I remain suspicious of actual banking activities in Panama, however, considering the increased U.S. presence in the country since the ousting of her former dictator. Netherland Antilles also allows formation of offshore banks which are generally treated like investment companies. Offshore banks can be granted a flat tax of 6% on income and require only a 20% pay in of the capital requirement which is NAf 1 million. (1NAf=$0.56 at the time of this writing). Nauru permits offshore banks but a reputation requirement often prevents novice applicants from easy approval. Nauru does, however, have very low licensing fees, which are usually not more than normal trading or holding corporations. Shell banks (those without substantive assets of any kind) were popular until 1977. They required no paid in capital and were commonplace in Anguilla and St. Vincent. While technically such institutions no longer exist, some of the smaller jurisdictions have difficulty enforcing their capital and debt-equity ratio requirements, often creating "effective" shell bank opportunities after an initial showing of capital which is later removable. For the prudent asset concealer, however, shell banks will present a less than desirable alternative to meaningful bank licenses in legitimate jurisdictions. My own views aside, conventional wisdom holds that offshore banks are best formed in the Bahamas and Cayman Islands. Both of these jurisdiction's license applications can exceed 100 pages. Directors are generally required to offer proof of bona fide banking experience, officers, managers and shareholders required to make disclosures, and references checked. In many cases, as with Vanuatu for example, stand-ins for officials, directors and managers are available through local trust services. Initial capital statements are typically audited. Paid in capital requirements are usually $250,000 or more. The Cayman Islands and other jurisdictions allow substitution of capital for guarantees from reputable banks or trust companies. Almost every jurisdiction requires annual license fees. [...] See Generally, Peat Marwick's numerous publications. Using Private Banks to your Advantage [...] Bearer Shares Bearer shares are an immensely useful tool to the asset concealer. Bearer shares are certificates of equity ownership which are freely transferable and embody full ownership rights to the holder. They do not bear the name of the shareholder or beneficiary and are not registered. Bearer shares are generally numbered certificates with removable serialized coupons attached which can be exchanged for dividend payments, much like bond coupons. Bearer shares with voting rights are generally tallied by deposit with a designated bank in exchange for corporate voting ballots issued by the bank before shareholder meetings. Because Bearer shares are not registered, and entitle the holder to the full benefits of ownership, and because dividend coupons are detachable, a stockholder in the corporation can be completely anonymous and a distinct entity from those entitled to dividend payments. Typically on formation trustees accept bearer shares in the corporation and later pass them to the actual shareholders who may in turn separate the dividend rights, transfer the shares, or both, to a third party. In this manner the ownership of the corporation is almost entirely shielded. Antigua, Barbuda, Liberia, Liechtenstein, Luxembourg, Nauru, Netherland Antilles, Panama, Switzerland, and Turks and Caicos all permit bearer shares, as do Cayman and Vanuatu for exempted companies. V. Reviews of Specific Jurisdictions Why I don't like Switzerland anymore Not obscure enough. Spineless. Switzerland has, perhaps for legitimate reasons at first, attracted a tremendous amount of attention as a banking secrecy jurisdiction. The astute asset concealer will avoid such jurisdictions where possible as they tend to attract suspicion and law enforcement attention. For example, a 1981 study by Swiss National Bank and the public prosecutors office attributed 26 kidnapping incidents in 1970 and 1978 to Swiss money laundering elements in the ransom demands. (Massnahmen gegen "Geldsauberung," Neue Zurcher Zeitung, (NZZ) May 9/10, 1981, No. 106 at 9). High profile customers in Swiss banks have attracted so much public attention as to make the jurisdiction extremely high profile. See, e.g., N. Schmid, Banken Zwischen Legalitat Und Kriminalitat 189- 191 (1986) (King Faisal of Iraq, King Faruk of Egypt, Algerian Liberation Front, Ex-Shah of Iran Pahlevi, and Presidents of Argentina, Kongo-Katanga, Nicaragua); Internationale Rechtshilfe - Gefahr fur das Bankgeheimnis, NZZ, Aug. 30, 1989, No. 200 at 21 (Marcos, Irangate, drug mafia); The Lifestyle of Rich the Infamous, FORTUNE, Dec. 2, 1988, at 38 (tax fugitive Marc Rich). Cf. Nationalrat will scharferen Geldwascher-Artikel, Tages-Anzeiger, Nov. 28, 1989, No. 277 at 9 (statement of member of Swiss House of Representatives)("...no country can point to as many illegal banking transactions as Switzerland"). In 1977 a private agreement between the Swiss Bankers' Association ("SBA") and member banks of the SBA took effect. The agreement establishes a duty of due care in the identification of potential account holders and depositors and is intended to reduce the incidence of rampid criminal activity through Swiss banks. (Vereinbarung uber die Sorgfaltspflicht bei der Entgegennahme von Geldern unde die Handhabung des Bankgeheimnisses)(VSB 1977). In addition, the Bankers' Agreement contains a stipulation that depositors wishing to trade on United States securities markets are required to waive their rights to secrecy as a condition to trading. The SBA provides in detail for SEC investigations into securities violations involving Swiss banks. The "Lebanon Connection," was the scandal that most turned the tables on Swiss banking secrecy. (Allegations that several of Switzerland's major banks assisted Turkish-Lebanese drug ring over in the laundering of proceeds totaling over 1.6 billion francs. Taglich eine Million Dollar gewaschen, Graber, Geldwascherei 42 (1990). See also, Wichtiger als Geldwascher bestrafen ist die Verbrecherorganisation treffen, Tages-Anzeiger, Nov. 12, 1988, No. 265 at 33 (Lebanon Connection largest Swiss money laundering scandal to date); Geldwascherei: Dampf aufgesetzt, Schweizerische Handelszeitung (SHZ), Nov. 10, 1988, No. 45 at 17 (Illegal drug profits entered Switzerland on daily basis via couriers carrying briefcases filled with dollar bills in small denominations). Immediately after, the Swiss Federal Council (Bundesrat) streamlined the typically lethargic elements of Swiss legislative efforts to criminalize money laundering, and the new legislation was approved by the Swiss Parliament to take effect August 1, 1990 P. Bernasconi, Grenzueberschreitende Wirtschaftskriminalitat, 83 Schweizerische Juristische Zeitung (Sjz) 73, 82 n. 24 (1987). Cf. P. Forstmoser & A. Meier/Hayoz, Einfuhrung in das Schweizerische Aktienrecht 329 (4th ed. 1989). Under the law, money laundering crimes are punishable by imprisonment for up to five years and by fines of up to one million Swiss francs. (Scweizerisches Strafgesetzbuch, Code Penal Suisse, Codice Penale Svizerro, art. 47, 273). Because the Mutual Assistance Treaty with the United States permits release of banking records to the United States in the event the activity is illegal in both countries, it would seem that money laundering investigations will grant prosecutors the right to request, and obtain Swiss banking records. Switzerland has gone on to eliminate the "Form B" account. (permitting a proxy to vouch for the depositor, and effectively making the account anonymous subject to the proxy's trustworthiness. Swiss Bankers Ass'n, Convention de Diligence Banquers, Form B (1987)). As of April 25, 1991 Swiss banks are now required to record the identity of the beneficial owner of depositor accounts, leaving a wider paper trail for U.S. prosecutors. According to one commentator, "In short, the United States now has an extremely powerful vehicle with which to pierce the veil of Swiss banking secrecy..." Kanwar M. Singh, Nowhere to Hide: Judicial Assistance in Piercing the Veil of Swiss Banking Secrecy, 71 B.U.L. Rev. 847. Even given the legislative tendency to erode Swiss secrecy, one must understand that the image Swiss banking secrecy has been much inflated in public opinion. Swiss banks have become very conscious and wary of indiscriminately opening accounts which may be the subject of illegal funds receipt. Swiss banks are increasingly reluctant to open new numbered accounts. "Coded" accounts are typically granted only to current customers. Truly "anonymous" accounts do not exist at all in Switzerland. Instead, numbering is directed to avoid internal violations of banking secrecy and problems along the line of the Bahamas "briefcase caper." Honegger, Demystification of the Swiss Banking Secrecy and Illumination of the United States Memorandum of Understanding, 9 N.C.J. Int'l L. & Com. Reg. 1, 17 (1983). In fact, contrary to popular belief, purely anonymous accounts do not exist at all in Switzerland. H. Bar, The Banking System of Switzerland 61 (1957). At the very least one or more senior bank employees will know the depositor's identity. Even in the case of Form B accounts, records of depositors were typically kept privately by higher officials in the bank. When taken as a whole, the legislature's specific indication of its willingness to erode the protection of banking secrecy in Switzerland, the pending legislation, interest in EU membership, acceptance of the European Convention on Money Laundering, four other anti-secrecy laws recently passed in Switzerland along with the more intrusive internal policies of Swiss bankers, my interest in Switzerland as an asset concealing jurisdiction is much eroded. See Generally, Rebecca G. Peters, Money Laundering and Its Current Status In Switzerland: New Disincentives for Financial Tourism, 11 J. Intl. L. Bus. 104 (1995). For a defense of the current status of Swiss banking secrecy, however, See Paolo S. Grassi and Daniele Calvarese, The Duty of Confidentiality of Banks in Switzerland: Where it Stands and Where it Goes. Recent Developments and Experience. The Swiss Assistance to, and Cooperation with the Italian Authorities in the Investigation of Corruption Among Civil Servants in Italy (The "Clean Hands" Investigation): How Much is Too Much? Why I like Panama. At one time, Panama was regarded as the leading tax and securities trading haven in the Western Hemisphere. 3 W. Diamond & D. Diamond, Tax Havens of the World, at Panama-1 (1989). While the political upheaval and overthrow of Manuel Noriega have changed much, many aspects of Panamanian law remain friendly to the asset concealer. Panamanian corporations have no minimum capital requirement, and registered shares are not required to be completely paid in. While corporate law requires two shareholders for the purpose of electing a board of directors, (which can consist of only three persons, none of whom must own shares), after the board is elected the corporation may be reduced to one shareholder. Ownership can be effectuated through bearer shares if they are fully paid in, and there are no citizenship requirements except for the appointment of a resident agent, who is generally the incorporating agent. "Bearer shares" are well entrenched in Panamanian law. They allow corporate ownership to be shielded quite effectively from identification by permitting the corporation fully transferability in private face to face transactions of nothing more than the corporate share certificates. Typically, an agent handles incorporation, and exchanges the bearer certificates with the principal, who then may even exchange it with a second principal, completely shielding the final holder of the corporation from identification by the agent absent the cooperation of the first principal. Bearer shares will be discussed more fully below. In addition, Panama continues to maintain strict banking secrecy laws and no taxation of income produced from sources outside the country. Large investors may enjoy the benefits of extensive investment and capital incentives. Banking Law of Panama, Law No. 16, Arts. 2-4 (Jan. 28, 1959). These arrangements have particularly suited Panamanian corporations for discrete, indeed totally confidential, securities trading on U.S. markets. Many traders have used Panamanian corporations extensively in this regard, and even where the existence of the corporations and their complicity in insider trading has been established, few investigations have been able to bear the burden required to secure convictions. See, e.g., SEC v. Levine, Civ. Action No. 86-3726 (S.D.N.Y. filed May 12, 1986)(alleging defendant Levine made securities trades based on inside information through two Panamanian corporations beneficially owned and controlled by Levine) In re Joseph A. Lugo, Admin. Proc. File No. 3-6740 (Lexis, Securities library, Releases file)(May 10, 1988)(Panamanian bearer stock corporation involved in scheme to defraud investors); SEC v. Palmer Fin. Corp., Litigation Release No. 12,082, 43 SEC Docket 1230 (D.D.C. May 3, 1989) (violations of Sections 13(d) and 16(a) of the Exchange Act). The combination of opaque ownership anonymity and non-cooperation with authorities even in criminal investigations makes Panama the ideal first tier expatriation jurisdiction, and an excellent re-investment vehicle. Panama's entities will be discussed in more detail in the second "implementation case study" section below. Why I like Liechtenstein I must disclaim my passage here by disclosing that I am personally involved in business, banking, and government in Liechtenstein. Despite her neighbor's less than favorable bent, Liechtenstein remains a powerful jurisdiction for the asset concealer. The primary vehicle employed is typically the Liechtenstein Anstalt, but Foundations and general trusts are also exceptionally effective. Unlike Luxembourg and Dublin, Liechtenstein, by virtue of her disdain for EU membership, will not be burdened by the proposed standard EU withholding tax to which even Switzerland and the Channel Islands may eventually be subject. Though the Channel Islands and the Isle of Man are technically outside the EU area, many point to their presence within the "sterling area" as dangerous with regard to the proposed tax's reach. Liechtenstein is also much easier to reach than most island offshore havens. Perhaps best of all, foreign judgments, except in Switzerland or Austria, are not enforceable in Liechtenstein. Private plaintiffs will waste their time seeking local assistance in attaching assets. Liechtenstein Entity Forms The Anstalt The Anstalt or "Establishment" is a corporation which is more accurately characterized as a international holding corporation. Typically financial or controlling interests in foreign corporations and other entities are left in the care of an Anstalt and thus in the jurisdiction of Liechtenstein. In many ways Anstalts function much the way that conventional trusts do. An Anstalt can be founded with only one "founder" or "promoter" who is typically an agent local to Liechtenstein acting for an anonymous owner. The local agent holds the charter of ownership on the Anstalt, which is the only record of the actual beneficiary of the entity, and can be made a bearer document. Owners of Anstalts enjoy advantages such as: Thirty year tax rate freezes, no mandated debt-equity ratio, liability limited to assets, and extremely low taxation. Some 70,000 Anstalts exist, though the precise number is a closely held secret (to avoid any attempt at process of elimination guesswork). There is a one time fee to establish an Anstalt, generally SwFr 1,000 or 3% of the starting capital, and a yearly tax on net assets of the greater of 0.1% or SwFr 1,000. Dividends are taxed at 4%. A minimum capital requirement of SwFr 30,000 exists for Anstalts, but can typically be waived. Taxation is more complicated for commercial entities in Liechtenstein, and auditing requirements apply, but generally taxation falls within 6 to 18%. There are no reporting requirements for Anstalts which do not themselves conduct commercial activities. Some problems with the Anstalt still remain. Anstalts, like Panamanian corporations, are generally bearer certificate owned and easily transferable as a result. Because of this, and the fact that most Anstalts are single owner entities, asset disputes can result if the bearer document falls into the wrong hands. The Treuunternehmen Treuunternehmens or "Trust Enterprises" are modeled after the Massachusetts trust and are generally unlimited as to its structure. Offshore activities, while better left to other jurisdictions in general, can be best effected through Treuunternehmens. The Stifung For the wealthiest clients, the security of Liechtenstein's foundations (Stifungs) are unparalleled, even in the offshore world. While establishing a Stifung requires a due diligence finding by the trustee or founding attorney of the client's general good character, the disposition of the funds applied after the founding of a Stifung will be unscrutinized. Stifungs require a separate offshore holding company for administration, have a board of directors, and a trustee/attorney. The beneficiary is known only to the directors, and the attorney. Like Anstalts and Treuunternehmens, Stifungs offer limited liability. Stifungs can be best described as autonomous funds without corporate structures. Stifungs too have some cautionary notes attached. The director of a Stifung may take a narrower view of the distributions of assets than the original founder originally intended. As directors are usually singular in Liechtenstein Stifungs, there is no recourse to disgruntled beneficiaries. Of course, these problems are easily solved if a close and trusted person can be appointed as the founder. Many trustees suggest the original founder's successor be appointed automatically on the death of the former. Additionally, paying out on the entire net worth of the Stifung tends to assure the correct ownership attribution. All of these entities are perfect for the asset concealer who wishes to stand before a local court and deny ownership of additional assets. In addition to being technically true of the beneficiary of an Anstalt or Stifung, it has the additional advantage of being entirely uncontradictable. Anstalts can be in bearer form, and Stifung founders are typically trustees. A measure of the frustration of U.S. regulatory and prosecuting authorities in tracing the owners of Anstalts can be seen in the slew of U.S. proceedings with similar case names. e.g., SEC v. Certain Unknown Purchasers, No. 81-Civ-6553 (S.D.N.Y. July 25, 1983) The Aktiengesellschaft Aktiengesellschafts, "Share Companies," or "Stock Corporations" are primarily Anstalts for larger number of beneficiaries, and provide more complicated vehicles for share distributions and stricter internal board requirements. They also have an initial capital requirement of SwFr 50,000. Bearer or registered shares are permitted. Shares may be held by nominees. Aktiengesellschafts are required to keep proper books, appoint qualified auditors, and submit balance sheets to Liechtenstein tax authorities. While holding corporations are a simple matter to establish, less than savory investors will have difficulty with direct banking. Liechtenstein has been conscious of her international reputation, and generally more fussy about her banking clients. Those depositors with less than SwFr 250,000 will be unable to expect much personal attention even if bankers will generally not turn away small depositors. Depositors with SwFr 1,000,000 or more can expect fuller service banking services including portfolio advice. Depositors with SwFr 3,000,000 can expect completely individualized service, including discretionary management by multiple fund managers directed to the client's individual needs. Forming individual financial institutions is extremely difficult. Secrecy Generally, Liechtenstein enjoys much more potent secrecy than her neighbor Switzerland, but because this has been somewhat eroded by international money laundering agreements and exceptions for criminal enterprises, she is a better reinvestment and shell management vehicle than expatriating entity. The SEC's own Mr. Haberman commented once on Anstalts, "We've traced stuff to Anstalts in the past and then couldn't get anywhere - where the money came from, who the beneficiaries were, nothing." Indeed, even where the ownership of the Anstalt is "obvious," proving it in court without the charter documents or extensive showings of financial information is all but impossible. The combination of a Liechtenstein Anstalt as an umbrella for offshore corporations in other jurisdictions and bank accounts in a separate, potent banking secrecy jurisdiction is thus an excellent concealing combination. Criminal activities, particularly drug related, are likely to remove the veil of secrecy, but unlike Switzerland, Liechtenstein's bankers have not explicitly adopted the SBA's 1982 "due care" agreement. Secrecy in regard to tax matters is as absolute as can be found worldwide. Liechtenstein and her financial institutions will under no circumstances whatsoever render any assistance to tax authorities. Assistance in criminal matters, even in light of the recent money laundering compact, is limited to those cases where the activity in question reflects badly on Liechtenstein as a financial center. Criminal investigation assistance under the Legal Assistance Act expressly provides for natural and legal entity secrecy even in cooperation with foreign authorities unless the crime in question is also illegal in Liechtenstein. Assistance in the case of criminal charges stemming solely from tax evasion or currency infringements and related offenses will be curtly denied. The 1992 provisions criminalizing drug-trafficking (Betaaubungsmittelgesetz). provide for five year sentences for those acting to hinder the discovery or retention of assets related to illegal drug production, distribution, storage, etc. 1995 provisions adopting Europe's convention against money laundering expands the exceptions to banking secrecy to proceeds having their origin in any sort of criminal offense which is also illegal in Liechtenstein. Lawyers and trustees have a right of silence in any administrative or judicial proceeding, and secrecy is expressly written into statutes in several places. Liechtenstein is best used as a tax shield and post expatriation umbrella for asset reinvestment rather than initial expatriation. For a detailed treatment of Liechtenstein Laws with regard to insider trading, See, Emmanuel Gaillard, Insider Trading: The Laws Of Europe, The United States And Japan, 1992. For a critical look at Liechtenstein secrecy entities, See, Liechtenstein's Uncertain Foundations, Anatomy of a Tax Haven, UE Ramati, Hazlemore Ltd Tax Publications, Dublin. Why I Like (sort of) The Cayman Islands While the Islands have attracted increased law enforcement attention of late, they remain very attractive as a base for offshore corporations. Cayman typically implies no-direct taxation, is not a party to any tax treaties, and grants exceptionally secure assurances against future increased taxation. Cayman has excellent telecommunications systems, offers direct dialing to offshore locations and remains on eastern standard time all year long. Government fees are the greatest burden to the asset concealer. The real hitch in the Caymans is the mutual legal assistance treaty between the United Kingdom and the United States. The treaty provides for information sharing in those instances where crimes are mutually recognized. This, of course, excludes tax related offenses if they are not connection with otherwise criminal activity. Investigations into narcotics trafficking activates a more liberal agreement which gives the U.S. Attorney General direct access to otherwise confidential information regarding Cayman Islands account holders. Entities in the Caymans Every Cayman company is required to keep a register of its directors, officers, mortgages, charges, and shareholders. Exempted companies may keep their registers anywhere in the world, others must keep it locally. Exempted companies are not required to disclose any of their shareholders publicly. Cayman corporations are divided into three types. Local companies, exempted companies, and nonresident companies. Local companies are permitted to conduct business in the islands. Exempted companies are the general vehicle used to conduct offshore business and while they may use a local office to do so, they may not themselves conduct local business. Nonresident companies are less flexible than exempted companies, but are less expensive to form. Companies can typically be formed in one to two days and the documents are fairly simple. Nearly 2,500 new companies are formed every year in the Caymans, offering the asset concealer ample opportunity to be lost in the crowd. Exempted companies are granted a 20 year stay on taxes of any kind. Unlike non-resident companies, exempted companies can issue bearer shares, no par value shares, and need not include "Limited" or "Ltd." as part of their business name. Directors of exempted companies must hold at least one meeting a year locally but alternate directors are permitted and often trust company stand-ins are used. While exempted companies can have a single shareholder, nonresident companies must maintain 3 or face personal liability of the shareholders for company debts. Exempted companies cannot invite Cayman citizens to hold shares or debentures, though unsolicited share and debenture purchases are permitted to them. Private Banking Cayman is particularly useful, even given the criminal legal assistance treaties, in its ease of banking entity establishment. More than 500 licensed banks exist on Grand Cayman, and several trust companies have been formed in the last decade. Banks and trust companies must be licensed by the Governor and Executive Council. Class A licenses permit local and offshore operation, and Class B licenses permit only offshore operation. Multinational corporations, families, and even individuals with "clean" credentials have been able to obtain licenses for banks and trust companies in the Caymans without much difficulty. Unrestricted Class B licenses have a capital requirement of about $500,000 with a 100% pay in requirement, though portions may be guaranteed. It is possible, in some circumstances, to obtain a restricted Class B license with less capital. Class A licenses cost $50,400 per year, while Class B licenses a mere $15,120. Setting up an offshore bank in Cayman should be possible with $40,000 and $25,000 per year. Quarterly financial statements are required and while annual financial statements must be audited, they need not be published. Class B licenses are generally eligible for a 20 year guarantee against taxes. Restricted Class B licenses are also available, but these can be hard to come by. Restricted licenses limit the number of depositors, and the undertaking which the bank may involve itself with. Usually a filing with the authorities is required. As the cost of obtaining an unrestricted Class B license is essentially the same, it is not usually worth the extra effort to pursue a restricted license. Cayman banks of all flavors can be owned by a single shareholder, and contracting with local banks to operate facilities and lend personal are both permitted. Typically trust companies charge between $15,000 and $25,000 per year for such services. [...] Government fees are the most plaguing obstacle to the asset concealer. If prices continue to increase, it may be beneficial to seek other jurisdictions in which to conduct ones activities. Despite expense, Cayman is still an excellent place to establish an offshore investment company, a bank or financial institution, captive insurance company, or offshore trust. Why I Like Vanuatu The pacific island nation of Vanuatu was at one time a condominium administered by France and the UK. Currently, Vanuatu, formerly called The New Hebrides, is a Republic with a multi-party democracy and regular elections. Under the British, Vanuatu adopted many of the aspects that today make it an interesting asset concealing jurisdiction. Vanuatu has a balanced budget, a balance of payment surplus, no or almost no public debt and low inflation. The government has explicitly endorsed tax haven type policies and even the opposition parties seem uninterested in rocking the boat. Australia, however, has tightened regulations on her citizens who transact with Vanuatu. Australian citizens must now file a "taxation clearance certificate" with local authorities before conducting business with Vanuatu. Taxation Administration Act, section 14C (Australia) In practice, such certificates are virtually impossible to obtain. The great advantage of Vanuatu is the saturation of tax-haven participants. Local financial, legal and accounting services have been so successful and numerous, that a flurry of merger and acquisition activity has resulted in the consolidation of several entities. The result has been increased stability in these areas. There is no registration requirement for trusts in Vanuatu, so there is no official account of their number, though it can assumed to be large as several large trust companies, some captives of major worldwide trust companies or banks, work actively on the islands. Offshore exempted (secret) companies number 650+. Bearer Shares Exempted companies in Vanuatu are "secret" and disclosure of financial or ownership information is punishable by a fine of VT100,000 or imprisonment of up to 12 months. (1VT=$0.009 at the time of this writing). Companies Regulation 1971, section 416. While non-exempt companies require public filings of ownership, in practice this is often circumvented by trust ownership and registration in the names of the nominees. Warranted bearer shares can only be issued by non-exempt companies and must be fully paid in. Companies Regulation 1971, sections 38(a), 93. Perhaps most importantly there are no taxes what so ever on capital or corporate profits. As a result there are no double taxation treaties, and hence no provisions for information sharing whatsoever. The obscurity of Vanuatu makes this one of the most impenetrable offshore centers around. Banking does not permit coded accounts, or accounts in pseudonyms, although practically there are few if any checks on identity for depositors. Local trust companies make these restrictions effectively unimportant, as nominee services are readily available to assure more potent account secrecy. New companies can be very quickly set up in Vanuatu. Three working days turn around time can be expected if an application is filled out in detail and in advance. While off the shelf companies are not "available," in practice abandoned, unwanted, unused, or idle companies can often be purchased from local vendors. Corporate forms in Vanuatu follow the Cayman Islands and Bahamas models. The result is an excellent offshore style legal framework. Companies in Vanuatu may be limited by shares, by guarantee, or unlimited. They may be private, (if the articles impose: self restricted transfer of shares, members number less than 50, and a prohibition on public subscription for shares or debentures), or public. For the asset concealer, the private company is the most useful. Exempted companies are not permitted to own shares in non-exempt companies, own interest in any local undertaking, allow public subscriptions to stock or debentures, or conduct any business with any non-exempt company. Any local judicial proceedings involving exempted companies in Vanuatu will be held in camera, and public records of the proceedings will not be recorded. Technically speaking, a Vanuatu corporation is required to have issued and paid two shares in the minimal amount of VT1/share. No formal requirements as to shares is actually required and shares with no par value at all may be issued by unlimited companies. Exempted companies need only have one director and a separate secretary. Private Banks The real gem of Vanuatu, however, is the ease with which the asset concealer may create a banking company. Financial institutions in Vanuatu must be licensed and must have a minimum paid in capital of VT12.5 million if the head office is in Vanuatu, and VT50 million otherwise. There is an annual license fee of VT300,000. Reserve fund and liquid asset minimum holdings are enforced, and banks or financial institutions may also be exempted if they conduct no local business except with related entities and exempted financial institutions and banks are not subject to many of the stricter regulations imposed on non-exempt entities. Unlike almost any jurisdiction, financial institutions may be exempted. This is a powerful tool for asset transfer, privacy and concealment. Exempted banking entities are afforded a good deal of flexibility in their minimum capital requirements subject to the approval of the Registrar. There are no reserve or equity ratios imposed on exempt banks. Most interestingly, local trust companies are in the habit of providing all staff, local directors, attorneys, and required personal for exempted banks. Some beneficial ownership and audit requirements are in force, but exempted financial institutions and banks can expect full confidentiality as a matter of course and lax enforcement. Combined with the complete absence of currency controls, Vanuatu is nearly the perfect jurisdiction for those asset concealers interested in founding their own private financial institution. [...] See Generally, Vanuatu Companies Regulation 1971, Vanuatu Banking Regulation 1970, Vanuatu Trust Companies Regulation 1971. (Continued in Volumes II, III, and IV) --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From frantz at netcom.com Sat Mar 30 12:07:36 1996 From: frantz at netcom.com (Bill Frantz) Date: Sun, 31 Mar 1996 04:07:36 +0800 Subject: Crypto CD UpDate Message-ID: <199603301639.IAA16075@netcom9.netcom.com> At 8:36 PM 3/28/96 +0100, JR at ns.cnb.uam.es wrote: > I may -or not- trust the people at unimi, but would I also trust >a lot of intermediate people putting up together a CD-ROM? For that sake, >and considering the costs of storage and removable storage media, I'd >bet many people would find more useful to download their copies from >the net (even once a year only) as I did. If pieces of the source/executable are digitally signed, you have a basis for some degree of trust. (My pgp came with a detached signature. A bit self-referental, but at least a start.) Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From declan+ at CMU.EDU Sat Mar 30 12:18:09 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Sun, 31 Mar 1996 04:18:09 +0800 Subject: New crypto bill to be introduced In-Reply-To: Message-ID: A few responses to Jim Bell: * Why would Sen. Burns introduce *this* particular crypto bill? Would you believe that he wanted to appear cyber-clueful and net-friendly, but didn't know exactly how to do that -- so certain people suggested that this bill would be an appropriate way to do it? * Why would Sen. Burns introduce this particular bill *now*? One word: CFP. * Why would Jim Bell post anonymously? He writes: > That is a silly conclusion. The primary reason for anonymity with such > postings is to avoid controversy being associated with one's name. I, as No, the primary reason for anonymity is to avoid being *associated* with one's name. I know this may be attributing an undeserved sense of precedence, but perhaps Jim Bell has realized that his opinions are discarded out-of-hand by many on this list, so he posts anonymously to regain some credibility. A message from anonymous would also work nicely to reinforce his own position, allowing Jim Bell to claim additional allies. Anyway, last night I sat next to Dorothy Denning on the bus to the EFF Pioneer Awards reception and dinner, and we chatted for about 20 minutes. She's a sweet old lady -- I can't think of anyone with whom it's easier to agree to disagree. I asked her what she thought of a number of people -- on Tim May she said: "Let's not talk about that." She also said she's educating a House committee about crypto next week -- I dearly hope our side will have some experts there as well. -Declan Excerpts from cypherpunks: 29-Mar-96 Re: New crypto bill to be i.. by jim bell at pacifier.com > It's not that I'm suspicious of the wording of this new bill; I haven't even > seen it yet. What is a bit suspicious is its timing. Let's see, where do I > begin? When the Leahy bill was first discussed around here, there were > claims (which, arguably, might be true) that this bill "couldn't be passed" > without the negative portions of the bill (key escrow commentary; > criminalization of encryption use, etc.) More recently, it was claimed > that the Leahy bill was dead, and couldn't be revived by the end of the > session due to lack of time. I don't necessarily challenge these claim; but > I note them and I also note that this new bill is going to run into the same > kind of time restraints as the Leahy bill would have, even more so. Even > worse, this new bill will split off support from Leahy, meaning that > (everything else being equal) it is hard to imagine how this new bill (even > if it is everything we want, and nothing we don't want) will get passed. > > Maybe that's the idea: As Tim May pointed out, at this time maybe no bill > is better than any bill. And maybe what is needed is a bill to siphon > support away from Leahy, to ensure it's dead, which I presume this new bill > will do quite well even if it's never voted on. If that's the case, this > new bill may be a "conspiracy," but it might be a conspiracy that I can > actually sympathize with and support, even like. > > Nevertheless so, I would at least like to look that gift horse in the mouth, a > nd > understand the motivations of the people proposing this new bill. > > > >* Jim Bell says we're "overdoing it on this 'List of Shame' thing." Not > >at all -- we're proud to be on it! And you, Jim Bell, are one of my > >primary suspects for authorship. > > That is a silly conclusion. The primary reason for anonymity with such > postings is to avoid controversy being associated with one's name. I, as > anyone who's read my writing can attest, not only do not try to avoid > controversy, but in fact appear to seek it out, perhaps even to revel in it. > Having taking a strongly anti-Leahy position before this anonymous poster > first appeared, it would be pointless for me to add my commentary in > anonymous form to that which I've already posted under my own name. > > Furthermore, I've pointed out that there is no reason to exclude the > possibility that this anonymous poster isn't deliberately going too far, > mixing "deserving" names in with undeserving ones, in order to discredit > those people who are criticizing the supporters of the Leahy bill. I can't > say this for certain, because there were a number of names on this "list of > shame" whose positions on Leahy I haven't even seen. Nevertheless, > propaganda techniques are sophisticated, and I do notice a suspicious number > of people who appeared to want to "stand up for those people" rather than > standing up for the positions they took. (Whatever they were.) > > The implication is that the people who oppose this "list of shame" are doing > so primarily for PERSONALITY reasons, rather than on the issues. I would > feel better about the whole thing if the people who volunteered for the list > had engaged in some sort of serious effort to show that the placement of the > other people on that list was unjustified. Lacking even the most > rudimentary effort along these lines, I really wonder who (and what) these > people think they're supporting. From cpunk at remail.ecafe.org Sat Mar 30 12:54:23 1996 From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer) Date: Sun, 31 Mar 1996 04:54:23 +0800 Subject: Note: Problems Confronting the Asset Concealer [Part 1 of 2 of Volume I] Message-ID: <199603301648.QAA26804@pangaea.hypereality.co.uk> Black Unicorn wrote: > Practical and Legal Problems Confronting the Asset Concealer in > Relation to Offshore Financial and Corporate Entities: A View from > the Perspective of the Individual Attempting to Avoid Extraterritorial > Discovery, Attachment, or Coercion. "Laundernomicon?" From JonWienke at aol.com Sat Mar 30 13:14:01 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Sun, 31 Mar 1996 05:14:01 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <960330120159_181484785@emout09.mail.aol.com> To Jim Bell and "Black Unicorn": I have been following your debate with interest, and would like to re-iterate some points that were made and add some of my own. The concept of encrypting a key before escrowing it is excellent. It prevents the escrow agent from misusing the key, and protects the principal from government snooping. If the escrow agent is served a subpoena, he can say, "Here is the key you want. Go ahead and take it. In fact, here is my entire key database. All keys are encrypted by the principals before I get them, so I can't guarantee that you will be able to use them, but here they are anyway." At this point, the LEO's can take whatever they want, but the principals are still safe. The escrow agent doesn't have to send any encrypted "rosebud" message to anyone, and he can bend over backwards to make the LEO's happy, so his butt is covered, too. At this point, the LEO's can either (a) send the keys to the NSA for decryption, and thereby admit that the gov't can break IDEA (or whatever cryptosystem was used to encrypt the keys before the escrow agent got them), (b) rubber hose the unencrypted key(s) from the principal, or (c) go home and pout. Of course, if you never escrow your keys, you can avoid the whole scenario altogether, leaving the gov't with options (b) and (c). Jonathan Wienke From raph at cs.berkeley.edu Sat Mar 30 14:11:05 1996 From: raph at cs.berkeley.edu (Raph Levien) Date: Sun, 31 Mar 1996 06:11:05 +0800 Subject: Test case for RSA t-shirts In-Reply-To: <199603262347.LAA09880@cs26.cs.auckland.ac.nz> Message-ID: <315D7895.307AB61A@cs.berkeley.edu> pgut001 at cs.auckland.ac.nz wrote: > [...] > In July I'll be going to the US for a conference. I have one of Adam Backs > RSA-in-perl t-shirts and am prepared to wear it into (and possibly back out of) > the country if anyone feels it would do any good (for example to act as a test > case for exportability). If anyone thinks this would be useful or wants to > offer a legal opinion, let me know. [...] While we're on the subject, I called Sam Capino's office regarding my CJR for this t-shirt, and he said they were still waiting for a response from the NSA. I think my next move will be a letter asking exactly when I can expect a response, and whether there's anything I can do to compel a response, It was originally filed (in October) as a 15-day expedited review. Thus, the actual legal status of the shirt is murky. Don't be surprised if they approve it after they quit stalling. Raph From tcmay at got.net Sat Mar 30 14:37:47 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 31 Mar 1996 06:37:47 +0800 Subject: unsuscribe Message-ID: At 11:47 AM 3/28/96, "Declan O'Donovan/ITP/IE" unsuscribe Declan (the other one), you have misspelled "unsuscribe" and you have sent your request to the wrong place. To let others know that you have been told what to do, for the usual game-theoretic reasons, I'm leaving the CP list copied on this reply. How to subscribe to the Cypherpunks mailing list: send a message to "majordomo at toad.com" with the body message "subscribe cypherpunks". To unsubscribe, send the message "unsubscribe cypherpunks" to the same address. For help, send "help cypherpunks". Don't send these requests to the Cypherpunks list itself. And be aware that the list generates between 40 and 100 messages a day. Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From dlv at bwalk.dm.com Sat Mar 30 14:39:03 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sun, 31 Mar 1996 06:39:03 +0800 Subject: The limits of my patience. In-Reply-To: Message-ID: <287LLD31w165w@bwalk.dm.com> Black Unicorn writes: > On Fri, 29 Mar 1996, jim bell wrote: > > > > >Anyone who knows me knows I spend all my days end arounding the > > >U.S. government. > > > > Explains a lot! You _are_ paid for this. In an earlier era, you would > > have gladly run the ovens at Auschwitz if you'd gotten paid for it. > > You're way out of line here. > I expect an apology. Consider the above in context. Would you be willing to run the ovens/gas chambers if you were exterminating U.S. government employees/contractors? "The final solution to the IRS/BATF problem." :-) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From jamesd at echeque.com Sat Mar 30 15:20:56 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Sun, 31 Mar 1996 07:20:56 +0800 Subject: CDT Policy Post 2.12 - Sen. Burns Announces New Bill To Lift Crypto Export Controls Message-ID: <199603301805.KAA22524@dns1.noc.best.net> At 05:52 PM 3/28/96 -0500, Bob Palacios wrote: > The Burns bill is different from the other proposals in several respects. > Specifically, the latest bill does not contain any new criminal provisions > or provisions imposing liability on third party key holders. Wow!!! Have I been excessively cynical? Perhaps, but the argument "You should support the Leahy bill or they will hit you with something worse" did nothing for my paranoia. Now I expect the NSA to do a little tour of the halls of congress telling the Senators "If you knew what we knew -- we would have to kill you", but let us applaude Burns anyway. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From jimbell at pacifier.com Sat Mar 30 15:25:19 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 31 Mar 1996 07:25:19 +0800 Subject: The limits of my patience. Message-ID: At 08:43 AM 3/30/96 -0500, Black Unicorn wrote: > >On Fri, 29 Mar 1996, jim bell wrote: >> Explains a lot! You _are_ paid for this. In an earlier era, you would >> have gladly run the ovens at Auschwitz if you'd gotten paid for it. > >You're way out of line here. >I expect an apology. And as a form of protest, I recommend that you refuse to post any more messages to CP until you get it! That would solve a lot of problems, I think. From jamesd at echeque.com Sat Mar 30 15:51:01 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Sun, 31 Mar 1996 07:51:01 +0800 Subject: New crypto bill to be introduced Message-ID: <199603301919.LAA26836@dns1.noc.best.net> In my previous posting, I said that the Burns bill suggested that I had been too paranoid. Wrong. As usual, not paranoid enough. The Burns bill, and the "assault" weapons bill, and several other bills, are like TV wrestling. The participants are working to a script with a predetermined outcome that they have agreed to in advance. The Burns bill will not only fail, it is intended to fail. That is why it was introduced now, when it is guaranteed to be painlessly guillotined by the elections. Politicians have their ear to the ground. They are very much aware that the elite and the middle class are increasingly cynical about democracy and hostile to the corrupt poltical process, that many large groups see the government as unconstitutional and illegitimate, and see no hope or benefit in participation in politics. The purpose of these bills is not to change who gets screwed, but to draw those who are screwed back into the political process. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From unicorn at schloss.li Sat Mar 30 16:07:39 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 31 Mar 1996 08:07:39 +0800 Subject: Note: Problems Confronting the Asset Concealer [Part 1 of 2 of Volume I] In-Reply-To: Message-ID: On Sat, 30 Mar 1996, jim bell wrote: > At 10:40 AM 3/30/96 -0500, Adam Shostack wrote: > >Black Unicorn wrote: > > Actually, this is not all all irrelevant. The question of how > >a non-American living in the US can benefit from writign crypto code > >has been a topic of discussion the last few days. A real > >understanding of laundering is needed for the time between now and > >when the bad guys stop trying to tax the non-physical. > > While your interest in Unicorn's essay is understandable, I think you've > missed the problems with his point of view. He's apparently suffering from > a disease which is supposed to be common among first year law students, > specifically: Citing legal precedents as if they are some sort of justification > for themselves. You correctly referred to "the bad guys" above as taxing > the non-physical, so you're obviously on the right track. Unicorn, however, > does not REALLY think of them as being "the bad guys," in fact his gravy > train _depends_ on them! That's Herr Reichsmarschall Unicorn to you. I'd be happy to find other work. High tax jurisdictions, welfare states, and overbearing jurisdiction are, however, unlikely to go away. I also happen to be independently wealthy, and have been since far before I ever took up law. All that stolen art from my Nazi associates you understand. > It is this conflict of interest which drives him to cite precedent after > precedent as somehow supporting his nebulous positions. When my position is: "Courts are likely to do this." A cite is entirely appropriate. I don't make public value judgements on the policies of the United States in the same way that I don't want the United States to impose it's view of "right" on Liechtenstein. Don't, if you can at all help it, Mr. Bell, confuse recitation of current fact with philisophical support for a novel, or as the case may be, raving position. Of course, I'm just a Nazi, so.... > What he misses is > that citing these precedents merely destroys whatever confidence we could > have in the legal system. Which is why I provide more practical detours around the problems. Readers will note that I do this without calling people Nazi's. > Peter Junger's analysis of the Leahy bill was far more useful, primarily > because it focussed on the areas that this bill could be abused. Unicorn > cites cases of abuse frequently, but does not identify them as such, leading > me to conclude that all he can do is to cite precedent. Abuse is in the eye of the beholder. You are beginning to blur your useage of the word "abuse" as badly as you were complaining about the court's use of the word "malice." But perhaps its just the national-socialist need for order in me that makes me say so. > > Jim Bell > jimbell at pacifier.com > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From jamesd at echeque.com Sat Mar 30 16:10:24 1996 From: jamesd at echeque.com (jamesd at echeque.com) Date: Sun, 31 Mar 1996 08:10:24 +0800 Subject: Why Americans feel no compulsion to learn foreign langua Message-ID: <199603301919.LAA26825@dns1.noc.best.net> A foreign language is useful only when there are large numbers of folk around who speak *one* *particular* foreign language, and these folk have knowledge and skills and power and wealth, for example if you are close neighbor of Germany or France. Americans feel no compulsion to learn foreign languages because the only time they need a foreign language is spanish to negotiate with whores. --------------------------------------------------------------------- | We have the right to defend ourselves | http://www.jim.com/jamesd/ and our property, because of the kind | of animals that we are. True law | James A. Donald derives from this right, not from the | arbitrary power of the state. | jamesd at echeque.com From unicorn at schloss.li Sat Mar 30 16:24:57 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 31 Mar 1996 08:24:57 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: <960330120159_181484785@emout09.mail.aol.com> Message-ID: On Sat, 30 Mar 1996 JonWienke at aol.com wrote: > The concept of encrypting a key before escrowing it is excellent. It > prevents the escrow agent from misusing the key, and protects the principal > from government snooping. If the escrow agent is served a subpoena, he can > say, "Here is the key you want. Go ahead and take it. In fact, here is my > entire key database. All keys are encrypted by the principals before I get > them, so I can't guarantee that you will be able to use them, but here they > are anyway." At this point, the LEO's can take whatever they want, but the > principals are still safe. The escrow agent doesn't have to send any > encrypted "rosebud" message to anyone, and he can bend over backwards to make > the LEO's happy, so his butt is covered, too. At this point, the LEO's can > either (a) send the keys to the NSA for decryption, and thereby admit that > the gov't can break IDEA (or whatever cryptosystem was used to encrypt the > keys before the escrow agent got them), (b) rubber hose the unencrypted > key(s) from the principal, or (c) go home and pout. (d) [which may be a subset of (b)] impose contempt sanctions on the principal until he releases the key to the key. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From jimbell at pacifier.com Sat Mar 30 16:54:01 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 31 Mar 1996 08:54:01 +0800 Subject: New crypto bill to be introduced Message-ID: At 11:35 AM 3/30/96 -0500, Declan B. McCullagh wrote: >A few responses to Jim Bell: > >* Why would Sen. Burns introduce *this* particular crypto bill? Would >you believe that he wanted to appear cyber-clueful and net-friendly, but >didn't know exactly how to do that -- so certain people suggested that >this bill would be an appropriate way to do it? I'm well aware of symbolic gestures. Maybe this is one of them. But having not seen it yet it's who knows how worthy it is. I'm wondering when somebody is going to post it. I'm also waiting for those people who claimed that the Leahy bill was dead (for lack-of-time reasons if nothing else) to express the same opinion of this newer bill. Not that I want it dead; I just want to see if people are using consistent levels of logic. > >* Why would Sen. Burns introduce this particular bill *now*? One word: CFP. Yes? >* Why would Jim Bell post anonymously? He writes: >> That is a silly conclusion. The primary reason for anonymity with such >> postings is to avoid controversy being associated with one's name. I, as > >No, the primary reason for anonymity is to avoid being *associated* with >one's name. I know this may be attributing an undeserved sense of >precedence, but perhaps Jim Bell has realized that his opinions are >discarded out-of-hand by many on this list, so he posts anonymously to >regain some credibility. A message from anonymous would also work nicely >to reinforce his own position, allowing Jim Bell to claim additional >allies. In view of the fact that I've repeatedly publicly stated that I'm not aware of the Leahy-bill position of many if not most of the people listed, this seems unlikely. Like most of the people around here, I'm still waiting for some sort of showing that demonstrates why any given person was listed. I'm also waiting for counter-arguments: For example, statements by those listed, or others, explaining why they they should not have been listed. There is a distinct lack of documentation from BOTH sides. This leads me to suspect that there may really be only one side there: a straw man set up anonymously, and a bunch of people racing (non-anonymously, of course!) to knock him down. (Or possibly the original anonymous message was legit, and some others were posted to discredit the original post; I may not have those messages, and I haven't looked to see if they came from a stable anonymous address.) >Anyway, last night I sat next to Dorothy Denning on the bus to the EFF >Pioneer Awards reception and dinner, and we chatted for about 20 >minutes. She's a sweet old lady -- I can't think of anyone with whom >it's easier to agree to disagree. I asked her what she thought of a >number of people -- on Tim May she said: "Let's not talk about that." >She also said she's educating a House committee about crypto next week >-- I dearly hope our side will have some experts there as well. I think we need to ask ourselves why Denning keeps getting invited to these kinds of hearings. If the purpose is to get an accurate, unbiased view of encryption, I'm sure there's plenty of experts who could take her place without sharing her conveniently pro-government position. Never having seen such a hearing, I can't say for sure, but I suspect she's billed as an "encryption expert," when in fact she should be labelled as a "pro-government-biased encryption expert." Which, I suppose, is okay too, since all sides deserve to be heard. However, there should be no illusion about her point of view in such matters. Jim Bell jimbell at pacifier.com From vipul at pobox.com Sat Mar 30 17:20:19 1996 From: vipul at pobox.com (Vipul Ved Prakash) Date: Sun, 31 Mar 1996 09:20:19 +0800 Subject: Psuedo-Ramdom Number Generator Message-ID: <199603301741.MAA15782@pobox.com> Don't know if its proper to post some trivial code snippets on the list. I felt some one just might find is useful. Vipul {********************************************************************* LFSR-based Psuedo Random Number Generator LFSR is a random number generator based on a Linear Feedback Shift Register The _tap_ sequence is 31, 6, 4, 2, 1 and 0. The primitive polynomial mod 2 formed from the tap sequence is x^32 + x^7 + x^5 + x^3 + x^2 + x + 1. The function LFSRRandom generates a 16-bit unsigned word. Function SetInit defines the initial parameters to run the generator with. It should be noted that a particular set of Initial parameters will always generate the same set of psuedo-random numbers. Vipul Ved Prakash 25th Feb '95 **********************************************************************} uses crt; var lShiftReg : longint; wLastRandom : word; procedure LFSRRandom(var wGeneratedRandom : word); var i : integer; wNewRandom : word; lFnResult : longint; begin wNewRandom := 0; for i := random(3) to random(3) + 13 do begin lFnResult := ((lShiftReg shr 31) xor (lShiftReg shr 06) xor (lShiftReg shr 04) xor (lShiftReg shr 02) xor (lShiftReg shr 01) xor (lShiftReg)) and $1; lShiftReg := (lFnResult shl 31) or (lShiftReg shr 1); wNewRandom := wNewRandom or (lFnResult shl i) end; wGeneratedRandom := wLastRandom xor wNewRandom; wLastRandom := wNewRandom end; procedure paramError; begin writeln; writeln; writeln(#07,'Syntax : RGen '); writeln; halt; end; procedure setInit(x, y : longint; z : integer); begin if x <> 0 then lShiftReg := x else lShiftReg := 1; { Anything but 0 } wLastRandom := y; randseed := z; end; var i : longint; ch : char; wGeneratedRandom : word; ranfile : text; S : string; number : longint; code : integer; dummy : integer; count : integer; begin count := 0; clrscr; setInit(4,5,10); if (paramcount < 2) then paramerror else assign(ranfile, paramstr(1)); rewrite(ranfile); val(paramstr(2), number, code); if code <> 0 then paramerror; for i := 1 to number do begin count := count + 1; LFSRRandom(wGeneratedRandom); str(wGeneratedRandom, S); writeln(ranfile, S); if count > 100 then begin count := 0; write('.'); {Write a dot after every 100 numbers} end; end; close(ranfile); writeln; writeln('Done. Press a key to exit...'); ch := readkey; writeln; end. .od8888bo. \|/ .d%::::88::888b. (@ @) .d888::::::::8:888%. ------------------oOO-(_)-OOo----------------- 88888:::::::88888::%. You walk across with your flowers in your hand d888888:::88;888888::b Trying to tell me no one understands 888888888:888888888888 Trade in your hours for a hand full of dimes Y8888888::::::888888%P Gonna make it baby in our prime. '8888888:::::::8888:%' ---------------------------------------------- '88888888:::888888%' Vipul Ved Prakash Fax : +91-11-3328849 '8888888::88888%' Positive Ideas. Internet : vipul at pobox.com '"Y88%B8P"' ---------------------------------------------- PGP Key : Finger PGP Key fingerprint = 35 FF A2 CA BD 6B 80 82 61 30 F2 23 96 93 77 E4 ~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-= From ichudov at algebra.com Sat Mar 30 17:23:13 1996 From: ichudov at algebra.com (Igor Chudov @ home) Date: Sun, 31 Mar 1996 09:23:13 +0800 Subject: What happened with Cypherpunks? Message-ID: <199603301633.KAA09444@manifold.algebra.com> -----BEGIN PGP SIGNED MESSAGE----- To: cypherpunks at toad.com Subject: what happened to Cypherpunks? Date: Sat Mar 30 10:30:44 CST 1996 Hello, Sorry if it is an offtopic question... Has something happened with this mailing list? In the last two weeks I received only one article. My system log indicates that no messages have been received by our machine. Thanks! - Igor. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMV1ib8JFmFyXKPzRAQHrPAP+LkI7K5Xpvi2NpnlL8f72VuCkJ+3ZuYFj 6brj+3dzkgwb6Wiq0ayMQylM1uOGl3xrvsvqnKOaTgEu/c9KfmtiDL+/d/COt2pg H9k8Hu/OpKiWGNU+6wPrGRsHDxzE4Q3e8OOoRFv3n5vxi8eHC3oXpOBpqSzT2LYd 3wzCS0puldg= =alQh -----END PGP SIGNATURE----- From jya at pipeline.com Sat Mar 30 17:54:16 1996 From: jya at pipeline.com (John Young) Date: Sun, 31 Mar 1996 09:54:16 +0800 Subject: SNI_ffs Message-ID: <199603302137.QAA08281@pipe2.nyc.pipeline.com> 3-30-96 TWP reports on an Argentinian hacker who penetrated a slew of sensitive networks and how the FBI tracked him by getting a warrant to run a sniffer-filter at Harvard, the POE. The hacker's dad, a Lt. Col., barks, "The Yankees don't have the slightest idea about security. If a kid can enter, they should be ashamed to admit it." The Feds snort, "The case underscores the vulnerability of computer systems worldwide, a preview of a coming era of cyber-sleuthing, what computer crime-fighting will look like in the coming years." And that it shows they can catch tresspassers without violating other users' privacy. Banisar sniffs, "The case shows that there's a need for more encryption." SNI_ffs From perry at piermont.com Sat Mar 30 17:59:25 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 31 Mar 1996 09:59:25 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks In-Reply-To: <199603300210.SAA09465@netcom3.netcom.com> Message-ID: <199603302117.QAA17076@jekyll.piermont.com> Mike Duvos writes: > Once you have both audio and video streams in digital form, > having ones encryption "hacked" is more a function of > cluelessness on the part of those engineering the encryption and > authentication mechanism than some latent vulnerability on the > part of the technology. Not true at all, Mike. Consider the threat model. You have a single satelite sending out a single encrypted stream to millions of people. Your goal is to let some people view the signal and others not view the signal in spite of the fact that some of the people viewing the signal might be willing to leak information (such as the keys!) to the people who aren't supposed to view it. In other words, you are trying to do something that no amount of technology can really do. At best, by using enough tamperproof equipment you can stave off the inevitable for a while. Perry From ddt at lsd.com Sat Mar 30 18:34:49 1996 From: ddt at lsd.com (ddt at lsd.com) Date: Sun, 31 Mar 1996 10:34:49 +0800 Subject: No Subject Message-ID: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Sender: New Millennium Communications / Boulder, CO. X-PGP-KeyID-Fprnt: 4AAF00E5 - 30D81F3484E6A83F 6EC8D7F0CAB3D265 X-PGP: http://www-swiss.ai.mit.edu/htbin/pks-extract-key.pl?op=get&search=lsd X-Floppyright: (f)1995 Unlicensed retransmission prohibited. Date: Sat, 30 Mar 1996 14:07:55 -0500 To: Black Unicorn From: Dave Del Torto Subject: Re: The limits of my patience. Cc: jim bell , cypherpunks at toad.com At 8:43 am 3/30/96, Black Unicorn wrote: >On Fri, 29 Mar 1996, jim bell wrote: >> >> >Anyone who knows me knows I spend all my days end arounding the >> >U.S. government. >> >> Explains a lot! You _are_ paid for this. In an earlier era, you would >> have gladly run the ovens at Auschwitz if you'd gotten paid for it. > >You're way out of line here. >I expect an apology. > >I've dedicated a lot of time to addressing your issues. You have >repeatedly and preemptively brought the discussion into the realms of >personal attack. I have endured and rebutted thus far, but you have >really crossed the line of decency here. Being called an ass I can >tolerate, the above I cannot. I agree: this sort of ad hominem attack has no place in a civilized, reponsible debate on an important topic. As for Unicorn's end-runs around the govt: I support anyone who challenges his (or any other) government in order to keep it honest, to the extent that they do so constructively. I hope you act responsibly, Uni. Jim, I think you owe Unicorn a public apology, and I think it ought to be now. If I don't see one, I'm going to feel quite OK about filtering you out of my future archives of cpunks. Let's see how civilized you're capable of being: we know you can talk through your "other" orifices. dave From unicorn at schloss.li Sat Mar 30 18:58:28 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 31 Mar 1996 10:58:28 +0800 Subject: New crypto bill to be introduced In-Reply-To: Message-ID: On Sat, 30 Mar 1996, Declan B. McCullagh wrote: > * Why would Jim Bell post anonymously? He writes: > > > That is a silly conclusion. The primary reason for anonymity with such > > postings is to avoid controversy being associated with one's name. I, as > > No, the primary reason for anonymity is to avoid being *associated* with > one's name. I know this may be attributing an undeserved sense of > precedence, but perhaps Jim Bell has realized that his opinions are > discarded out-of-hand by many on this list, so he posts anonymously to > regain some credibility. A message from anonymous would also work nicely > to reinforce his own position, allowing Jim Bell to claim additional > allies. It is a measure of desperation when resorting to completely anonymous postings creates an >increase< in reputation capital. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From jimbell at pacifier.com Sat Mar 30 19:54:33 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 31 Mar 1996 11:54:33 +0800 Subject: Note: Problems Confronting the Asset Concealer [Part 1 of 2 of Volume I] Message-ID: At 10:40 AM 3/30/96 -0500, Adam Shostack wrote: >Black Unicorn wrote: > >| While direct crypto relevance is limited, I thought that this work >| might interest many on the list and so I decided to post it in any >| event. The sections on fourth and fifth amendment protections, or >| lack thereof, for banking documents might shed some light on the >| eventual disposition of crypto keys under the same circumstances. > > Actually, this is not all all irrelevant. The question of how >a non-American living in the US can benefit from writign crypto code >has been a topic of discussion the last few days. A real >understanding of laundering is needed for the time between now and >when the bad guys stop trying to tax the non-physical. While your interest in Unicorn's essay is understandable, I think you've missed the problems with his point of view. He's apparently suffering from a disease which is supposed to be common among first year law students, specifically: Citing legal precedents as if they are some sort of justification for themselves. You correctly referred to "the bad guys" above as taxing the non-physical, so you're obviously on the right track. Unicorn, however, does not REALLY think of them as being "the bad guys," in fact his gravy train _depends_ on them! It is this conflict of interest which drives him to cite precedent after precedent as somehow supporting his nebulous positions. What he misses is that citing these precedents merely destroys whatever confidence we could have in the legal system. And since the legal system will be charged with interpreting whatever bills are passed by Congress, by extension these precedents show that all the all the potential benefits promised by bills such as Leahy's are conditional. Similarly, even a negative which appears minimal today could easily turn into a "killer" problem tomorrow. Peter Junger's analysis of the Leahy bill was far more useful, primarily because it focussed on the areas that this bill could be abused. Unicorn cites cases of abuse frequently, but does not identify them as such, leading me to conclude that all he can do is to cite precedent. Jim Bell jimbell at pacifier.com From ses at tipper.oit.unc.edu Sat Mar 30 21:25:27 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sun, 31 Mar 1996 13:25:27 +0800 Subject: Note: Problems Confronting the Asset Concealer [Part 1 of 2 of Volume I] In-Reply-To: <199603301540.KAA07025@homeport.org> Message-ID: I'm a non-american living in the us, benefiting from writing crypto (or at least implementing stuff based on crypto primitives). You need to get an export licence, but I gather they're normally pretty automatic. I don't know if this depends on nationality though Simon --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From jimbell at pacifier.com Sat Mar 30 21:25:54 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 31 Mar 1996 13:25:54 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: At 02:19 PM 3/30/96 -0500, Black Unicorn wrote: >On Sat, 30 Mar 1996 JonWienke at aol.com wrote: > >> The concept of encrypting a key before escrowing it is excellent. It >> prevents the escrow agent from misusing the key, and protects the principal >> from government snooping. If the escrow agent is served a subpoena, he can >> say, "Here is the key you want. Go ahead and take it. In fact, here is my >> entire key database. All keys are encrypted by the principals before I get >> them, so I can't guarantee that you will be able to use them, but here they >> are anyway." At this point, the LEO's can take whatever they want, but the >> principals are still safe. The escrow agent doesn't have to send any >> encrypted "rosebud" message to anyone, and he can bend over backwards to make >> the LEO's happy, so his butt is covered, too. At this point, the LEO's can >> either (a) send the keys to the NSA for decryption, and thereby admit that >> the gov't can break IDEA (or whatever cryptosystem was used to encrypt the >> keys before the escrow agent got them), (b) rubber hose the unencrypted >> key(s) from the principal, or (c) go home and pout. > >(d) [which may be a subset of (b)] impose contempt sanctions on the >principal until he releases the key to the key. ...which would be a clear violation of the 5th amendment, and would (by informing the person targeted) defeat the entire purpose of getting the key in the first place. Of course, you've also assumed that the escrowed data actually represents some sort of key, which it may not. (The data-holder is never told that the data he's asked to hold is REALLY a key!) Insisting that the target of an investigation provide something that may not even exist is a sure way to fire up the populace. Remember Madame Defarge (sp?) Jim Bell jimbell at pacifier.com From weidai at eskimo.com Sat Mar 30 21:29:33 1996 From: weidai at eskimo.com (Wei Dai) Date: Sun, 31 Mar 1996 13:29:33 +0800 Subject: PGP Crack??? In-Reply-To: <199603300650.WAA06087@netcom15.netcom.com> Message-ID: On Fri, 29 Mar 1996, Mike Duvos wrote: > On a more serious note, does anyone know what is happening > with Arjen Lenstra and RSA-130? Last I heard back in late > December, FAFNER, the magic WWW sieving dragon, had collected > more than enough relations from participants to yield a > factorization. Surely they have not spent an additional four > months crunching the big boolean matrix at CWI. Apparently the Cray they are using to crunch the matrix is busy with higher priority users and they have not been able to squeeze in enough CPU time. I was told at the beginning of March that they didn't expect to finish before late April, but now it looks like the job will take another two to three months. Anyone got a spare supercomputer laying around? Wei Dai From mpd at netcom.com Sat Mar 30 21:56:00 1996 From: mpd at netcom.com (Mike Duvos) Date: Sun, 31 Mar 1996 13:56:00 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks In-Reply-To: <199603302117.QAA17076@jekyll.piermont.com> Message-ID: <199603302351.PAA03993@netcom14.netcom.com> "Perry E. Metzger" writes: > Not true at all, Mike. Consider the threat model. > You have a single satelite sending out a single encrypted > stream to millions of people. That is correct. > Your goal is to let some people view the signal > and others not view the signal... That is also correct. > ...in spite of the fact that some of the people viewing the > signal might be willing to leak information (such as the > keys!) to the people who aren't supposed to view it. Certainly anyone authorized to view the program can "leak" that program to other users. Indeed, with the European system, people have set up transmitters which simply run off a decoder that subscribes to every program. Not exactly subtle, but in jurisdictions where such activity carries no significant legal sanctions, an efficient approach to the problem. Much like the case of sending an encrypted PGP message to multiple recipients. One or more of the legitimate recipients can tell others what the message says. Not a negative reflection on the strength of PGP, and certainly not something I spend a lot of time worrying about. In the system I described, a person might make a lower bandwidth attempt to defeat the system by leaking either the periodically changing random session key used to encrypt the video stream, or the unique cryptographic key belonging to a particular smart card authorized to view the program. We have postulated that the latter is not recoverable even by destructive reverse engineering of a specific card, and were such information to be compromised upstream where the programming originates, it would only be necessary to reissue new cards to the affected subscribers and cancel the old ones. Leakage of the periodically changing random session key directly would require significant surgery to a working smart card, although it might be recovered by tapping appropriate points in the circuitry. However, anyone using such information for unauthorized reception would require a constant connection to a provider to continually update the key, which would be awkward, and not likely to be done by a large population of people in a way which was inconspicuous to LEAs. I can't imagine that a significant market for pirate equipment could be built around any of the attacks described above. Indeed, a significant market exists only for ersatz smartcards which a person can purchase for a fixed price, stick in their decoder, and then forget about. The system I described would certainly preclude such a device from being built. I spent a bit of time on the Web last night reading up on the various attacks which were mounted against DSS and the earlier European VideoCrypt system. The implementors put what they though were a lot of cute features into the cards, including the ability to reprogram them from upstream when software updates were needed. Unfortunately, rather than relying totally upon strong cryptography within a tamperproof module, they also employed easily forged checksums to validate commands sent to the cards, and "security through obscurity" as to what those commands were. The ultimate result was that the cards were being updated with new software almost constantly, and the hackers were issuing updates to the pirate versions within hours each time this was done. Given the way the system had been implemented, there was really no way prevent this from happening. > In other words, you are trying to do something that no > amount of technology can really do. At best, by using enough > tamperproof equipment you can stave off the inevitable for a > while. If what you are trying to do is make sure no subscriber will ever disclose, by any means, the contents of a program to a non-subscriber, then of course you are right. There is no technology which can prevent this. If, on the other hand, you wish to prevent clever engineers from looking at the system with instrumentation, and then trotting off and stamping out millions of their own smart cards, which interoperate with the legitimate ones and decode all programming transmitted, this is something that can certainly be done by using strong cryptography correctly. It is this latter goal which the VideoCrypt system, and now apparently the DSS one as well, failed to accomplish. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From ses at tipper.oit.unc.edu Sat Mar 30 22:16:11 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sun, 31 Mar 1996 14:16:11 +0800 Subject: What backs up digital money? In-Reply-To: Message-ID: [Everyone's ignoring the obvious answer: Exabyte's, silly :)] I find it kind of strange that many people are advocating setting up nano-currencies when lots of central-bank grownups in the EU are still bang-up for monetary union. I'd be interested to hear why so many people think the massive extra costs involved in adding 1000s of extra private negotiable currencies will somehow be worth it (apart from FOREX and derivatives arbitragers). If I was going to create a purely digital currency I'd want to do it at a supra-national scale (e.g. the Euro or maybe even the UNO); otherwise why not just treat chaumian cash as just another payment instrument. --- They say in online country So which side are you on boys There is no middle way Which side are you on You'll either be a Usenet man Which side are you on boys Or a thug for the CDA Which side are you on? National Union of Computer Operatives; Hackers, local 37 APL-CPIO From perry at piermont.com Sat Mar 30 22:40:49 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 31 Mar 1996 14:40:49 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks In-Reply-To: <199603302351.PAA03993@netcom14.netcom.com> Message-ID: <199603310021.TAA17420@jekyll.piermont.com> Mike Duvos writes: > In the system I described, a person might make a lower bandwidth > attempt to defeat the system by leaking either the periodically > changing random session key used to encrypt the video stream, or > the unique cryptographic key belonging to a particular smart card > authorized to view the program. We have postulated that the > latter is not recoverable even by destructive reverse engineering > of a specific card, Why not? If the card knows its own key, then someone else can probably get the key out by some nasty mechanism. .pm From paul.elliott at hrnowl.lonestar.org Sat Mar 30 22:45:00 1996 From: paul.elliott at hrnowl.lonestar.org (Paul Elliott) Date: Sun, 31 Mar 1996 14:45:00 +0800 Subject: MUSE (Mail Ubiquitous Security Extensions) discussion starting In-Reply-To: <9603260842.AA07183@toad.com> Message-ID: <315db746.flight@flight.hrnowl.lonestar.org> -----BEGIN PGP SIGNED MESSAGE----- > > Don Eastlake has written an internet-draft proposing to add signatures > and encryption to the Internet mail-delivery system. The two big > differences between his proposal and past proposals are: > > * They work at the "sendmail" level, not at the "mail reader" > level. This doesn't give your mail complete end-to-end protection > (unless you use "mail reader" encryption like S/MIME or PGP). > But it's a lot easier to install and maintain; your sysadmin > can do it for your whole site, instead of having to retrain > every user. > One obvious problem with this is that since sendmail runs at all times of day or night and since sendmail must have the decryption keys, this means that the decryption keys may be in the memory of a computer that may be unattended. This scheme may be useful for its convenience, but many users will only be willing to turst the computer with their keys while there messages are actually being decrypted in their presence. Thus, many users will want to super encrypt with their own personal keys. Thus I believe that the above scheme should be implemented for mail security between sites, but it should not be viewed as a total solution. - -- Paul Elliott Telephone: 1-713-781-4543 Paul.Elliott at hrnowl.lonestar.org Address: 3987 South Gessner #224 Houston Texas 77063 -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: cp850 iQCVAgUBMV229/BUQYbUhJh5AQFrIgP/eejmxUvAiRtJQfkHyrIZflQ6tQBz1PuB Oxl31K+xnIYmpgIJHb2M+flpeTlOE+6DyIf3ZTB3UMHRqT1v5VrVmDy0ByrukrjF KRbJTLO2yuDadZKEGKrm+n1FAleCpwuoQJTem7S5XQQts6FCscqaII61HNBkSC0V JkDwN8ouYsk= =YUcS -----END PGP SIGNATURE----- From unicorn at schloss.li Sat Mar 30 22:47:51 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 31 Mar 1996 14:47:51 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: Message-ID: On Sat, 30 Mar 1996, jim bell wrote: > At 07:12 PM 3/30/96 -0500, Black Unicorn wrote: > >> >(d) [which may be a subset of (b)] impose contempt sanctions on the > >> >principal until he releases the key to the key. > >> > >> ...which would be a clear violation of the 5th amendment, > > > >This is not at all clear. > > The ONLY reason this is "not at all clear" is because of those 9 > morons-for-life they have currently sitting in that wasted building near the > Congress building have never been particularly careful to follow the rules. Yadda yadda yadda. Mr. Bell the ultimate authority of the U.S. Constitution. Spare me. For someone so concerned about Nazis, you sure like centralized power. As long as everyone agrees with you, they can live. Interesting. (I also think its one of the most beautiful buildings in D.C.) > I believe that this would be a "clear violation of the 5th amendment." > Whether those 9 nincompoops agree is sti Yadda Yadda Yadda. > >The data holder is ordered to turn over the data. He does in this > >scenerio, the data is encrypted, > > Actually, he doesn't know this. As long as the data being held "looks like" > random data, and contains no headers, as far as anybody knows it IS random > data. The data holder cannot know. I didn't say he had to know anything about whether the data was encrypted or not. I would point out that the data holder who is convinced I was spending good money to store random bits would probably not be the data holder I would pick to hold my data in the first place, but this is a tangent, as knowing if the data is encrypted is irrelevent. But I'm sure my view is just a Nazified one. In Bellville (Bellview?), I'm sure everyone pays money to store megabytes of random data. > >LEO goes to the principal, principal > >refuses to provide key for the encrypted key that the escrow agent was > >holding, compelled discovery is ordered, > > 5th amendment is invoked. See above. Because you say the Fifth amendment is applicable doesn't make it so. You are not the Supreme Court (thanks for small blessings and all that). We aren't talking fantasy here, or might be, or would be, we are talking about is. And the system you propose is problematic. > > now your right back into the > >case where the principal never gave the data to the escrow agent in the > >first place. > > What you seem to have forgotten is that if the scenario you describe could > really occur "in real life," this is all the more reason for ordinary > citizens to REFUSE to use any kind of key-escrow system, or to do so in a > way which is completely undetectable. Well, all the more reason for you to REFUSE to pay your taxes, or to do so in a way which is completely undetectable. Easier said than done. If you want to use this system, be my guest. Saying the Gestapo is a bad thing doesn't make it magically go away. > Naturally, you won't address this > problem, but the man-on-the-street is more realistic about his own privacy. > How many times must I raise this issue? How many times do you ignore it? > Face it, people are smarter than you give them credit for. They will simply > not tolerate any more shit from the government. Funny, the latest primary has been one of the highest voter turn outs in quite a while (except in Deleware). Considering those are the law-and-order types who are most likely to invade personal liberities, I think its a bit hard to make the case that the temper of the country is anything but very pro-political process. > Was the government lying to us when they claimed that "key escrow will be > voluntary"? Or was this some odd new usage of the word "voluntary" that > only appears in the "Newspeak Dictionary"? Actually, this usage of "voluntary" dates back something like 50 years. The speed limit example, where states "voluntarily" adopt speed limits (or suffer a revocation of funds so serious so as to put them in receivership) is a classic example. But as Mr. Bell is too busy looking for Nazis, he wasn't doing his homework and so missed this. His bravado is a poor replacement for basic education. It's not even very good bravado. > With every new post you send, you simply go to prove that every concern that > anybody ever had about the government's behavior is potentially reasonable. > You really ought to quit while you're behind. I've never made the case for anything but exactly this. If I thought government behavior was reasonable, I'd not bother posting at all. I just don't call people Nazis and call for murder for hire to solve the problem. That's the resort of infantile mind. The mind that fills gaps with ranting and violence where mental effort is too much of a task. Again, this will be my last posting on yet another thread. Mr. Bell has devolved again into ranting lunacy and that feedback loop that prevents him from confining himself to the merits of the debate. > Jim Bell > jimbell at pacifier.com --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From jimbell at pacifier.com Sat Mar 30 23:00:31 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 31 Mar 1996 15:00:31 +0800 Subject: The limits of my patience. (suggested solution) Message-ID: At 03:29 PM 3/30/96 -0800, Adam philipp wrote: >At 09:48 AM 3/30/96 -0800, you wrote: >>At 08:43 AM 3/30/96 -0500, Black Unicorn wrote: >>>On Fri, 29 Mar 1996, jim bell wrote: >>>> Explains a lot! You _are_ paid for this. In an earlier era, you would >>>> have gladly run the ovens at Auschwitz if you'd gotten paid for it. >>>You're way out of line here. >>>I expect an apology. >>And as a form of protest, I recommend that you refuse to post any more >>messages to CP until you get it! That would solve a lot of problems, I think. > >An apology was warranted. This is not a flaming ground. It is also not the place for people like this Unicorn to waste our time with non-responsive messages. If you don't know what I'm referring to, go back and re-read what I posted to him, and what he posted to me in "response." You'll discover that he doesn't address my commentary appreciably, and certainly not reliably. He's wasting your time, and mine, and if you haven't complained to him so far then you have no business complaining to me. Put him to his proof; challenge his assumptions. Jim Bell jimbell at pacifier.com From mccoy at communities.com Sat Mar 30 23:01:25 1996 From: mccoy at communities.com (Jim McCoy) Date: Sun, 31 Mar 1996 15:01:25 +0800 Subject: Why Americans feel no compulsion to learn foreign languages Message-ID: At 9:35 AM 3/30/96, Dr. Dimitri Vulis is rumored to have typed: [...] > No, I think both of Tim's statements illustrate the typical Americans disdain > for learning for knowledge's sake and the (still amazing to me) ability to > express pride in their ignorance. [...] It's as if though > their challenge is to go through life learning as little as they can get away > with (other than obscure sports statistics). Well, I believe that Tim's original point was that Americans have little to gain in practical terms from learning foreign languages, while others are forced by necessity to learn English (and possibly other languages.) So far no one has provided any convincing counter-argument to this point. As an American who has learned a great many languages just for the sake of knowing them I can assure you that this knowledge has turned out to have no practical benefit to me in my daily life. I can converse in French, German, Italian, Indonesian/Malay, and can "get around" in Tamil, Dutch, Russian, and Arabic. I can read Latin, Greek, Sanskrit, and Egyptian hieroglyphics (okay, so I was on a dead languages kick in college, sue me...) and know enough in eight or nine other languages to travel anywhere in the world and be secure in the knowledge that I could order dinner, read a train schedule, and find shelter. Big deal. This knowledge is still of no practical benefit to me; it does not help me do my job any better, it does not make my life significantly better than Americans who are not polyglots, and in the past year the only time I have had occasion to really use my linguistic abilities was when I was able to deliver a particularly nasty reminder that some Americans do speak more than just English to a pair of obnoxious French ladies in the Los Altos Starbuck's coffee shop who seemed to think that if the natives cannot understand you then you have permission to make rude comments about them loudly and in public... For this ability I spent eight years in class learning when to use the past subjunctive form of etre?!? BTW, those who learn as little as they can get away with may not fit into your ivory tower definition of true knowledge, but they are doing the important thing: "getting away with it." Every time I hear someone whine about knowledge for its own sake I get the fealing they are just jealous because they wasted time learning more knowledge than was necessary for the task at hand... :) jim From ddt at lsd.com Sun Mar 31 03:37:27 1996 From: ddt at lsd.com (Dave Del Torto) Date: Sun, 31 Mar 1996 19:37:27 +0800 Subject: Electronic locksmiths are watching you (Belgium's ban onPGP) In-Reply-To: Message-ID: At 1:25 am 3/30/96, jim bell wrote: [elided] >I think it's obvious that governments around the world have a very poor >record of responding "well" to encryption with any kind of acceptable >legislation. Arguably, laws should exist for the benefit of the public, but >what's happening is that governments are using their authority to try to >restrain the political consequences of technical developments. I see no >benefit to the public in laws against encryption, and certainly no net >benefit. > >We should be particularly suspicious of any hint of a pan-European ban or >control of encryption, because that is exactly the kind of development that >could usher in a secretly-negotiated treaty that might be argued to be >binding on the public. [elided] IMHO, this represents a very America-centric, and a rather innacurate, view of the world. Sure, we live in a great country in many ways. Sure, we still enjoy many priviledges, such as owning and using strong crypto. In point of fact, though, the US is by far the most "behind" country in the wired world as far as Privacy protections and legislation. In New Zealand, Hong Kong, the Nederlands, Taiwan, Hungary, most of the EC, there is a well-defined privacy policy that protects - proactively - the citizens from intrusive practives by government. Only here in the US do we suffer under proposed/pending/established legislation such as the CDA. One might argue that the few loopholes that the other nations allow for "violations" of personal privacy are egregious (national security, etc), but they represent the real-world concerns of governments not so "insulated" by geography, etc as the US. The charge of "restraint" IMHO is premature, and is more of a projection (in the psych sense) than a reality. Canada, I've learned here at CFP, has defined a progressive national privacy policy that proactively protects people -- where we do not implicitly -- against "processing" of personal data for any purpose other than a "specific use for which it was gathered. Does the US have such a p-p-policy? No. Can you argue that other protections in place under the US Constitution already cover those areas? You could, but there are so many holes in that argument, and so much is yet to be done by the FTC, that we now have the phenomenon of "toy" companies putting out 5-page survey web pages for 5-year-olds that ask what careers they plan and what shoes they wear. Amazing. I would not argue that myself. Cypherpunks like Jim need to keep doing their homework before they make such quasi-factual statements. dave From die at pig.die.com Sun Mar 31 03:42:45 1996 From: die at pig.die.com (Dave Emery) Date: Sun, 31 Mar 1996 19:42:45 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks In-Reply-To: <199603310021.TAA17420@jekyll.piermont.com> Message-ID: <9603310537.AA20289@pig.die.com> > > > .pm writes: > Why not? If the card knows its own key, then someone else can probably > get the key out by some nasty mechanism. > > One of the earliest breaks of the Videocipher II analog satellite descrambler back in 1986 was based on twidling with the timing and electrical characteristics of the chip clock on the supposedly tamperproof TMS 7000 crypto microprocessor until it stared to misexecute instructions. By chance, some PROM code that allowed reading the secret seed keys used by each individual box to decode master keying messages addressed to it happened to be a few instructions after some other code normally accessible by issuing commands to the chip. One kept issuing those commands while corrupting the clock until the chip misexecuted the branch at the end of the public code and fell into the otherwise inaccessible code that allowed access to the seed keys. So yes, this has already been done in one real case of cryptosystem defeat. For a while, it was the standard method of obtaining seed keys from VC-II boards. Later versions of the ROM code removed that vulnerability. Dave From merriman at arn.net Sun Mar 31 03:51:50 1996 From: merriman at arn.net (David K. Merriman) Date: Sun, 31 Mar 1996 19:51:50 +0800 Subject: Why Americans feel no compulsion to learn foreign langua Message-ID: <2.2.32.19960330092924.0068346c@arn.net> At 10:18 AM 03/30/96 -0500, Alan Horowitz wrote: >> From: David K. Merriman > >> >restroom-finding in a few languages. >> >> The second necessarily follows from the first :-) > > While deployed to a remote radar station on an isolated island, >supplied solely by periodic but unreliable airfreight sorties, I oft found >myself wondering: which is the more acute emergency.... to run out of food >or to run out of toilet paper? Why do you think they make those government instruction manuals so thick? :-) Dave "Adak - where suicide is redundant" Merriman ------------------------------------------------------------- "Giving money and power to government is like giving whiskey and car keys to teenage boys." P. J. O'Rourke (b. 1947), U.S. journalist. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> http://www.shellback.com/personal/merriman/index.htm From saken at chardos.connix.com Sun Mar 31 03:52:18 1996 From: saken at chardos.connix.com (Scott Kenney) Date: Sun, 31 Mar 1996 19:52:18 +0800 Subject: REMINDER - amnesia remailer public key Message-ID: <199603310515.AAA16293@chardos.connix.com> -----BEGIN PGP SIGNED MESSAGE----- This is a reminder that the type1(cypherpunks) remailer at has a new public key. Please REMOVE the old key from your keyrings. Since the corresponding secret key was lost due to a combination of hardware failure and destroyed backup media, any messages send using the old key will be lost. Attached is the new key. If you don't trust this message, send mail to amnesia at chardos.connix.com with the Subject: remailer-keys will get you the latest public keys for the remailer. - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCNAzDy9QoAAAEEANhmnki6wxk3/XSAyFMdIaQdA89oaUQimoQoXHVcIUdqmwtR MvO1xT3axxVELbYrukbNxqEsJZiFnyitSueWUtTYCNkvcb7ynEJhv+ZDrLnn/sot GcBxyZ8wpwjo06SKjEP4F7LL0a/wESo87o9UgdCJcxhoPqWBBo2GI7oTXfNFAAUR tDxBbW5lc2lhIFJlbWFpbGluZyBTZXJ2aWNlIDxhbW5lc2lhK3R5cGUxQGNoYXJk b3MuY29ubml4LmNvbT6JAJUDBRAxOAbgjYYjuhNd80UBAQNuA/9SSPu302xb+k40 TUyVWdfHJXqmVY45BvITLPHbRVmtsWT3c4o7yAt6XUPbGkgkgG8mV5W1fjyN3PxJ EkZK1r/9H1Cyvm4caLS+stBH3fB8nAir6qibd+4NOKEJ/o91+G1aeFpdzWid30cb 3/Grn9rb2JX/VWhcpm3qkBEovifCA7Q2QW1uZXNpYSBSZW1haWxpbmcgU2Vydmlj ZSA8YW1uZXNpYUBjaGFyZG9zLmNvbm5peC5jb20+iQCVAwUQMPXOlI2GI7oTXfNF AQFzMAQAvQ1X3k+Mtg+5YOYKeZPcANtUcEqYT9yKQ/tRrGCxxx/Ph5Mbk76HaSgM LBEY0CTYf3gxywLNTVHI60viEKPtjMwUxNPZp8E6DIvzMHiM40OK9TjFTAQZMdmC kuu4Qohg6Q7Po6H0oN3OklZah+su4dr/fYAfRV1dGieT7QFy4Va0H1JlcGxhY2Vt ZW50IEtleSBGb3I6IDB4M0NBRERBMDWJAJUDBRAw+UiJjYYjuhNd80UBAeUGA/9p QnyoCllqIU2b3zAcoscCZizcUPxXpeqaJ2X64dRInXftEnZ54QoIhJyCuIjg74QZ HDS7ceYlAusoWAnnHs+cF/pfV7GW4G4GDYvWGLzruUHaivKd9Ko4fDDR1GvXBFwT xELr0hGDkGSqJfJfCyB+0KBdHjURX4AjZS1FcY/wRg== =iwD2 - -----END PGP PUBLIC KEY BLOCK----- - -- Scott Kenney >|< saken at chardos.connix.com -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMV4TfpQgY7wl3Gh1AQGDOgQA0Ku8KYda8AdM7FmKUm7dXkOYM0wI/ZcT BPXCnkbEwPhpoiuKNtTRjSUuFS9LyCulEuawH+B1mm2TqMy5W/zEu14YV7+mw1UL J0VZoMx1hAbxd3ruNX+afa15QsMDEgo6BBx/zCE9VQphCdT8YTni8yUB2KHo2xYJ TFO1kZUwMmY= =4R2d -----END PGP SIGNATURE----- From jimbell at pacifier.com Sun Mar 31 04:01:39 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 31 Mar 1996 20:01:39 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: At 08:56 PM 3/30/96 -0500, Black Unicorn wrote: >> Actually, he doesn't know this. As long as the data being held "looks like" >> random data, and contains no headers, as far as anybody knows it IS random >> data. The data holder cannot know. > >I didn't say he had to know anything about whether the data was encrypted >or not. I would point out that the data holder who is convinced I was >spending good money to store random bits would probably not be the data >holder I would pick to hold my data in the first place, but this is a >tangent, as knowing if the data is encrypted is irrelevent. >But I'm sure my view is just a Nazified one. In Bellville (Bellview?), >I'm sure everyone pays money to store megabytes of random data. Justa sec! "Megabytes of random data"? Pardon me, but we're talking something which is alleged to be a KEY! Perhaps you're too dense to follow this idea, but an IDEA key is 128 _bits_, and even a long RSA key is 2048 bits, or only 256 bytes. So where did you get this "megabytes of random data" anyway? Unfortunately, it appears that your brain is in neutral while your fingers are in 5th gear. I don't suppose it would be particularly merciful at this point to mention steganography. Unicorn is already vastly discredited as it is; I wouldn't want to be accused of rubbing it in, right? Aw, why not. He deserves it. Steganography is, basically, hiding data (usually already encrypted) in an existing file (often an audio file or a GIF) in such a way that it is undetectable. The file it's hidden in, which is usually far larger (10x, 100x, or even more) than the data to be hidden, is not appreciably changed by the process, and if it is well done the data is undetectable. This means that if the picture is a 25,600 byte GIF of your late granny, which you are keeping for sentimental reasons, for every 99 bits of granny there is one bit of RSA key. Show the file to the judge, say "that's my late granny!" and he'll see that it is. Now, if you're operating according to your normal clueless level, you'll try to claim that the judge will fine the person ANYWAY. Perhaps, but that merely goes to further justify my favorite method of dealing with these miscreants: I work from what I consider a reasonable assumption that people shouldn't be obligated to tolerate shit from the government, and fining people on principle is an excellent example of the government going too far. Only if you can demonstrate a reliable method of stopping this, permanently and rapidly, should anybody bother with your opinions. Asking people to resort to "the political process" is probably what King George did for the American colonies 220 years ago. >Easier said than done. If you want to use this system, be my guest. >Saying the Gestapo is a bad thing doesn't make it magically go away. Sadly, saying Unicorn is clueless doesn't make him shut up, either. >> Naturally, you won't address this >> problem, but the man-on-the-street is more realistic about his own privacy. >> How many times must I raise this issue? How many times do you ignore it? >> Face it, people are smarter than you give them credit for. They will simply >> not tolerate any more shit from the government. > >Funny, the latest primary has been one of the highest voter turn outs in >quite a while (except in Deleware). Considering those are the law-and-order >types who are most likely to invade personal liberities, I think its a >bit hard to make the case that the temper of the country is anything but >very pro-political process. Unicorn again displays his cluelessness. If people know that the system is sick, and they believe (even wrongly) that the only way to fix the problem is through "the political process," they can reasonably be expected to take one last, desperate effort at fixing the situation. That doesn't make anybody "pro-political-process," in fact they could be disgusted with the lack of progress that this system produces. They simply believe that they have no alternative. To put it in simple terms that even you should be able to understand, the fact that a drowning person moves his arms and legs around a lot doesn't mean that he LIKES to swim, it may merely mean that he likes drowning even less. >Again, this will be my last posting on yet another thread. Mr. Bell has >devolved again into ranting lunacy and that feedback loop that prevents >him from confining himself to the merits of the debate. He's going to keep saying "this will be my last posting" whenever he grows tired of getting his butt kicked. I guess that's the Unicorn equivalent of an EOF (end-of-file) character. Jim Bell jimbell at pacifier.com From inglem at adnetsol.com Sun Mar 31 04:01:43 1996 From: inglem at adnetsol.com (Mike Ingle) Date: Sun, 31 Mar 1996 20:01:43 +0800 Subject: [CRYPTO] Cable-TV-Piracy-Punks In-Reply-To: <199603302117.QAA17076@jekyll.piermont.com> Message-ID: <199603310256.SAA00348@cryptical.adnetsol.com> The big latent assumption here being that you have only one-way communication with the subscribers. DSS has a modem. It could get a new key from a distribution center frequently - i.e. every day. Then the pirates would somehow have to update their keys daily, in real time. Once we have live packet communication (cable modems or ISDN D-channel, for example) the keys can be changed minute by minute, if necessary. Each new-key request is checked with a digital signature from the box's key, and the KDC will not accept two requests for the same key. If you clone the box, one or the other won't get a key. The pirates will have to run their own network parallel to the legitimate one to distribute the keys. Therefore piracy requires an ongoing organization, and is subject to being tracked down. Mike > Mike Duvos writes: > > Once you have both audio and video streams in digital form, > > having ones encryption "hacked" is more a function of > > cluelessness on the part of those engineering the encryption and > > authentication mechanism than some latent vulnerability on the > > part of the technology. > > Not true at all, Mike. Consider the threat model. > > You have a single satelite sending out a single encrypted stream to > millions of people. Your goal is to let some people view the signal > and others not view the signal in spite of the fact that some of the > people viewing the signal might be willing to leak information (such > as the keys!) to the people who aren't supposed to view it. > > In other words, you are trying to do something that no amount of > technology can really do. At best, by using enough tamperproof > equipment you can stave off the inevitable for a while. > > Perry From jimbell at pacifier.com Sun Mar 31 04:01:46 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 31 Mar 1996 20:01:46 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: At 07:12 PM 3/30/96 -0500, Black Unicorn wrote: >On Sat, 30 Mar 1996, jim bell wrote: > >> At 02:19 PM 3/30/96 -0500, Black Unicorn wrote: >> >On Sat, 30 Mar 1996 JonWienke at aol.com wrote: > >> >> principals are still safe. The escrow agent doesn't have to send any >> >> encrypted "rosebud" message to anyone, and he can bend over backwards to make >> >> the LEO's happy, so his butt is covered, too. At this point, the LEO's can >> >> either (a) send the keys to the NSA for decryption, and thereby admit that >> >> the gov't can break IDEA (or whatever cryptosystem was used to encrypt the >> >> keys before the escrow agent got them), (b) rubber hose the unencrypted >> >> key(s) from the principal, or (c) go home and pout. >> > >> >(d) [which may be a subset of (b)] impose contempt sanctions on the >> >principal until he releases the key to the key. >> >> ...which would be a clear violation of the 5th amendment, > >This is not at all clear. The ONLY reason this is "not at all clear" is because of those 9 morons-for-life they have currently sitting in that wasted building near the Congress building have never been particularly careful to follow the rules. I believe that this would be a "clear violation of the 5th amendment." Whether those 9 nincompoops agree is still up in the air. Given the fact that they were chosen for their current jobs after a long history of "getting along" with system, their "reliability" to hold the government's line is quite understandable. >> Of course, you've also assumed that the escrowed data >> actually represents some sort of key, which it may not. (The data-holder is >> never told that the data he's asked to hold is REALLY a key!) > >The data holder is ordered to turn over the data. He does in this >scenerio, the data is encrypted, Actually, he doesn't know this. As long as the data being held "looks like" random data, and contains no headers, as far as anybody knows it IS random data. The data holder cannot know. >LEO goes to the principal, principal >refuses to provide key for the encrypted key that the escrow agent was >holding, compelled discovery is ordered, 5th amendment is invoked. > now your right back into the >case where the principal never gave the data to the escrow agent in the >first place. What you seem to have forgotten is that if the scenario you describe could really occur "in real life," this is all the more reason for ordinary citizens to REFUSE to use any kind of key-escrow system, or to do so in a way which is completely undetectable. Naturally, you won't address this problem, but the man-on-the-street is more realistic about his own privacy. How many times must I raise this issue? How many times do you ignore it? Face it, people are smarter than you give them credit for. They will simply not tolerate any more shit from the government. Was the government lying to us when they claimed that "key escrow will be voluntary"? Or was this some odd new usage of the word "voluntary" that only appears in the "Newspeak Dictionary"? With every new post you send, you simply go to prove that every concern that anybody ever had about the government's behavior is potentially reasonable. You really ought to quit while you're behind. Jim Bell jimbell at pacifier.com From dlv at bwalk.dm.com Sun Mar 31 04:01:50 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sun, 31 Mar 1996 20:01:50 +0800 Subject: Why Americans feel no compulsion to learn foreign languages In-Reply-To: <199603301919.LAA26825@dns1.noc.best.net> Message-ID: jamesd at echeque.com writes: > A foreign language is useful only when there are large numbers of > folk around who speak *one* *particular* foreign language, and these > folk have knowledge and skills and power and wealth, for example > if you are close neighbor of Germany or France. Why do you suppose people study Latin or Sanskrit or classical Greek? > Americans feel no compulsion to learn foreign languages because > the only time they need a foreign language is spanish to > negotiate with whores. It's interesting to note that while Tim speaks Spanish to gardeners, James speaks Spanish to whores. Can't blame him, considering what American women must be like where he lives. :-) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From paul.elliott at Hrnowl.LoneStar.ORG Sun Mar 31 04:01:55 1996 From: paul.elliott at Hrnowl.LoneStar.ORG (Paul Elliott) Date: Sun, 31 Mar 1996 20:01:55 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: Message-ID: <315db2d6.flight@flight.hrnowl.lonestar.org> -----BEGIN PGP SIGNED MESSAGE----- > > (d) [which may be a subset of (b)] impose contempt sanctions on the > principal until he releases the key to the key. > > Yes, but this will alert the principal not to use that key for future communications. One of the things that the Leahy bill provides for is getting of keys without any of the principals knowing about it. This idea of escrowing encrypted, essentially frustrates that provision of the Leahy Bill. All this talk of voluntary key escrow is essentially fatuous. If Key escrow is truly voluntary then there is nothing to prevent the person escrowing from doing all of the following: 1) Not labelling the key escrow file as a key escrow file, so that the escrow agent does not know that he is an key escrow agent. The escrow agent can be told that he is a data storage agent -- which in fact he is. 2) Encrypting the keys before handing to the escrow agent, and only giving the decryption keys to those who are authorized to break the escrow. 3) Insuring that the escrow agent and those who are authorized to break the escrow are outside the jurisdiction of any court. 4) Using the crypto technique of secret splitting to split the secret of the key among multiple escrow agents in difficult to subpoena countries. - -- Paul Elliott Telephone: 1-713-781-4543 Paul.Elliott at hrnowl.lonestar.org Address: 3987 South Gessner #224 Houston Texas 77063 -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: cp850 iQCVAgUBMV2yf/BUQYbUhJh5AQGyXwP5AeQQXJBr8j4vLv2eXTb6HsffHW72Yguu 1h7pILY8Iomo3/vgo1YuoJEfcIwNJaY5T4VEoLghW2H8mJ9gVQoAYkJXb7tvTyee cBi33OPrNd2SXVYpQ4oF1qnTR+h2mGp9bkf+XQLRRev1jkrdpFYeHsTsP0w6sxLE X+bqsj+57pE= =+LHz -----END PGP SIGNATURE----- From jimbell at pacifier.com Sun Mar 31 04:01:57 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 31 Mar 1996 20:01:57 +0800 Subject: Electronic locksmiths are watching you (Belgium's ban onPGP) Message-ID: At 05:07 PM 3/30/96 -0500, Dave Del Torto wrote: >At 1:25 am 3/30/96, jim bell wrote: >[elided] >>I think it's obvious that governments around the world have a very poor >>record of responding "well" to encryption with any kind of acceptable >>legislation. Arguably, laws should exist for the benefit of the public, but >>what's happening is that governments are using their authority to try to >>restrain the political consequences of technical developments. I see no >>benefit to the public in laws against encryption, and certainly no net >>benefit. >> >>We should be particularly suspicious of any hint of a pan-European ban or >>control of encryption, because that is exactly the kind of development that >>could usher in a secretly-negotiated treaty that might be argued to be >>binding on the public. [elided] > >IMHO, this represents a very America-centric, and a rather innacurate, view >of the world. Sure, we live in a great country in many ways. Sure, we still >enjoy many priviledges, such as owning and using strong crypto. In point of >fact, though, the US is by far the most "behind" country in the wired world >as far as Privacy protections and legislation. You _COMPLETELY_ misinterpreted what I said. I was referring, obliquely, to a tricky practice whereby the US government writes up a treaty, and pushes it through the Senate, requiring only 51 votes (or even less, depending on the quorum. Participation of the House is not required, BTW, for treaty ratification.) The resulting "treaty" is interpreted as being binding not merely on the government, but is also (and incorrectly, I believe) on the citizens as well. The reason, as I recall, is a misinterpretation of a portion of the Constitution which states that treaties are the law of the land. The proper interpretion would be that such a treaty is indeed binding on the government, but not the citizenry who didn't sign it and whose Representatives didn't vote on it. The question is, "is it possible for the government to pass a law that violates a citizen's constitutional rights by putting it into the form of an international treaty?" In my opinion, this is unconstitutional, but sadly, I believe that this practice is nominally tolerated. I believe there's at least one anti-narcotics treaty, in the 1960's, which was foisted on the citizenry in this way. Naturally, I welcome details and clarification by any REAL LAWYERS around here. But if I'm right, the danger is that once Europe agrees on some sort of broad anti-crypto rule, all the US government needs to do to force such a rule on US citizens is to do their "write a treaty" schtick and we're all screwed. It wouldn't _have_ to be Europe; but this would be the most convenient excuse they could dredge up. >Cypherpunks like Jim need to keep doing their homework before they make >such quasi-factual statements. Cypherpunks like Dave need to pull their head out and read text carefully before responding to it. If you really have no idea what I'm talking about, you need to do your research. Jim Bell jimbell at pacifier.com From peterson at bitterroot.net Sun Mar 31 04:02:00 1996 From: peterson at bitterroot.net (Nels Peterson) Date: Sun, 31 Mar 1996 20:02:00 +0800 Subject: No Subject Message-ID: <19960331020330843.AAA202@bitterroot.net> unsubscibe ----------------------------------------------------------- peterson at bitterroot.net ----------------------------------------------------------- From perry at piermont.com Sun Mar 31 04:02:03 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 31 Mar 1996 20:02:03 +0800 Subject: What happened with Cypherpunks? In-Reply-To: <199603302339.PAA18937@netcom9.netcom.com> Message-ID: <199603310351.WAA17732@jekyll.piermont.com> Bill Frantz writes: > When many of us at Netcom went a week without a feed, I tried to find out > what was going on. The best explanation I could get was:\ > > >From: David Lesher > > > >The problem is toad.com is broken. > >It refuses to pass mail to an MX address, Huh? I get my cypherpunks mail via an MX. Besides, the thing is running sendmail, which uses MX records. .pm From adam at rosa.com Sun Mar 31 04:02:05 1996 From: adam at rosa.com (Adam philipp) Date: Sun, 31 Mar 1996 20:02:05 +0800 Subject: The limits of my patience. (suggested solution) Message-ID: <199603302329.PAA08279@sirius.infonex.com> At 09:48 AM 3/30/96 -0800, you wrote: >At 08:43 AM 3/30/96 -0500, Black Unicorn wrote: >>On Fri, 29 Mar 1996, jim bell wrote: >>> Explains a lot! You _are_ paid for this. In an earlier era, you would >>> have gladly run the ovens at Auschwitz if you'd gotten paid for it. >>You're way out of line here. >>I expect an apology. >And as a form of protest, I recommend that you refuse to post any more >messages to CP until you get it! That would solve a lot of problems, I think. An apology was warranted. This is not a flaming ground. Your remarks have undermined any credibility you may have had. That whirring sound is the kill files and filter --> trash being cranked up. I am CC:ing to cypherpunks to recommend this simple soluton. Adam, Esq. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\ | My PGP key is available on my |Unauthorized interception violates | | home page: http://www.rosa.com |federal law (18 USC Section 2700 et| |-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-|seq.). In any case, PGP encrypted | |SUB ROSA...see home page for definition|communications are preferred for | | -=[ FUCK THE CDA]=- |sensitive materials. | \-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-/ Success: If A is a success in life, then A equals x plus y plus z. Work is x; y is play; and z is keeping your mouth shut. Albert Einstein (1879-1955) From markm at voicenet.com Sun Mar 31 04:02:09 1996 From: markm at voicenet.com (Mark M.) Date: Sun, 31 Mar 1996 20:02:09 +0800 Subject: Crypto CD UpDate In-Reply-To: <199603301639.IAA16075@netcom9.netcom.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- On Sat, 30 Mar 1996, Bill Frantz wrote: > At 8:36 PM 3/28/96 +0100, JR at ns.cnb.uam.es wrote: > > I may -or not- trust the people at unimi, but would I also trust > >a lot of intermediate people putting up together a CD-ROM? For that sake, > >and considering the costs of storage and removable storage media, I'd > >bet many people would find more useful to download their copies from > >the net (even once a year only) as I did. > > If pieces of the source/executable are digitally signed, you have a basis > for some degree of trust. (My pgp came with a detached signature. A bit > self-referental, but at least a start.) It depends where the person who signed the program is in the web of trust. I rarely find that the cooresponding public key for a digital signature is signed by someone that I trust and that I know that that public key belongs to whom it says it belongs. Without trust, a digital signature is completely worthless. - -- Mark =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= markm at voicenet.com | finger -l for PGP key 0xf9b22ba5 http://www.voicenet.com/~markm/ | bd24d08e3cbb53472054fa56002258d5 "The concept of normalcy is just a conspiracy of the majority" -me -----BEGIN PGP SIGNATURE----- Version: 2.6.3 Charset: noconv iQCVAwUBMV3zobZc+sv5siulAQHHgAQAqBcay46jx0/ez+Cz1vsjZjpWacurf3II Oj3u29DrmuTTMk3su51Dc8oQfqF39xS6k1b5EZY/0wqC8fGumItasmwVYZFcILGl dVO/DyAbuvmud4CamwGtTvmDDL+7Y8mojnLFHyGL7ht1JUasz0oM6EaxJyRIksjx tSwsRj54D8w= =MxYS -----END PGP SIGNATURE----- From dlv at bwalk.dm.com Sun Mar 31 04:02:11 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sun, 31 Mar 1996 20:02:11 +0800 Subject: New crypto bill to be introduced In-Reply-To: Message-ID: <6FkmLD44w165w@bwalk.dm.com> jim bell writes: > At 11:35 AM 3/30/96 -0500, Declan B. McCullagh wrote: > >A few responses to Jim Bell: > > > >* Why would Sen. Burns introduce *this* particular crypto bill? Would > >you believe that he wanted to appear cyber-clueful and net-friendly, but > >didn't know exactly how to do that -- so certain people suggested that > >this bill would be an appropriate way to do it? > > I'm well aware of symbolic gestures. Maybe this is one of them. But having > not seen it yet it's who knows how worthy it is. I'm wondering when > somebody is going to post it. I'm also waiting for those people who claimed > that the Leahy bill was dead (for lack-of-time reasons if nothing else) to > express the same opinion of this newer bill. Not that I want it dead; I > just want to see if people are using consistent levels of logic. This whole discussion of whether any of these laws will mean anything and which bill deserves to be supported reminds me of the following story: Once upon a time, the Tsar of Russia announced that he will hold elections to a State Duma (parliament). Some Bolsheviks suggested that they should get their candidates elected and try to introduce certain reform legislation. Others suggested that the elections were a sham, they shouldn't waste their resources taking part in them. Lenin said that both sides were wrong. The Duma was a sham and they had no chance to pass any reform legislation. However they could use the campaign process to get their message to the masses, and they could flame the Tsar in the Duma if any of their candidates were elected. Of course, everything that Lenin predicted came to pass. The Bolsheviks were able to campaign and get some candidates elected, and they were able to say bad things about the Tsar. However as soon as some non-Bolshevik left-wingers in the Duma tried to pass some reform legislation, the Tsar disbanded it and had another election, banning all potentially disloyal candidates from running. And another story in the same vein: once a Chassidic businesman came to a rabbi and asked the following question: "Rebbe, I'm about to get audited by the IRS. Should I wear a business suit, so they'll think I'm a respectable person, or should I wear rags, so they'll think I'm poor and can pay them nothing?" Before the rabbi could answer, a young woman ran in and asked the following question: "Rebbe, today I'm getting married. [Recall that in some societies there's not supposed to be any sex before marriage.] On my wedding night, should I go to bed wearing a nightgown or nothing?" The rabbi said to the woman: "No matter how you dress, you'll get screwed." And to the businessman: "And by the way, this also answers your question." --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From sandfort at crl.com Sun Mar 31 04:02:16 1996 From: sandfort at crl.com (Sandy Sandfort) Date: Sun, 31 Mar 1996 20:02:16 +0800 Subject: A MODEST PROPOSAL (fwd) Message-ID: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SANDY SANDFORT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C'punks, has anyone had the sort of problem mentioned below? S a n d y ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ---------- Forwarded message ---------- Date: Sat, 30 Mar 1996 19:19 EDT From: E. ALLEN SMITH To: sandfort at crl.com Subject: Re: A MODEST PROPOSAL From: IN%"sandfort at crl.com" "Sandy Sandfort" 26-MAR-1996 16:57:18.92 >Wilco. I'm collecting names for an addendum now. Thanks. Incidentally, I recently had a problem with posting to the cypherpunks list; it consisted of the message getting sent to anon.penet.fi instead. This looks like someone trying to find out anon.penet.fi anon IDs; however, it wouldn't work due to the password requirement. Have you heard anything about this? Please forward this to the list if you would; I can't exactly do so myself until the problem is resolved. I've let Julf know via the help address, but he hasn't gotten back to me yet - probably because I sent it Friday. -Allen From jimbell at pacifier.com Sun Mar 31 04:02:25 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 31 Mar 1996 20:02:25 +0800 Subject: The limits of my patience. Message-ID: At 12:46 PM 3/30/96 EST, Dr. Dimitri Vulis wrote: >Black Unicorn writes: > >> On Fri, 29 Mar 1996, jim bell wrote: >> > >> > >Anyone who knows me knows I spend all my days end arounding the >> > >U.S. government. >> > >> > Explains a lot! You _are_ paid for this. In an earlier era, you would >> > have gladly run the ovens at Auschwitz if you'd gotten paid for it. >> >> You're way out of line here. >> I expect an apology. > >Consider the above in context. Would you be willing to run the ovens/gas >chambers if you were exterminating U.S. government employees/contractors? > >"The final solution to the IRS/BATF problem." :-) Aw, C'mon Dimitri. Don't try to tease me. You _know_ I get glassy-eyed when I hear stuff like this! Jim Bell jimbell at pacifier.com From quester at eskimo.com Sun Mar 31 04:02:31 1996 From: quester at eskimo.com (Charles Bell) Date: Sun, 31 Mar 1996 20:02:31 +0800 Subject: Why Americans feel no compulsion to learn foreign langua In-Reply-To: Message-ID: On Sat, 30 Mar 1996, Alan Horowitz wrote: > > While deployed to a remote radar station on an isolated island, > supplied solely by periodic but unreliable airfreight sorties, I oft found > myself wondering: which is the more acute emergency.... to run out of food > or to run out of toilet paper? > If you had studied almost any non-European language, you would have learned the word for `toilet paper' is `your left hand and a bucket of water.' Charles Bell From unicorn at schloss.li Sun Mar 31 04:02:36 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 31 Mar 1996 20:02:36 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: Message-ID: On Sat, 30 Mar 1996, jim bell wrote: > At 02:19 PM 3/30/96 -0500, Black Unicorn wrote: > >On Sat, 30 Mar 1996 JonWienke at aol.com wrote: > >> principals are still safe. The escrow agent doesn't have to send any > >> encrypted "rosebud" message to anyone, and he can bend over backwards to make > >> the LEO's happy, so his butt is covered, too. At this point, the LEO's can > >> either (a) send the keys to the NSA for decryption, and thereby admit that > >> the gov't can break IDEA (or whatever cryptosystem was used to encrypt the > >> keys before the escrow agent got them), (b) rubber hose the unencrypted > >> key(s) from the principal, or (c) go home and pout. > > > >(d) [which may be a subset of (b)] impose contempt sanctions on the > >principal until he releases the key to the key. > > ...which would be a clear violation of the 5th amendment, This is not at all clear. Infact, there is good evidence it goes the other way. Mr. Bell, again, needs to learn law. Seems even Nazis know it better than he. > and would (by > informing the person targeted) defeat the entire purpose of getting the key > in the first place. Considering by this time the encryped data would have been seized as evidence, I doubt this makes much difference. Hey, call me a Nazi. > Of course, you've also assumed that the escrowed data > actually represents some sort of key, which it may not. (The data-holder is > never told that the data he's asked to hold is REALLY a key!) The data holder is ordered to turn over the data. He does in this scenerio, the data is encrypted, LEO goes to the principal, principal refuses to provide key for the encrypted key that the escrow agent was holding, compelled discovery is ordered, now your right back into the case where the principal never gave the data to the escrow agent in the first place. In short, useless expense. Very un-Nazi like. Which is, of course, why I oppose it. > Insisting that the target of an investigation provide something that may > not even exist is a sure way to fire up the populace. Remember Madame > Defarge (sp?) Ah yes, the final resort. Grab the pitchforks and torches! And he calls me a Nazi. > Jim Bell > jimbell at pacifier.com --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From ddt at lsd.com Sun Mar 31 04:02:42 1996 From: ddt at lsd.com (Dave Del Torto) Date: Sun, 31 Mar 1996 20:02:42 +0800 Subject: Test case for RSA t-shirts In-Reply-To: <199603262347.LAA09880@cs26.cs.auckland.ac.nz> Message-ID: At 1:08 pm 3/30/96, Raph Levien wrote: > While we're on the subject, I called Sam Capino's office regarding my >CJR for this t-shirt, and he said they were still waiting for a response >from the NSA. I think my next move will be a letter asking exactly when >I can expect a response, and whether there's anything I can do to compel >a response, It was originally filed (in October) as a 15-day expedited >review. FYI, PRZ mentioned to me last night that the CJR on the OCR-able book of PGP source is still pending. The "15 days" has stretched into about a year in that case, if I don't have my dates/the facts wrong. Bob Prior at MIT would know. So much for expediency in commerce. From frantz at netcom.com Sun Mar 31 04:02:46 1996 From: frantz at netcom.com (Bill Frantz) Date: Sun, 31 Mar 1996 20:02:46 +0800 Subject: What happened with Cypherpunks? Message-ID: <199603302339.PAA18937@netcom9.netcom.com> At 10:33 AM 3/30/96 -0600, Igor Chudov @ home wrote: >Sorry if it is an offtopic question... Has something happened with >this mailing list? In the last two weeks I received only one article. > >My system log indicates that no messages have been received by our >machine. When many of us at Netcom went a week without a feed, I tried to find out what was going on. The best explanation I could get was:\ >From: David Lesher >Subject: Re: cipherpunk mail at Netcom.com >To: frantz at netcom.com (Bill Frantz) >Date: Thu, 8 Feb 1996 10:18:44 -0500 (EST) >Cc: stewards at ix.netcom.com >Reply-To: wb8foz at nrk.com >X-Mailer: ELM [version 2.4 PL24] > >The problem is toad.com is broken. >It refuses to pass mail to an MX address, so it's hacked to >ALWAYS pass mail to mail12.netcom.com, I think it is. > >If it used MX's, it would be poll about 15 machines at netcom, >until it found one accepting connections. > > >-- >A host is a host from coast to coast.................wb8foz at nrk.com >& no one will talk to a host that's close........[v].(301) 56-LINUX >Unless the host (that isn't close).........................pob 1433 >is busy, hung or dead....................................20915-1433 > The following comment also applies: >X-Sender: stewarts at popd.ix.netcom.com >X-Mailer: Windows Eudora Light Version 1.5.2 >Date: Thu, 08 Feb 1996 00:10:53 -0800 >To: frantz at netcom.com (Bill Frantz) >From: Bill Stewart >Subject: Re: cipherpunk mail at Netcom.com > >No denial of service attack involved; netcom and toad are slightly >incompatible with each other and they do this every six months or so. >Of course, I'd blame that on netcom :-) >#-- ># Thanks; Bill ># Bill Stewart, stewarts at ix.netcom.com / billstewart at attmail.com >+1-415-442-2215 ># http://www.idiom.com/~wcs > > If your problem is behaves the same as the one we at Netcom experienced, after about a week, it goes away and ALL the pending mail descends on your mail box. In my case it was over 1000 messages. Good Luck - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From unicorn at schloss.li Sun Mar 31 04:02:55 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 31 Mar 1996 20:02:55 +0800 Subject: The limits of my patience. In-Reply-To: <287LLD31w165w@bwalk.dm.com> Message-ID: On Sat, 30 Mar 1996, Dr. Dimitri Vulis wrote: > Black Unicorn writes: > > > On Fri, 29 Mar 1996, jim bell wrote: > > > > > > >Anyone who knows me knows I spend all my days end arounding the > > > >U.S. government. > > > > > > Explains a lot! You _are_ paid for this. In an earlier era, you would > > > have gladly run the ovens at Auschwitz if you'd gotten paid for it. > > > > You're way out of line here. > > I expect an apology. > > Consider the above in context. Would you be willing to run the ovens/gas > chambers if you were exterminating U.S. government employees/contractors? No, I would not. That's the difference between me and you- er... Mr. Bell. > "The final solution to the IRS/BATF problem." :-) > > --- > Dr. Dimitri Vulis > Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From karn at unix.ka9q.ampr.org Sun Mar 31 04:08:24 1996 From: karn at unix.ka9q.ampr.org (Phil Karn) Date: Sun, 31 Mar 1996 20:08:24 +0800 Subject: text of Richey's decision Message-ID: <199603310546.VAA08153@unix.ka9q.ampr.org> The text of Judge Richey's decision to grant the government's motion to dismiss my case is now up on my web page as http://www.qualcomm.com/people/pkarn/export/decision.html My attorneys scanned it into HTML format, but neither they nor I have had a chance to thoroughly proofread it yet. An appeal is extremely likely. Phil From unicorn at schloss.li Sun Mar 31 04:12:51 1996 From: unicorn at schloss.li (Black Unicorn) Date: Sun, 31 Mar 1996 20:12:51 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: Message-ID: On Sat, 30 Mar 1996, jim bell wrote: > give up information to the detriment of citizens. Ironically, this will > make people like Unicorn useful, because whether or not his morality is > intact he may have plenty of examples of how government abuses its position. Boy you have a lot of nerve to talk to me about morality. But hey, I'm just a Nazi anyhow. > However, he doesn't appear to have the mental wherewithall or inclination > to turn those facts into sketches of effective countermeasures. I've forgotten more about creating and distributing countermeasures to the U.S. exercise of jurisdiction than your rambling-radical-conspiracy rants and personal attacks will ever fool others into thinking you ever had. Put up or shut up. Then again, as I'm a Nazi.... > Jim Bell > jimbell at pacifier.com > --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From perry at piermont.com Sun Mar 31 04:19:04 1996 From: perry at piermont.com (Perry E. Metzger) Date: Sun, 31 Mar 1996 20:19:04 +0800 Subject: [CRYPTO] Cable-TV-Piracy-Punks In-Reply-To: <199603310256.SAA00348@cryptical.adnetsol.com> Message-ID: <199603310350.WAA17724@jekyll.piermont.com> Mike Ingle writes: > The big latent assumption here being that you have only one-way > communication with the subscribers. DSS has a modem. I am assuming that you mean that DSS has a phone line attached and can call home. If this is merely a two way satelite communication it isn't useful for this purpose. > It could get a new key from a distribution center frequently - > i.e. every day. Then the pirates would somehow have to update their > keys daily, in real time. You mean, perhaps the pirates would have to distribute keys over the internet or some such? How horrid. The problem is, as I said, insoluble. You cannot defend against hostile users of the system because each user gets the same encrypted data stream. > Once we have live packet communication (cable modems or ISDN D-channel, > for example) the keys can be changed minute by minute, if necessary. And could be updated to millions of people getting the signal illegally via the same mechanism. > The pirates will have to run their own network parallel to the > legitimate one to distribute the keys. Therefore piracy requires an > ongoing organization, and is subject to being tracked down. No one said it wasn't subject to being tracked down, although the use of offshore packet laundries might make it hard. Cellphone fraud is subject to being tracked down, too, and yet it happens to the tune of billions a year. Perry From dlv at bwalk.dm.com Sun Mar 31 04:22:46 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Sun, 31 Mar 1996 20:22:46 +0800 Subject: The limits of my patience. In-Reply-To: Message-ID: Lance Detweiller posting as Black Unicorn writes: > On Sat, 30 Mar 1996, Dr. Dimitri Vulis wrote: > > > Black Unicorn writes: > > > > > On Fri, 29 Mar 1996, jim bell wrote: > > > > > > > > >Anyone who knows me knows I spend all my days end arounding the > > > > >U.S. government. > > > > > > > > Explains a lot! You _are_ paid for this. In an earlier era, you would > > > > have gladly run the ovens at Auschwitz if you'd gotten paid for it. > > > > > > You're way out of line here. > > > I expect an apology. > > > > Consider the above in context. Would you be willing to run the ovens/gas > > chambers if you were exterminating U.S. government employees/contractors? > > No, I would not. That's the difference between me and you- er... Mr. Bell. Finally, Lance blew his nym. So, do you think that I'm Jim Bell's tentacle or that he's my tentacle? > > "The final solution to the IRS/BATF problem." :-) And what if you were "processing" U.S. Congressmen? --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From ses at tipper.oit.unc.edu Sun Mar 31 04:40:52 1996 From: ses at tipper.oit.unc.edu (Simon Spero) Date: Sun, 31 Mar 1996 20:40:52 +0800 Subject: Why Americans feel no compulsion to learn foreign languages In-Reply-To: Message-ID: On Sat, 30 Mar 1996, Dr. Dimitri Vulis wrote: [...] > It's interesting to note that while Tim speaks Spanish to gardeners, > James speaks Spanish to whores. Can't blame him, considering what [...] > Why do you suppose people study Latin or Sanskrit or classical Greek? [...] To speak to really expensive whores? --- "Moo! I tell you I've seen them. Black milk floats, hundreds of them, crusiing the streets in the middle of the night. " - The UNigate tapes Remember when having a mind like a sponge was a good thing? From frantz at netcom.com Sun Mar 31 04:41:46 1996 From: frantz at netcom.com (Bill Frantz) Date: Sun, 31 Mar 1996 20:41:46 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks Message-ID: <199603302219.OAA13688@netcom9.netcom.com> At 6:10 PM 3/29/96 -0800, Mike Duvos wrote: >kooltek at iol.ie (Hack Watch News) writes: > > The most dangerous thing in all this is that the smart > > cards that have been hacked in Pay TV systems throughout > > the world are also used in other applications. The expertise > > and the knowledge of reversing smart cards is now more > > common in the Pay TV piracy business. There is always the > > possibility that these skills could be applied elsewhere. > >Perhaps in the private sector, where snake oil abounds. I >suspect military types do things a bit more cleverly than the >prior scenario implies. This observation has direct application to the Mondex electronic cash system. Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From mpd at netcom.com Sun Mar 31 04:55:02 1996 From: mpd at netcom.com (Mike Duvos) Date: Sun, 31 Mar 1996 20:55:02 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks Message-ID: <199603310759.XAA09261@netcom13.netcom.com> A few more hopefully short comments... perry at piermont.com ("Perry E. Metzger") writes: > Why not? If the card knows its own key, then someone else > can probably get the key out by some nasty mechanism. There is no physical difference between cards. The key information is stored in EEPROM, and the links which permit the EEPROM to be written are burned after programming is complete. The EEPROM data is then only accessible to intimately associated circuitry in its vicinity. Presumedly the state of the EEPROM cannot be deduced by any external examination of the card, and any attempt to incrementally abrade the card down to the relevent circuit elements should completely obliterate the minute charge differences which represent the data. At least, that's the theory. The Europeans trust this technology well enough to let it represent real money, so presumedly they do not consider hacking a possibility. Perhaps our resident VLSI and Alpha Particle expert, Timothy C. May, could give us a guess as to whether Perry's "Nasty Mechanism" is more or less likely than Maxwell's "Daemon." inglem at adnetsol.com (Mike Ingle) writes: > The big latent assumption here being that you have only > one-way communication with the subscribers. DSS has a modem. > It could get a new key from a distribution center frequently > - i.e. every day. Then the pirates would somehow have to > update their keys daily, in real time. Once we have live > packet communication (cable modems or ISDN D-channel, for > example) the keys can be changed minute by minute, if > necessary. Assuming Perry is right and a smart card could have its innards transplanted into a hostile environment, the scheme you describe would offer no real protection. The compromised card would simply do the communication with the Key Distribution Center and give all the information to the pirates. A low-bandwidth link, such as a web page, would be more than sufficient to communicate the required bits to everyone else on the planet. The security of a smart card based system has to lie in the "data cannot be recovered even by destructive reverse engineering" aspect of it. If this is not a given, then cards can be exactly cloned, and one clone can tell others what they need to know to prevent the duplication from becoming known to the other side of any transaction. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From grafolog at netcom.com Sun Mar 31 05:04:53 1996 From: grafolog at netcom.com (Jonathon Blake) Date: Sun, 31 Mar 1996 21:04:53 +0800 Subject: Blue Water spooks In-Reply-To: Message-ID: Alan: On Sat, 30 Mar 1996, Alan Horowitz wrote: > Is there any indication that the GRU or Chinese or Iranian intelligence > (I think these are our only foes nowadays who have blue-water {to mix a What about the Allies, and alleged allies of the US. Canada, Britian, Israel? << Why assume that only non-allies will want to conduct any sort of sigint against human speakers of Navajo. > metaphor} spook services) could do better than the Japanese did in > sigint'ing against human speakers of Navajoe? Have the Chinese turned their thought towards cryptography, or cryptanalysis yet? If so, I suspect the answer is yes, If not, then the answer is a definate No. The Chinese Intelligence Service traditionally has not looked outward, preferring to ply its trade domestically. That said, the earliest extant text on espionage is Chinese. > Is the Navjo language still extent among draft-age men? Life in the > Southwest has changed considerably since 1943. I suspect more anglos can speak Navajo now, than during WW2 -- both numerically, and as a percentage of the population. << Some americans do think a second languages is useful, unlike some people on this list. Admittedly, the US still has a far way to catchup to the European idea of what a literate person is. >> xan jonathon grafolog at netcom.com From shamrock at netcom.com Sun Mar 31 05:05:13 1996 From: shamrock at netcom.com (Lucky Green) Date: Sun, 31 Mar 1996 21:05:13 +0800 Subject: No Subject Message-ID: Yes, Netscape caches passwords. --- begin forwarded text From: support at sfnb.com Date: Fri, 29 Mar 96 17:27:02 -0500 Sender: Apparently-To: bankusers at sfnb.com Dear Security First customer: With the release of Netscape Navigator 2.0, Netscape enhanced their caching mechanism to improve the browser's performance. As a result of this enhancement, the Navigator was storing Security First username and password information when entered in cleartext on a customer's local hard drive in a file called fat.db. Therefore, if a knowledgeable and malicious person had access to a Security First customer's computer, they could have potentially stolen that customer's username and password. To our knowledge, this vulnerability was NOT exploited by anyone. We were made aware of this fact in an e-mail to the bank from Lucky Green, a frequent contributor to the cypherpunks mailing list. Immediately upon learning of this situation, Five Paces engineers worked closely with Netscape engineers and fixed the problem. To prevent caching of the username and password, we changed the login script to include "pragma: no-cache" in the http header. This command instructs the browser not to cache any information from this page on the local hard drive. Please note this was not specific to Security First. Any Web site that requests a username and password in an onscreen form is potentially vulnerable to this cleartext caching if the "pragma: no-cache" header is not used. In order to ensure that your username and password have been cleared from your cache, bank customers should go to the Options dropdown menu in the Navigator, and select Network, then Cache, and then click on the "Clear Disk Cache Now" button. We know that software involving Internet commerce is changing at a rapid pace, and we will continue to monitor all changes that might affect our customers. We would like to thank Lucky and also Jeff Weinstein of Netscape for bringing this to our attention. The Internet community benefits when we all work together to make it a better network. If you have any questions, please do not hesitate to e-mail me at karlin at sfnb.com, or our customer service staff at support at sfnb.com. Sincerely, Michael Karlin President & COO Security First Network Bank ================================================================ Michael S. Karlin Security First Network Bank 2957 Clairmont Road 404.679.3201 Suite 280 404.679.3210 Fax Atlanta, GA 30329 karlin at sfnb.com --- end forwarded text -- Lucky Green PGP encrypted mail preferred. From jimbell at pacifier.com Sun Mar 31 05:20:28 1996 From: jimbell at pacifier.com (jim bell) Date: Sun, 31 Mar 1996 21:20:28 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: At 08:52 AM 3/29/96 -0800, jamesd at echeque.com wrote: >On Thu, 28 Mar 1996, jim bell wrote: >> > Escrowing encrypted keys makes them useless to subpoena, and in >> > fact it helps the key owner because the escrow agent can (and, in fact, >> > must!) be obligated to inform the key owner if his key is requested. > >At 05:49 AM 3/29/96 -0500, Black Unicorn wrote: >> I thought I would take the time to let everyone know that this is >> baseless as well. Most jurisdictions forbid third parties to reveal >> prosecution inquries to the principal for which they are holding >> documents or other information. A VERY few have laws on the books that >> require this disclosure. Switzerland is no longer one of them. > >If you had actually read the article that you criticize you would >have noticed that the "must" was enforced by cryptographic >protocols, not by the blunt sword of the law. I do think it's interesting how Unicorn so easily falls into these mental ruts. He thinks only in terms of what the government wants and what it does to get it, not what other people want and what they can do for their own benefit. One useful function that CP can and should provide is to disseminate ideas about future crypto developments, ones that do not merely encrypt and decrypt files and messages, but also incorporate encryption into systems so that government attacks on them ("legal" as well as surreptitious) are guaranteed to be fruitless. This will require coding, but it will primarily require enough imagination to figure out ways around all the tactics normally used to force people to give up information to the detriment of citizens. Ironically, this will make people like Unicorn useful, because whether or not his morality is intact he may have plenty of examples of how government abuses its position. However, he doesn't appear to have the mental wherewithall or inclination to turn those facts into sketches of effective countermeasures. Jim Bell jimbell at pacifier.com From tcmay at got.net Sun Mar 31 05:20:47 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 31 Mar 1996 21:20:47 +0800 Subject: Navajo Code-Talkers Message-ID: At 2:59 PM 3/30/96, Alan Horowitz wrote: >Is there any indication that the GRU or Chinese or Iranian intelligence >(I think these are our only foes nowadays who have blue-water {to mix a >metaphor} spook services) could do better than the Japanese did in >sigint'ing against human speakers of Navajoe? Probably. Not that it matters, as Navajo code-talking was a classic example of security through obscurity. It served its purpose, but approaches such as this are effectively just _very weak codes_. I wouldn't expect this "trick" to work as well the second time around. (Actually, it's been used throughout history, in the sense of people speaking in what they think to be obscure variants of languages, or in slang. There is ample evidence that teen lingo is designed to be less intelligible to adults.) >From where I am now sitting I can see the Defense Language Institute in Monterey, where all sorts of obscure languages are taught. AT&T even located their translation service here, to take advantage of the various experts (even Yoruba speakers, Alan B. will be pleased to hear). I'd venture that NSA also has large staffs of language experts, to interpret the COMINT stuff vacuumed up. >Is the Navajo language still extent among draft-age men? Life in the >Southwest has changed considerably since 1943. According to an episode of "The X Files," which dealt with Navajo code-talkers, the answer is that young Navajo men are losing their fluency in Navajo, especially of the nuances and double entendres that code-talkers relied upon. (For those who scoff at using a television show as a source, writers for shows like this often do more interesting research than, say, the average encyclopedia article will report.) Finally, there is no draft in the U.S., of course. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Sun Mar 31 06:31:16 1996 From: tcmay at got.net (Timothy C. May) Date: Sun, 31 Mar 1996 22:31:16 +0800 Subject: What backs up digital money? Message-ID: At 10:29 PM 3/30/96, Simon Spero wrote: >[Everyone's ignoring the obvious answer: Exabyte's, silly :)] > No, "exonbytes," the archival storage medium for the post-CDA world. It automatically filters out the naughty bits. Dats what I've got. (By the way, wags may call them "Exon bites," but this usage is forbidden by the CDA. As well has having already been used, a la Valdez.) --Klaus THE X-ON CONGRESS: INDECENT COMMENT ON AN INDECENT SUBJECT, by Steve Russell, American Reporter Correspondent....You motherfuckers in Congress have dropped over the edge of the earth this time... "the sorriest bunch of cocksuckers ever to sell out the First Amendment" or suggesting that "the only reason to run for Congress these days is to suck the lobbyists' dicks and fuck the people who sent you there," ....any more than I care for the language you shitheads have forced me to use in this essay...Let's talk about this fucking indecent language bullshit. From frantz at netcom.com Sun Mar 31 06:32:33 1996 From: frantz at netcom.com (Bill Frantz) Date: Sun, 31 Mar 1996 22:32:33 +0800 Subject: What happened with Cypherpunks? Message-ID: <199603310718.XAA27085@netcom9.netcom.com> >Bill Frantz writes: >> When many of us at Netcom went a week without a feed, I tried to find out >> what was going on. The best explanation I could get was:\ >> >> >From: David Lesher >> > >> >The problem is toad.com is broken. >> >It refuses to pass mail to an MX address, > >Huh? I get my cypherpunks mail via an MX. Besides, the thing is >running sendmail, which uses MX records. > >.pm What I posted is what I received. They were the ONLY explanation(s) I received of a cause for the problem. My understanding of RFC822 and descendants is not good enough to offer a critique, but I do know that my, and a number of my friends toad.com feed was constipated for a week until the Exlax came thru. If you have a better explanation of what happened, I would be delighted to receive it. (BTW - I have notes from a number of non-Netcom subscribers who report no problems during the effected time.) Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz at netcom.com | dead teenagers | Los Gatos, CA 95032, USA From WlkngOwl at unix.asb.com Sun Mar 31 06:54:28 1996 From: WlkngOwl at unix.asb.com (Deranged Mutant) Date: Sun, 31 Mar 1996 22:54:28 +0800 Subject: (Excerpted Fwd) Minnesota Online privacy bill in conference comm Message-ID: <199603310737.CAA13085@unix.asb.com> ------- Forwarded Message Follows ------- Date: Sat, 30 Mar 1996 11:33:26 -0600 To: privacy at ftc.gov, net-happenings at vm1.nodak.edu, pubs at educom.edu From: shel at mtn.org (Sheldon Mains) Subject: Minnesota Online privacy bill in conference committee Reply-to: privacy at ftc.gov Minnesota Online Privacy Bill in Conference Committee is in Conference Committee 3-27-1996 The following online privacy option bill passed the full Minnesota State House and is now in conference committee with a "study" passed today by the State Senate. The various interests, including major commercial on-line services, woke up to the bill and found Senate members to amend their version which was similar to the House's on the floor with a short bill that would instead require study. It is a pretty incredible story that the House bill (following after this intro) has gotten so far without major attention. Sheldon Mains shel at mtn.org You can track the legislation via the legislative WWW at: http://www.leg.state.mn.us [..] Rob. --- Send a blank message with the subject "send pgp-key" (not in quotes) to for a copy of my PGP key. From dlv at bwalk.dm.com Sun Mar 31 08:05:31 1996 From: dlv at bwalk.dm.com (Dr. Dimitri Vulis) Date: Mon, 1 Apr 1996 00:05:31 +0800 Subject: Why Americans feel no compulsion to learn foreign languages In-Reply-To: Message-ID: Simon Spero writes: > On Sat, 30 Mar 1996, Dr. Dimitri Vulis wrote: [Quoting James, who wrote the knowledge of a foreign language is primarily useful for talking to whores] > [...] > > It's interesting to note that while Tim speaks Spanish to gardeners, > > James speaks Spanish to whores. Can't blame him, considering what > [...] > > Why do you suppose people study Latin or Sanskrit or classical Greek? > [...] > > To speak to really expensive whores? Consider the crypto implications: James's whores can compare notes and discuss right in front of him the size of his reproductive organs and the time it takes him to ejaculate, and he won't understand what they're talking about. :-) --- Dr. Dimitri Vulis Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps From jya at pipeline.com Sun Mar 31 08:31:00 1996 From: jya at pipeline.com (John Young) Date: Mon, 1 Apr 1996 00:31:00 +0800 Subject: PIR_ate Message-ID: <199603311312.IAA25762@pipe4.nyc.pipeline.com> 3-31-96. NYT: "Sold Out." By James Boyle, American University law professor We are in the middle of an information land grab and no one seems to have noticed. Congress is now considering the Administration's proposal for intellectual property on the Internet, aimed at "saving" this thriving medium. Using a far-fetched theory of what constitutes "copying," the proposal would turn browsing an Internet document into a copyright violation. It would effectively privatize much of the public domain by transforming the current law of fair use. It would make on-line service providers strictly liable for their customers' copyright violations, thus giving providers an incentive to monitor what you do in cyberspace. "Poetry can only be made out of other poems, novels out of other novels," as the critic Northrop Frye famously put it. The same goes for computer programs, which build on the contributions of earlier hackers. Every intellectual property claim is a chunk taken out of the public domain. If we give someone a software patent over basic functions, at some point the public domain will be so diminished that future creators will be prevented from creating because they won't be able to afford the raw materials they need. An intellectual property system has to insure that the fertile public domain is not converted into a fallow landscape of walled private plots. PIR_ate From rollo at artvark.com Sun Mar 31 09:21:56 1996 From: rollo at artvark.com (Rollo Silver) Date: Mon, 1 Apr 1996 01:21:56 +0800 Subject: "Random Sequence" Message-ID: The paper "On the Effective Definition of 'Random Sequence'", by Michael Levin, Marvin Minsky, and Roland Silver can be viewed (and downloaded, and printed) from my website . At the end of the main menu you'll see a link to "Random Sequences", which click. I hand-translated the paper into HTML, making the formulas into GIFs; what a crock! Rollo Silver | e-mail: rollo at artvark.com | Artvark | Home page: http://www.artvark.com/artvark/ | PO Box 219 | Voice: 505-586-0197 | San Cristobal, NM 87564 USA | Compuserve 71174,1453 | =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-= From jk at digit.ee Sun Mar 31 10:24:11 1996 From: jk at digit.ee (Jyri Kaljundi) Date: Mon, 1 Apr 1996 02:24:11 +0800 Subject: Netscape Navigator 3.0 beta Message-ID: I found today Netscape Navigator 3.0 AKA Netscape Navigator Atlas available for download from Netscape. Things of interest for this list are client or personal certificates, have a look at Options->Security. I do not have a WWW server with client certificate support right now, so I can't tell if it is actually implemented in the beta. J�ri Kaljundi jk at digit.ee From r3506010 at cml11.csie.ntu.edu.tw Sun Mar 31 10:41:51 1996 From: r3506010 at cml11.csie.ntu.edu.tw (Chein-hsinLiu) Date: Mon, 1 Apr 1996 02:41:51 +0800 Subject: Question about integrity of Blind Signature Message-ID: <199603311551.XAA01495@cml11.csie.ntu.edu.tw> Hi! I have some question about ecash protocol. In ecash protocol, we represent money by a sequence number which is signed by bank. And for privacy, we use blind signature. But when we send bank a pesudo sequence number-- X*PK(r) (X:sequence number we want, r :random number to cheat bank) then we can get SK(X*PK(r)) from bank, and get money by SK(X*PK(r))/r=SK(X). But if we divide SK(X*PK(r)) with r', we can get another money? It confuses me. How does it preserve the integrity of the money, and let people divide r on the SK(X*PK(r)) ? It confuses me very long time. Thanks for any help! Chein-hsin Liu 4/1/96 From declan+ at CMU.EDU Sun Mar 31 11:01:03 1996 From: declan+ at CMU.EDU (Declan B. McCullagh) Date: Mon, 1 Apr 1996 03:01:03 +0800 Subject: SNI_ffs In-Reply-To: <199603302137.QAA08281@pipe2.nyc.pipeline.com> Message-ID: Excerpts from internet.cypherpunks: 30-Mar-96 SNI_ffs by John Young at pipeline.com > 3-30-96 TWP reports on an Argentinian hacker who penetrated > a slew of sensitive networks and how the FBI tracked him by > getting a warrant to run a sniffer-filter at Harvard, the > POE. > > The hacker's dad, a Lt. Col., barks, "The Yankees don't > have the slightest idea about security. If a kid can enter, > they should be ashamed to admit it." My panel at CFP had a former and a current AUSA on it, and we were chatting before it started. They were quite proud of this bust and saw it as an example of a "civil liberties friendly" investigation they can hold up to rebut charges of violation of due process, illegal wiretaps, and so on. (Both DoJers were involved in this case, which was handled by the Boston office.) One gave me the impression the DoJ had to develop custom hardware and software for this "Internet wiretap" done without Harvard's direct cooperation. -Declan From daw at cs.berkeley.edu Sun Mar 31 11:05:03 1996 From: daw at cs.berkeley.edu (David Wagner) Date: Mon, 1 Apr 1996 03:05:03 +0800 Subject: Chaumian ecash without RSA Message-ID: <199603311610.IAA10786@joseph.cs.berkeley.edu> I've always seen Chaum's anonymous ecash system described in terms of RSA. RSA has this ungainly patent which probably will be around for quite some time, yet the Diffie-Hellman patent expires pretty soon. With that motivation, here's a Chaumian anonymous ecash protocol based on Diffie-Hellman. Take a publicly known group G and generator g; breaking Diffie-Hellman and taking discrete logs in this group should be hard. For instance, G might be (Z/pZ)^*, the integers modulo a prime p. The bank picks a secret value k, and publishes g^k. To withdraw a coin, Alice picks an x, sets y = x | hash(x), [ | is concatenation ] chosen so that y is in G. Alice chooses a random secret blinding factor b, sends to the bank A->B: y g^b, and the bank returns B->A: (y g^b)^k, debiting Alice's account. Note that this is a (blinded) Diffie-Hellman key exchange with public exponentials g^k and y g^b; the bank returns the exchanged "secret". Alice unblinds this value, computing z = (y g^b)^k (g^k)^{-b} and now c = (x,z) is a coin in the digital cash system. Note z = y^k. We use the traditional online clearing protocol; to deposit the coin, a shop S sends S->B: x, z. The bank checks to make sure the coin hasn't already been spent, and then computes y = x | MD5(x), checking whether y^k = z. If equality holds, and the coin hasn't already been spent, then the bank credits S's account and adds the coin to the list of spent coins. This is just the same old Chaum anonymous ecash protocol, except that I've replaced the RSA operations by Diffie-Hellman ones. It's a lesser-known fact that you can blind a Diffie-Hellman key exchange just as you can blind a RSA signature. The security of this protocol depends on the intractibility of breaking Diffie-Hellman. In particular, given public exponentials g^k and y = g^m, for k,m unknown, it must be impossible to compute g^{km} = y^k. Furthermore, this protocol depends on the hash function being one-way and possessing no interactions with Diffie-Hellman or modular exponentiation. Comments? From jya at pipeline.com Sun Mar 31 11:13:28 1996 From: jya at pipeline.com (John Young) Date: Mon, 1 Apr 1996 03:13:28 +0800 Subject: SNI_ffs Message-ID: <199603311557.KAA09394@pipe1.nyc.pipeline.com> Responding to msg by declan+ at CMU.EDU ("Declan B. McCullagh") on Sun, 31 Mar 10:42 AM >One gave me the impression the DoJ had to develop >custom hardware and software for this "Internet >wiretap" done without Harvard's direct cooperation. DoJ is probably cutting spying-sensitive Harvard some slack, or slyly crowing about setting up the Crimson butts with a promise for deniability. Is it possible that the CFP chit-chat revved that Janus-spin, practicing for more pervasive cyber-sleuth slathering of wannabe L&O insiders? ---------- The New York Times, March 31, 1996, p. 20. First Internet Wiretap Leads to a Suspect [Excerpts of story not in the TWP] Stephen P. Heymann, a Federal prosecutor in Boston, said investigators had worked with Harvard to determine a method of tracking the suspect that would protect the privacy of legitimate users. He said that the Harvard system had 16,500 accounts and 13,000 users and that about 60,000 E-mail messages each day moved in and out of the area where investigators were looking for the intruder. Mr. Heymann said investigators had used a high-speed computer to check for 10 to 15 key words that matched the intruder's profile. If they were not sure if an electronic communication containing a key word was Mr. Ardita's, the investigators looked at 80 characters on either side of the key word to make that determination. Mr. Heymann said investigators believed that only twice had they read a complete message that was not Mr. Ardita's. [End excerpt] From jimbell at pacifier.com Sun Mar 31 11:31:28 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 1 Apr 1996 03:31:28 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks Message-ID: At 11:59 PM 3/30/96 -0800, Mike Duvos wrote: >A few more hopefully short comments... > > Why not? If the card knows its own key, then someone else > > can probably get the key out by some nasty mechanism. > >There is no physical difference between cards. The key >information is stored in EEPROM, and the links which permit the >EEPROM to be written are burned after programming is complete. >The EEPROM data is then only accessible to intimately associated >circuitry in its vicinity. > >Presumedly the state of the EEPROM cannot be deduced by any >external examination of the card, and any attempt to >incrementally abrade the card down to the relevent circuit >elements should completely obliterate the minute charge >differences which represent the data. > >At least, that's the theory. The Europeans trust this technology >well enough to let it represent real money, so presumedly they do >not consider hacking a possibility. > >Perhaps our resident VLSI and Alpha Particle expert, Timothy C. >May, could give us a guess as to whether Perry's "Nasty >Mechanism" is more or less likely than Maxwell's "Daemon." I don't know what Tim May will tell you, but over 10 years ago a technology was developed which is something like a scanning electron microscope, however with very low beam energies and is designed to be able to scan a chip and quantitatively measure the voltage at various/all points on the chip. It can be thwarted by a thick coating on the chip, but most organic coatings can be removed with a "plasma asher," a chamber designed to remove photoresist coatings on chips. Jim Bell jimbell at pacifier.com From jf_avon at citenet.net Sun Mar 31 11:57:07 1996 From: jf_avon at citenet.net (Jean-Francois Avon JFA Technologies, QC, Canada) Date: Mon, 1 Apr 1996 03:57:07 +0800 Subject: Electronic locksmiths are watching you (Belgium's ban onPGP) Message-ID: <9603311631.AB23359@cti02.citenet.net> -----BEGIN PGP SIGNED MESSAGE----- Dave Del Torto wrote: >At 1:25 am 3/30/96, jim bell wrote: >>We should be particularly suspicious of any hint of a pan-European ban or >>control of encryption, because that is exactly the kind of development that >>could usher in a secretly-negotiated treaty that might be argued to be >>binding on the public. [elided] >Cypherpunks like Jim need to keep doing their homework before they make >such quasi-factual statements. Jim seems to analyse a situation in terms of broad principles, while Dave seems to focus more on specifics that would disprove Jim. I agree with the Dave's last phrase in the sense that our models of reality should indeed be rooted in reality. But considering that in most european country, you are recognized guilty unless proven innocent, it is only non-contradictory to arrive at Jim's conclusions. The basic psycho-epistemology at work there is implying that. Maybe that on the instant, ugly things are not happening, but nevertheless, the basic principles held about man, his nature and therefore, about how he should be treated leads, by their own logic, to ugly things. JFA -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQEVAwUBMV5p5siycyXFit0NAQGSjAf/abwWK0DoLESROTPjrNgEcX66t+zFJ8X8 c1oMvDqXsUye0WKibkgiO+yQ7Cjt2Zxo1bD9luH9boX0vUPhDxtUclw64HJ7SOGK WVVizbZLYmz5dSoOO8+0JpJUyFFgdI9LOMPjD1wIH84YwC8zjjSx/ZCPoEzt0lux pP2l57+G3aVwvxCXBD0lm/Uwtafn3i35ZsOyuKRq802Is8BhFH1hka+SzUyuU1i2 Tcw7/WbqSklvGSkVkBxKMJot7GbBTEQMNqVH7oLECY1oTKafEnXzAKihKJYef49w AJJpsOr5LQ9hyrKzAL9Mhzpx/DrrnIQ3BxMb7VgtbHSMjaEMJ+rS0g== =3bz4 -----END PGP SIGNATURE----- Public Key at http://w3.citenet.net/users/jf_avon Jean-Francois Avon 2048 bits key ID:C58ADD0D 1996/03/01 fingerprint=52 96 45 E8 20 5A 8A 5E F8 7C C8 6F AE FE F8 91 Unsollicited commercial e-mail will be proofread at a rate of 165 $ U.S. per hours. Any sender of unsollicited commercial e-mail will be considered as to have accepted the above mentionned terms. From JonWienke at aol.com Sun Mar 31 12:11:41 1996 From: JonWienke at aol.com (JonWienke at aol.com) Date: Mon, 1 Apr 1996 04:11:41 +0800 Subject: So, what crypto legislation (if any) is necessary? Message-ID: <960331120551_366431213@emout06.mail.aol.com> >My preferred and soon to be permanent e-mail address:unicorn at schloss.li >"In fact, had Unicorn not existed, potestas scientiae in usu est >Detweiler might not have had to invent him." in nihilum nil posse reverti >00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information Unicorn = Detweiler = Agent Provocateur From vasudeva at mindport.net Sun Mar 31 13:36:53 1996 From: vasudeva at mindport.net (vasudeva at mindport.net) Date: Mon, 1 Apr 1996 05:36:53 +0800 Subject: Medusa's Tentacles Message-ID: <199603311652.LAA27625@polaris.mindport.net> (Please forgive the uninformed method of my inquiry.) Would any here happen to know where I might come across a later version of 'Medusa's Tentacles?' I've got the first release, alpha/beta 1, but, as many probably know, it carries a few bugs, such as not allowing purging of fuzzybases... ...vasudeva ___________________________________ 'Hot water is the revolutionist's element. You clean men as you clean milkpails: by scalding them.' -GBS PGP messages encouraged - look at MIT keyserver for public key. ___________________________________ From alanh at mailhost.infi.net Sun Mar 31 13:56:14 1996 From: alanh at mailhost.infi.net (Alan Horowitz) Date: Mon, 1 Apr 1996 05:56:14 +0800 Subject: Navajo Code-Talkers In-Reply-To: Message-ID: Young men are still being registered for the draft. In fact, in the past several years, there's been a crackdown.... no draft registration, no federal student loan. From JR at ns.cnb.uam.es Sun Mar 31 14:00:25 1996 From: JR at ns.cnb.uam.es (JR at ns.cnb.uam.es) Date: Mon, 1 Apr 1996 06:00:25 +0800 Subject: Crypto CD UpDate Message-ID: <960331201326.204003bd@ROCK.CNB.UAM.ES> >> Hey, I just got Appl. Crypt. 2nd Ed. yesterday. Meanwhile with >> the 1st Ed. and the code I had in my CDs I could very well manage with >> most things, protocols, algorithms... Of course, the version of Crypto++ >> I have there is outdated now, but the algorithms are still valid, and >> I still have much more algorithms there than the current version has, and >> I can always plug in or adapt a new one should I need to. > >Would you like to suggest some of your favorite algorithms not in the >current version of Crypto++ for inclusion in the next version? > >Wei Dai > Point taken. Well, as it is now, it is good enough for my current needs. And it's a great work you've done. What I was referring to instead was actually what I don't want or expect in a "good" library: simple, extraneous, old, maybe breakable algorithms, things no longer useful... they make a great material for studying and learning, and sometimes to demonstrate some colleagues how simple some approaches are. These materials, that I wouldn't use in a decent application are still usefull for me from time to time, and are nice to have at hand. Personally, I would prefer some algorithms not to be in Crypto++ less someone use them confident that if they are there, they must necessarily be good, although they might be useful for learning purposes. Nevertheless, as soon as I find something I think interesting to add, I'll let you know, or even contribute it myself. And thanks again for this fine piece of code! jr From JR at ns.cnb.uam.es Sun Mar 31 14:23:17 1996 From: JR at ns.cnb.uam.es (JR at ns.cnb.uam.es) Date: Mon, 1 Apr 1996 06:23:17 +0800 Subject: Crypto CD UpDate Message-ID: <960331195402.204003bd@ROCK.CNB.UAM.ES> >If pieces of the source/executable are digitally signed, you have a basis >for some degree of trust. (My pgp came with a detached signature. A bit >self-referental, but at least a start.) > >Regards - Bill Agreed, but it imposes further restrictions: it's OK if you can put PGP digitally signed by prz, but not all packages will be available signed from their authours, especially compiled for various platforms. OTOH, most unknowledgeable people will trust almost anything (they are already doing so when downloading java applets). And it would do a great work to spread knowledge about cryptography. Which is a Good Thing. All in all, I think it is a good idea, but addressing the general public will require quite some work, and the 'connoisseurs' might either do as Tim (only use the net) or just make their own mass-store, removable, thingies. Stil I'd bet many people will be eager to get a mirror of the major sites on CD. jr From perry at piermont.com Sun Mar 31 14:59:03 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 1 Apr 1996 06:59:03 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks In-Reply-To: <199603310759.XAA09261@netcom13.netcom.com> Message-ID: <199603311844.NAA20037@jekyll.piermont.com> Mike Duvos writes: > perry at piermont.com ("Perry E. Metzger") writes: > > > Why not? If the card knows its own key, then someone else > > can probably get the key out by some nasty mechanism. > > There is no physical difference between cards. The key > information is stored in EEPROM, and the links which permit the > EEPROM to be written are burned after programming is complete. > The EEPROM data is then only accessible to intimately associated > circuitry in its vicinity. Or to people with access to scanning microscopy techniques like STMs or AFMs. I suspect that there are lots of techniques that can be successfully used. It used to be that using them required the sort of facilities only available at a large semiconductor manufacturer, but now I suspect that it would be easy for a student at a major university, and probably less easy, but still perfectly feasible, for a person working at home with lots of sophisticated but fairly available equipment like STMs. > Presumedly the state of the EEPROM cannot be deduced by any > external examination of the card, and any attempt to > incrementally abrade the card down to the relevent circuit > elements should completely obliterate the minute charge > differences which represent the data. They aren't immune to the laws of physics. If it can be put together, it can be taken apart. I can even surmise HOW it can be taken apart. > At least, that's the theory. The Europeans trust this technology > well enough to let it represent real money, so presumedly they do > not consider hacking a possibility. The Americans trust their money to the notion that no counterfeiter can afford to pay a million or so for an intaglio press. Do you think this is likely? In any case, I notice that the claim has changed. Before, it was claimed, speciously, that modern cryptography could solve this problem. Now it is claimed that the security of the system depends entirely on keeping the user from breaking in to a piece of equipment that they have physical possession of. Pretty different story, eh? > Perhaps our resident VLSI and Alpha Particle expert, Timothy C. > May, could give us a guess as to whether Perry's "Nasty > Mechanism" is more or less likely than Maxwell's "Daemon." I think he'll tell you that he doesn't know how much effort it will take but that Intel's labs probably could manage it and that they probably couldn't manage to build Maxwell's Demon. Perry From jimbell at pacifier.com Sun Mar 31 15:02:41 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 1 Apr 1996 07:02:41 +0800 Subject: So where's the Burns bill? Message-ID: >(1) SENATOR BURNS ANNOUNCES BILL TO LIFT CRYPTO EXPORT CONTROLS >The battle to roll back the Clinton Administration's encryption policy >escalated on Thursday when Senator Conrad Burns (R-MT) announced that he >will introduce a new proposal to repeal restrictions on encryption exports >and to encourage the growth of electronic commerce. Senator Burns announced >the bill via a teleconference during a special session at the Computers, >Freedom, and Privacy Conference in Boston, MA. >The bill, titled the "Promoting Commerce On-Line in the Digital Age Act" >(PROCODE), joins two recent bills introduced earlier this month (S. 1587 >and HR 3011) designed to encourage the development of strong, easy-to-use >privacy and security products for the Internet. Maybe I'm just naturally suspicious of the government about such things, but I'm wondering where the text of this new Burns bill has gotten off to. It's been days since it was first described, and yet a recent trip to the CDT page still claims it's coming. Well, is there a bill or isn't there? As usual, my solution will cause some people to smile, while others will frown: We should educate these politicians that whenever they claim they have a bill to introduce, at the very least they should be required to release a secure hash of their CURRENT draft version of the bill, as it sits in the word processor. Later, when the finalized bill is complete, they will be required to release the intermediate edit (whose hash can be checked against that originally announced) to prove that they did, indeed, have a specific bill in mind. It would also allow all citizens to see how that bill changed (if at all) between the time they CLAIMED the bill existed, and the time it is actually released in finalized text version. (If we REALLY don't trust the politicians, we could insist that the text of that proposed bill be released into the hands of one of these supposedly-trustworthy escrow agents they seem to want US to use, which instructions to release it in, say, 2 weeks maximum come hell or high water. All these instructions, plus the hash, will be immediately released.) This requirement would drastically cut down on the kind of game-playing that may be going on regularly when a bill is claimed to be ready to introduce, but actually isn't. It would prevent the politicians from "running it up the flagpole and seeing if anyone salutes" without that being later revealed. They could still change their bills, but all of their changes will become documented, and thus potentially politically incriminating. Jim Bell jimbell at pacifier.com From ravage at ssz.com Sun Mar 31 15:30:21 1996 From: ravage at ssz.com (Jim Choate) Date: Mon, 1 Apr 1996 07:30:21 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks (fwd) Message-ID: <199603311954.NAA18479@einstein.ssz.com> Forwarded message: > > Presumedly the state of the EEPROM cannot be deduced by any > > external examination of the card, and any attempt to > > incrementally abrade the card down to the relevent circuit > > elements should completely obliterate the minute charge > > differences which represent the data. > > They aren't immune to the laws of physics. If it can be put together, > it can be taken apart. I can even surmise HOW it can be taken apart. You wouldn't even have to take it apart. Just subject it to analysis using SQUID's. Using this technology you would not even have to physicaly touch the card, let alone remove any parts of it. From tcmay at got.net Sun Mar 31 15:31:29 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 1 Apr 1996 07:31:29 +0800 Subject: Navajo Code-Talkers Message-ID: At 6:10 PM 3/31/96, Alan Horowitz wrote: >Young men are still being registered for the draft. In fact, in the past >several years, there's been a crackdown.... no draft registration, no >federal student loan. But what I said was there is no draft. There hasn't been one for around 20 years or so, since the "All Volunteer Army," roughly coinciding with the end of American involvement in Vietnam. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Sun Mar 31 16:07:26 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 1 Apr 1996 08:07:26 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks Message-ID: At 4:34 PM 3/31/96, jim bell wrote: >At 11:59 PM 3/30/96 -0800, Mike Duvos wrote: >>Perhaps our resident VLSI and Alpha Particle expert, Timothy C. >>May, could give us a guess as to whether Perry's "Nasty >>Mechanism" is more or less likely than Maxwell's "Daemon." I wrote a reply to this, about decoder cloning and fingerprinting, but my Mac froze up for some reason...must be a message. Maybe I'll rewrite it... Then I saw this comment, and my sense of irony was triggered: >I don't know what Tim May will tell you, but over 10 years ago a technology >was developed which is something like a scanning electron microscope, >however with very low beam energies and is designed to be able to scan a >chip and quantitatively measure the voltage at various/all points on the >chip. It can be thwarted by a thick coating on the chip, but most organic >coatings can be removed with a "plasma asher," a chamber designed to remove >photoresist coatings on chips. I wrote a paper on this, "Dynamic Fault Imaging," using voltage contrast combined with image processing and chip data bases to locate the origins of glitches and faults in microprocessors. However, voltage contrast is a lot older than 10 years, and was in use in the early 70s--my group just developed a kind of "time machine" for watching the propagation of defective states inside complex logic devices. Using such methods to look at the internal state of logic or memory devices is incredibly difficult, though a sufficiently determined analyst might discover some interesting things. (Check the archives for several articles I've written on tamper-resistant and tamper-responding hardware.) Hardware fingerprinting is an economic win over reverse-engineering analysis to the extent that it costs a huge amount more to get a particular key than the value of what's in the key. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From samman-ben at CS.YALE.EDU Sun Mar 31 16:40:34 1996 From: samman-ben at CS.YALE.EDU (Rev. Ben) Date: Mon, 1 Apr 1996 08:40:34 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: <960331120551_366431213@emout06.mail.aol.com> Message-ID: On Sun, 31 Mar 1996 JonWienke at aol.com wrote: > >My preferred and soon to be permanent e-mail address:unicorn at schloss.li > >"In fact, had Unicorn not existed, potestas scientiae in usu est > >Detweiler might not have had to invent him." in nihilum nil posse reverti > >00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information > > Unicorn = Detweiler = Agent Provocateur Uh. No. Unicorn != Detweiler = Agent Provocateur I won't post my opinions upon whom I think is an Agent Provocateur, but Uni isn't one. Ben. Ben Samman..............................................samman at cs.yale.edu Want to give a soon-to-be college grad a job? Mail me for a resume Je voudrais travailler en France. J'ai deja obtenu une autorisation de travail. From jimbell at pacifier.com Sun Mar 31 16:50:24 1996 From: jimbell at pacifier.com (jim bell) Date: Mon, 1 Apr 1996 08:50:24 +0800 Subject: SNI_ffs Message-ID: At 10:57 AM 3/31/96 -0500, John Young wrote: >---------- > The New York Times, March 31, 1996, p. 20. > > > First Internet Wiretap Leads to a Suspect > > [Excerpts of story not in the TWP] > > Stephen P. Heymann, a Federal prosecutor in Boston, said > investigators had worked with Harvard to determine a method > of tracking the suspect that would protect the privacy of > legitimate users. > > He said that the Harvard system had 16,500 accounts and > 13,000 users and that about 60,000 E-mail messages each day > moved in and out of the area where investigators were > looking for the intruder. > > Mr. Heymann said investigators had used a high-speed > computer Hey! They finally got those 386DX-40's working! From mpd at netcom.com Sun Mar 31 17:08:44 1996 From: mpd at netcom.com (Mike Duvos) Date: Mon, 1 Apr 1996 09:08:44 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks In-Reply-To: <199603311844.NAA20037@jekyll.piermont.com> Message-ID: <199603311936.LAA18229@netcom15.netcom.com> "Perry E. Metzger" writes: > Or to people with access to scanning microscopy techniques > like STMs or AFMs. I suspect that there are lots of > techniques that can be successfully used. It used to be that > using them required the sort of facilities only available at > a large semiconductor manufacturer, but now I suspect that > it would be easy for a student at a major university, and > probably less easy, but still perfectly feasible, for a > person working at home with lots of sophisticated but fairly > available equipment like STMs. We aren't talking about IC masks here. We are talking about electrostatic charges which would instantly leak away if the insulation around them were in the least bit compromised. Such data wouldn't even survive the preparation for scanning microscopy, much less the actual inspection process. > They aren't immune to the laws of physics. If it can be put > together, it can be taken apart. I can even surmise HOW it > can be taken apart. If you put something fragile inside a container which cannot be breached without exposing the fragile thing to a destructive environment, then the fragile thing is very unlikely to be retrieved intact. The specific parameters here will of course vary with what technology is available, but I think live EEPROM cells deep inside a multi-layer VLSI device are probably safe from scrutiny for the lifetime of your average smart card. Live registers too, for that matter. > The Americans trust their money to the notion that no > counterfeiter can afford to pay a million or so for an > intaglio press. Do you think this is likely? It is neither likely nor relevant. > In any case, I notice that the claim has changed. Before, > it was claimed, speciously, that modern cryptography could > solve this problem. Now it is claimed that the security of > the system depends entirely on keeping the user from > breaking in to a piece of equipment that they have physical > possession of. Pretty different story, eh? The original scenario outlined how strong cryptography could be used to authorize pay per view in a manner which was not vulnerable to obvious hacking. The successful use of strong cryptography depends upon keeping certain key information secret, and it was postulated as part of the scenario that this could be done within a smart card. An endless metaphysical quibble over whether God can create a smart card he can't peek into does not serve to further illuminate the cryptographic issues under discussion. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From mpd at netcom.com Sun Mar 31 17:35:26 1996 From: mpd at netcom.com (Mike Duvos) Date: Mon, 1 Apr 1996 09:35:26 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks (fwd) In-Reply-To: <199603311954.NAA18479@einstein.ssz.com> Message-ID: <199603312022.MAA25284@netcom9.netcom.com> Jim Choate writes: > You wouldn't even have to take it apart. Just subject it to > analysis using SQUID's. Using this technology you would not > even have to physicaly touch the card, let alone remove any > parts of it. Excuse me, but April Fool's Day isn't until tomorrow. Besides, all you have to do is run the card through a transporter, and then dump the pattern buffer to a floppy. :) -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From ravage at ssz.com Sun Mar 31 17:53:22 1996 From: ravage at ssz.com (Jim Choate) Date: Mon, 1 Apr 1996 09:53:22 +0800 Subject: SQUID's Message-ID: <199603312132.PAA18565@einstein.ssz.com> Forwarded message: > > > You wouldn't even have to take it apart. Just subject it to > > analysis using SQUID's. Using this technology you would not > > even have to physicaly touch the card, let alone remove any > > parts of it. > > Excuse me, but April Fool's Day isn't until tomorrow. Besides, all > you have to do is run the card through a transporter, and then > dump the pattern buffer to a floppy. :) > > -- > Mike Duvos $ PGP 2.6 Public Key available $ > mpd at netcom.com $ via Finger. $ > Hi Mike, Apparently you are grossly unfamiliar with the characteristics and capabilities of SQUID's. To help you catch up... Conductus 969 West Maude Av. Sunnyvale, CA 94086 408-737-6700 408-737-6699 Fax If you happen to be in Austin, TX, Data Managemenet Associates 3636 Executive Center Dr., #216 Austin, TX 78731 512-338-4701 The product under suggestion is called 'Mr. SQUID' and is a device intended for educational and introductory appllications. Its specifications are: SQUID Amplifier: Voltage Gain x 10,000 Frequency Responce 0 - 2.8 kHz Voltage Noise Floor < 5.0 nV/ sqrt. Hz @ 10 Hz SQUID Specifications: Critical Current (minimum) 5 uAmps @ 77K Magnetic Field Modulation (minimum) 1 uVolt @ 77K Int. & ext. Coil Mutual Inductance ~75 pHenries Int. & ext. Coil Resistance ~20 Ohms @ 77K Mr. SQUID User's Guide Contents: Typical experiments: Resistance v Temperature of the YBCO SQUID Flux-locked Loop Using a Flux-locked Loop as a sensitive non-contact voltmeter Microwave induced (Shapiro) steps @ 77K & h/e Inductive measurement of the Tc of an HTS film SQUID properties in pumped liquid nitrogen The following is taken without permission and verbatim from their pamphlet What's inside the probe? The heart of Mr. SQUId is a small integrated circuit containing a dc SQUID and 2 modulation coils. The SQUID itself is a superconducting ring made of Yttrium Barium Copper oxides (Y1Ba2Cu3O7, sometimes called YBCO or 123) with two active devices called Josephson Junctions - the basic building block of all superconducting electronics - made by a process invented at Conductus. The coils are made of thin film silver deposited on top of an insulating layer. The chip in Mr. SQUID represents a remarkable level of sophistication in a materials technology scarecly 5 years old. And, unlike any other SQUID system currently on the market, Mr. SQUID is designed to operate in a liquid Nitrogen bath at 77K (-169C). What does Mr. SQUID do? Mr. Squid is a sensitive superconducting magnetometer and can therefore be used to detect small magnetic signals if they are properly introduced to the SQUID. The limiting performance of Mr. SQUID is set by its economical electronics package and by its non-superconducting modulation coils. As a result, Mr. SQUID does not have the sensitivity of high-performance laboratory SQUIDs and thus cannot be used to detect truly minute signals such as those generated in the human brain. Enjoy! From ravage at ssz.com Sun Mar 31 18:00:06 1996 From: ravage at ssz.com (Jim Choate) Date: Mon, 1 Apr 1996 10:00:06 +0800 Subject: Laws of physics Message-ID: <199603312156.PAA18604@einstein.ssz.com> Forwarded message: > From: mpd at netcom.com (Mike Duvos) > Subject: Re: [NOISE] Cable-TV-Piracy-Punks > Date: Sun, 31 Mar 1996 11:36:51 -0800 (PST) > > We aren't talking about IC masks here. We are talking about > electrostatic charges which would instantly leak away if the > insulation around them were in the least bit compromised. Actualy the data in a PROM is not electrostic, it is quite dynamic and the chip itself would undergo no permanent damage if removed from the original case and examined in the right environment (namely a good vacuum). > If you put something fragile inside a container which cannot be > breached without exposing the fragile thing to a destructive > environment, then the fragile thing is very unlikely to be > retrieved intact. Only if you are sloppy and/or don't understand the technology. > The specific parameters here will of course > vary with what technology is available, but I think live EEPROM > cells deep inside a multi-layer VLSI device are probably safe > from scrutiny for the lifetime of your average smart card. Live > registers too, for that matter. Not. Not only woud SQUID technology be applicable but STM and MNR technologies would also be applicable to this type of hardware analysis. The chip is simply to big to prevent this type of analysis. Get it down to atomic scale (nanotech) and SQUIDs are about your only resource. From unicorn at schloss.li Sun Mar 31 18:18:59 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 1 Apr 1996 10:18:59 +0800 Subject: No Subject Message-ID: > On Sat, 30 Mar 1996, Dr. Dimitri Vulis wrote: > > > Black Unicorn writes: > > > > > On Fri, 29 Mar 1996, jim bell wrote: > > > > > > > > >Anyone who knows me knows I spend all my days end arounding the > > > > >U.S. government. > > > > > > > > Explains a lot! You _are_ paid for this. In an earlier era, you > > > > would have gladly run the ovens at Auschwitz if you'd gotten paid > > > > for it. would have gladly run the ovens at Auschwitz if you'd > > > > gotten paid for it. > > > > > > You're way out of line here. > > > I expect an apology. > > > > Consider the above in context. Would you be willing to run the ovens/gas > > chambers if you were exterminating U.S. government employees/contractors? > > No, I would not. That's the difference between me and you- er... Mr. Bell. . Finally, Lance blew his nym. I'd love to hear the rationale behind this. . So, do you think that I'm Jim Bell's tentacle or that he's my tentacle? Does it make a difference? > > "The final solution to the IRS/BATF problem." :-) . And what if you were "processing" U.S. Congressmen? I find this entire line of conversation revolting. I also don't find it very surprising given the sources/source. . --- . Dr. Dimitri Vulis . Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From perry at piermont.com Sun Mar 31 18:21:00 1996 From: perry at piermont.com (Perry E. Metzger) Date: Mon, 1 Apr 1996 10:21:00 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks In-Reply-To: <199603311936.LAA18229@netcom15.netcom.com> Message-ID: <199603312135.QAA20370@jekyll.piermont.com> Mike Duvos writes: > We aren't talking about IC masks here. We are talking about > electrostatic charges which would instantly leak away if the > insulation around them were in the least bit compromised. I was under the impression charges had associated fields which could be detected without physically touching the charged object. Silly me. Incidently, EEPROMs don't work by simply charging a capacitor or something silly like that. No insulator is perfect, no dielectric is perfect, and charge would eventually leak away were that the case. However, if it were, it would be fairly easy to determine the state of a cell without having to get particularly close to it. Beyond that, there is this insane notion you seem to have that a charged object will lose its charge if the "insulator" is "stripped off" -- I wasn't under the impression a vacuum, for instance, was a particularly good charge carrier. > Such data wouldn't even survive the preparation for scanning > microscopy, much less the actual inspection process. I believe you are operating on some sort of weird faith here rather than in reality. Reality is that even the extraordinarily well built circuits on the Capstone and similar chips that the NSA is trusting the Skipjack algorithm to aren't believed to be uncompromisable -- I believe the words were something to the effect of "it would take the resources of a national laboratory to reverse engineer" or some such. In any case, I don't care to debate this further. I am coming to believe very strongly that you just don't know what you are talking about. > > They aren't immune to the laws of physics. If it can be put > > together, it can be taken apart. I can even surmise HOW it > > can be taken apart. > > If you put something fragile inside a container which cannot be > breached without exposing the fragile thing to a destructive > environment, then the fragile thing is very unlikely to be > retrieved intact. If a container contains some protective gas, you can pressurize the exterior with the same at the same pressure. If the container contains a vacuum, you can open the container in a vacuum. If the contents are light sensitive, you can open the container in the dark. This is a problem like copy protection. Yes, you can make things arbitrarily hard, but you can't make them hard enough. > > The Americans trust their money to the notion that no > > counterfeiter can afford to pay a million or so for an > > intaglio press. > > It is neither likely nor relevant. No, its relevant. You cut out what I quoted, which was you saying "the europeans trust smartcards for storing money", to which I noted, basically, "so what; people trust even more easily forged things like paper, with nothing standing between a forgery and the forger than some special paper and an intaglio press." You brought it up, not me. > An endless metaphysical quibble over whether God can create a > smart card he can't peek into does not serve to further > illuminate the cryptographic issues under discussion. The point is that men can't create an impenetrable smart card. Perry From unicorn at schloss.li Sun Mar 31 19:16:08 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 1 Apr 1996 11:16:08 +0800 Subject: So, what crypto legislation (if any) is necessary? In-Reply-To: <960331120551_366431213@emout06.mail.aol.com> Message-ID: On Sun, 31 Mar 1996 JonWienke at aol.com wrote: > >My preferred and soon to be permanent e-mail address:unicorn at schloss.li > >"In fact, had Unicorn not existed, potestas scientiae in usu est > >Detweiler might not have had to invent him." in nihilum nil posse reverti > >00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information > > Unicorn = Detweiler = Agent Provocateur Uh huh, whatever. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From jlasser at rwd.goucher.edu Sun Mar 31 19:37:13 1996 From: jlasser at rwd.goucher.edu (Bruce Zambini) Date: Mon, 1 Apr 1996 11:37:13 +0800 Subject: Witch Hunts In-Reply-To: <960331120551_366431213@emout06.mail.aol.com> Message-ID: On Sun, 31 Mar 1996 JonWienke at aol.com wrote: > >My preferred and soon to be permanent e-mail address:unicorn at schloss.li > >"In fact, had Unicorn not existed, potestas scientiae in usu est > >Detweiler might not have had to invent him." in nihilum nil posse reverti > >00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information > > Unicorn = Detweiler = Agent Provocateur Well, I won't say it's impossible. However, for those of you who are relatively new to the list, Mr. Unicorn has been a regular (and useful) contributor to the list. My belief in this has been unwavering. Excepting, of course, the recent Unicorn/Bell flamefest, which we all get sucked into occasionally. My opinion of Mr. Bell on the same issue has varied widely; however, he has participated (in recent times) in more flamewars on the list than anyone, including the usual flamers (ie Perry, me, etc.). It is also interesting to note that Mr. Unicorn talks knowledgably about several fields; Mr. Bell talks about one field, and there are those who would dispute his knowledge about it. I have had an e-mail correspondence with Mr. Bell that lasted several messages. In it, we were both civil and friendly; I post this now not to take sides in the flamewar, but merely to note that, in my opinion, it is improbable that Black Unicorn is Detweiller, and that, although I missed the origin of this thread, it is likely a suggestion from Mr. Bell or one of his associates, intended to discredit him. If Mr. Unicorn is indeed Detweiller, it is in the mold of Vlad Z. Nuri, who (while almost certainly Detweiller) has produced useful contributions on the list, while refraining from acting out. It is also worth noting that the original Detweiller, in a sense, played De Sade to Tim May's Rousseau, in that he used an unorthodox, but effective, critical technique. (This is, in fact, one reading of De Sade's "pornography" -- an interesting counterexample to what was trumpeted on _Both_ sides of the recent Firing Line debate: that pornography or obscenity is, whether or not protected, devoid of any intellectual content.) Jon Lasser (his own tentacle :-) ) ---------- Jon Lasser (410)494-3072 - Obscenity is a crutch for jlasser at rwd.goucher.edu inarticulate motherfuckers. http://www.goucher.edu/~jlasser/ Finger for PGP key (1024/EC001E4D) - Fuck the CDA. From Greg_Rose at sydney.sterling.com Sun Mar 31 20:35:58 1996 From: Greg_Rose at sydney.sterling.com (Greg Rose) Date: Mon, 1 Apr 1996 12:35:58 +0800 Subject: HP & Export of DCE In-Reply-To: <9603272147.AA19461@oberon.osf.org.osf.org> Message-ID: On Wed Mar 27, 1996, Perry E. Metzger wrote: Adam Shostack writes: > | Adam Shostack writes: > | > Well, if Leahy passes, DCE is exportable. DCE is exported today, although without the ability to encrypt application traffic. Authentication and message integrity are in the export version. Yes, but lest we miss the point, Anon's posting was about FULL DCE, with the end-to-end security option, unless I'm very much mistaken. Greg. Greg Rose INTERNET: greg_rose at sydney.sterling.com Sterling Software VOICE: +61-2-9975 4777 FAX: +61-2-9975 2921 28 Rodborough Rd. http://www.sydney.sterling.com:8080/~ggr/ French's Forest 35 0A 79 7D 5E 21 8D 47 E3 53 75 66 AC FB D9 45 NSW 2086 Australia. co-mod sci.crypt.research, USENIX Director. From reagle at MIT.EDU Sun Mar 31 21:03:07 1996 From: reagle at MIT.EDU (Joseph M. Reagle Jr.) Date: Mon, 1 Apr 1996 13:03:07 +0800 Subject: Netscape Navigator 3.0 beta Message-ID: <9603312351.AA08987@rpcp.mit.edu> Found an interesting article on Ecash in Industrial (Internatioal) Design. / What is Money / Karrie Jacobs ID March/April 96 _______________________ Regards, Those who would have nothing to do with thorns must never attempt to gather flowers. Joseph Reagle http://farnsworth.mit.edu/~reagle/home.html reagle at mit.edu 0C 69 D4 E8 F2 70 24 33 B4 5E 5E EC 35 E6 FB 88 From Randy at mci.net Sun Mar 31 21:12:33 1996 From: Randy at mci.net (Randy Catoe) Date: Mon, 1 Apr 1996 13:12:33 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks Message-ID: <01I2ZZ718SXE001O2D@ALPHA1.RESTON.MCI.NET> >"Perry E. Metzger" writes: > > > Or to people with access to scanning microscopy techniques > > like STMs or AFMs. I suspect that there are lots of > > techniques that can be successfully used. It used to be that > > using them required the sort of facilities only available at > > a large semiconductor manufacturer, but now I suspect that > > it would be easy for a student at a major university, and > > probably less easy, but still perfectly feasible, for a > > person working at home with lots of sophisticated but fairly > > available equipment like STMs. > The proof would be in the pudding, would it not? Are their documented cases of smartcard scavenging? From cpunk at remail.ecafe.org Sun Mar 31 22:20:20 1996 From: cpunk at remail.ecafe.org (ECafe Anonymous Remailer) Date: Mon, 1 Apr 1996 14:20:20 +0800 Subject: Spy Dupe Message-ID: <199604010019.BAA07060@pangaea.hypereality.co.uk> Has this dupe russe tale appeared in the US? Or brags of cutting edge XX-equipment duping global buyers? ----- The Sunday Times (UK) 31 March 1996 Spy in the copier gave CIA its coup by James Adams Washington A tiny camera hidden in a photocopier in the Soviet embassy in Washington provided America with one of the greatest intelligence coups of the cold war, it emerged last week. The camera, planted by the CIA in the early 1960s, provided a treasure trove of intelligence, with access to virtually every document copied by the Russians for most of the decade. The CIA was exploiting a Russian bureaucratic obsession with documents: in 1963, word got out that embassy staff were fed up with copying documents by hand and had approached Xerox to rent a photocopier. American spies went to work. Ray Zoppoth, one of Xerox's engineering experts, hit upon the idea of installing a camera opposite the photocopier's mirror. It was activated automatically when the document scanning light came on. The coup could hardly have come at a better time for the CIA. The Cuban missile crisis had plunged American-Soviet relations into one of their darkest periods. The CIA, embarrassed over the way the Soviets had been able to move missiles into Cuba, was determined to improve its intelligence capability. One problem was how to retrieve the camera's film at regular intervals. Xerox prided itself on the reliability of its early machines but it sent a maintenance man regularly to the embassy to collect the film. Later Zoppoth invented an even smaller camera that could be disguised as a tool. Over the next six years the camera was installed in photocopiers at other embassies of hostile and friendly countries. "Xerox copiers had become part of every office system and no foreign embassy was immune to possible spying," said Zoppoth. The operation was halted only in 1969, when an American chemical company tried to bug the photocopier of a rival firm to steal patented designs. The publicity surrounding the case alerted the Russians and they stopped photocopying their secret documents. -- From mpd at netcom.com Sun Mar 31 22:48:31 1996 From: mpd at netcom.com (Mike Duvos) Date: Mon, 1 Apr 1996 14:48:31 +0800 Subject: SQUID's In-Reply-To: <199603312132.PAA18565@einstein.ssz.com> Message-ID: <199603312236.OAA03236@netcom9.netcom.com> Jim Choate writes: > Apparently you are grossly unfamiliar with the > characteristics and capabilities of SQUID's. To help you > catch up... Actually, I am quite familiar with Superconducting Quantum Interference Devices and the one existing commercial application of the technology, a magnetometer probe containing a liquid nitrogen cooled SQUID chip at its tip. [Biography of Mr. Squid deleted] I will still laugh at suggestions that Mr. Squid can remotely read the EEPROM in my smart card, however. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From aba at dcs.ex.ac.uk Sun Mar 31 22:48:35 1996 From: aba at dcs.ex.ac.uk (Adam Back) Date: Mon, 1 Apr 1996 14:48:35 +0800 Subject: [ITAR/POLITICS] rsa-in-3-lines-of-perl just shrunk!! Message-ID: <199603312332.AAA00930@adam.test.net> Sorry to contribute to the simply awesome noise to signal ratio here lately (hopefully the subject tag should help those not interested in politics), but... [if you don't know what I'm talking about, see http://www.dcs.ex.ac.uk/~aba/rsa/ for a combined perl hack and ITAR violation] Due mainly to a couple of insights donated by someone who was introduced to the code via a friends `munition' T-shirt... he started the ball rolling again... it shrunk from: #!/bin/perl -s-- -export-a-crypto-system-sig -RSA-3-lines-PERL $m=unpack(H.$w,$m."\0"x$w),$_=`echo "16do$w 2+4Oi0$d*-^1[d2%Sa 2/d0 At 11:22 AM 3/31/96 -0500, Jean-Francois Avon (JFA Technologies, QC, Canada) wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >Dave Del Torto wrote: > >>At 1:25 am 3/30/96, jim bell wrote: >>>We should be particularly suspicious of any hint of a pan-European ban or >>>control of encryption, because that is exactly the kind of development that >>>could usher in a secretly-negotiated treaty that might be argued to be >>>binding on the public. [elided] > >>Cypherpunks like Jim need to keep doing their homework before they make >>such quasi-factual statements. > > >Jim seems to analyse a situation in terms of broad principles, >while Dave seems to focus more on specifics that would disprove Jim. > >I agree with the Dave's last phrase in the sense that our models of reality >should indeed be rooted in reality. I hope by now you've seen my reply about the treaty issue. I wasn't particularly focussing on the question of what Europe will do qua Europe, but how the treaty issue could be abused in the US. Here is the section of the US Constitution which is relevant, and which I mentioned by reference before: Article VI ... This Constitution, and the Laws of the United States which shall be made in Pursuance thereof; and all Treaties made, or which shall be made, under the Authority of the United States, shall be the supreme Law of the land; and the Judges in every State shall be bound thereby, any Thing in the Constituion or Laws of any State to the Contrary notwithstanding. ... I do not believe that this section was intended to mean that the _citizens_ of the US are bound by treaty obligations; That would be illogical, treaties are agreements between governments. Treaties are inherently intended to govern relations with foreign countries, not legal or political circumstances within a particular country. Treaties may AFFECT citizens, such as extradition treaties, immigration/emigration treaties, and passport requirements, but the citizen doesn't "agree" with them. That's evidenced by the fact that treaties are ratified by only the US Senate, the body with two Senators from each state. (The House has proportional representation, based on the population of each state.) The intent, I suggest, was that treaties were supposed to be interpreted as applying to the country, while laws applied to the individual. (Since you're Canadian, and for other non-US readers, I should point out that when the US Constitution was being drafted and debated, citizens were strongly loyal to their state, not the country as a whole, and there was a debate concerning how the representation in the Federal legislature should be divvied up. Obviously, large states wanted proportional representation, small states wanted "n-votes-per-state." The compromise was to have two houses, one of each kind of system. (House=proportional, Senate=2 votes per state.)) Laws have to be passed by both houses to become valid; treaties, on the other hand, only need to be ratified by the Senate. In any case, since laws can be declared unconstitutional I think it's implicit that there can be such a thing as an "unconstitutional treaty," or at least one if declared to be binding on the citizens would be in violation of the Constitution. If, for example, the US government decided that it wanted to take away free speech rights from its citizens, to name an obviously fantastic example, it could arguably write a treaty with, say, Mexico, "agreeing" that free-speech rights will not apply to the citizens of each country. While in practice such an extreme example would never fly and would not be tested (fortunately!) I have read that this section is opportunistically interpreted as if a treaty can be assumed to bind the citizens and not merely the government. I believe there was a treaty in the middle 1960's called something like "Single Issue Treaty on Narcotics" which led directly to a massive re-write of the drug laws in the US. In view of the fact that today, probably 70% of the inmates in US prisons are there on drug charges, it is obvious that this treaty had a long-lasting internal effect, far beyond what a person might have expected at the time. Whether or not this interpretation could still work in today's changed political climate, I don't know, but it's obvious that portions of the US government would dearly love to control encryption in particular and communications in general. Since telecommunications is one of those subjects that is covered by past treaties, and can be expected to be covered by future ones, I believe that American citizens need to be particularly concerned about the government sneaking in laws in the "back door," made by treaty, as opposed to the "front door", made by both the House and Senate and subject to Presidential veto. (Not that I have much respect for the latter, either, but that system is a bit easier to control.) If anything, I think there needs to be an explicit prohibition written into law prohibiting the enforcement of anti-crypto treaty terms on the citizens, or even better a law requiring that all future telecommunications treaties to which the US is a party not contain any regulations or restrictions on crypto. But I'm not hopeful about this. >But considering that in most european country, you are recognized guilty >unless proven innocent, it is only non-contradictory to arrive at Jim's >conclusions. The basic psycho-epistemology at work there is implying that. There is probably much about Europe which is superior to the US, but they do have a problem with social and political stratification given their long history. Jim Bell jimbell at pacifier.com From mpd at netcom.com Sun Mar 31 23:28:15 1996 From: mpd at netcom.com (Mike Duvos) Date: Mon, 1 Apr 1996 15:28:15 +0800 Subject: [NOISE] Nasty-Quibble-Punks In-Reply-To: <199603312135.QAA20370@jekyll.piermont.com> Message-ID: <199604010006.QAA10270@netcom2.netcom.com> "Perry E. Metzger" writes: > I was under the impression charges had associated fields > which could be detected without physically touching the > charged object. Silly me. Uh huh. > Incidently, EEPROMs don't work by simply charging a > capacitor or something silly like that. No insulator is > perfect, no dielectric is perfect, and charge would > eventually leak away were that the case. However, if it > were, it would be fairly easy to determine the state of a > cell without having to get particularly close to it. Beyond > that, there is this insane notion you seem to have that a > charged object will lose its charge if the "insulator" is > "stripped off" -- I wasn't under the impression a vacuum, > for instance, was a particularly good charge carrier. Uh huh. > I believe you are operating on some sort of weird faith > here rather than in reality. Reality is that even the > extraordinarily well built circuits on the Capstone and > similar chips that the NSA is trusting the Skipjack > algorithm to aren't believed to be uncompromisable -- I > believe the words were something to the effect of "it would > take the resources of a national laboratory to reverse > engineer" or some such. Uh huh. > In any case, I don't care to debate this further. I am > coming to believe very strongly that you just don't know > what you are talking about. High praise, considering the source. ----- Now I am certainly not going to waste any more time trying to explain solid state physics, how EEPROMs are put together, that the tamper-resistant packaging of Capstone is designed to thwart the reverse engineering of an algorithm contained on the masks used to make the chips, or impuning the supposed powers of "national laboratories." However, I will observe that whenever technology is put forth for criticism on this list, there are always a few people who insist upon maintaining that anything can be easily defeated. "All you have to do is " they exclaim, where may be replaced by "Quantum Factoring", "SQUIDs", "Scanning Tunneling Microscopy", "NP=P", "The EPR Effect", "Nanomachines", or some other exotic notion which would be lucky if it had even achieved a laboratory demonstration under carefully controlled conditions much less a practical application to the problem in question. Common to all such claims is a gross underappreciation of the engineering difficulties involved, in this case those related to reading logic states buried in a densely integrated digital device without destroying them. Something that isn't easy to do even if the device has been designed specifically for the purpose of permitting such observation in a laboratory environment. Such distractions, unfortunately, are why good physics rarely gets discussed in sci.physics, and why discussions on this list about nuclear bomb design, tampering, and hacking frequently take off in the crackpot direction. The bad eventually drives out the good, and few of the competent posters are going to continue to comment on a thread which has degenerated into the "You don't know anything. Mr. Squid can read your smart card and your brain waves too" level of interaction. Somewhere amongst all the noise here was the interesting disclosure that DSS had been compromised, and the beginnings of a good discussion about current "scrambling" protocols and their vulnerabilities. Let's see if we can recapture that discussion, and let the rants about obscure technologies magickally defeating all conceivable forms of tamper-resistant packaging drop. -- Mike Duvos $ PGP 2.6 Public Key available $ mpd at netcom.com $ via Finger. $ From tcmay at got.net Sun Mar 31 23:38:09 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 1 Apr 1996 15:38:09 +0800 Subject: Witch Hunts Message-ID: Bruce Zambini wrote: >It is also worth noting that the original Detweiller, in a sense, played >De Sade to Tim May's Rousseau, in that he used an unorthodox, but >effective, critical technique. (This is, in fact, one reading of De I don't buy this. If you consult the archives, circa the fall of 1993, you'll find that while Detweiler/S.Boxx/etc. repeatedly begged me to engage him in debate, I declined. So, what was the "effective" part? I thought his insults, rants, forgeries, screams, shouts, and general gibbering detracted from his real points, such as they were. I'm beginning to think there must be a personality type or behavioral pattern at work here. Others in recent months have also had their ideas buried in a stream of insults, rants, and CAPITAL LETTERS! The pattern seems to be the same, though I doubt any of them are Detweiler. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From tcmay at got.net Sun Mar 31 23:39:54 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 1 Apr 1996 15:39:54 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks Message-ID: thus demonstrating that the system had only moderate security. Enough security to stop an attacker from attacking a specific instance of the chip, but enough ^ not security to prevent attacks completely. From ravage at ssz.com Sun Mar 31 23:42:20 1996 From: ravage at ssz.com (Jim Choate) Date: Mon, 1 Apr 1996 15:42:20 +0800 Subject: SQUID's (fwd) Message-ID: <199603312348.RAA00351@einstein.ssz.com> Forwarded message: > > > Apparently you are grossly unfamiliar with the > > characteristics and capabilities of SQUID's. To help you > > catch up... > > Actually, I am quite familiar with Superconducting Quantum > Interference Devices and the one existing commercial application > of the technology, a magnetometer probe containing a liquid > nitrogen cooled SQUID chip at its tip. There are several commercial probes available, not a single source as you claim. The Air Force has used them in experimental fighter programs for several years allowing hands-off flying (in a simulator) with quite good results. Quite a few neurophysiologists use them along with NMR to map the neuronal activity of the human brain on a neuron by neuron basis. The folks who make the various flavors of super-conducting wire use them to test for imperfections in the product. I sugest that your familiarity with the SQUID technology might be a little dated. Take the time to contact Conductus. > > [Biography of Mr. Squid deleted] > > I will still laugh at suggestions that Mr. Squid can remotely > read the EEPROM in my smart card, however. I didn't make that assertion. I clearly offered it as a source of education and entertainment. I even went so far as to specificaly predicate my recital with this caveat. While Mr. SQUID might be able to do it, the other commercial probes out there would have no problem from reading your smart card on a transistor by transistor state if that is what were required. From tcmay at got.net Sun Mar 31 23:43:14 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 1 Apr 1996 15:43:14 +0800 Subject: Tamper-Resistance in VLSI Message-ID: At 12:06 AM 4/1/96, Mike Duvos wrote: >However, I will observe that whenever technology is put forth for >criticism on this list, there are always a few people who insist >upon maintaining that anything can be easily defeated. > >"All you have to do is " they exclaim, where may >be replaced by "Quantum Factoring", "SQUIDs", "Scanning Tunneling >Microscopy", "NP=P", "The EPR Effect", "Nanomachines", or some >other exotic notion which would be lucky if it had even achieved >a laboratory demonstration under carefully controlled conditions >much less a practical application to the problem in question. > >Common to all such claims is a gross underappreciation of the >engineering difficulties involved, in this case those related to >reading logic states buried in a densely integrated digital >device without destroying them. Something that isn't easy to do >even if the device has been designed specifically for the purpose >of permitting such observation in a laboratory environment. While I agree that reverse-engineering/analyzing the internal states of VLSI devices is much harder than some are claiming, it is not the case that a chip must have been designed with this in mind for it to be possible. When, then, is it possible, and when is it not? There is no simple answer; I'd have to look closely at the device, its packaging, how many layers of metal are involved, the size of the target node to be measured, and a raft of other things. >Such distractions, unfortunately, are why good physics rarely >gets discussed in sci.physics, and why discussions on this list >about nuclear bomb design, tampering, and hacking frequently take >off in the crackpot direction. > >The bad eventually drives out the good, and few of the competent >posters are going to continue to comment on a thread which has >degenerated into the "You don't know anything. Mr. Squid can >read your smart card and your brain waves too" level of >interaction. Well, this is my third post tonight on this thread. I admit that it has little to do with practical list issue (but then, what really does?). Howvever, this happens to be an area of primary expertise for me (device physics, voltage contrast, SQUIDs, sensing small charges, and tamper-resistance), so I'm making comments to correct the various misapprehensions here. As to tamper-resistance, there is some exciting work being done on "fingerprinting" of chips, some of which has been publically presented. I'm under an NDA on some of this, but I can say that the cost of reverse-engineering a smart card chip or satellite decoder chip is about to take a quantum leap upward. --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From unicorn at schloss.li Sun Mar 31 23:47:41 1996 From: unicorn at schloss.li (Black Unicorn) Date: Mon, 1 Apr 1996 15:47:41 +0800 Subject: Witch Hunts In-Reply-To: <199603312326.PAA04845@netcom22.netcom.com> Message-ID: On Sun, 31 Mar 1996, Vladimir Z. Nuri wrote: > > Bruce Zambini > >If Mr. Unicorn is indeed Detweiller, it is in the mold of Vlad Z. Nuri, > >who (while almost certainly Detweiller) has produced useful contributions > >on the list, while refraining from acting out. > > sigh. I don't know why this periodic identity madness visits this > list. does it have something to do with phases of the moon? do you guys > do harass everyone who hasn't personally attended a cypherpunk > meeting? I have personally attended a cypherpunks meeting. Seems that's not one of the required ommissions. > as for your speculations, all I can say is that Mr. Unicorn is one of > the many people who seem to have violent prejudices against me posting > here because of some supposed similarity of my style to this notorious > Detweiller fellow. so it wouldn't make much sense to me if he was > really me, er, sorry, Detweiller. Cute. > it seems to me that by now, people might have figured out that all this > silly identity speculation is a total waste of time (and tends only > to start flamewars) on a list that is > by official administration and consensus agreement, "anything goes". Perhaps, if these identity issues tire you so, you should stop fostering them? > in this forum, there is only a message. the messenger is irrelevant. This, of course, ignores all issues of reputation capital. The message is still only as good as the messenger, which is why I have maintained this nym for so long. Or more accurately, the message is only as good as it is heard. The message is heard in proportion to the reputation capital the messenger holds. > we could all post anonymously and have precisely the same effect. in > fact, I don't think it would be all that bad of an idea. I believe this in error. This is why I work to debunk Mr. Bell, and why I don't post with complete anonyminity. Of course, as you have no reputation capital of note, you would be of the view that posting without any name at all would be of no worth. You, like Mr. Bell, have little to lose. --- My preferred and soon to be permanent e-mail address:unicorn at schloss.li "In fact, had Bancroft not existed, potestas scientiae in usu est Franklin might have had to invent him." in nihilum nil posse reverti 00B9289C28DC0E55 E16D5378B81E1C96 - Finger for Current Key Information From vznuri at netcom.com Sun Mar 31 23:48:53 1996 From: vznuri at netcom.com (Vladimir Z. Nuri) Date: Mon, 1 Apr 1996 15:48:53 +0800 Subject: Witch Hunts In-Reply-To: Message-ID: <199603312326.PAA04845@netcom22.netcom.com> Bruce Zambini >If Mr. Unicorn is indeed Detweiller, it is in the mold of Vlad Z. Nuri, >who (while almost certainly Detweiller) has produced useful contributions >on the list, while refraining from acting out. sigh. I don't know why this periodic identity madness visits this list. does it have something to do with phases of the moon? do you guys do harass everyone who hasn't personally attended a cypherpunk meeting? are the cpunks going to implement uncrackable identity cards for authorizing posts before the congress does so for immigration security? as for your speculations, all I can say is that Mr. Unicorn is one of the many people who seem to have violent prejudices against me posting here because of some supposed similarity of my style to this notorious Detweiller fellow. so it wouldn't make much sense to me if he was really me, er, sorry, Detweiller. it seems to me that by now, people might have figured out that all this silly identity speculation is a total waste of time (and tends only to start flamewars) on a list that is by official administration and consensus agreement, "anything goes". ah, but some people are slow learners and need a lot of reiteration before they begin to understand. in this forum, there is only a message. the messenger is irrelevant. we could all post anonymously and have precisely the same effect. in fact, I don't think it would be all that bad of an idea. >It is also worth noting that the original Detweiller, in a sense, played >De Sade to Tim May's Rousseau, in that he used an unorthodox, but >effective, critical technique. Tim May == Rousseau??? hehehehehe. and I fail to comprehend how anyone so universally despised as Detweiller could be considered to have employed any "effective critical technique". maybe I should send him some email, but alas I perceive that to be another waste of time. the point of this message is to say, will everyone give it a rest? who cares? why do you think it matters? From tcmay at got.net Sun Mar 31 23:53:14 1996 From: tcmay at got.net (Timothy C. May) Date: Mon, 1 Apr 1996 15:53:14 +0800 Subject: [NOISE] Cable-TV-Piracy-Punks Message-ID: At 11:56 PM 3/31/96, Randy Catoe wrote: >>"Perry E. Metzger" writes: >> >> > Or to people with access to scanning microscopy techniques >> > like STMs or AFMs. I suspect that there are lots of >> > techniques that can be successfully used. It used to be that >> > using them required the sort of facilities only available at >> > a large semiconductor manufacturer, but now I suspect that >> > it would be easy for a student at a major university, and >> > probably less easy, but still perfectly feasible, for a >> > person working at home with lots of sophisticated but fairly >> > available equipment like STMs. >> >The proof would be in the pudding, would it not? Are their >documented cases of smartcard scavenging? Intel produced an "encrypted EPROM," for use in coin-op game machines and in similar applications, in the early 80s. My voltage contrast lab was able to use our machine (which I invented and my group then developed and deployed to major sites within Intel) to read the internal data streams out from internal nodes, thus demonstrating that the system had only moderate security. Enough security to stop an attacker from attacking a specific instance of the chip, but enough security to prevent attacks completely. Does this qualify as a documented case, coming as it does directly from the guy who lead such a scavenging attack? --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay at got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway." From don at cs.byu.edu Sun Mar 31 23:58:22 1996 From: don at cs.byu.edu (don at cs.byu.edu) Date: Mon, 1 Apr 1996 15:58:22 +0800 Subject: Key signing - LA & SF Message-ID: <199604010026.RAA00174@wero.cs.byu.edu> -----BEGIN PGP SIGNED MESSAGE----- I will be in the Los Angeles and San Francisco areas briefly at the end of April. Anyone who would like to trade keysignatures, please email me. (Unfortunately my ability to get around will be somewhat limited) Don ObCypherpunks: I read cpunks by NNTP from nntp.hks.net. Let me assure you, the apparent noise level has gone down by 90% from when it landed in my mailbox. Many thanks to those who provide this service. - -- http://students.cs.byu.edu/~don PGP 0x994B8F39 fRee cRyPTo! "It is not worth an intelligent man's time to be in the majority. By definition, there are already enough people to do that." - G. H. Hardy ** This user insured by the Smith, Wesson, & Zimmermann insurance company ** -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQB1AwUBMV8iosLa+QKZS485AQGVJgL/TED+T/49jMtNRbCAHJdo+IkSOTx7Ajrx Ox7+ABlcbCYKudLE70qh7RDdz9TI2sojB6FZ0vyoLGdVM61ljfd9YzZfq/kVXsyY EZ4HM2nGInXBQFo+rfQcn7JbXAT3agz/ =NZjK -----END PGP SIGNATURE-----